For privacy, legal, and AI product teams
GDPR Compliance
for AI Systems
Operationalize GDPR for AI systems by mapping obligations to controls, linking evidence, and maintaining accountable review history across the AI lifecycle.
What is the General Data Protection Regulation (GDPR)?
The GDPR (Regulation (EU) 2016/679) is the EU's comprehensive data-protection law governing how organisations collect, process, store, and share personal data. In force since 25 May 2018, it applies under Article 3 to organisations established in the Union (Article 3(1)), to non-EU organisations offering goods or services to data subjects in the Union (Article 3(2)(a)), and to non-EU organisations monitoring data-subject behaviour in the Union (Article 3(2)(b)).
For AI systems, GDPR is particularly critical because personal data appears throughout the AI lifecycle: in training datasets, user inputs, operational logs, model outputs, and vendor relationships. Non-compliance under Article 83 carries fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
Timeline and Key Milestones
The GDPR has been the cornerstone of EU data protection since May 2018. It continues to evolve through landmark court decisions, new adequacy frameworks, and enhanced cross-border enforcement mechanisms. Use these milestones to align governance practices with current enforcement expectations.
European Commission proposes the General Data Protection Regulation
GDPR formally adopted by Parliament and Council; published in the Official Journal on 4 May
GDPR becomes enforceable across all EU Member States after the two-year transition period
Schrems II: CJEU invalidates EU-US Privacy Shield, disrupting transatlantic data flows
EU-US Data Privacy Framework adopted, creating an Article 45 adequacy route for certified US organisations; other transfers continue to rely on Chapter V tools
Council adopts a GDPR procedural regulation to streamline handling of cross-border enforcement cases
The GDPR procedural regulation becomes applicable (15 months after entry into force), adding harmonised cross-border procedures
Who is Subject to GDPR?
GDPR has broad extraterritorial reach. Article 3 defines three scenarios that bring an organisation in scope. There is no general applicability threshold based on size, though specific duties scale with role, risk, and processing type.
EU Establishment
You process personal data in the context of activities of an establishment in the EU, regardless of whether the processing itself takes place in the EU.
A US company with a sales office in Berlin processes customer data on US servers. GDPR applies because the processing is in the context of the Berlin office's activities.
Offering Goods or Services
You offer goods or services to data subjects in the Union, whether paid or free. Indicators include the use of a Member State language or currency alongside other intent factors identified in EDPB Guidelines 3/2018.
A Japanese SaaS tool with an EU pricing page in euros and German-language support is offering services to EU data subjects. GDPR applies even with no EU office.
Monitoring Behaviour
You monitor the behaviour of individuals within the EU, including profiling, tracking, or analytics on EU users.
A US ad-tech company tracks the browsing behaviour of EU website visitors to build advertising profiles. GDPR applies to this behavioural monitoring.
No Size Threshold
Unlike NIS2 or DORA, GDPR has no general applicability threshold based on size. If Article 3 applies, GDPR applies whether you have 1 employee or 100,000. Specific duties scale with role, risk, scale, and processing type; Article 30(5) provides a narrow records-of-processing derogation for organisations with fewer than 250 employees subject to conditions.
EU Representative (Article 27)
Where Article 3(2) applies, non-EU controllers or processors must appoint an EU representative under Article 27 unless an Article 27(2) exception applies. The exceptions cover (a) occasional processing that is not large-scale Article 9 special-category data or Article 10 criminal-offence data and is unlikely to result in a risk to data subjects’ rights and freedoms, and (b) public authorities or bodies. The representative is a contact point for data subjects and supervisory authorities; Article 27(5) preserves direct enforcement against the controller or processor.
GDPR Enforcement Has Global Reach
EU regulators have imposed billions in fines on companies worldwide, demonstrating that GDPR's extraterritorial scope is actively enforced.
Unlawful EU-US data transfers (2023)
Non-compliant ad targeting practices (2021)
Data transfers to China, children's data (2025)
Targeted advertising consent violations (2024)
The 7 GDPR Principles
Article 5 of GDPR establishes seven principles that form the foundation of all data protection obligations.
Lawfulness, Fairness & Transparency
Data must be processed lawfully, fairly, and in a transparent manner. Individuals must be informed about how their data is used.
Purpose Limitation
Data must be collected for specified, explicit, and legitimate purposes and not further processed in incompatible ways.
Data Minimisation
Only data that is adequate, relevant, and limited to what is necessary for the stated purpose should be processed.
Accuracy
Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.
Storage Limitation
Data must be kept in a form that permits identification of individuals for no longer than is necessary for the processing purposes.
Integrity & Confidentiality
Data must be processed with appropriate security, including protection against unauthorised access, loss, or destruction.
Accountability
The data controller is responsible for demonstrating compliance with all GDPR principles and must maintain evidence of compliance.
Data Subject Rights
GDPR grants individuals comprehensive rights over their personal data. For AI systems, Article 22 on automated decision-making is particularly relevant.
Right to Access
Individuals can request a copy of their personal data and information about how it is being processed.
Right to Rectification
Individuals can request correction of inaccurate personal data without undue delay.
Right to Erasure
The "right to be forgotten": individuals can request deletion of their personal data under certain conditions.
Right to Restrict Processing
Individuals can request limitation of processing while accuracy or lawfulness is being verified.
Right to Data Portability
Where processing is based on Article 6(1)(a) consent or 6(1)(b) contract and carried out by automated means, individuals can receive their data in a structured, machine-readable format and transmit it to another controller.
Right to Object
Individuals can object on grounds relating to their particular situation to processing based on Article 6(1)(e) or 6(1)(f), including profiling. Article 21(2) makes objections to direct marketing absolute.
Automated Decision-Making
Individuals have the right not to be subject to a decision based solely on automated processing (including profiling) producing legal effects or similarly significantly affecting them. Article 22(2) to (4) set the exceptions, safeguards, and Article 9 restrictions.
Right to be Informed
Individuals must be provided with clear, transparent information about how their data is collected and used.
Penalties for Non-Compliance
GDPR introduced the most significant data protection penalties in history, with a two-tier fine structure.
Article 83(5): up to €20 million or 4% of total worldwide annual turnover, whichever is higher
Violations of data-processing principles, data-subject rights, conditions for consent, and international data transfers.
Article 83(4): up to €10 million or 2% of total worldwide annual turnover, whichever is higher
Violations of obligations on controllers and processors, certification bodies, and monitoring bodies.
Under Article 33, personal-data breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to data subjects’ rights and freedoms. Under Article 34, affected data subjects must be informed when there is a high risk to them, subject to the Article 34(3) exceptions where appropriate technical and organisational measures have been applied.
How Modulos Helps with GDPR Compliance
Modulos gives privacy and product teams one workflow for requirements, controls, evidence, reviews, and exports. This helps you convert policy expectations into verifiable execution records.
Translate GDPR obligations into structured requirements and mapped controls so teams can execute with clear ownership and status tracking.
FAQ about GDPR for AI
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is the EU’s binding data-protection regulation. It governs the processing of personal data of individuals in the Union under the territorial-scope rules in Article 3: establishment in the Union under Article 3(1), offering of goods or services to data subjects in the Union under Article 3(2)(a), or monitoring of behaviour in the Union under Article 3(2)(b). GDPR has been in force since 25 May 2018. Penalties under Article 83 reach the higher of €20 million or 4% of total worldwide annual turnover.
GDPR applies to AI systems that process personal data falling within the territorial scope of Article 3 (Article 3(1) establishment in the Union, Article 3(2)(a) goods or services to data subjects in the Union, or Article 3(2)(b) monitoring of behaviour in the Union). Three groups of articles drive most AI obligations: Article 22 (automated decision-making with significant effects), Article 35 (Data Protection Impact Assessments for high-risk processing), and the lawful-basis requirements of Articles 6 and 9. AI systems also trigger transparency requirements under Articles 13 and 14 when personal data is collected.
Article 22 grants individuals the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significantly affects them. Article 22(2) sets narrow exceptions: contractual necessity (a), EU or Member State law (b), and explicit consent (c). For decisions taken under (a) or (c), Article 22(3) requires safeguards including human intervention, the right to express a view, and the right to contest. Article 22(4) restricts use of Article 9 special-category data unless Article 9(2)(a) or (g) applies.
Article 35 requires a DPIA when processing is likely to result in a high risk to individuals’ rights and freedoms. The EDPB-endorsed WP248 guidelines from the Article 29 Working Party identify nine criteria, including evaluation or scoring, automated decision-making with significant effects, systematic monitoring, large-scale processing, and innovative-technology applications. Many high-risk AI systems under the EU AI Act will also trigger a GDPR DPIA where personal-data processing is likely high-risk.
GDPR governs personal data processing; the EU AI Act governs AI system safety and fundamental rights. They overlap on biometric processing, automated decision-making, bias detection using sensitive data, and individual rights. Compliance with one does not satisfy the other; both apply simultaneously. The EU AI Act explicitly preserves GDPR (see Article 2(7) and Recital 9 of Regulation (EU) 2024/1689).
This is unsettled and case-specific. Common Article 6(1) bases for AI training: (a) consent under Article 6(1)(a), used for sensitive applications but operationally fragile; (b) legitimate interests under Article 6(1)(f), the most common basis for non-sensitive training, with a documented balancing test; (c) public interest under Article 6(1)(e), only where grounded in applicable EU or Member State law; (d) contract performance under Article 6(1)(b) where narrowly applicable. Special-category data requires an explicit Article 9(2) ground in addition to the Article 6 basis.
Article 35(7) sets the minimum DPIA contents: a systematic description of the envisaged processing operations and purposes; an assessment of the necessity and proportionality; an assessment of the risks to data subjects’ rights and freedoms; and the measures envisaged to address those risks. For AI systems, add data-quality and bias assessment, automated-decision-making analysis, model behaviour assessment, and post-deployment monitoring. The DPIA must precede high-risk processing; refer to the EDPB-endorsed WP248 DPIA guidelines.
Under Articles 22, 13, 14, and 15: the right to know that automated decision-making is taking place; the right to information about the logic involved and the significance of the decision (Articles 13(2)(f) and 14(2)(g)); the right under Article 22(3) to obtain human intervention, express one’s view, and contest the decision; the right of access under Article 15; and rights to rectification (Article 16) and erasure (Article 17) where applicable. National laws may extend these rights further.
Identify the Article 6 lawful basis: typically Article 6(1)(f) legitimate interests with a documented balancing test, not consent (candidates cannot freely refuse, so consent is operationally fragile). Run an Article 35 DPIA before deploying. Provide transparent information to candidates under Articles 13 and 14, and where Article 22 applies, implement the Article 22(3) safeguards (human intervention, right to express a view, right to contest). In Germany, additional analysis under Article 88 GDPR and the BDSG employment provisions is typically required. Many AI hiring tools also trigger high-risk obligations under EU AI Act Annex III, point 4.
GDPR compliance is not a property of an AI tool; it is a property of how a controller uses the tool with personal data. Compliance depends on the concrete role, purpose, data, safeguards, and Article 6 lawful basis, plus Article 28 processor agreements, Article 35 DPIA where required, and Articles 13 and 14 transparency. Some tools or uses may not be deployable lawfully at all (for example, AI Act prohibited practices or Article 22(4) restrictions on special-category data). Focus on your controller obligations, not on the tool’s marketing claims.
Modulos automates the governance workflow at the GDPR-AI intersection: Article 35 DPIA documentation, Article 22 automated-decision-making records, Article 6 lawful-basis tracking, data-subject-rights workflows, Article 28 processor due diligence, model documentation, and monitoring records. Controls map across GDPR, the EU AI Act, ISO/IEC 42001, NIST AI RMF, and SOC 2 simultaneously, so one evidence pipeline serves multiple frameworks.
The European Data Protection Board (EDPB) publishes guidelines and opinions at edpb.europa.eu. National Data Protection Authorities (DPAs) issue country-specific guidance: for AI, the French CNIL, the Spanish AEPD, and the UK ICO have particularly substantive guidance. The EU AI Act’s interaction with GDPR is addressed in joint EDPB and European Commission communications, and the published Regulation (EU) 2016/679 is on EUR-Lex.
How GDPR fits with other frameworks
GDPR rarely operates alone. AI builders and deployers run it alongside the EU AI Act and other frameworks across the same data and the same AI systems.
The EU AI Act explicitly preserves GDPR (Article 2(7) and Recital 9 of Regulation (EU) 2024/1689). The two regimes overlap on biometric processing, automated decision-making, bias detection using sensitive data, and individual rights. Compliance with one does not satisfy the other; both apply.
Where a cybersecurity incident is also a personal-data breach, NIS2 incident-reporting and Article 33 GDPR breach notification can both be triggered. For financial entities, DORA incident reporting layers on top.
Operationally, ISO/IEC 42001 provides the AI-management system inside which GDPR-AI controls run. NIST AI RMF supports the risk-analysis underpinning DPIA and Article 22 work. ISO/IEC 27002 controls support Article 32 security obligations.
For US-attestation work, SOC 2 control sets share evidence with GDPR Article 32 security and Article 28 processor obligations.
Need Stronger GDPR Governance for AI?
In a live walkthrough, see how to move from policy intent to verifiable execution with structured controls, evidence, and approvals.
