Quick Answer
AI systems processing EU personal data in 2026 must comply with the GDPR alongside the EU AI Act. GDPR fines reach EUR 20 million or 4% of global annual turnover, whichever is higher, and regulators (CNIL, Garante, DPC, BfDI) have now opened enforcement actions against the major LLM providers.
- Lawful basis is required before any processing begins
- Article 22 restricts decisions based solely on automated processing that produce legal or similarly significant effects
- EDPB Opinion 28/2024 clarifies LLM training, deployment, and anonymisation
What Is GDPR in the AI Context?
The EU General Data Protection Regulation (Regulation (EU) 2016/679) applies whenever personal data is processed by AI. The European Data Protection Board (EDPB) issued Opinion 28/2024 on 17 December 2024 specifically addressing AI models trained on personal data. It confirmed:
- Training a model on personal data is processing under the GDPR and needs a lawful basis under Article 6
- "Legitimate interests" (Art. 6(1)(f)) can apply but requires the three-step test: a legitimate interest, necessity of the processing, and a balancing against data-subject rights
- A model trained on personal data counts as anonymous only where the likelihood of extracting that data, directly from the model or through queries, is insignificant
- Unlawfully processed training data can render deployment of the resulting model unlawful
Key Details / Requirements
Lawful Bases for AI Training
| Lawful Basis | Applicability to AI | Typical Use |
|---|---|---|
| Consent (Art. 6(1)(a)) | Possible but impractical at scale | User-initiated features |
| Contract (Art. 6(1)(b)) | Narrow | Personalisation of a contracted service |
| Legal obligation (Art. 6(1)(c)) | Rare | Regulatory required screening |
| Vital interests (Art. 6(1)(d)) | Exceptional | Emergency medical AI |
| Public task (Art. 6(1)(e)) | Government AI | Public bodies |
| Legitimate interests (Art. 6(1)(f)) | Most common for training | Requires LIA |
Enforcement Actions (Selected)
| Case | Authority | Year | Outcome |
|---|---|---|---|
| ChatGPT temporary ban | Garante (Italy) | 2023 | Service restored after compliance changes |
| Clearview AI | CNIL (France) | 2022 | EUR 20M fine |
| ChatGPT training data | Garante | 2024 | EUR 15M fine |
| DeepSeek | Garante | 2025 | Service restricted |
| Replika | Garante | 2023 | Temporary ban on processing Italian user data |
Real-World Examples / Case Studies
OpenAI ChatGPT — the Garante imposed a temporary processing ban in March 2023 after a bug exposed other users' conversation titles; the service was restored in April 2023 after OpenAI added a training opt-out, an age gate and an updated privacy policy. A EUR 15M fine followed in December 2024.
Replika — the Garante imposed a temporary processing ban in February 2023, citing risks to minors and a lack of transparency about the processing.
X (Twitter) Grok — the Irish DPC secured an undertaking in August 2024 to suspend training on EU users' public posts pending its investigation into the lawfulness of that processing.
What This Means for AI Teams
Every AI product processing EU personal data must:
- Identify the lawful basis before the first token is processed
- Complete a Data Protection Impact Assessment (Art. 35) where the processing is likely to result in a high risk to individuals, which covers most large-scale profiling and model training on personal data
- Publish an Article 13/14 privacy notice with profiling details
- Honour data-subject rights (access, rectification, erasure) including for training corpora
- Transfer data to non-adequate countries only under Chapter V tools (SCCs, BCRs, derogations)
- Document every stage per Article 30 Records of Processing Activities
Compliance Checklist
- Conduct a Legitimate Interests Assessment (LIA) for training data
- Map training data sources and licensing
- Implement an opt-out mechanism, one of the mitigating measures EDPB Opinion 28/2024 recognises in the legitimate-interests balancing test
- Complete a DPIA and publish its summary
- Update the privacy notice with AI-specific disclosures
- Register high-risk systems in the EU AI Act database (Art. 71) as required by Art. 49
- Establish a data-subject rights workflow that reaches training corpora, fine-tuning sets and stored embeddings, not just the production database
Conclusion
GDPR and the EU AI Act apply cumulatively, and the supervisory authorities enforce them side by side. Building AI that respects data-subject rights is faster than defending against regulators.
Audit your AI against GDPR with Misar AI's privacy compliance toolkit.
