GDPR

The General Data Protection Regulation governs personal-data processing for individuals in the EU/EEA, with extraterritorial reach and material penalties.

What is GDPR?

The General Data Protection Regulation (Regulation (EU) 2016/679) governs the processing of personal data of individuals located in the EU and European Economic Area. It applies to any organisation processing such data regardless of where the organisation is based, which gives it extraterritorial reach. It came into force in May 2018.

GDPR establishes data subject rights (access, rectification, erasure, portability, objection), legal bases for processing (consent, contract, legitimate interest, legal obligation, vital interests, public interest), and obligations on controllers and processors including data protection impact assessments, breach notification within 72 hours, and appointment of a Data Protection Officer in qualifying cases.

Data Processing Agreements (DPAs)

Under Article 28, controllers and processors must have a written contract — a Data Processing Agreement — that specifies the processing scope, duration, nature, purpose, type of personal data, and the controller's instructions. For AI vendors, the DPA must address sub-processors (typically with prior authorization and a flow-down obligation) and cross-border transfers (typically using EU Standard Contractual Clauses or an adequacy decision).

GDPR for AI procurement

When evaluating an AI vendor for use with EU personal data, ask: do they offer a GDPR-compliant DPA, what sub-processors do they use, do they train on customer prompts, where is data hosted, and what cross-border transfer mechanism applies. If the vendor routes through a U.S.-based upstream model API, the DPA must address the U.S. data flow — typically via SCCs and a Transfer Impact Assessment.