GDPR & AI: A Compliance Framework
Using AI to process documents containing personal data triggers GDPR obligations. Understanding these requirements is essential before deploying any AI system in the EU.
SCOPE
Any Personal Data Processing
If your AI system processes names, addresses, case details, or any information relating to identified individuals, GDPR applies.
REQUIREMENTS
Legal Basis + Safeguards
You need a valid legal basis for processing, appropriate security measures, and compliance with data subject rights.
PENALTIES
Up to EUR 20M or 4% Revenue
Serious violations can result in fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher.
The Six GDPR Principles
Article 5 of the GDPR establishes six principles that govern all personal data processing. AI systems must comply with each:
Lawfulness, Fairness, and Transparency
Processing must have a valid legal basis, be fair to data subjects, and be transparent about what data is collected and how it's used.
AI Implication: You must inform clients that AI will process their documents and explain how the system works.
Purpose Limitation
Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
AI Implication: Documents uploaded for case analysis cannot be used to train general AI models or for unrelated purposes.
Data Minimization
Data collected must be adequate, relevant, and limited to what is necessary for the purposes of processing.
AI Implication: Only upload documents necessary for the specific task. Avoid bulk uploads of entire archives "just in case."
Accuracy
Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.
AI Implication: AI-generated summaries or analyses must be reviewed for accuracy. Hallucinations or errors must be correctable.
Storage Limitation
Data must be kept in a form that permits identification of data subjects for no longer than necessary.
AI Implication: Define retention policies. Don't keep documents in your AI system indefinitely after a matter closes.
Integrity and Confidentiality
Data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
AI Implication: This is where infrastructure matters: encryption, access controls, and, ideally, air-gapped deployment.
Legal Bases for AI Document Processing
Article 6 requires a valid legal basis for any personal data processing. For professional services firms using AI, these are the most relevant:
Contract Performance (Article 6(1)(b))
Processing is necessary for the performance of a contract with the data subject or to take steps at their request prior to entering a contract.
Application: If you have an engagement letter with a client, using AI to analyze their documents is processing necessary to perform that contract.
Legitimate Interests (Article 6(1)(f))
Processing is necessary for legitimate interests pursued by the controller, except where overridden by the interests or rights of the data subject.
Application: Improving service efficiency through AI may qualify, but requires a documented balancing test. More scrutiny applies.
Consent (Article 6(1)(a))
The data subject has given consent to the processing for one or more specific purposes.
Application: Possible but problematic—consent must be freely given, specific, informed, and withdrawable. Not ideal for ongoing client relationships.
Special Category Data (Article 9)
Health data, biometric data, data revealing racial or ethnic origin, political opinions, religious beliefs, or trade union membership require additional protections.
Warning: Medical records, immigration documents, or employment disputes may contain special category data. Processing it requires one of the conditions in Article 9(2) in addition to an Article 6 legal basis.
AI-Specific GDPR Considerations
Automated Decision-Making (Article 22)
Data subjects have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
Does This Apply to Legal AI?
Generally no, if the AI is used as a tool to assist human decision-making rather than making decisions autonomously.
- AI summarizes documents, lawyer makes decisions → Article 22 does not apply
- AI automatically rejects applications without human review → Article 22 applies
Data Protection Impact Assessment (Article 35)
A DPIA is required when processing is "likely to result in a high risk to the rights and freedoms of natural persons."
When is a DPIA Required for AI?
The EDPB guidelines suggest a DPIA is likely required when:
- Processing involves systematic evaluation of personal aspects (profiling)
- Processing involves special category data at scale
- Processing uses new technologies (AI qualifies)
- Processing could prevent data subjects from exercising rights
Recommendation: When in doubt, conduct a DPIA. It demonstrates accountability and due diligence.
Third-Party AI Providers (Article 28)
When using external AI services, you're engaging a data processor. This requires a Data Processing Agreement (DPA) with specific terms.
Risks with US AI Providers
- CLOUD Act exposure (see our guide)
- Data may be used for model training
- Shared infrastructure with other customers
- Limited control over subprocessors
Tacitus Approach
- EU-jurisdiction (Cloud Bridge) or on-premises (Cortex)
- Data never used for training
- Single-tenant isolation
- No third-party subprocessors for data processing
GDPR Compliance Checklist for AI Systems
Before deploying any AI system that processes personal data, verify the following:
Legal basis identified and documented
Contract performance, legitimate interests, or consent—with supporting documentation.
Privacy notice updated
Clients informed that AI will process their documents, what data is processed, and retention periods.
Data Processing Agreement in place
If using third-party AI providers, Article 28-compliant DPA signed.
DPIA conducted (if required)
Risk assessment documented, particularly for special category data or large-scale processing.
Security measures appropriate
Encryption, access controls, audit logging, and—ideally—jurisdiction-appropriate infrastructure.
Data subject rights procedures
Process for handling access, rectification, erasure, and portability requests.
Records of processing maintained
Article 30-compliant records of all processing activities involving personal data.
How Tacitus Supports GDPR Compliance
Cloud Bridge
- EU-headquartered provider (no CLOUD Act)
- Single-tenant isolation (data minimization)
- Full data export (portability)
- Data never used for training
Cortex (Maximum Compliance)
- On-premises (your jurisdiction)
- Air-gapped (maximum security)
- No third-party processors
- Complete data control
Need Help with GDPR Compliance?
Our team can discuss how Tacitus infrastructure supports your compliance requirements.