Data Processing Agreements and AI Providers
When you use cloud-based AI services (OpenAI, Azure AI, Google Vertex AI, Anthropic, AWS Bedrock), prompts, uploaded documents and API payloads leave your environment and are processed by an external provider. As soon as that data contains personal data, Art. 28 GDPR requires a Data Processing Agreement (DPA) with the provider, and, because most of these providers are US companies, special attention to third-country transfers.
What Counts as Processing on Behalf of a Controller?
Processing on behalf of a controller (Art. 28 GDPR) occurs when an external service provider processes personal data according to your instructions and for your purposes. You remain the controller; the AI provider is the processor. For AI cloud services this is the norm whenever personal data is part of the input:
| Scenario | Processing on behalf (Art. 28)? |
|---|---|
| Employee uses ChatGPT for internal research without entering personal data | No (no personal data is transmitted; the employee's own account data is governed by the provider's terms, not by an Art. 28 relationship) |
| Customer data sent to the OpenAI API for analysis | Yes |
| AI tool processes application documents in the cloud | Yes |
| On-premise LLM without external data transmission | No |
The Data Processing Agreement (DPA)
A DPA must be concluded in writing (electronic form is sufficient) before processing begins and must contain at minimum:
Mandatory Contents (Art. 28(3) GDPR):
- Subject matter and duration of processing
- Nature and purpose of processing
- Type of personal data and categories of data subjects
- Obligations and rights of the controller
- Processing only on the controller's documented instructions
- Confidentiality obligation of the processor's personnel
- Technical and organizational measures (TOMs) under Art. 32
- Conditions for engaging sub-processors (prior authorization, notification of changes)
- Assistance with data subject rights, security, breach notification and DPIAs (Art. 32 to 36)
- Deletion or return of data after processing ends
- Audit and inspection rights of the controller, including provision of the information needed to demonstrate compliance
DPAs of Major AI Providers (as of 2026):
- OpenAI: Data Processing Addendum available for Enterprise customers
- Microsoft Azure: Microsoft Products and Services Data Protection Addendum, incorporated into the Product Terms (formerly the Online Services Terms)
- Google Cloud: Cloud Data Processing Addendum
- Anthropic: DPA available for API customers
- AWS Bedrock: AWS DPA as part of the service agreement
Check whether the provider's standard DPA meets your requirements (in particular the sub-processor list, the deletion periods and the audit clause) or whether adjustments are needed. Provider DPAs are typically take-it-or-leave-it documents; if a clause is unacceptable, the realistic remedy is a different product tier or a different provider rather than negotiation.
Third-Country Transfers
Many AI providers run their infrastructure outside the EU (especially in the USA). Transferring personal data to a third country requires a transfer mechanism under Chapter V GDPR in addition to the DPA:
Current Legal Situation (2026):
- EU-US Data Privacy Framework (DPF): Adequacy decision adopted in July 2023; it covers transfers to US organizations that are actually listed as certified under the DPF, so verify the provider's entry on the DPF list rather than relying on a statement in the contract
- Standard Contractual Clauses (SCC): The fallback when no adequacy decision applies, for example for a provider that is not DPF-certified or for sub-processors in other third countries
- Transfer Impact Assessment (TIA): Required alongside SCCs; documents whether the law and practice of the third country undermine the protection the SCCs promise and which supplementary measures (encryption, pseudonymization before transmission) close the gap
Practical Recommendations:
- Choose an EU region: Most providers offer EU data processing (e.g., Azure EU regions, AWS eu-central-1 in Frankfurt). An EU region alone does not end the analysis: remote access by the provider's support or engineering staff from outside the EU is itself a transfer and must be covered by the DPF or SCCs
- Check data residency: Where is data stored AND processed? Data at rest in Frankfurt does not help if inference requests are routed to a US region
- Opt out of training: Ensure contractually that your prompts and outputs are not used for model training; consumer products often train by default, API and enterprise tiers generally do not
- Zero data retention: Some providers offer not to persist prompts and completions at all. Without such an arrangement, request logs are commonly kept for a limited period for abuse monitoring, which must be reflected in your deletion concept
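The recommendations above are easy to state and easy to lose in a config change six months later. The following is an added example of an egress guard that enforces them in code before any payload leaves: it refuses to call an AI endpoint unless the host is on an allowlist, both storage and processing regions are in the EU, and the training opt-out, zero-data-retention and DPA flags are set. This is illustrative code written for this page, not any provider's SDK; the region identifiers follow the providers' public naming, but the host suffixes, config keys and sample configurations are assumptions made for the example.

```python
"""Egress guard for AI provider calls: fail closed unless the configured
endpoint satisfies the data-residency, training opt-out and retention
requirements. Added example; hostnames and config keys are assumptions."""

from dataclasses import dataclass
from urllib.parse import urlparse

# Regions the organisation accepts as "EU data processing".
# Assumption: identifiers follow AWS, Azure and Google Cloud public region names.
EU_REGIONS = {
    "eu-central-1", "eu-west-1", "eu-west-3", "eu-north-1",              # AWS
    "westeurope", "northeurope", "germanywestcentral", "swedencentral",  # Azure
    "europe-west1", "europe-west3", "europe-west4",                      # Google Cloud
}

# Assumed egress allowlist: outbound AI calls may only go to these host suffixes.
# Illustrative, not an authoritative list of provider endpoints.
ALLOWED_HOST_SUFFIXES = (".openai.azure.com", ".amazonaws.com", ".googleapis.com")


@dataclass(frozen=True)
class ProviderConfig:
    name: str
    endpoint: str              # base URL the client will POST to
    storage_region: str        # where the provider keeps data at rest
    processing_region: str     # where inference actually runs
    training_opt_out: bool     # provider contractually excludes your data from training
    zero_data_retention: bool  # provider does not persist prompts/completions
    dpa_signed: bool           # Art. 28 DPA concluded before go-live


def evaluate(cfg: ProviderConfig) -> list[str]:
    """Return the requirements this configuration violates (empty list = OK)."""
    findings: list[str] = []
    url = urlparse(cfg.endpoint)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        findings.append("endpoint must use https")
    if not host.endswith(ALLOWED_HOST_SUFFIXES):
        findings.append(f"endpoint host {host!r} is not on the egress allowlist")
    if not cfg.dpa_signed:
        findings.append("no DPA concluded with this provider")
    # Stored AND processed in the EU: a provider can keep data at rest in
    # Frankfurt while routing inference to a US region; both must pass.
    for label, region in (("storage", cfg.storage_region),
                          ("processing", cfg.processing_region)):
        if region not in EU_REGIONS:
            findings.append(f"{label} region {region!r} is outside the EU allowlist")
    if not cfg.training_opt_out:
        findings.append("data may be used for model training (opt-out not confirmed)")
    if not cfg.zero_data_retention:
        findings.append("provider retains prompts/completions (no zero-data-retention)")
    return findings


def send_if_compliant(cfg: ProviderConfig, payload: bytes, transport):
    """Gate an outbound AI call: nothing is sent unless evaluate() is clean."""
    findings = evaluate(cfg)
    if findings:
        raise PermissionError(
            f"refusing to send personal data to {cfg.name}: " + "; ".join(findings))
    return transport(cfg.endpoint, payload)


# Constructed sample configurations (illustrative values, not real deployments).
COMPLIANT = ProviderConfig(
    name="bedrock-frankfurt",
    endpoint="https://bedrock-runtime.eu-central-1.amazonaws.com",
    storage_region="eu-central-1", processing_region="eu-central-1",
    training_opt_out=True, zero_data_retention=True, dpa_signed=True)

NON_COMPLIANT = ProviderConfig(
    name="generic-us-api",
    endpoint="https://api.example-ai.invalid/v1/chat",
    storage_region="eu-central-1", processing_region="us-east-1",
    training_opt_out=False, zero_data_retention=False, dpa_signed=True)


def fake_transport(endpoint: str, payload: bytes) -> dict:
    """Stand-in for the real HTTP call so the example runs offline."""
    return {"endpoint": endpoint, "bytes": len(payload)}


if __name__ == "__main__":
    print(send_if_compliant(COMPLIANT, b'{"prompt": "..."}', fake_transport))
    try:
        send_if_compliant(NON_COMPLIANT, b'{"prompt": "..."}', fake_transport)
    except PermissionError as exc:
        print(exc)
```

The point of the guard is that it sits in front of the HTTP client, so a developer who switches an endpoint to a non-EU region or a provider without a retention agreement gets a hard failure rather than a silent compliance gap. The flags it checks are only as good as the contractual facts behind them; populate them from the signed DPA, not from the provider's marketing page.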
Checklist: Using AI Providers in GDPR Compliance
- ☐ DPA concluded (before processing begins)
- ☐ Third-country transfer checked and secured
- ☐ EU region selected for data processing
- ☐ Opt-out for model training activated
- ☐ Provider's TOMs reviewed
- ☐ Sub-processor list reviewed
- ☐ Deletion concept agreed
Practical Tip: Choose an AI provider with an EU data center and zero-data-retention option. This significantly reduces compliance effort and risk.