AI tools and GDPR — a complex relationship
Artificial intelligence tools like ChatGPT, Microsoft Copilot, Google Gemini, and countless others are becoming standard in everyday business. However, their use creates significant data protection challenges: where is the data processed? What is the legal basis? How long is data retained? Who has access?
What we examine and advise on
- AI tool inventory — which AI systems are in use in your organization?
- Legal basis assessment — is the use of each tool lawful under GDPR?
- Data transfer analysis — are personal data transferred to third countries (e.g., USA)?
- Data Processing Agreements — are vendors covered by valid DPAs?
- EU AI Act compliance — risk classification and obligations under the new EU AI regulation
- AI usage policies — internal guidelines for employees using AI tools
- DPIA for high-risk AI — mandatory assessments for high-risk AI systems
Practical outcome
You receive a clear assessment of which AI tools can be used lawfully and under what conditions, a set of internal usage guidelines, and where necessary, complete DPIA documentation — enabling your organization to benefit from AI while staying on the right side of the GDPR.