1. What does GDPR-compliant actually mean for AI?

On providers' websites, "GDPR-compliant" has become a marketing term. In legal terms, the question breaks down into three verifiable requirements. Anyone who can answer all three is on the safe side — anyone who meets only one of them has a compliance problem that cannot be advertised away.

The Data Processing Agreement (DPA) under Art. 28 GDPR

As soon as an AI tool processes personal data on your behalf — and practically every business prompt that contains names, email addresses, client or customer data does exactly that — you are the controller and the provider is the processor. Art. 28(3) GDPR requires a written contract for this, setting out the subject matter, duration, nature and purpose of the processing. The provider may process data exclusively on your documented instructions, must disclose sub-processors, and must delete or return all data at the end of the contract.

From this follows the first hard consequence: free consumer versions of AI tools do not offer a DPA. Anyone who feeds personal business data into ChatGPT Free or Plus is in breach of Art. 28 — regardless of what actually happens to the data. Such breaches carry fines: Art. 83(4) GDPR provides for up to €10 million or 2 % of worldwide annual turnover, and these ceilings double where data subjects' rights are infringed.

Data residency: where does the data sit — and who can access it?

The second requirement concerns the place of processing. If data is transferred to a third country such as the USA, you need a legal basis under Chapter V of the GDPR. Since the Schrems II ruling of the CJEU (C-311/18), it is clear that standard contractual clauses alone are not sufficient where the law of the recipient country conflicts with EU data protection. That is precisely the case with the US CLOUD Act: it obliges US companies to hand over data to US authorities — regardless of where the data is physically stored. An "EU data center" run by a US corporation improves the situation, but does not fully eliminate the structural problem.

The training-data question

The third requirement is specific to AI: does the provider use your inputs to train its models? If so, your data permanently leaves your sphere of control — deletion under Art. 17 GDPR is, in practice, no longer possible from a trained model. Consumer versions of many AI services use inputs for training by default; business and API versions exclude this contractually. You must have this clause in writing, not just read it in a provider's blog post.

GDPR: the base layer for all companies

The GDPR applies to every company that processes personal data — from sole traders to large corporations. For the use of AI, alongside Art. 28 the most relevant provisions are Art. 5(1)(c) (data minimization: the AI receives only what it needs for the task), Art. 25 (data protection by design), Art. 32 (security of processing) and Art. 35: where there is likely to be a high risk to data subjects — which is regularly the case with systematic AI processing of sensitive data — a data protection impact assessment (DPIA) must be carried out before the tool goes live.

§203 StGB: the criminal provision for professionals bound by confidentiality

For lawyers, tax advisors, doctors, auditors, pharmacists and other professional groups, a second, stricter layer is added: §203 StGB (German Criminal Code) makes the unauthorized disclosure of others' secrets a criminal offense — punishable by up to one year of imprisonment or a fine. This is not data protection law with fines, but criminal law with personal liability.

The 2017 reform does allow professionals bound by confidentiality to involve external IT service providers as "other persons assisting in their professional activity". The conditions, however, are narrow: the service provider must be contractually bound to secrecy, disclosure must be limited to what is necessary, and the professional remains personally liable. A standard SaaS subscription from an AI provider without such a confidentiality undertaking generally does not meet these requirements. We have explored what this means specifically for law firms in two dedicated articles: Can my law firm use ChatGPT? and ChatGPT for tax advisors: what §203 StGB really prohibits.

EU AI Act: the new regulatory layer

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 2 August 2024 and becomes applicable in stages. For companies that merely use AI (in the terminology of the Regulation: "deployers"), three dates are particularly relevant:

For most companies that use AI to assist with text, research or document work, the AI Act primarily means: take the training obligation seriously, document which systems are in use, and, when choosing a provider, make sure that the provider meets its GPAI obligations. It does not replace the GDPR — both apply in parallel.

3. The four technical routes compared

Anyone who wants to use AI in a GDPR-compliant way has, in 2026, four realistic options. None of them is the right one for everyone — the honest answer depends on team size, budget, data category and whether you are bound by professional confidentiality.

Route 1: public AI tools (consumer versions)

ChatGPT Free/Plus, Gemini, Copilot in the consumer version. Advantages: instantly available, cheap or free, best usability. Drawbacks: no DPA, inputs can be used for training, no control over storage location and sub-processors. Conclusion: not permissible for personal or confidential business data. What remains legitimate is use for fully anonymous tasks — general research, text drafts with no personal reference. In practice, however, this dividing line is hard to maintain in day-to-day work (see section 5, shadow AI).

Route 2: enterprise contracts (ChatGPT Team/Enterprise, Copilot 365, Langdock & co.)

Business versions of the large providers, as well as German wrapper platforms such as Langdock. Advantages: DPA included, training on customer data contractually excluded, SSO and admin controls, in some cases EU data residency, familiar interfaces. Drawbacks: with US providers, the CLOUD Act problem remains structurally in place; the infrastructure is shared, not dedicated; and — crucially for regulated professions — a §203 confidentiality undertaking is not part of the standard contract with any of the large providers. Conclusion: for companies not bound by professional confidentiality, often a defensible, pragmatic solution. For law firms, tax advisors and medical practices, a gap remains. You will find the detailed comparison here: ClapNClaw vs. ChatGPT Team vs. Langdock.

Route 3: Managed Private (e.g. ClapNClaw)

A dedicated AI workspace per company, operated by the provider. With ClapNClaw, that means in concrete terms: your data, documents and chat histories sit in a dedicated, isolated container on Hetzner servers in Frankfurt (German provider, German jurisdiction). Inference runs via Claude on AWS Bedrock in eu-central-1 (Frankfurt) without data storage — prompts are processed and discarded, not stored and not used for training. The DPA under Art. 28 is part of the contract from day 1, on the Compliance plan together with the §203 confidentiality undertaking. Pricing: Team €29, Compliance €59 per user per month.

In fairness, the limits too: ClapNClaw is not an on-premise product — anyone who must or wants to keep data exclusively in-house needs Route 4. Inference uses AWS Bedrock, i.e. the EU region of a US hyperscaler — without data storage, but anyone who categorically rules out any US contact will not be happy here. And in the current phase, ClapNClaw does not process health data under Art. 9 GDPR; for medical practices that means: administration, correspondence and organization yes, patient data no. Conclusion: the right route for small and mid-sized teams in regulated professions that need compliance without their own IT department.

Route 4: on-premise with open-source models

Llama, Mistral or other open models on your own hardware. Advantages: maximum control, no third-country transfer, no dependence on providers, conceivable even for Art. 9 data. Drawbacks: a substantial initial investment in GPU hardware (realistically five figures), ongoing operating and maintenance effort, your own responsibility for security and updates — and on demanding text and analysis tasks, open models currently do not consistently reach the level of the leading commercial models. Conclusion: the right choice for larger organizations with their own IT and the highest demands on data sovereignty. For a team of 5–20 people, usually uneconomical.

Criterion              | Public tools  | Enterprise contract  | Managed Private        | On-premise
DPA Art. 28            | No            | Yes                  | Yes, from day 1        | N/A (internal)
Training on your data  | Possible      | Excluded             | Excluded               | Excluded
Data residency         | Unclear       | EU option in part    | Frankfurt (dedicated)  | In-house
§203 safeguard         | No            | Not standard         | Yes (Compliance plan)  | Your own responsibility
Effort for you         | None          | Low                  | Low                    | High
Cost/user/month        | €0–23         | approx. €25–60       | €29–59                 | Hardware + operation

4. Checklist: 10 points for evaluating a provider

Whichever route you decide on — every AI provider should be able to answer these ten questions in writing before a single prompt with real data is ever sent:

  1. DPA: is there a Data Processing Agreement under Art. 28 GDPR — and is it part of the contract, not a matter for negotiation?
  2. Training exclusion: is it contractually guaranteed that your inputs will not be used for model training?
  3. Storage location: where does your data permanently sit — and is the hosting provider under EU or US jurisdiction?
  4. Inference location: where does the model processing run, and are prompts stored in the process?
  5. Sub-processors: is there a complete, up-to-date list of all sub-processors?
  6. §203 undertaking: does the provider offer professionals bound by confidentiality a written undertaking under §203(4) StGB?
  7. Deletion: can you request and verify the complete deletion of your data (Art. 17 GDPR)?
  8. Access control: who at the provider can technically access your content — and is every access logged?
  9. Tenant isolation: is your data isolated from that of other customers (dedicated instance) or only logically separated?
  10. AI Act maturity: does the model provider meet its GPAI obligations (Art. 53), and does the provider support you with the training obligation under Art. 4?

5. Implementing it in your team: policy, training, shadow AI

Shadow AI: the problem you already have

The uncomfortable truth first: your staff are already using AI — with or without approval. If you do not provide a compliant tool, you do not get an AI-free organization, but shadow AI: private ChatGPT accounts into which client letters, patient notes and draft contracts are pasted, without a DPA, without control, without a log. The most effective remedy is not a ban, but an official, equally good tool plus clear rules.

The AI policy: one page is enough

A usable AI policy for a small or mid-sized team fits on a single page and answers four questions:

  1. Which tools are approved? (By name, with the version specified.)
  2. What data may go in? (E.g.: approved tool = personal data too; everything else = anonymous content only.)
  3. What is off-limits? (For example, health data, unless the tool is approved for it.)
  4. Who is the point of contact in case of doubt?

Add a review obligation: AI results are checked on the merits before use — responsibility remains with the human.

Training: mandatory since February 2025, not optional

With Art. 4 of the EU AI Act, AI literacy has been a legal requirement since 2 February 2025. In practice, a short, documented training session is enough for most teams: what the tool can and cannot do (keyword: hallucinations), what data may go in, how to check results. Repeat this annually and at onboarding — and document attendance. Industry-specific starting points can be found on our pages for law firms, tax advisors and medical practices, as well as in the practical article AI for tax advisors: use cases and DATEV integration.

6. Frequently asked questions (FAQ)

Is ChatGPT GDPR-compliant?

The free and Plus versions are not suitable for personal business data: by default, inputs can be used for training, and there is no DPA. ChatGPT Team and Enterprise offer a DPA and exclude training on customer data — but the CLOUD Act problem and the missing §203 safeguard remain. For professionals bound by confidentiality, that is usually not enough.

Do I need a DPA under Art. 28 GDPR for every AI tool?

Yes, as soon as the tool processes personal data on your behalf. Without a written DPA, using the tool is a breach of Art. 28(3) GDPR — regardless of how well the provider is technically secured. You should also check the sub-processor list and the place of processing.

What does §203 StGB mean for using AI in law firms and medical practices?

§203 StGB makes the unauthorized disclosure of professional secrets a criminal offense. Professionals bound by confidentiality may only involve external IT service providers if those providers are contractually bound to secrecy and disclosure is limited to what is necessary. A standard cloud AI subscription without a corresponding confidentiality undertaking generally does not meet this requirement. Details: our law firm article on §203 StGB.

Is an EU data center of a US provider enough for GDPR?

An EU data center improves data residency, but it does not solve every problem: US parent companies are subject to the CLOUD Act and can be compelled to hand over data, regardless of where it is stored. What matters is the overall architecture — where data permanently resides, who has access and whether inference happens without storage.

What does GDPR-compliant AI cost for a small team?

Enterprise versions from the large providers start at around €25–30 per user per month. Managed private solutions such as ClapNClaw cost €29 (Team) or €59 (Compliance, incl. the §203 safeguard) per user per month. On-premise open source is free to license, but incurs hardware and operating costs that are usually well above that for small teams.

GDPR-compliant AI for your team — without your own IT department

Claude in your own container in Frankfurt, a DPA from day 1, the §203 safeguard on the Compliance plan. In a 30-minute demo we will walk you through the architecture and the contracts in detail.


Note: This article is for general information and does not constitute legal advice. The legal situation regarding the GDPR, §203 StGB and the EU AI Act is continually evolving; only a lawyer can provide binding statements for your individual case. As of: June 2026.