Strategy | 8 min read | 31 March 2026

GDPR-compliant AI agent: how to use AI without privacy risk

Everything you need to know about running AI agents within GDPR rules - EU hosting, data processing agreements, and a practical compliance checklist.

GDPR and AI agents: the essential guide

If your business operates in Europe, GDPR applies to your AI agent. Full stop. Every conversation your agent has with a customer contains personal data - names, email addresses, order numbers, sometimes health or financial information.

Getting this wrong has real consequences. GDPR fines reach up to 20 million EUR or 4% of global annual revenue, whichever is higher. In 2025 alone, EU data protection authorities issued over 2 billion EUR in total fines.

This guide tells you exactly what you need to do to run AI agents within the rules.

What GDPR requires for AI agents

GDPR applies whenever personal data is processed. An AI agent processes personal data the moment a customer types "Hi, my name is Jan and I want to check my order." That message contains a name and implies a customer relationship with associated data.

Here is what the regulation requires:

1. Lawful basis for processing

You need a legal reason to process the data. For AI agents, the most common bases are:

Legitimate interest (Article 6(1)(f)): you need the data to provide the service the customer is actively using. When someone starts a chat to ask about their order, processing their name and order number is necessary to help them.

Consent (Article 6(1)(a)): the customer explicitly agrees to data processing. This is required if you want to store conversations for training or analytics.

Contract performance (Article 6(1)(b)): processing is necessary to fulfill a contract with the customer.

2. Data processing agreement (DPA)

If a third party processes personal data on your behalf - which includes your AI agent provider - you need a Data Processing Agreement. This is a legal document that specifies:

  • What data is processed
  • Why it is processed
  • How long it is stored
  • What security measures are in place
  • What happens when the contract ends

Any AI agent provider that does not offer a DPA is a red flag. Walk away.

3. Data minimization

Only collect and process data that is necessary. Your AI agent should not ask for a customer's date of birth if the conversation is about product information.

4. Storage limitation

Do not keep conversation data forever. Define a retention period and stick to it. Common practice: delete conversation logs after 90 days unless there is a specific reason to keep them longer.

5. Right to erasure

Customers can request deletion of their data. Your AI agent system must support this - you need the ability to delete specific conversations and any associated personal data on request.

6. Transparency

Customers must know they are talking to an AI agent, not a human. And they must know what happens with their data. This means:

  • Clear disclosure that the conversation is with an AI
  • Link to your privacy policy
  • Information about data processing and storage

The EU hosting requirement

This is where many platforms fail. GDPR does not technically require EU hosting, but transferring personal data outside the EU/EEA requires additional safeguards that are hard to implement correctly.

After the Schrems II ruling, transferring data to US servers requires Standard Contractual Clauses (SCCs) plus supplementary measures. In practice, many legal experts recommend keeping data in the EU as the simplest path to compliance.

Where popular AI models process data

Provider           | Data processing location | EU option available
Anthropic (Claude) | US default               | EU via API (no training on data)
OpenAI (GPT)       | US default               | EU via Azure OpenAI
Mistral            | EU (France)              | Yes, native EU
Google (Gemini)    | US/EU                    | EU region selectable

Key distinction: where the AI model runs and where conversation data is stored are two separate questions. You can use a model that processes in the EU while also storing conversation data on EU servers, and you need to check both.

Zero Data Retention (ZDR)

Some providers offer Zero Data Retention agreements. This means your data is processed for the immediate request and then deleted - it is not stored, logged, or used for training.

Mistral offers ZDR by default. Anthropic offers it for business accounts. OpenAI offers it through their API (but not through ChatGPT consumer).

For GDPR compliance, ZDR at the model provider level combined with EU-hosted infrastructure for your agent gives you the strongest position.

The compliance checklist

Use this checklist before deploying an AI agent for your business:

Infrastructure

  • [ ] Agent server is hosted in the EU
  • [ ] Database is hosted in the EU
  • [ ] No personal data transfers to non-EU countries without safeguards
  • [ ] Encryption at rest and in transit (TLS 1.2+)
  • [ ] Access controls and authentication in place

Legal

  • [ ] Data Processing Agreement signed with AI agent provider
  • [ ] Data Processing Agreement signed with AI model provider (if different)
  • [ ] Privacy policy updated to mention AI agent usage
  • [ ] Lawful basis for processing identified and documented
  • [ ] Data retention period defined

Transparency

  • [ ] Customers are informed they are communicating with an AI agent
  • [ ] Privacy policy is linked from the chat interface
  • [ ] Cookie consent covers any analytics or tracking in the chat

Data subject rights

  • [ ] Process exists for handling data deletion requests
  • [ ] Process exists for handling data access requests (providing conversation history)
  • [ ] Process exists for handling data portability requests
  • [ ] Response time for requests: within 30 days (GDPR requirement)

Security

  • [ ] Regular security updates applied to the agent platform
  • [ ] Access to conversation data restricted to authorized staff
  • [ ] Logging and audit trails for data access
  • [ ] Incident response plan for data breaches
  • [ ] Data breach notification process (72-hour rule)

How to evaluate an AI agent provider for GDPR

Ask these questions before signing up:

Where are your servers located? - Acceptable answer: EU (specific country). Red flag: "cloud-based" without specifying region.

Do you offer a Data Processing Agreement? - Acceptable: yes, here it is. Red flag: "what is a DPA?"

What happens to conversation data? - Acceptable: stored encrypted on EU servers, deleted after X days. Red flag: "used to improve our model" or no clear answer.

Can I delete specific customer data? - Acceptable: yes, via API or dashboard. Red flag: "we will look into that."

What AI model do you use, and where is it processed? - Acceptable: specific model with clear processing location. Red flag: vague about model provider or processing location.

Do you have a security incident response plan? - Acceptable: yes, with defined notification timelines. Red flag: hesitation.

Provider comparison for GDPR compliance

Feature                | AI Agent (OpenClaw) | Intercom       | Botpress    | OpenAI GPTs
EU servers             | Yes (default)       | Available      | Self-hosted | No
DPA available          | Yes                 | Yes            | Yes         | Enterprise only
Data deletion API      | Yes                 | Yes            | Yes         | No
ZDR option             | Yes (Mistral)       | No             | Depends     | API only
Transparent pricing    | Yes                 | Per-resolution | Variable    | N/A
Data used for training | No                  | Check terms    | Depends     | Check terms

Common GDPR mistakes with AI agents

Mistake 1: using a consumer AI tool for business data

Pasting customer emails into ChatGPT or Claude's consumer interface means that data goes to US servers and may be used for model training. Use business API accounts or managed platforms instead.

Mistake 2: no disclosure that the customer is talking to AI

EU guidelines and several national data protection authorities require transparency about automated decision-making and AI interaction. A simple note like "You are chatting with our AI assistant" at the start of the conversation is enough.

Mistake 3: storing conversations indefinitely

"We might need it someday" is not a valid retention justification. Define a policy, automate deletion, and document why you chose that timeframe.
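The storage limitation and right-to-erasure requirements above (an automated 90-day purge, deletion of one customer's conversations on request, and an audit trail that records the deletion without keeping the personal data) as an added example; this is not code from the article or from AI Agent, and the SQLite schema and sample conversations are constructed.

```python
# Added example, not code from the article: automated retention purge plus a
# right-to-erasure handler over a SQLite conversation store (schema assumed).
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # retention period the article cites as common practice

def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # required for ON DELETE CASCADE
    conn.executescript("""
        CREATE TABLE conversations (id INTEGER PRIMARY KEY,
            customer_id TEXT NOT NULL, created_at TEXT NOT NULL);
        CREATE TABLE messages (id INTEGER PRIMARY KEY, content TEXT NOT NULL,
            conversation_id INTEGER NOT NULL REFERENCES conversations(id) ON DELETE CASCADE);
        -- audit trail records that a deletion happened, never the personal data itself
        CREATE TABLE erasure_log (at TEXT NOT NULL, reason TEXT NOT NULL, deleted INTEGER NOT NULL);""")
    return conn
def add_conversation(conn, customer_id, created_at, messages) -> int:
    cur = conn.execute("INSERT INTO conversations (customer_id, created_at) VALUES (?, ?)",
                       (customer_id, created_at.isoformat()))
    conn.executemany("INSERT INTO messages (conversation_id, content) VALUES (?, ?)",
                     [(cur.lastrowid, m) for m in messages])
    return cur.lastrowid
def _log_and_commit(conn, now, reason, deleted) -> int:
    conn.execute("INSERT INTO erasure_log VALUES (?, ?, ?)", (now.isoformat(), reason, deleted))
    conn.commit()
    return deleted

def purge_expired(conn, now, retention_days=RETENTION_DAYS) -> int:
    """Storage limitation: delete every conversation older than the retention period."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    cur = conn.execute("DELETE FROM conversations WHERE created_at < ?", (cutoff,))
    return _log_and_commit(conn, now, "retention", cur.rowcount)  # messages cascade

def erase_customer(conn, customer_id, now) -> int:
    """Right to erasure: delete every conversation of one data subject on request."""
    cur = conn.execute("DELETE FROM conversations WHERE customer_id = ?", (customer_id,))
    return _log_and_commit(conn, now, "subject_request", cur.rowcount)
def message_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0]

def demo() -> dict:
    """Constructed sample data: one stale conversation and two recent ones for cust-2."""
    now = datetime(2026, 3, 31, tzinfo=timezone.utc)
    conn = open_store()
    add_conversation(conn, "cust-1", now - timedelta(days=120), ["Hi, my name is Jan", "Order 123?"])
    add_conversation(conn, "cust-2", now - timedelta(days=10), ["Hello"])
    add_conversation(conn, "cust-2", now - timedelta(days=5), ["Where is my parcel?"])
    return {"before": message_count(conn), "purged": purge_expired(conn, now),
            "after_purge": message_count(conn), "erased": erase_customer(conn, "cust-2", now),
            "after_erase": message_count(conn)}
```

In production the purge would run on a schedule and the erasure handler would also have to reach any copies held by sub-processors, which is exactly what the DPA and sub-processor list are for.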

Mistake 4: forgetting the DPA

A DPA is not optional. If your AI agent provider processes personal data (they all do), you need a signed DPA before going live. Not after. Not "when we get around to it."

Mistake 5: ignoring sub-processors

Your AI agent provider likely uses sub-processors (cloud hosting, AI model providers, monitoring tools). GDPR requires that these sub-processors are also covered by appropriate data processing agreements. Ask your provider for their sub-processor list.

The AI Act connection

The EU AI Act, which came into effect in phases starting 2024, adds requirements on top of GDPR for AI systems. For business AI agents:

Transparency obligation: AI systems that interact with humans must disclose that the user is interacting with AI. This reinforces the GDPR transparency requirement.

Risk classification: most business AI agents fall under "limited risk" or "minimal risk" categories, which have lighter requirements than high-risk systems (hiring, credit scoring, etc.).

Record-keeping: maintain documentation of your AI agent's purpose, capabilities, limitations, and the data it processes.

The AI Act does not fundamentally change what responsible businesses already do. If you follow GDPR properly and are transparent with customers, you are already aligned with most AI Act requirements for business agents.

Your action plan

1. Audit your current setup: if you already use AI tools, check where data goes and whether you have proper agreements
2. Choose an EU-hosted platform: eliminate the biggest compliance headache by keeping data in Europe
3. Get the DPA signed: before going live, not after
4. Update your privacy policy: mention AI agent usage, data processing, and storage
5. Set up data deletion: automate retention and have a process for deletion requests
6. Train your team: make sure staff know how to handle GDPR requests related to the AI agent

At AI Agent, we build GDPR compliance into every deployment. Dedicated EU servers, DPA included, zero data retention available, and full data deletion support. Visit aiagent.nl/openclaw to learn more.

Written by

Tarik Eraslan

Founder of AI Agent. Helps businesses implement AI in their daily workflows.