AI & Data Privacy under GDPR in 2026: Ethics & Best Practices

Complete 2026 guide to AI under the GDPR: lawful bases, Article 22, DPIAs, international transfers, and enforcement lessons from CNIL, Garante, and the EDPB.

Misar Team·Jun 27, 2025·5 min read

Quick Answer

AI systems processing EU personal data in 2026 must comply with the GDPR alongside the EU AI Act. GDPR fines reach EUR 20 million or 4% of global turnover, and regulators (CNIL, Garante, DPC, BfDI) have now litigated every major LLM provider.

  • Lawful basis is required before any processing begins
  • Article 22 restricts automated decisions with legal or similar significant effects
  • EDPB Opinion 28/2024 clarifies LLM training, deployment, and anonymisation

What Is GDPR in the AI Context?

The EU General Data Protection Regulation (Regulation (EU) 2016/679) applies whenever personal data is processed by AI. The European Data Protection Board (EDPB) issued Opinion 28/2024 on 17 December 2024 specifically addressing AI models trained on personal data. It confirmed:

  • LLM training typically requires a lawful basis under Article 6
  • "Legitimate interests" (Art. 6(1)(f)) can apply but requires a three-step test
  • A model can be treated as anonymous only if personal data cannot be extracted from it
  • Unlawfully processed training data can render deployment unlawful

Key Details / Requirements

Lawful Bases for AI Training

Lawful Basis | Applicability to AI | Typical Use
Consent (Art. 6(1)(a)) | Possible but impractical at scale | User-initiated features
Contract (Art. 6(1)(b)) | Narrow | Personalisation of a contracted service
Legal obligation (Art. 6(1)(c)) | Rare | Screening required by regulation
Vital interests (Art. 6(1)(d)) | Exceptional | Emergency medical AI
Public task (Art. 6(1)(e)) | Government AI | Public bodies
Legitimate interests (Art. 6(1)(f)) | Most common for training | Requires LIA

Enforcement Actions (Selected)

Case | Authority | Year | Outcome
ChatGPT temporary ban | Garante (Italy) | 2023 | Service restored after compliance changes
Clearview AI | CNIL (France) | 2022 | EUR 20M fine
ChatGPT training data | Garante | 2024 | EUR 15M fine
DeepSeek | Garante | 2025 | Service restricted
Replika | Garante | 2023 | Temporary ban on processing Italian user data

Real-World Examples / Case Studies

OpenAI ChatGPT — Garante banned in March 2023 after a data breach exposed conversation titles; service restored April 2023 after OpenAI added opt-out, age gate, and updated Privacy Policy. A EUR 15M fine followed in December 2024.

Replika — Garante imposed a temporary processing ban in February 2023, citing risks to minors and data-processing transparency.

X (Twitter) Grok — Irish DPC secured a voluntary undertaking in August 2024 to pause training on EU user data pending an Article 22 investigation.

What This Means for AI Teams

Every AI product processing EU personal data must:

  • Identify the lawful basis before the first token is processed
  • Complete a Data Protection Impact Assessment (Art. 35) for high-risk AI
  • Publish an Article 13/14 privacy notice with profiling details
  • Honour data-subject rights (access, rectification, erasure) including for training corpora
  • Transfer data to non-adequate countries only under Chapter V tools (SCCs, BCRs, derogations)
  • Document every stage per Article 30 Records of Processing Activities

Compliance Checklist

  • Conduct a Legitimate Interests Assessment (LIA) for training data
  • Map training data sources and licensing
  • Implement an opt-out mechanism per EDPB Opinion 28/2024
  • Complete a DPIA and publish its summary
  • Update the privacy notice with AI-specific disclosures
  • Register with the EU AI Act database for high-risk systems (Art. 71)
  • Establish a data-subject rights workflow covering deletion from embeddings

FAQs

Q: Can I train an LLM on publicly scraped data?

Only with a lawful basis and after a robust LIA. Public availability does not make data free for training.

Q: Does Article 22 prohibit all automated decisions?

No — it restricts decisions with "legal or similarly significant effects" unless consent, contract necessity, or explicit legal authorisation applies.

Q: What is EDPB Opinion 28/2024?

A formal EDPB opinion clarifying GDPR application to AI training, deployment, and anonymisation claims.

Q: Is anonymisation possible for LLMs?

Only if personal data cannot be inferred from outputs — a high bar that must be empirically demonstrated.

Q: Must I do a DPIA for every AI system?

Yes for high-risk processing (profiling, biometrics, innovative tech); good practice for all AI.

Q: Do Chapter V transfers still work post-Schrems II?

Yes — SCCs with transfer impact assessments; the EU-US Data Privacy Framework (July 2023) restored adequacy for certified US organisations.

Q: What are typical GDPR AI fines?

EUR 15-20M for severe violations; the EDPB has emphasised that AI-specific context can aggravate penalties.

Conclusion

GDPR and the EU AI Act are now co-enforced. Building AI that respects data-subject rights is faster than defending against regulators.

Audit your AI against GDPR with Misar AI's privacy compliance toolkit.
