The GDPR does not forbid using artificial intelligence. But the moment you enter personal data into a cloud assistant (a client's name, an email, an HR file, a medical note), you carry out a data processing operation for which you are accountable. And most consumer services put you at odds with the rules on three precise points: an unclear legal basis, a transfer outside Europe, and a processor you don't control. What makes the use compliant isn't the provider's brand, it's keeping control over where the data goes.
The good news is that these three points can be solved. You just need to know where they hide.
Under the GDPR, personal data is any information that makes someone identifiable, directly or not. A harmless prompt often contains some without you realising: "draft a reply for Mr Martin whose contract is ending", "summarise this email from our client", "proofread this letter for the patient". The text you paste is sent in full to the provider.
The first compliance reflex is therefore data minimisation: only send what is necessary. Anonymise where possible, remove identifying details that add nothing to the request. This helps, but it isn't enough, because in many professions the identifying data is the work. A lawyer cannot anonymise the case they are handling.
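As an added illustration of that minimisation step (example code, not from the original post): a small pseudonymisation pass that swaps the identifiers named above (a name after an honorific, an email address, a file number) for placeholders before a prompt is sent, and keeps the re-identification table on the premises. The patterns and the sample prompt are constructed for this example and would need tuning to real documents.

```python
import re

# Patterns for the kinds of identifiers the post lists: an email address,
# an honorific followed by a name ("Mr Martin") and a file or case number.
# These are constructed for the example; a real deployment tunes them to
# its own documents and still reviews what slips through.
PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("PERSON", re.compile(r"\b(?:Mrs|Mr|Ms|Dr)\.?\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)?")),
    ("FILE", re.compile(r"\b(?:file|case|ref)\s*(?:no\.?|number|#)?\s*"
                        r"(?=[A-Z-]*\d)[A-Z0-9-]{4,}\b", re.I)),
]
PLACEHOLDER = re.compile(r"\[[A-Z]+_\d+\]")


def pseudonymise(prompt):
    """Swap identifiers for numbered placeholders before the prompt leaves.

    Returns (redacted_prompt, mapping). Only the redacted prompt goes to
    the cloud assistant; the mapping is kept on the premises.
    """
    mapping = {}  # placeholder -> original value, never sent out
    redacted = prompt
    for label, pattern in PATTERNS:
        def replace(match, label=label):
            value = match.group(0)
            for placeholder, original in mapping.items():
                if original == value:  # same identifier, same placeholder
                    return placeholder
            n = sum(1 for p in mapping if p.startswith(f"[{label}_")) + 1
            placeholder = f"[{label}_{n}]"
            mapping[placeholder] = value
            return placeholder
        redacted = pattern.sub(replace, redacted)
    return redacted, mapping


def reidentify(text, mapping):
    """Put the original values back into the assistant's reply, locally."""
    return PLACEHOLDER.sub(lambda m: mapping.get(m.group(0), m.group(0)), text)


if __name__ == "__main__":
    # Constructed prompt in the spirit of the post's examples.
    prompt = ("Draft a reply for Mr Martin (mr.martin@example.com) about "
              "file 2024-0457; copy Mr Martin's assistant.")
    sent, kept_local = pseudonymise(prompt)
    print(sent)        # what leaves: no name, email or file number
    print(kept_local)  # what stays: the re-identification table
```

The limit the post states still applies: where the identifying detail is the substance of the request, a placeholder empties the prompt of its meaning, and the pass only reduces exposure rather than removing the processor question.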
When you send personal data to a cloud assistant, the provider acts as a processor within the meaning of Article 28 of the GDPR. This requires a contract framing what they may do with that data, and it leaves you as the controller. In other words, it is your liability that is engaged, not theirs.
Two concrete problems arise with consumer offerings:
Checking these two points before entrusting anything to an assistant isn't a legal formality, it's what determines whether you are compliant.
This is the most serious obstacle. As soon as the provider processes the data outside the European Union, you fall under the regime for international transfers (Articles 44 and following), which demands solid safeguards. Yet the arrangement that currently frames data flows to the United States remains legally fragile, contested, and liable to be struck down as the two previous ones were.
The advertised hosting location doesn't settle the matter: a service run by a company subject to US law stays exposed, even from a European datacenter. I covered that mechanism in a dedicated article, why "hosted in Europe" isn't enough. For the GDPR, what matters here is that the transfer doesn't depend on the server's address but on who actually processes the data, and under which law.
The CNIL has said it repeatedly: AI is compatible with the GDPR, provided you respect the framework. In practice, for professional use, it comes down to being able to answer yes to each of these questions:
This checklist is demanding with a consumer cloud service. It becomes simple as soon as the data no longer leaves your premises, because that removes, in one move, the question of transfers and that of the third-party processor.
If the AI runs on your own infrastructure, your personal data is never handed to a third party. There is no international transfer to frame, no external processor to audit, no training clause to watch. You remain the controller, but you process on your own premises, which the GDPR views very favourably.
This is the principle behind Gungnir, the AI assistant that installs on your own infrastructure: the conversations and documents you entrust to it never leave, and you choose the models you plug in. Compliance isn't a marketing promise here, it follows from where your data lives.
This site applies the same logic: no cookies, no trackers, no third-party requests. The surest way to protect a piece of data is still not to hand it to someone else.
No. The GDPR frames the use, it doesn't forbid it. The problem is entering personal data into a service that offers no processing agreement, reuses your inputs, or processes data outside Europe without safeguards. Without personal data in your prompts, the question doesn't arise in the same way.
As soon as a text makes a person identifiable, directly or by cross-referencing, it is personal data: a name, an email, a file number, a detail of someone's situation is enough. In most professions, everyday requests contain some without you paying attention.
Not necessarily. European hosting answers the question of where the data is stored, not who controls and processes it. A service run by a company under foreign law stays exposed. The detail is explained in the article on the CLOUD Act and European hosting.
It doesn't exempt you from being the controller, but it removes the heaviest obstacles: no transfer outside the EU, no third-party processor, no reuse of your data by a provider. You still have to respect the basics (purpose, minimisation, security), which are in your hands.