Definition

GDPR

The GDPR (General Data Protection Regulation, Regulation 2016/679) is the EU's comprehensive data-protection law, in force since May 2018.

For AI usage, the load-bearing articles are Article 6 (lawful basis), Article 9 (special categories), Article 25 (privacy by design), Article 28 (processor obligations), Article 30 (records of processing) and Article 33 (breach notification within 72 hours). Sending personal data into an LLM is a "processing operation" requiring a documented lawful basis and a balancing test.

Why it matters

  • Penalties up to €20M or 4 % of global annual turnover, whichever is higher.
  • Pasting a customer email into ChatGPT can constitute an unauthorised transfer of personal data.
  • GDPR fines and EU AI Act fines stack — the same incident can trigger both.

Related terms