AI and GDPR: Deploying Compliant AI

The complete guide to reconciling artificial intelligence and personal data protection

Compliance
By Victor
14 min read

73% of French companies report being concerned about the GDPR compliance of their artificial intelligence projects. Yet only 12% of them have taken concrete action to address this. The result: projects frozen, opportunities missed, and competitors moving forward while you hesitate. At JAIKIN, we have been deploying GDPR-compliant AI systems since our inception — because automation that exposes your company to a 20 million euro fine is not intelligent automation. This comprehensive guide gives you the keys to deploy GDPR-compliant AI with complete peace of mind.

In this article

  1. 1. GDPR and AI: what the regulation actually says
  2. 2. The 7 GDPR obligations for AI systems
  3. 3. Practical checklist: is your AI compliant?
  4. 4. Our approach: AI compliant by design
  5. 5. Concrete case study: GDPR-compliant HR automation
  6. 6. GDPR-compliant AI and AI Act: dual compliance
  7. 7. Frequently asked questions
  8. 8. Sources

1. GDPR and AI: what the regulation actually says

The General Data Protection Regulation was not written with artificial intelligence specifically in mind — it dates from 2016, well before the explosion of language models. But its principles fully apply to AI systems whenever they process personal data. And that is precisely where most companies go wrong: they think that GDPR-compliant AI is an unattainable goal, when the legal framework is actually clear and structured.

Article 22: automated decision-making

Article 22 of GDPR is the text most directly linked to AI. It stipulates that "the data subject has the right not to be subject to a decision based solely on automated processing", when that decision produces legal or significant effects. Concretely, if your AI agent alone decides to reject a job application, terminate a contract, or assign a credit score, you are in violation — unless you have implemented specific safeguards.

The solution is not to abandon automation, but to design GDPR-compliant AI agents that integrate human supervision into their decision loop. At JAIKIN, every automation affecting significant decisions includes a human validation mechanism (human-in-the-loop).

Article 35: Data Protection Impact Assessment (DPIA)

Article 35 requires conducting a Data Protection Impact Assessment (DPIA) when a processing activity is likely to result in high risk to the rights and freedoms of individuals. CNIL considers that most large-scale AI processing falls into this category, particularly those involving profiling, systematic evaluation, or processing of sensitive data.

A DPIA is not a bureaucratic formality: it is a strategic tool. It forces you to map data flows, identify risks, and document mitigation measures before deployment. We systematically integrate this analysis into our GDPR-compliant AI automation missions.

Legal basis: legitimate interest vs. consent

Any processing of personal data requires a legal basis. For AI in enterprise, two bases are generally invoked: legitimate interest (Article 6.1.f) and consent (Article 6.1.a). Legitimate interest is often better suited for B2B processing (optimization of internal processes, analysis of business data), but it requires balancing against the rights of individuals concerned. Consent, meanwhile, is necessary when you process sensitive data or conduct large-scale profiling.

"GDPR-compliant AI is not a brake on innovation. It is the framework that allows innovation to last."

2. The 7 GDPR obligations for AI systems

Deploying GDPR-compliant AI requires respecting seven fundamental obligations. We detail them here with their specific application to artificial intelligence systems.

1

Data minimization

Collect only data strictly necessary for processing. An AI agent for business analysis does not need your customers' personal addresses. This is the most frequently violated principle: by default, people send "everything" to the model, when only a fraction is relevant.

2

Purpose limitation

Data collected for a specific objective cannot be reused for another without a legal basis. If your CRM collects data for sales tracking, you cannot use it to train an HR scoring model.

3

Transparency

Individuals must be informed that an AI system processes their data, the logic of processing, and possible consequences. This implies clear information notices in your terms and forms.

4

Right to explanation

In case of automated decision-making, any individual can request a comprehensible human explanation. Your systems must therefore be capable of tracing and explaining the reasoning behind a decision.

5

Data Protection Impact Assessment (DPIA)

Mandatory for high-risk processing. CNIL has published a list of processing requiring a DPIA, and most AI use cases are on it: profiling, systematic evaluation, large-scale data.

6

DPO's role

The Data Protection Officer must be consulted during the design phase of the AI system. If one does not exist in your structure, an external DPO is recommended for any major project.

7

Limited storage of data

Personal data processed by your AI cannot be retained indefinitely. You must define retention periods proportionate to the processing purpose, and implement automatic purge mechanisms. For an AI agent sorting applications, for example, data from unsuccessful candidates must be deleted or anonymized within a reasonable timeframe (generally 24 months according to CNIL).

These seven obligations are not theoretical constraints: they form the foundation of any GDPR-compliant AI automation. Ignoring one of them exposes you to penalties reaching 4% of annual worldwide turnover — and more concretely, to a loss of trust from your customers and partners.

3. Practical checklist: is your AI compliant?

Before deploying — or if you have already deployed — an AI system, review this checklist. Each unchecked item represents a concrete legal risk.

Governance and documentation

Processing register updated

Is your AI system listed in your processing register (Article 30) with a description of data processed, purposes, and recipients?

DPIA conducted

Has an impact analysis been conducted to identify and mitigate risks related to AI processing?

Legal basis identified

Have you determined and documented the applicable legal basis (legitimate interest, consent, contractual performance)?

DPO consulted

Has your DPO (internal or external) validated the deployment of the AI system?

Technical architecture

Data minimization at input

Are only strictly necessary data sent to the AI model? No unnecessary fields?

Data hosting localized

Is personal data hosted in the EU? Are transfers outside the EU governed by standard contractual clauses?

Data encryption

Is data encrypted at rest and in transit? Are encryption keys secure?

Pseudonymization or anonymization

Is data pseudonymized before AI processing when identification is not necessary?

Rights of individuals

Transparent information

Are individuals informed of the use of an AI system in processing their data?

Rights exercise procedure

Is there a clear process for responding to requests for access, rectification, deletion, and objection?

Human oversight

Can a human intervene and contest a decision made by the AI system? Is the escalation process documented?

Data retention and purge policy

Are retention periods defined? Is an automatic deletion mechanism in place?

If you checked fewer than 8 items out of 12, your AI system presents compliance risks. This is precisely the type of situation where specialized support makes a difference.

Need an AI compliance audit?

Our experts analyze your existing AI systems or automation projects to identify GDPR risks and propose concrete solutions. Free audit, no commitment.

Request free audit →

4. Our approach: AI compliant by design

At JAIKIN, GDPR compliance is not a post-deployment audit — it is a founding principle of every automation. We have developed a "compliance by design" methodology that integrates data protection from the first line of specification. Here are the technical pillars that make our approach different.

n8n self-hosted: your data stays with you

We use n8n as the workflow orchestration engine, deployed on your infrastructure or on European servers. Unlike American SaaS platforms (Zapier, Make), self-hosted n8n guarantees that your data never transits through servers located outside the European Economic Area. This is a fundamental difference for compliance: no transatlantic transfer, no risk related to the American Cloud Act, no dependence on a service provider subject to American law.

To learn more about the limitations of American SaaS platforms, see our comprehensive guide to AI automation for SMEs.

Local LLMs: no data sent to the cloud

For the most sensitive processing, we offer the deployment of local language models (Mistral, LLaMA, or other open-source models) directly on your infrastructure. Your data never leaves your network. This option is particularly suited to regulated sectors (healthcare, finance, HR) where data sensitivity is maximum.

When the power of a cloud LLM is necessary (GPT-4, Claude), we implement pseudonymization layers upstream: personal data is replaced by random identifiers before sending to the model, then restored downstream. The model never sees identifying data.

Architecture with "zero data leakage"

Every automation we deploy follows a strict architectural pattern:

🔒

Input filtering

Only necessary data enters the pipeline. Unnecessary fields are eliminated at the first step.

🔀

Pseudonymization

Identifying data is replaced by tokens before sending to an external LLM. The correspondence table stays on your server.

🗑

Automatic purge

Temporary data is automatically deleted after processing. Logs are anonymized according to defined retention periods.

This architecture makes our GDPR-compliant AI automation solutions among the most secure on the European market. Discover our GDPR-compliant AI implementation approach or all our AI automation services.

5. Concrete case study: GDPR-compliant HR automation

Recruitment is one of the areas where AI brings the most value — and where GDPR risks are highest. Here is how we deployed GDPR-compliant AI automation for the pre-screening process of a 200-employee SME.

The problem

The HR team received an average of 350 applications per month for 8 to 12 open positions. Manual sorting took 40 hours per month. Several AI solutions on the market had been considered but abandoned by the DPO because of sending complete CVs (with photo, address, age) to American servers.

Our solution

We designed a self-hosted n8n workflow on the company's infrastructure, with the following steps:

Step 1: Extraction and anonymization

A parser extracts skills, experience, and training from the CV. Personal data (name, address, photo, date of birth) are immediately separated and stored in a separate encrypted database.

Step 2: Local LLM analysis

A locally deployed Mistral model evaluates the fit between anonymized skills and the desired profile. It generates a score and summary — without ever accessing identifying data.

Step 3: Human validation

The recruiter receives a shortlist with scores and summaries. They validate, adjust, or challenge recommendations. No application is automatically rejected — AI assists, it does not decide.

Step 4: Scheduled purge

Data for unsuccessful candidates is automatically anonymized after 24 months (in accordance with CNIL recommendations). Selected candidates are transferred to the HRIS with their consent.

Results

-75 %

time spent on application screening

100 %

GDPR compliance validated by DPO

0

personal data sent outside infrastructure

This case perfectly illustrates that GDPR-compliant AI is not limited AI — it is better designed AI. To discover other use cases of operational AI agents, consult our dedicated guide.

6. GDPR-compliant AI and AI Act: dual compliance

Since February 2, 2025, the AI Act (European Regulation on Artificial Intelligence) has come into force, adding an additional layer of compliance. Now, a company deploying AI in Europe must respect both GDPR and the AI Act. This dual compliance is not redundant: the two regulations are complementary.

Aspect GDPR AI Act
Objective Protection of personal data Regulation of AI systems
Classification By type of data By risk level (minimal, limited, high, unacceptable)
Transparency Information on data processing Information on AI system functioning
Human oversight Right not to be subject to automated decision Human control requirement for high-risk systems
Sanctions Up to 4% of worldwide turnover Up to 35 million euros or 7% of worldwide turnover

The AI Act classifies AI systems into four risk levels. Most business automations (CRM, finance, HR) fall into "limited risk" or "high risk" categories, the latter applying particularly to recruitment, credit evaluation, and scoring of individuals.

Our "compliance by design" methodology natively covers the requirements of both regulations. To explore this topic further, see our white paper on the AI Act as well as our detailed analysis of AI compliant with AI Act in practice.

"Companies that anticipate dual compliance GDPR + AI Act will gain considerable advantage. Those who wait will have to manage regulatory urgency on top of technological transformation."

Ready to deploy responsible AI?

JAIKIN designs AI automations compliant with GDPR and AI Act from day one. Let's talk about your project.

Schedule a meeting →

7. Frequently asked questions

Is using ChatGPT in business GDPR compliant?

Not necessarily. If you send personal data of customers or employees via ChatGPT interface or OpenAI API, that data is transferred to American servers. This constitutes a transfer outside the EU that requires specific safeguards (standard contractual clauses, transfer impact assessment). Our approach prioritizes European LLMs or self-hosted ones, and when an American LLM is essential, we pseudonymize data before sending.

Must a DPIA be conducted for each AI project?

A DPIA is mandatory when the processing is likely to result in high risk to the rights and freedoms of individuals. In practice, CNIL recommends conducting a DPIA for any processing involving profiling, systematic evaluation, or large-scale data. At JAIKIN, we systematically conduct a simplified DPIA for each project, even when not formally required, because it is an excellent risk mapping tool.

How to reconcile data minimization with AI effectiveness?

Contrary to popular belief, less data does not mean less performance. An AI model fed with relevant, targeted data will often outperform a model flooded with noisy data. The key is in prompt engineering and data structuring upstream. We design pipelines that extract only necessary attributes before AI processing.

Can an AI agent make automated decisions about individuals?

Article 22 of GDPR prohibits decisions based solely on automated processing producing legal or significant effects, except in specific cases (explicit consent, contractual necessity, legal authorization). In practice, we design all our AI agents with a human-in-the-loop mechanism: AI recommends, humans decide. This eliminates Article 22 risk while retaining 90% of the productivity gain.

What is the difference between pseudonymization and anonymization for AI?

Pseudonymization replaces direct identifiers (name, email) with codes, but data remains "personal" because re-identification is possible with the correspondence table. GDPR still applies. Anonymization makes re-identification impossible — data then falls outside GDPR scope. For AI, we use pseudonymization when we need to associate results with individuals (CV screening, for example), and anonymization for statistical analysis and model training.

How to ensure an AI provider respects GDPR?

Require five elements: (1) a data processing agreement compliant with Article 28 of GDPR, (2) precise location of servers processing your data, (3) technical and organizational security measures, (4) data retention and deletion policy, and (5) ability to respond to rights exercise requests. At JAIKIN, we systematically provide these elements and prioritize architectures where data remains under your direct control.

8. Sources

CNILPractical guide: artificial intelligence and personal data (2024).
https://www.cnil.fr/fr/intelligence-artificielle

CNILRecommendations on generative AI systems (2024).
https://www.cnil.fr/fr/ia-generative

Regulation (EU) 2016/679 — General Data Protection Regulation.
Full text on EUR-Lex

Regulation (EU) 2024/1689 — AI Act (European Regulation on Artificial Intelligence).
Full text on EUR-Lex

European Data Protection Board (EDPB)Guidelines on Automated individual decision-making and Profiling (WP251rev.01).
https://www.edpb.europa.eu

CNILList of processing requiring Data Protection Impact Assessment (DPIA).
https://www.cnil.fr/fr/analyse-dimpact

Deploy compliant AI, starting today

JAIKIN supports SMEs and mid-market companies in deploying AI automations compliant with GDPR and AI Act. Our solutions are designed for performance and compliance — without compromise. Schedule a meeting for a free assessment.

Free assessment →

Related reading

AI Act 2026: What the European Regulation Changes for Your AI

The European AI regulation enters into force in phases. Timeline, risk classification, concrete obligations and 8 steps to make your AI compliant.

Read

Compliant AI Automation: Balancing Performance and Regulation

Compliance is not a barrier to automation — it's a competitive advantage. Discover the 3 pillars of GDPR and AI Act compliant AI automation.

Read

EU AI Act: The Complete Reference Guide

Comprehensive and neutral analysis of EU Regulation 2024/1689 on artificial intelligence: risk classification, obligations by actor, penalties, and implementation timeline.

Read