GDPR AI Compliance Requirements for LLM Deployments
GDPR predates the LLM era, but its obligations attach the moment personal data reaches a prompt. Lawful basis, purpose limitation, data minimization, special-category handling, automated-decision rights, records of processing, and cross-border transfer rules all apply to AI request traffic. This maps each requirement to the control that satisfies it at the AI request boundary, and shows why prompt content is the layer most GDPR programs currently cannot see.

GDPR was written in 2016, before anyone was pasting customer records into a chat interface, and its obligations attach the moment personal data reaches a prompt. When an employee sends a support ticket containing a name and an account number to an LLM, that is processing of personal data under Article 4, and every duty that follows from processing applies. The prompt is the part most GDPR programs currently cannot see, which is where the exposure sits.
I want to walk through the GDPR requirements that govern AI request traffic, map each to the control that satisfies it, and mark where the standard data-protection stack goes blind.
Lawful basis and purpose
Processing personal data through an AI system needs a lawful basis under Article 6, the same as any other processing. The basis you relied on to collect the data does not automatically extend to sending it to a model. If a customer gave you their data to service an account, using it to train or query a general-purpose model is a new purpose, and Article 5's purpose-limitation principle requires you to justify it.
Special-category data under Article 9, such as health, biometric, or racial data, raises the bar further. Most deployments have no control that stops special-category data from entering a prompt, which means they are relying on the person sending the prompt to make the Article 9 judgment in real time.
Data minimization at the prompt layer
Article 5's minimization principle requires that you process only the personal data you need. In an AI deployment, minimization happens in the prompt. A well-scoped prompt sends the fields the task requires. An unscoped prompt sends the whole record because that was quicker to paste.
Minimization is therefore a request-layer control. The place to enforce it is between the user and the model, where prompt content can be inspected, classified, and redacted before it leaves the environment. I covered why network and document-level tools miss this in the AI DLP breakdown: they classify files and connections, and the prompt is neither.
Automated decisions and data-subject rights
Article 22 gives data subjects rights around decisions based solely on automated processing that produce legal or similarly significant effects, including a right to human intervention and an explanation. When an AI system drives such a decision, you owe the person a record of what happened. I go deeper on this in the Article 22 automated-decision analysis.
The broader access and erasure rights under Articles 15 and 17 also reach AI traffic. To answer a subject-access request about AI processing, you need to know which of that person's data went into which model calls. Without a per-request record tying identity to prompt content, that answer is a guess.
Records, DPIAs, and security
Three more obligations shape an AI deployment. Article 30 requires records of processing activities, and AI processing belongs in that register. Article 35 requires a data protection impact assessment where processing is high-risk, which most consequential AI use is; I cover the mechanics in the GDPR AI DPIA guide. Article 32 requires security appropriate to the risk, which for AI traffic means controlling and recording what leaves for a model.
Cross-border transfer rules in Chapter V apply when the model runs outside the EEA. A prompt sent to a US-hosted model endpoint is an international transfer of any personal data it contains, and it needs a transfer mechanism. Data residency at the request layer decides whether that transfer is governed or invisible.
Where GDPR and the AI Act meet
GDPR and the EU AI Act cover overlapping ground with different vocabulary. GDPR governs personal data processing. The AI Act governs AI systems. A high-risk AI system that processes personal data sits under both, and the EU AI Act versus GDPR comparison draws the line. The practical convergence is the record: both regimes want you to be able to reconstruct what happened to a specific person's data in a specific AI interaction. Penalties under Article 83 reach €20 million or 4% of global annual turnover for the higher tier, so the record is not a formality.
DeepInspect
This is the gap DeepInspect closes for GDPR at the AI request boundary. DeepInspect sits as a stateless proxy between your users or agents and any LLM. It inspects prompt content, classifies the personal data inside it, and applies per-route and per-role policy: permit, redact, or deny, inline, before the request reaches the model.
For GDPR, that maps to the requirements directly. Prompt-level classification and redaction enforce data minimization under Article 5. Data-residency policy governs Chapter V transfers by controlling which endpoints a prompt may reach. And every request produces a signed, per-decision audit record tying the identity to the data class and the outcome, which is the evidence layer that Article 30 records, Article 22 explanations, and subject-access responses all draw from.
If you are running personal data through AI systems and your GDPR controls stop at the network and the document, let's talk today.
Frequently asked questions
- Does GDPR apply to using LLMs?
Yes. Sending personal data to a large language model is processing under GDPR Article 4, so the full set of obligations applies: a lawful basis under Article 6, purpose limitation and minimization under Article 5, special-category handling under Article 9, records of processing under Article 30, and, where the processing is high-risk, a data protection impact assessment under Article 35. This holds whether the model is a third-party API or self-hosted, and whether the data is typed into a chat interface or sent by an application. The prompt is the point where most of these obligations become concrete.
- How do you enforce data minimization in AI prompts?
Data minimization under GDPR Article 5 means sending only the personal data a task requires, and in an AI deployment that decision is made in the prompt. Enforcing it requires inspecting prompt content before it reaches the model, classifying the personal data inside it, and redacting or blocking fields that are not needed. Network DLP cannot do this because it sees encrypted traffic, and document DLP cannot because a prompt is not a file. An inline enforcement layer at the AI request boundary is where minimization can actually be applied, since it reads the prompt as it passes.
- What records does GDPR require for AI processing?
GDPR Article 30 requires records of processing activities, which must include AI processing of personal data: the purposes, the categories of data and subjects, and retention. Beyond the register, answering data-subject rights under Articles 15, 17, and 22 requires knowing which personal data entered which AI interactions, which calls for a per-request record tying identity to prompt content and outcome. A contemporaneous, identity-bound audit record of AI requests is what makes these responses defensible, rather than reconstructed after a request arrives.
- Is sending a prompt to a US model an international data transfer?
If the prompt contains personal data and the model endpoint is outside the EEA, then yes, it is a restricted international transfer under GDPR Chapter V and needs a valid transfer mechanism such as an adequacy decision or standard contractual clauses. The practical difficulty is visibility: transfers happen at the moment a prompt is sent, so unless the AI request layer enforces data-residency policy over which endpoints a prompt may reach, the transfer is happening without governance. Controlling endpoint routing at the request boundary is how the transfer becomes a governed decision rather than an invisible one.