What is the GDPR and how does it apply to AI?
Privacy, security and identity
The GDPR is the EU General Data Protection Regulation (Regulation (EU) 2016/679), the law governing how personal data about people in the EU is processed. It is not an AI law, but it applies in full whenever an AI system trains on, or runs on, personal data. That means controllers need a lawful basis, must be transparent, must respect data subject rights, and must handle profiling, automated decisions and special category data with care.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
The GDPR is the European Union's central data protection law. It took effect on 25 May 2018 and applies directly in every EU and EEA member state. It sets rules for any organisation that processes personal data, meaning any information relating to an identified or identifiable living person. It does not regulate AI as such. It regulates personal data, whatever technology is used to handle it.
Because so much AI is built and run on personal data, the GDPR is one of the main laws AI developers and deployers in Europe must follow. There is no AI exemption. If a model is trained on personal data, or used to make decisions about people, the GDPR applies at each stage. This page explains the Regulation itself and the parts most relevant to AI.
This page covers the specific EU instrument. The wider field of data protection in general is covered on a separate page. The UK has its own near-identical version, the UK GDPR, which is now diverging slowly and is explained briefly below.
Why it matters
The GDPR matters for AI because it is already being enforced against AI systems, and the penalties are high. The top tier of fines reaches 20 million euros or 4 percent of total worldwide annual turnover, whichever is higher, for breaches of core principles and data subject rights. Regulators have used these powers. The Italian Garante fined OpenAI 15 million euros in its decision of 20 December 2024 over ChatGPT, and the Dutch authority fined Clearview AI 30.5 million euros over its facial recognition database. National courts can overturn enforcement, as happened in the OpenAI case, but the underlying duties remain.
For any leader deploying AI in Europe, the GDPR is the floor. It governs the training data, the transparency owed to people, the rights individuals can exercise, and the safeguards required where decisions are automated. Getting this wrong is not just a compliance risk. It can force retraining, deletion of data, or in the most serious cases deletion of a model.
How it works
What the Regulation is and what it covers
The GDPR is Regulation (EU) 2016/679. As a Regulation rather than a Directive, it applies directly across the EU without needing each country to pass its own transposing law, though member states retain some room to add national rules in specific areas. Its material scope, set in Article 2, covers the processing of personal data wholly or partly by automated means, and non-automated processing of data held in a filing system. It does not apply to truly anonymous data, that is, information that does not relate to an identifiable person. It also does not apply to purely personal or household activity, or to areas outside EU law such as national security.
The key building blocks are defined in Article 4. Personal data is any information relating to an identified or identifiable natural person. Processing is almost anything done with that data, from collection to storage to deletion. A controller decides why and how data is processed. A processor acts on the controller's instructions. Pseudonymised data is still personal data. Only genuinely anonymous data falls outside the Regulation.
Territorial scope under Article 3
Article 3 gives the GDPR its long reach. Under the establishment criterion in Article 3(1), the Regulation applies to processing in the context of the activities of an establishment in the EU, regardless of where the processing actually happens. Under the targeting criterion in Article 3(2), it also applies to organisations outside the EU where they process the data of people in the EU in connection with offering goods or services to them, or monitoring their behaviour in the EU. This is why a US-based AI company with no EU office can still fall under the GDPR. The Clearview AI cases turned on exactly this point: the company argued it was outside the GDPR because it had no EU establishment, and European regulators rejected that argument.
The principles in Article 5
Article 5 sets seven principles that govern all processing. Personal data must be processed lawfully, fairly and transparently. It must be collected for specified, explicit and legitimate purposes and not used in incompatible ways, a rule called purpose limitation. It must be adequate, relevant and limited to what is necessary, called data minimisation. It must be accurate and kept up to date. It must not be kept longer than necessary, called storage limitation. It must be kept secure, called integrity and confidentiality. Finally, under the accountability principle in Article 5(2), the controller must be able to demonstrate compliance with all of these. These principles are the backbone of the Regulation, and most enforcement against AI traces back to one or more of them.
Lawful bases in Article 6
To process personal data lawfully you need one of the six lawful bases in Article 6(1): consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest or official authority, or legitimate interests. No single basis is superior, and consent is not the default. For commercial AI training, legitimate interests under Article 6(1)(f) is often the most relevant basis, but it requires a documented three-part assessment, which is explained below. The controller must identify the basis before processing begins and tell people which basis applies.
Data subject rights, Articles 12 to 22
Chapter III gives individuals a set of enforceable rights. Article 12 requires that information and responses be concise, transparent, intelligible and accessible. Articles 13 and 14 require controllers to inform people about processing, whether the data came from them directly or from another source such as web scraping. Article 15 is the right of access, the most exercised and most litigated right. Article 16 is rectification. Article 17 is erasure, the right to be forgotten, which is not absolute and is subject to the exceptions in Article 17(3). Article 18 is restriction. Article 20 is data portability. Article 21 is the right to object. Article 22 covers automated decisions and is discussed below. These rights apply to AI just as they do to any other processing, which raises hard practical questions when personal data is embedded in a trained model.
Lawful basis for AI training data
Training a model on personal data is processing and needs a lawful basis. In Opinion 28/2024, adopted on 17 December 2024 at the request of the Irish Data Protection Commission, the European Data Protection Board confirmed that legitimate interest can be a valid basis for developing and deploying AI models, but only where a three-step test is met. The controller must identify a legitimate interest that is lawful, clearly articulated and real rather than speculative. The controller must show the processing is necessary, meaning there is no less intrusive way to achieve the aim, with attention to data minimisation. And the controller must carry out a balancing test, weighing the interest against the rights, freedoms and reasonable expectations of the people whose data is used. The Opinion stressed that this is a case-by-case analysis. The Italian fine against OpenAI rested in part on a finding that personal data had been used to train ChatGPT without first identifying an adequate legal basis.
Anonymity of models and unlawful training data
Opinion 28/2024 also addressed when a model can be treated as anonymous, and so outside the GDPR. The EDPB set a high bar: both the likelihood of extracting personal data from the model and the likelihood of obtaining it through queries must be insignificant, taking into account all the means reasonably likely to be used. This must be assessed model by model. The Opinion further warned that if a model is developed using unlawfully processed personal data, this can taint later deployment, unless the model has been properly anonymised. In serious cases supervisory authorities can order deletion of training data or even of the model itself, though such steps must be proportionate.
Transparency for AI
Transparency under Articles 12 to 14 requires that people are told, in plain language, how their data is used. For AI this is demanding because models are complex and training data is often scraped from public sources. Where automated decision-making under Article 22 is involved, controllers must also give meaningful information about the logic involved and the significance and envisaged consequences for the individual. The transparency principle in Article 5, and the information duties in Articles 13 and 14, were both cited in enforcement against OpenAI and Clearview AI.
Automated decision-making and profiling, Article 22
Article 22 gives people the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects. This is often misread as a blanket ban. It is better understood as a prohibition in principle with exceptions: the decision is permitted where it is necessary for a contract, authorised by EU or member state law with safeguards, or based on explicit consent. Where it is permitted, safeguards must include the right to human intervention, to express a view and to contest the decision. In the CJEU judgment of 7 December 2023, Case C-634/21 (SCHUFA Holding, OQ v Land Hessen), the Court held that a credit reference agency generating a probability score is itself carrying out automated individual decision-making within Article 22(1) where a third party draws strongly on that score. In the Dun and Bradstreet case (C-203/22, February 2025), the Court held that controllers must give meaningful information about the procedures and principles behind such decisions, and that trade secrets cannot be used to deny the data subject all explanation.
Special category data, Article 9
Article 9 prohibits processing special category data by default. These categories include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, health data, and data about a person's sex life or sexual orientation. Processing is only allowed where an Article 9(2) exception applies, such as explicit consent or substantial public interest. This is a second layer on top of the Article 6 lawful basis, so both must be satisfied. For AI this matters in two ways. First, biometric AI such as facial recognition processes special category data directly, which is why Clearview AI was found to breach Article 9. Second, models can infer special category data, for example health or political views, and inferred sensitive data can fall within Article 9 depending on how deliberate and certain the inference is.
Data protection impact assessments, Article 35
Article 35 requires a data protection impact assessment, or DPIA, where a type of processing is likely to result in a high risk to people's rights and freedoms, particularly when using new technologies. Article 35(3) lists three cases that always require one: systematic and extensive automated evaluation with significant effects, large-scale processing of special category data, and large-scale systematic monitoring of public areas. Much AI falls into these categories. The ICO's list of processing operations likely to result in high risk expressly names AI, machine learning, large-scale profiling and automated decision-making resulting in denial of a service, product or benefit as requiring a DPIA. If a high risk cannot be mitigated, the controller must consult the supervisory authority before proceeding.
Enforcement and fines
The GDPR is enforced by national supervisory authorities, often called data protection authorities, coordinated through the European Data Protection Board. Article 83 sets two tiers of fines. The lower tier reaches 10 million euros or 2 percent of worldwide annual turnover. The higher tier reaches 20 million euros or 4 percent of worldwide annual turnover, for breaches of the core principles, lawful basis, data subject rights and transfer rules. Fines are calculated against several factors and must be effective, proportionate and dissuasive.
How the GDPR interacts with the EU AI Act
The GDPR and the EU AI Act are separate laws that apply at the same time. The AI Act regulates the AI system itself, how it is designed, tested, documented and governed, using a risk-based, product-safety logic. The GDPR regulates what happens to personal data. The AI Act does not replace the GDPR and does not create a new lawful basis for processing personal data, so a valid Article 6 basis is still needed for any personal data used in AI. Where both apply, obligations stack: a fundamental rights impact assessment under the AI Act is meant to complement, not replace, a DPIA under the GDPR. The AI Act's high-risk obligations are being phased in, with key dates around 2 August 2026 and later, subject to ongoing amendments. The detail of the AI Act is covered on its own page.
Examples
Credit scoring and automated decisions. In the CJEU judgment of 7 December 2023, Case C-634/21 (SCHUFA Holding), a German credit agency generated a probability score that a bank relied on to refuse a loan. The Court held that producing the score was itself automated individual decision-making under Article 22(1) where the third party draws strongly on it. The practical lesson is that whoever generates a decisive score, not just the party making the final call, can carry Article 22 duties.
Facial recognition and biometric data. According to the Dutch DPA, Clearview AI built a database of more than 30 billion photos of people, scraped automatically from the internet, and sold identification services. Multiple European authorities found this unlawful. The French CNIL imposed a fine of 20 million euros in 2022. The Dutch DPA imposed 30.5 million euros in its decision announced in 2024, plus orders backed by penalties for non-compliance of up to 5.1 million euros, citing processing without a lawful basis under Article 6, breach of the Article 9 ban on biometric data, failure of transparency under Articles 12 to 14, and failure to appoint an EU representative. The Dutch DPA chairman Aleid Wolfsen called facial recognition "a highly intrusive technology, that you cannot simply unleash on anyone in the world". This shows how the GDPR applies to AI built outside the EU on data about people in the EU.
Generative AI training. The Italian Garante fined OpenAI 15 million euros in its decision of 20 December 2024. It found that OpenAI had used personal data to train ChatGPT "without having an adequate legal basis and violated the principle of transparency and the related information obligations towards users", ordered a six-month public awareness campaign across Italian media, and faulted OpenAI for failing to notify the Garante of the March 2023 breach as required by Article 33, an incident in which, over a nine-hour window, chat histories and payment data of 440 Italian users were exposed. A Rome court later annulled the decision on jurisdictional grounds, because OpenAI's Irish establishment made the Irish authority the lead supervisor, without ruling on whether the conduct was lawful. The episode shows both that the GDPR is being applied to generative AI and that cross-border enforcement is procedurally complex.
Common misunderstandings
The GDPR is an AI law. It is not. It is a data protection law that applies to personal data regardless of technology. It catches AI because AI so often uses personal data, but it says nothing about AI as such. The AI-specific law is the EU AI Act.
Consent is the only way to use data for AI. It is not. Consent is one of six lawful bases in Article 6. For AI training, legitimate interest is often more appropriate, subject to the EDPB's three-step test. Choosing the right basis matters because each carries different conditions.
Article 22 is an absolute ban on automated decisions. It is not. It is a prohibition in principle with exceptions for contractual necessity, authorising law, and explicit consent, and it requires safeguards including human intervention where those exceptions are used.
Anonymous and pseudonymised mean the same thing. They do not. Pseudonymised data is still personal data and stays within the GDPR. Only data that cannot reasonably be linked back to a person is anonymous and outside the Regulation. The EDPB applies a high bar to claims that an AI model is anonymous.
The UK GDPR and the EU GDPR are identical. They were almost identical at the point of Brexit but are diverging. The UK version is supervised by the ICO, has its own reforms through recent UK legislation, and applies to data about people in the UK. The EU GDPR is the instrument explained here.
Risks and boundaries
This page explains the EU GDPR. It is not legal advice, and applying the Regulation always depends on the specific facts and on national rules that fill gaps left to member states. Enforcement practice and regulatory guidance move quickly, so any statement about current guidance should be treated as a snapshot.
Several questions remain genuinely contested. The legal basis for large-scale training on scraped data is not settled, and supervisory authorities differ. The EDPB's Opinion 28/2024 deliberately uses case-by-case language and left out several issues, including special category data, automated decision-making, DPIAs and data protection by design, which means those areas still rely on older guidance and individual assessment. Dedicated EDPB guidelines on generative AI and data scraping were still forthcoming as of mid-2026. Treat all of this as a developing area, not a closed one.
The boundary with the EU AI Act also needs care. The two laws overlap but are not the same, and complying with one does not mean complying with the other. The EU AI Act detail belongs on its own page.
What to do next
Start by mapping where your AI touches personal data, across training, fine-tuning, deployment and monitoring. If any stage uses personal data, the GDPR applies and you need to act.
Then, in order: identify and document a lawful basis under Article 6 for each stage, and if you rely on legitimate interest, complete and record the three-step assessment the EDPB describes. Check whether any special category data under Article 9 is processed or could be inferred, and if so secure an Article 9(2) condition. Build transparency that meets Articles 12 to 14, including meaningful information about automated decisions where Article 22 applies. Put data subject rights processes in place so access, erasure and objection requests can actually be handled, including for data held in models. Run a DPIA under Article 35 for high-risk AI, and consult your supervisory authority if a high risk cannot be mitigated.
The benchmarks that should change your plan: if you process biometric data for identification, or make solely automated decisions with significant effects, or train at scale on scraped personal data, treat the risk as high and assume a DPIA and close legal review are required. Track EDPB and national authority guidance, and align your GDPR work with your EU AI Act preparation rather than running them separately.
FAQs
Does the GDPR apply to AI?
Yes, whenever an AI system processes personal data. There is no AI exemption. The GDPR applies to training, deployment and monitoring if personal data is involved, even though the Regulation never mentions AI.
Does the GDPR apply to companies outside the EU?
It can. Under Article 3(2), an organisation with no EU establishment still falls under the GDPR if it offers goods or services to people in the EU or monitors their behaviour there. This is why non-EU AI firms have been fined.
Can I train an AI model on personal data under the GDPR?
Yes, if you have a lawful basis and meet the principles. Legitimate interest is often used, but the EDPB requires a documented three-step test covering the interest, necessity and a balancing of rights.
Is consent always required for AI?
No. Consent is one of six lawful bases. For AI training, legitimate interest or contractual necessity may fit better. The right basis depends on the context and must be identified before processing starts.
Does Article 22 ban automated decision-making?
No. It prohibits solely automated decisions with significant effects in principle, but allows them where they are necessary for a contract, authorised by law, or based on explicit consent, with safeguards including human intervention.
How is the GDPR different from the EU AI Act?
The GDPR governs personal data. The EU AI Act governs AI systems as products, on a risk basis. They apply at the same time, and the AI Act does not create a new lawful basis for processing personal data.
Is the UK GDPR the same as the EU GDPR?
They began almost identical and are slowly diverging. The UK version is overseen by the ICO and amended by UK law. This page covers the EU GDPR.
What are the maximum GDPR fines?
Up to 20 million euros or 4 percent of total worldwide annual turnover, whichever is higher, for the most serious breaches. A lower tier reaches 10 million euros or 2 percent.
