GDPR turned eight in 2026 and remains the toughest data-protection regime for AI systems globally — partly because of its extraterritorial reach (you don't need EU offices to be subject to it) and partly because the EU AI Act now layers additional requirements on top. Every AI project we ship for clients serving EU users goes through the five-step process below. Skipping any step has cost clients we know up to €4M in fines plus mandatory remediation.
GDPR's Reach Over AI Systems Outside the EU
GDPR applies to any organization that processes the personal data of EU residents, regardless of where the organization is based. A US SaaS company with EU customers, a Vietnam-based ML training operation processing EU-sourced datasets, a Singapore startup with an EU marketing funnel — all fall under GDPR. "Personal data" is broader than HIPAA's PHI: it includes any data that can be linked to an identifiable individual, including IP addresses, device IDs, and inferred attributes (e.g., an AI's classification of a user). For AI systems specifically, this means model inputs, model outputs, training datasets, fine-tuning data, embeddings derived from personal data, and observability logs are all in scope.
Lawful Basis: Which One Applies to Your AI Workflow
GDPR requires a documented lawful basis for every processing activity. For AI, three bases apply in most cases. Consent: explicit, granular, revocable consent from the user — required for use cases like personalized recommendations, behavioral profiling for marketing, or training on user-generated content where users didn't anticipate ML training as a use. Contract: processing necessary to deliver the service the user signed up for — valid for an AI feature that's a stated part of the product (e.g., "AI summarization of your meeting notes"). Legitimate interest: processing necessary for a legitimate business interest that doesn't override user rights — valid for things like fraud detection or aggregate analytics, but NOT for marketing profiling or training on opted-out user data. The lawful basis must be documented before processing begins, surfaced to the user in your privacy policy with sufficient specificity, and changeable only with notice. Choosing the wrong basis is the most common GDPR violation in AI products.
📥 Free Download: Vietnam Offshore Dev Cost Guide 2026
Real developer rates, project cost breakdowns, and a budget planning template. Used by 200+ startup founders.
Ready to build?
NKKTech delivers AI Development projects from $30K.
Fixed scope. Senior Vietnam engineers. 14-day kickoff.
DPIA: When Required, How to Conduct
A Data Protection Impact Assessment is required whenever processing is likely to result in a high risk to user rights. The Article 29 Working Party guidelines explicitly flag several AI patterns as high-risk: systematic monitoring (e.g., AI-powered employee productivity tracking), large-scale processing of sensitive data (health, biometric, genetic), automated decision-making with legal or similarly significant effects (credit scoring, hiring), and innovative use of new technology (most production AI deployments). Practically, you should conduct a DPIA for nearly every customer-facing AI system serving EU users. The DPIA documents: the processing purpose, the legal basis, the data flows, the risks to user rights, and the safeguards in place. It must be reviewed annually or whenever processing materially changes. We have a 6-page DPIA template we use for client projects; the first time through takes 2–4 hours of engineering time with legal review.
Data Minimization and Purpose Limitation
GDPR's data minimization principle: collect only the personal data necessary for the stated purpose, and don't repurpose it later without re-consent. For AI systems this has two big implications. Training data: if you collected user data for product delivery, you cannot use it for ML training without specific consent or a clearly disclosed legitimate interest. Many AI products are quietly in violation here — the privacy policy says "we use your data to provide the service" but the team trains the model on user data without explicit notice. Fix this with separate, granular consent for training; or use synthetic data; or use data your users explicitly contributed for training (e.g., a feedback button "share this example to improve the AI"). The second implication: feature engineering. If you derive new attributes from a user's data (sentiment classification, persona inference), those derived attributes are personal data too, subject to the same rules. Document them in your data inventory.
User Rights: Especially the Right to Erasure
GDPR grants users the right to access, correct, port, restrict, object, and erase their personal data. The trickiest for AI is erasure — "the right to be forgotten" — because deleting a user's data from your operational database doesn't remove their influence from a model that was trained on their data. The current regulatory consensus (informed by the Italian DPA's 2024 ChatGPT decision and the EU AI Act): you must have a process to honor erasure requests, which at minimum means removing the user from training data going forward; in some cases retraining the model without the erased user is required; for embedding-based systems, deleting the user's embeddings and metadata is straightforward and we automate this. Build this into your deployment from day one — bolting it on later requires architectural changes most teams underestimate. For the broader compliance picture covering HIPAA, PDPA (Vietnam, Singapore, Thailand), PIPEDA (Canada), APPI (Japan), and the EU AI Act risk classification, see our AI Compliance Guide for 2026.
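The two points above, separate training consent for data minimization and an erasure path that also clears vectors and derived attributes, combined in one added example (not code from the original post or from NKKTech). The Store class, the in-memory dictionaries standing in for an operational database, a vector index and a consent ledger, and the function names are assumptions for illustration.

```python
"""Added example: granular training consent plus an erasure handler that also
removes embeddings and derived attributes, with a tombstone so future training
exports keep excluding the user. All stores are constructed in-memory stand-ins."""
from dataclasses import dataclass, field


@dataclass
class Store:
    users: dict = field(default_factory=dict)       # user_id -> profile (operational DB)
    embeddings: dict = field(default_factory=dict)  # user_id -> list of vectors (vector index)
    derived: dict = field(default_factory=dict)     # user_id -> inferred attributes
    consent: dict = field(default_factory=dict)     # user_id -> set of consented purposes
    erased: set = field(default_factory=set)        # tombstones for erased user ids
    audit: list = field(default_factory=list)       # append-only record of erasure actions


def erase_user(store: Store, user_id: str) -> dict:
    """Honour an erasure request: drop profile, vectors and derived attributes,
    then tombstone the id so later pipelines cannot reintroduce the user."""
    removed = {
        "profile": store.users.pop(user_id, None) is not None,
        "embeddings": len(store.embeddings.pop(user_id, [])),
        "derived": len(store.derived.pop(user_id, {})),
    }
    store.consent.pop(user_id, None)
    store.erased.add(user_id)
    store.audit.append(("erase", user_id, removed))
    return removed


def training_export(store: Store) -> list:
    """Return only records whose owner gave a separate 'training' consent and is
    not erased; 'service' consent alone never licenses ML training."""
    rows = []
    for uid, profile in store.users.items():
        if uid in store.erased or "training" not in store.consent.get(uid, set()):
            continue
        rows.append({"user_id": uid, **profile})
    return rows


def demo() -> Store:
    """Constructed sample data: three users, one erasure request."""
    s = Store()
    s.users = {"u1": {"text": "notes A"}, "u2": {"text": "notes B"}, "u3": {"text": "notes C"}}
    s.embeddings = {"u1": [[0.1, 0.2]], "u2": [[0.3, 0.4]]}
    s.derived = {"u1": {"sentiment": "positive"}}
    s.consent = {"u1": {"service", "training"}, "u2": {"service"}, "u3": {"service", "training"}}
    erase_user(s, "u1")
    return s
```

The audit list gives the record a DPIA reviewer would expect to see for each erasure, and the tombstone set is what makes "removing the user from training data going forward" hold across later export runs.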

10+ years building AI systems for Toyota, Sony, and Rakuten in Japan. Founded NKKTech in 2018 with a senior-only engineering model.
Want to build this with NKKTech?
Building an AI system for EU users and need a GDPR + EU AI Act review? Book a free 30-minute call with a NKKTech engineer who has shipped GDPR-compliant AI for European fintech and SaaS clients. We'll review your architecture, flag the gaps, and walk you through a DPIA template.
Book a Free Call