
GDPR-Compliant AI: What SMEs Need to Know

AI and data privacy for SMEs: Key GDPR requirements, common pitfalls, and practical tips for compliant AI solutions.

AI and GDPR: Not a Contradiction, but a Requirement

When mid-market companies think about AI, the question inevitably arises: “What about data privacy?” The good news: AI and GDPR are not mutually exclusive. The less good news: those who don’t know the rules risk hefty fines — up to 20 million euros or 4% of annual global turnover.

This article provides a practice-oriented overview of GDPR requirements for AI projects in the mid-market. No legal jargon, just concrete recommendations for action.

Key Takeaway: 78% of AI projects in the mid-market process personal data. Only 34% have conducted a Data Protection Impact Assessment beforehand. That is a risk that can be easily avoided.

GDPR Fundamentals for AI Projects

What Exactly Counts as “Personal Data” in an AI Context?

Many companies underestimate what qualifies as personal data. In the AI context, this includes:

  • Obvious: Names, email addresses, customer numbers
  • Less obvious: IP addresses, machine operator IDs, device identifiers
  • Often forgotten: Behavioral data (click patterns, usage times), biometric data (voice, face), location data
  • Indirect: Data sets that, in combination, can make a person identifiable

Rule of Thumb: If a data set can theoretically be traced back to a natural person — even with additional effort — it constitutes personal data.

The Six GDPR Principles in the AI Context

  1. Lawfulness: You need a legal basis (consent, legitimate interest, contract)
  2. Purpose limitation: Data collected for purpose A cannot simply be used for AI training (purpose B)
  3. Data minimization: Only process data that is truly necessary — no “the more, the better”
  4. Accuracy: AI models must be trained with correct data
  5. Storage limitation: Training data must not be stored indefinitely
  6. Integrity and confidentiality: Technical and organizational measures to protect data

For most AI projects in the mid-market, three legal bases apply:

Art. 6(1)(b) — Performance of a Contract:

  • Applies when AI processing is necessary for contract fulfillment
  • Example: AI-powered order processing, automated quote generation

Art. 6(1)(f) — Legitimate Interest:

  • Applies when your interest in the processing outweighs the data subjects’ interests
  • Example: Predictive maintenance (no direct personal reference), process optimization
  • Important: Requires a documented balancing of interests

Art. 6(1)(a) — Consent:

  • Required for particularly sensitive applications (e.g., employee monitoring)
  • Must be voluntary, informed, and revocable
  • Caution: “Voluntariness” is often questionable in employment relationships

Data Processing Agreements (DPA): Mandatory for External AI Services

As soon as an external service provider processes your data — and that is the case with most cloud-based AI solutions — you need a Data Processing Agreement (DPA) under Art. 28 GDPR.

What Must the DPA Include?

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Type of personal data
  • Categories of data subjects
  • Obligations and rights of the controller
  • Technical and organizational measures (TOMs)
  • Provisions for sub-processors
  • Deletion obligations after processing ends

Checklist for AI Service Providers

Before engaging an AI service provider, clarify:

  • Does the provider offer a GDPR-compliant DPA?
  • Where is data processed (EU or third country)?
  • Is your data used for training the provider’s own models?
  • Is there a deletion confirmation after contract termination?
  • Which sub-processors are involved?
  • Is the provider ISO 27001 or SOC 2 certified?

Where Does Your Data Live? EU vs. US vs. Rest of the World

The Third-Country Problem

Many popular AI services (OpenAI, Google Cloud AI, AWS) process data in the United States. Since the Schrems II ruling and the EU-US Data Privacy Framework, special rules apply:

EU-US Data Privacy Framework (DPF):

  • US companies on the DPF list may process personal data from the EU
  • But: Verify that your specific provider is on the list
  • Risk: The DPF could be invalidated like its predecessors (Safe Harbor, Privacy Shield)

Standard Contractual Clauses (SCCs):

  • Alternative to DPF for data transfers to third countries
  • Require a Transfer Impact Assessment (TIA)
  • Additional technical measures (e.g., encryption) may be necessary

Practical Recommendation: EU-First

For most mid-market AI projects, I recommend an EU-first approach:

  1. Prefer EU-based AI providers: Aleph Alpha (DE), Mistral AI (FR), or self-hosted open-source models
  2. Use EU data centers: Azure EU, AWS Frankfurt, Google Cloud EU
  3. Consider on-premise options: For particularly sensitive data, a local installation may be the better choice

Tip: Self-hosted open-source models (e.g., Llama, Mistral) give you full control over your data — and make a DPA with a US provider unnecessary.

Anonymization and Pseudonymization: Your Best Allies

Anonymization

When data is processed so that no personal reference can be established, the GDPR no longer applies. True anonymization is the gold standard.

Methods:

  • Removal of all direct identifiers (name, email, customer number)
  • k-Anonymity: Every combination of quasi-identifiers (e.g., ZIP code, age band, gender) is shared by at least k records, so no individual stands out within the dataset
  • Differential Privacy: Calibrated noise added to query results or model training so that the output does not reveal whether any single person was in the data
  • Aggregation: Only averages and totals instead of individual data points

Caution: Pseudonymization is not anonymization. Pseudonymized data remains personal data because the mapping can theoretically be restored.

Pseudonymization

Still valuable as a protective measure:

  • Replaces direct identifiers with pseudonyms
  • Reduces risk in case of data breaches
  • Recognized by the GDPR as a technical safeguard
  • Can positively influence the balancing of interests under Art. 6(1)(f)

Practical Workflow: Preparing Data for AI

  1. Inventory data: What personal data is in the training data?
  2. Assess necessity: Does the AI model actually need the personal reference?
  3. Anonymize where possible: Remove all unnecessary identifiers
  4. Pseudonymize where anonymization is not feasible: E.g., for customer support data
  5. Document: Record the process and results
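As an added illustration of steps 3 to 5 and of the k-anonymity and pseudonymization methods above (example code, not from the original article): the script generalizes quasi-identifiers, either drops direct identifiers or replaces them with keyed pseudonyms, verifies that the result meets a chosen k, and returns a documentation record. The sample tickets and the HMAC key are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data (not real people): support tickets with direct
# identifiers (name, email) and quasi-identifiers (zip, age) that could
# re-identify a person when combined.
RECORDS = [
    {"name": "Anna M.", "email": "anna@example.com", "zip": "80331", "age": 34, "issue": "login"},
    {"name": "Ben S.", "email": "ben@example.com", "zip": "80333", "age": 37, "issue": "billing"},
    {"name": "Cara W.", "email": "cara@example.com", "zip": "80335", "age": 31, "issue": "login"},
    {"name": "Dan O.", "email": "dan@example.com", "zip": "10115", "age": 52, "issue": "export"},
    {"name": "Eva L.", "email": "eva@example.com", "zip": "10117", "age": 58, "issue": "billing"},
    {"name": "Finn R.", "email": "finn@example.com", "zip": "10119", "age": 55, "issue": "login"},
]
DIRECT_IDS = ("name", "email")
QUASI_IDS = ("zip", "age")

def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): without the key the mapping cannot be rebuilt,
    but the key holder still can, so the result remains personal data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def generalize(rec: dict) -> dict:
    """Coarsen quasi-identifiers: 2-digit ZIP prefix and 10-year age band."""
    out = dict(rec)
    decade = rec["age"] // 10 * 10
    out["zip"] = rec["zip"][:2] + "***"
    out["age"] = f"{decade}-{decade + 9}"
    return out

def achieved_k(records: list) -> int:
    """Size of the smallest group of records sharing the same quasi-identifier values."""
    return min(Counter(tuple(r[q] for q in QUASI_IDS) for r in records).values())

def prepare(records: list, k: int, key=None) -> tuple:
    """Workflow steps 3-5. key=None: drop direct identifiers (anonymize);
    key given: replace them with pseudonyms. Returns (data, documentation)."""
    out = []
    for r in records:
        g = generalize(r)
        for f in DIRECT_IDS:
            if key is None:
                del g[f]
            else:
                g[f] = pseudonymize(g[f], key)
        out.append(g)
    achieved = achieved_k(out)
    if achieved < k:
        raise ValueError(f"smallest quasi-identifier group is {achieved}, below k={k}")
    doc = {"mode": "anonymized" if key is None else "pseudonymized",
           "k_required": k, "k_achieved": achieved,
           "still_personal_data": key is not None}
    return out, doc
```

Raising k (e.g., to 4) makes the check fail on this sample, which is the point of step 5: the achieved k is a documented result, not an assumption.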

Data Protection Impact Assessment (DPIA): When Is It Mandatory?

Mandatory for High Risk

A DPIA under Art. 35 GDPR is mandatory when processing “is likely to result in a high risk to the rights and freedoms of natural persons.” In the AI context, this includes:

  • Automated decision-making with legal effect (Art. 22 GDPR)
  • Profiling of employees or customers
  • Systematic monitoring of publicly accessible areas
  • Processing special categories of personal data (health, biometrics)
  • New technologies on a large scale

Contents of a DPIA

  1. Systematic description of the processing operations
  2. Assessment of necessity and proportionality
  3. Assessment of risks to data subjects’ rights
  4. Planned remediation measures (technical and organizational)

Practical Tip

Even when a DPIA is not mandatory: document your data protection considerations for every AI project. This demonstrates to the supervisory authority that you act responsibly — and protects you in case of disputes.

Do You Need a Data Protection Officer (DPO)?

Mandatory in Germany

In Germany, a DPO is mandatory when:

  • At least 20 persons are continuously involved in automated processing of personal data
  • The core activity involves extensive processing of special data categories
  • A Data Protection Impact Assessment under Art. 35 GDPR is required

Internal vs. External DPOs

Criterion | Internal DPO | External DPO
Costs | Fixed salary + training | €300–€1,500/month
AI expertise | Must be developed | Can choose a specialist
Termination protection | Special protection | Contract term
Availability | On-site | By appointment
Recommendation for SMEs | From 50 employees | Under 50 employees

Recommendation for AI Projects: An external DPO with AI experience is the better choice for most mid-market companies. They bring specialist knowledge and are more cost-effective than an internal full-time DPO.

Practical Checklist: GDPR-Compliant AI in 10 Steps

  1. Define purpose: Why are you using AI? What problem is being solved?
  2. Determine legal basis: Contract, legitimate interest, or consent?
  3. Analyze data inventory: What personal data is affected?
  4. Anonymize/Pseudonymize: Where possible, remove the personal reference
  5. Check DPIA requirement: Is a Data Protection Impact Assessment mandatory?
  6. Conclude DPAs: With every external service provider that processes data
  7. Update processing records: Enter AI processing activities
  8. Inform data subjects: Update privacy policy to include AI processing
  9. Implement technical measures: Encryption, access control, logging
  10. Review regularly: Check compliance at least annually

The EU AI Act: What Is Coming for SMEs?

In addition to the GDPR, the EU AI Act has been taking effect in phases since 2024. For most AI projects in the mid-market:

  • Minimal risk: The majority of enterprise AI (document processing, process optimization) falls into the “minimal risk” category and is barely regulated
  • High risk: AI in hiring, credit scoring, or safety-critical systems is subject to strict requirements (documentation, transparency, human oversight)
  • Prohibited: Social scoring, manipulative AI, biometric mass surveillance

Relevant for SMEs: From August 2026, obligations for high-risk AI will be fully enforceable. Check now whether your AI applications are affected.

Conclusion: Data Privacy as a Quality Feature

GDPR compliance in AI projects is not an obstacle — it is a quality feature. Companies that incorporate data privacy from the start build more robust systems, earn customer trust, and avoid expensive retrofitting.

The effort for GDPR-compliant AI is manageable when you proceed systematically. The ten steps in the checklist above will cost you one to two days of work — and protect you from risks that could cost many times that amount.

Planning an AI project and want to ensure GDPR compliance from day one? We support you with planning, vendor selection, and documentation — so your project stands on solid ground both technically and legally.


Dennis Pfeifer
Founder & IT Consultant
