GDPR-compliant AI integration — A guide for businesses
Using AI isn't illegal — using AI carelessly is. In this article, we show how we (MyForge Labs) build chatbots, RAG systems, and AI customer-service tools without exposing anyone to fines.
Why "we just plugged in OpenAI" is a problem
GDPR asks two questions about every data operation: (1) who is responsible, (2) what's the legal basis? If you call an OpenAI, Anthropic, or Google API and send your Hungarian customer's message, then:
- The US provider becomes your processor (Art. 28).
- You need a DPA (Data Processing Agreement).
- Because the provider sits in a third country (USA), you also need a transfer mechanism (typically Standard Contractual Clauses (SCC) plus a Transfer Impact Assessment (TIA)).
- The user must be informed which model, in which country, sees their data.
Miss any of that and you risk fines of up to €20M or 4% of global annual turnover, whichever is higher.
The 4 main AI-data scenarios
1) Public cloud LLM (OpenAI API, Anthropic, Gemini)
- Risk: high. Customer data leaves for the US.
- OK when: no personal data in the input (e.g. generic B2B content generation).
- NOT OK: customer messages, names, CRM data, health data.
2) Public cloud LLM with EU region (OpenAI EU Data Residency, Azure OpenAI West Europe)
- Risk: medium.
- OK when: DPA signed + customer informed + data not in a special category.
- Bonus: Microsoft Azure OpenAI does not use your data for model training by default, and that commitment is written into the contract.
3) Self-hosted open-source model (Llama 3, Mistral, on your own VPS)
- Risk: low — all data stays with you.
- Cost: high. GPU infra runs €500–€5,000 / month.
- OK when: strict compliance category (healthcare, finance, legal).
4) Hybrid (public LLM + anonymizing proxy)
- How: a proxy on your own server strips personal data (names, emails, ID numbers) from the input before it reaches the LLM.
- Risk: low, if the proxy is solid.
- This is the model we use for larger clients at MyForge Labs.
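To make the proxy idea concrete, here is a minimal sketch of the redaction step in Python. The patterns and placeholder labels are illustrative only; a production proxy would add NER-based name detection and country-specific ID formats on top of simple regexes.

```python
import re

# Illustrative, regex-based PII redaction. The pattern set is a sketch,
# not an exhaustive list; real deployments also need name detection (NER).
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "PHONE": re.compile(r"\+?\d[\d\s-]{7,}\d"),
}

def redact(text: str) -> str:
    """Replace each match with a typed placeholder before the text leaves the server."""
    for label, pattern in PATTERNS.items():
        text = pattern.sub(f"[{label}]", text)
    return text
```

The LLM still gets enough context to answer ("Please reply to [EMAIL] about the invoice"), but the personal data itself never crosses the EU border.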
5 typical pitfalls and fixes
- Chat logs stored forever. → Need an automatic retention policy (30 / 90 / 365 days, then deleted).
- User can't delete their conversation. → The right to erasure (GDPR Art. 17) is a legal minimum. Implement a "Delete my data" button.
- No AI mention in the cookie banner. → Chatbot usage is data processing: it needs its own legal basis, or a legitimate-interest disclosure in your privacy notice.
- Prompt injection can expose other users' data. → This is a security issue. At MyForge, every chatbot uses RAG retrieval with per-user access control rather than fine-tuning, so one user's data is never baked into the model where another user's prompt could surface it.
- No log of what was sent. → Audit trail is mandatory. Who, when, what data went to the LLM.
Practical checklist (MyForge Labs minimum)
- ✅ EU region (Azure West Europe or OpenAI EU)
- ✅ DPA in writing
- ✅ Retention policy (90 days by default)
- ✅ Right-to-delete built into UI
- ✅ Privacy policy updated
- ✅ Cookie banner updated
- ✅ Prompt sanitization (PII strip)
- ✅ Audit log with 1-year retention
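For the audit-log item, the key design choice is to log which fields were sent, not their values, so the log itself does not become a second copy of the personal data. A minimal sketch, with hypothetical field names:

```python
import json
from datetime import datetime, timezone

def audit_entry(user_id: str, destination: str, payload_fields: list[str]) -> str:
    """Record who sent what, where, and when. Field names only, never raw content."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,
        "destination": destination,     # e.g. "azure-openai-west-europe"
        "fields_sent": payload_fields,  # names of fields, not their values
    }
    return json.dumps(entry)
```

Append one entry per LLM call, and apply the same 1-year retention to the log itself.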
What's next?
If you're starting an AI project, read our BMAD method — we begin every engagement with it. If you already have something running and aren't sure it's GDPR-compliant, ask for a free 30-minute AI compliance audit via our contact form.
Further reading: Cybersecurity services and Data Management.
Free AI compliance audit
30-minute video call, 3-page report. We tell you where you're exposed and what to fix.