AI systems process data — and when that data is personal, GDPR applies. In this lesson, we clarify when and how GDPR applies to AI applications and what responsibilities arise.
GDPR applies whenever an AI system processes personal data. This includes:
Even when using an external LLM via API (e.g., OpenAI, Anthropic), you process personal data when:
GDPR distinguishes three roles:
| Role | Description | Example in AI Context |
|---|---|---|
| Controller | Determines purpose and means of processing | Your company deploying an AI tool |
| Processor | Processes data on behalf of the controller | Cloud AI provider (OpenAI, Azure AI) |
| Joint Controllers | Jointly determine purpose and means | When you train AI models with a partner |
Key point: As a company deploying an AI tool, you are typically the controller — even when actual AI processing happens at the provider. You bear the compliance responsibility.
| Principle | Meaning for AI |
|---|---|
| Lawfulness | Legal basis needed for every data processing |
| Purpose limitation | Use data only for the defined AI purpose |
| Data minimization | Send only necessary data to the AI |
| Accuracy | Verify AI outputs for correctness before use |
| Storage limitation | Don't store prompts and responses indefinitely |
| Integrity & Confidentiality | Encryption, access controls, secure APIs |
| Accountability | Document proof of compliance |
AI systems often unintentionally process sensitive data (Art. 9 GDPR):
Consequence: Processing special categories is generally prohibited — unless one of the narrow exceptions in Art. 9(2) GDPR applies (e.g., explicit consent).
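The data minimization principle from the table above (send only necessary data to the AI) and the Art. 9 special-category check can be enforced at the point where a prompt leaves for an external LLM API. The following is an added example, not code from this course or from any provider; the identifier patterns and the special-category term list are assumed for illustration and are deliberately simplistic, not a complete personal-data detector.

```python
import re

# Constructed, illustrative patterns for direct identifiers (assumed, not exhaustive).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s/-]{7,}\d")

# Assumed keyword list for Art. 9 GDPR special categories; a real deployment
# would use a proper classifier or a much larger curated list.
SPECIAL_CATEGORY_TERMS = {
    "health": ["diagnosis", "medication", "pregnant", "disability"],
    "religion": ["catholic", "muslim", "jewish"],
    "trade_union": ["union member"],
    "sexual_orientation": ["gay", "lesbian"],
}


def minimize_prompt(prompt: str) -> dict:
    """Redact direct identifiers and flag special-category content.

    Returns the minimized prompt, how many redactions were made, which
    Art. 9 categories were detected, and whether sending is allowed
    under the default rule (no special categories without an Art. 9(2) basis).
    """
    redacted, n_email = EMAIL_RE.subn("[EMAIL]", prompt)
    redacted, n_phone = PHONE_RE.subn("[PHONE]", redacted)
    lowered = redacted.lower()
    flags = sorted(cat for cat, terms in SPECIAL_CATEGORY_TERMS.items()
                   if any(term in lowered for term in terms))
    return {
        "prompt": redacted,
        "redactions": n_email + n_phone,
        "special_categories": flags,
        "allowed": not flags,
    }


def send_if_allowed(prompt: str, send) -> dict:
    """Gate an LLM call: `send` is the caller's API function (injected so this
    runs offline). Blocked prompts are never passed to the provider."""
    result = minimize_prompt(prompt)
    if not result["allowed"]:
        return {"sent": False, **result}
    return {"sent": True, "response": send(result["prompt"]), **result}


if __name__ == "__main__":
    # Constructed sample input; the stub stands in for the real API client.
    sample = "Summarise the complaint from anna.mueller@example.com, phone +49 30 1234567."
    print(send_if_allowed(sample, lambda p: "stub response for: " + p))
```

Logging the `redactions` count and `special_categories` flags per call also gives you the evidence the accountability principle asks for, without storing the original prompt.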
Practical Tip: Create a record of processing activities (Art. 30 GDPR) for each AI system. It's mandatory — and helps you maintain oversight at the same time.
When does GDPR apply to AI systems?