Lawful Basis for AI Data Processing
GDPR Article 6 requires a lawful basis for processing personal data. AI agents process personal data (customer interactions, training data, behavioral patterns), so you must establish a lawful basis before deploying them.
Six Lawful Bases Under GDPR
- Consent: Explicit permission from individual. Required if processing is sensitive or unexpected.
- Contract: Processing necessary to perform service individual requested. Common for customer service AI.
- Legal Obligation: Law requires processing (tax reporting, fraud prevention). Least common for AI.
- Vital Interests: Processing protects someone's life. Rare in business AI.
- Public Task: Government or public body performing official function. Rare in private sector.
- Legitimate Interests: Business benefits outweigh individual's privacy interests. Most common for commercial AI.
For customer service AI, "contract" (processing needed to fulfill the customer's request) is the typical basis. For marketing AI, "legitimate interests" requires documentation that business interests outweigh privacy concerns. Consent is safest but rarely required for business AI.
Data Subject Rights in AI Context
GDPR Articles 12-22 grant individuals rights: access (know what data you hold about them), correction (fix inaccurate data), deletion (remove data), data portability (export data), and objection (opt out of processing). AI agents complicate fulfilling these rights.
Key Compliance Requirements
- Provide access: Individuals can request all personal data an AI agent holds about them
- Correction: Individuals can request correction of inaccurate data AI uses
- Deletion: Individuals can request data deletion (within limits)
- Opt-out: Individuals can object to processing (especially automated decision-making)
- Human review: If AI makes decisions with legal effect (hiring, credit), provide ability to request human review
Data Protection Impact Assessments (DPIA)
GDPR Article 35 requires a DPIA for high-risk processing. AI agents typically require a DPIA, especially when they process sensitive data or make automated decisions. The DPIA should address model bias, data quality, retention, and transparency.
DPIA Template for AI Agents
- Purpose: What does the AI agent do? What decisions does it make?
- Data types: What personal data does it process?
- Training data source: Where did model training data come from?
- Risks: Bias, accuracy, unauthorized access, retention duration
- Mitigation: How will you address identified risks?
- Rights fulfillment: How will individuals exercise GDPR rights?
- Approval: Review and approval by the data protection authority (supervisory authority), where required
Vendor Contracts & Data Processing Agreements
If an AI vendor processes personal data on your behalf, GDPR Article 28 requires a Data Processing Agreement (DPA). Many organizations skip this when using cloud AI services; that is non-compliance.
Essential DPA Clauses for AI
- Data scope: Exactly what data does vendor process?
- Purpose: Specifically for AI training? Inference only? Delete after processing?
- Duration: How long does vendor retain data?
- Sub-processors: Who else accesses data (model training, analytics)?
- Data deletion: Guarantee data is deleted after contract ends
- Audit rights: Can you audit vendor's data handling?
- Data transfers: Where is data stored? Are there international transfers?
- Opt-out: Can data be excluded from model training?
Model Training & Data Confidentiality
Critical question: does the AI vendor use your data to train its model? If yes, your data improves the vendor's product (which may compete with you). Insist on an opt-out. Good vendors now offer data confidentiality guarantees.
Data Confidentiality Verification
- Request written commitment: "We will not use your data to train our models"
- Verify in contract: Include explicit clause prohibiting training use
- Review documentation: Many vendors now allow opt-out in account settings
- Sub-processors: Ensure clause covers sub-processors (vendors' vendors)
- Exceptions: Define any exceptions (e.g., the vendor may use aggregated data for service improvement)
International Data Transfers
If data leaves the EU (even temporarily), GDPR Chapter V applies. Transfers to countries without an adequacy decision require safeguards such as Standard Contractual Clauses. Verify the vendor's data location and transfer mechanisms.
Implementation Checklist
GDPR Compliance for AI Agents
- Document lawful basis for AI processing
- Complete DPIA for AI system
- Request DPA from AI vendor
- Verify data opt-out from training (in DPA or settings)
- Check data location and international transfer mechanisms
- Implement data subject rights fulfillment (access, deletion, correction)
- Document approval chain for AI deployment
- Train teams on GDPR requirements
- Review compliance quarterly
Bottom Line
GDPR compliance for AI is achievable but requires deliberate action. Document the lawful basis, complete a DPIA, request a DPA from the vendor, and verify data confidentiality. Without these basics, AI deployment in the EU exposes the organization to regulatory risk.