Skip to content
PrivateAI
← Back to Home
Privacy Guides

GDPR and AI Tools: A Practical Compliance Guide for Tech Workers in 2026

11 min readBy PrivateAI Team

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.

Proton for Business adds team management, custom domains, and admin controls — relevant if you're implementing this stack for your team, not just yourself.

Tresorit — Zero-Knowledge Storage for Files You Feed Into AI

When you absolutely must share a file that will be processed by AI — internally, with a vendor, or with a client — the storage and transfer layer needs to be locked down.

Tresorit uses client-side end-to-end encryption, meaning even Tresorit's servers can't read your files. This is called zero-knowledge architecture. The encryption happens on your device before the file ever hits the network.

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.

Perplexity Pro subscribers can opt out of data collection for AI training under their privacy settings. More importantly, for research queries that don't contain personal data, Perplexity's architecture (retrieve-then-generate, with cited sources) means you're not submitting sensitive context to a model — you're asking it to search and summarize public information.

The GDPR case for Perplexity: use it for research that doesn't involve personal data. Use local LLMs or Proton-adjacent tools for everything that does.


Building a Compliant AI Workflow: Step by Step

Here's how to architect your daily AI use around GDPR requirements.

Step 1: Classify your tasks

Split your AI use into two buckets:

  • Category A: Tasks involving personal data (customer names, emails, support tickets, employee records, medical info, financial records)
  • Category B: Tasks with no personal data (coding, research, drafting from scratch, summarizing public information)

Category B is low risk regardless of tool. Category A requires the compliant stack.

Step 2: Route Category A tasks to local or zero-knowledge tools

For Category A work:

  • Store source documents in Tresorit or Proton Drive
  • Process them with a local LLM via Ollama
  • Redact names and identifiers before processing if possible (pseudonymization satisfies GDPR Article 4(5))
  • Store outputs in the same encrypted environment

Step 3: Set up Ollama for your Category A workload

```bash

Install Ollama (macOS)

brew install ollama

Pull a capable model for work tasks

ollama pull mistral

Run with a local UI (optional)

docker run -d -p 3000:8080 ghcr.io/open-webui/open-webui:main

```

For most document summarization, drafting, and classification tasks, mistral or llama3.2 are sufficient. For code, qwen2.5-coder is excellent.

Step 4: Use Perplexity for research, not for context

When you need to research a topic, look up regulations, find recent case law, or summarize public reports, Perplexity Pro is your tool. It's built for retrieval — finding and synthesizing public information — not for ingesting your private context.

Think of it as a private search layer, not a document processor.

Step 5: Document your AI use for compliance records

GDPR's accountability principle (Article 5(2)) requires you to demonstrate compliance, not just achieve it. Keep a simple log:

  • What AI tools are in use
  • What categories of data they process
  • What DPAs or legal bases cover each tool
  • Where outputs are stored

A spreadsheet is fine. Regulators want to see that you've thought about it.


The DPA Checklist: What to Verify Before Using Any AI Tool at Work

Before adding any cloud AI tool to your work stack, run through this:

  • [ ] Does the vendor offer a signed Data Processing Agreement?
  • [ ] Does the DPA specify the purpose and scope of processing?
  • [ ] Where is data stored? (EU, US, or elsewhere — and does your organization's policy permit it?)
  • [ ] Does the vendor use your data for model training? Can you opt out?
  • [ ] What is the data retention policy?
  • [ ] Does the vendor have a published incident response process for data breaches?
  • [ ] Is there a sub-processor list? (AI tools often have sub-processors — cloud providers, annotation vendors — that also receive your data)

ChatGPT Enterprise passes most of these. The consumer ChatGPT API passes some with configuration. The free consumer tier fails several by default.


Common Mistakes to Avoid

Mistake 1: Assuming "chat history off" means no data retention

Disabling chat history in ChatGPT stops it from appearing in your sidebar. OpenAI still retains the conversation for up to 30 days for safety review. This is not the same as no retention.

Mistake 2: Treating pseudonymization as anonymization

Replacing "Jane Smith" with "User A" in a document before feeding it to an AI is pseudonymization, not anonymization. GDPR still applies to pseudonymous data. True anonymization requires that re-identification be impossible — a high bar.

Mistake 3: Ignoring the "legitimate interest" loophole

Some teams try to justify AI use under GDPR's legitimate interests basis (Article 6(1)(f)) without doing the required balancing test. Legitimate interests is a real legal basis, but it requires documented analysis weighing your interests against data subjects' rights. It's not a get-out-of-jail-free card.

Mistake 4: Forgetting sub-processors

When you use an AI tool, you're often also using its cloud provider (AWS, Azure, GCP), its vector database vendor, and potentially annotation contractors. All of these are sub-processors, and GDPR requires you to account for them.


The Compliant Stack Summary

| Task | Tool | GDPR Status |

|------|------|-------------|

| Document summarization (personal data) | Ollama + local model | ✅ Clean |

| File storage and sharing | Tresorit | ✅ Clean |

| Email and productivity | Proton Suite | ✅ Clean |

| Research and public info | Perplexity Pro | ✅ With settings |

| Coding assistance | Ollama + qwen2.5-coder | ✅ Clean |

| Consumer ChatGPT (work tasks) | — | ❌ Non-compliant by default |


Stay Ahead of the Curve

GDPR enforcement of AI tool use is accelerating. Italy's Garante blocked ChatGPT in 2023. Ireland's DPC has issued guidance on AI tools and personal data. The EU AI Act — now in effect — adds additional layers specifically for high-risk AI use in employment, credit, and healthcare contexts.

Tech workers who build compliant habits now will be the ones their organizations trust with AI access as governance tightens.

Want a personal checklist for auditing your current AI tool stack? Join the PrivateAI newsletter — we publish practical compliance templates, tool reviews, and data sovereignty guides every two weeks.

Get the PrivateAI newsletter →

No spam. Unsubscribe any time.


Last updated: 2026-03-24. GDPR enforcement and vendor policies change. Verify DPA availability and data residency settings directly with vendors before making compliance decisions.