For privacy, legal, and AI product teams
GDPR Compliance for AI Systems
Operationalize GDPR for AI systems by mapping obligations to controls, linking evidence, and maintaining accountable review history across the AI lifecycle.
What is the General Data Protection Regulation (GDPR)?
The GDPR (Regulation (EU) 2016/679) is the EU's comprehensive data protection law governing how organizations collect, process, store, and share personal data. Enforceable since 25 May 2018, it applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization is based.
For AI systems, GDPR is particularly critical because personal data appears throughout the AI lifecycle: in training datasets, user inputs, operational logs, model outputs, and vendor relationships. Non-compliance carries fines of up to €20 million or 4% of global annual turnover.
Timeline and Key Milestones
The GDPR has been the cornerstone of EU data protection since May 2018. It continues to evolve through landmark court decisions, new adequacy frameworks, and enhanced cross-border enforcement mechanisms. Use these milestones to align governance practices with current enforcement expectations.
European Commission proposes the General Data Protection Regulation
GDPR formally adopted by Parliament and Council; published in the Official Journal on 4 May
GDPR becomes enforceable across all EU Member States after two-year transition period
Schrems II: CJEU invalidates EU-US Privacy Shield, disrupting transatlantic data flows
EU-US Data Privacy Framework adopted, restoring a legal basis for EU-US data transfers
Council adopts a GDPR procedural regulation to streamline handling of cross-border enforcement cases
The GDPR procedural regulation becomes applicable (15 months after entry into force), adding harmonized cross-border procedures
Who is Subject to GDPR?
GDPR has the broadest extraterritorial reach of any EU regulation. There is no size threshold: a one-person startup and a Fortune 500 company face the same obligations. Article 3 defines three scenarios that bring you into scope.
EU Establishment
You process personal data in the context of activities of an establishment in the EU, regardless of whether the processing itself takes place in the EU.
A US company with a sales office in Berlin processes customer data on US servers. GDPR applies because the processing is in the context of the Berlin office's activities.
Offering Goods or Services
You offer goods or services to individuals in the EU, whether paid or free. Indicators include EU languages, currencies, or mentioning EU customers.
A Japanese SaaS tool with an EU pricing page in euros and German-language support is offering services to EU data subjects. GDPR applies even with no EU office.
Monitoring Behaviour
You monitor the behaviour of individuals within the EU, including profiling, tracking, or analytics on EU users.
A US ad-tech company tracks the browsing behaviour of EU website visitors to build advertising profiles. GDPR applies to this behavioural monitoring.
No Size Threshold
Unlike NIS2 or DORA, GDPR has no minimum employee count or revenue threshold. If you process personal data of EU individuals in any of the three scenarios above, GDPR applies, whether you have 1 employee or 100,000.
EU Representative (Article 27)
Non-EU organizations subject to GDPR must designate a representative in the EU. This representative serves as a contact point for data subjects and supervisory authorities and can be held liable for non-compliance.
GDPR Enforcement Has Global Reach
EU regulators have imposed billions in fines on companies worldwide, demonstrating that GDPR's extraterritorial scope is actively enforced.
Unlawful EU-US data transfers (2023)
Non-compliant ad targeting practices (2021)
Data transfers to China, children's data (2025)
Targeted advertising consent violations (2024)
The 7 GDPR Principles
Article 5 of GDPR establishes seven principles that form the foundation of all data protection obligations.
Lawfulness, Fairness & Transparency
Data must be processed lawfully, fairly, and in a transparent manner. Individuals must be informed about how their data is used.
Purpose Limitation
Data must be collected for specified, explicit, and legitimate purposes and not further processed in incompatible ways.
Data Minimisation
Only data that is adequate, relevant, and limited to what is necessary for the stated purpose should be processed.
Accuracy
Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.
Storage Limitation
Data must be kept in a form that permits identification of individuals for no longer than is necessary for the processing purposes.
Integrity & Confidentiality
Data must be processed with appropriate security, including protection against unauthorised access, loss, or destruction.
Accountability
The data controller is responsible for demonstrating compliance with all GDPR principles and must maintain evidence of compliance.
Data Subject Rights
GDPR grants individuals comprehensive rights over their personal data. For AI systems, Article 22 on automated decision-making is particularly relevant.
Right to Access
Individuals can request a copy of their personal data and information about how it is being processed.
Right to Rectification
Individuals can request correction of inaccurate personal data without undue delay.
Right to Erasure
The "right to be forgotten": individuals can request deletion of their personal data under certain conditions.
Right to Restrict Processing
Individuals can request limitation of processing while accuracy or lawfulness is being verified.
Right to Data Portability
Individuals can receive their data in a structured, machine-readable format and transfer it to another controller.
Right to Object
Individuals can object to processing based on legitimate interests, including profiling and direct marketing.
Automated Decision-Making
Individuals have the right not to be subject to decisions based solely on automated processing that produce legal effects.
Right to be Informed
Individuals must be provided with clear, transparent information about how their data is collected and used.
Penalties for Non-Compliance
GDPR introduced the most significant data protection penalties in history, with a two-tier fine structure.
Upper Tier (up to €20 million or 4% of global annual turnover, whichever is higher)
Violations of data processing principles, data subject rights, conditions for consent, and international data transfers.
Lower Tier (up to €10 million or 2% of global annual turnover, whichever is higher)
Violations of obligations on controllers and processors, certification bodies, and monitoring bodies.
Data breaches must be reported to the supervisory authority within 72 hours of becoming aware of the breach. Affected individuals must be notified without undue delay when there is a high risk to their rights.
How Modulos Helps with GDPR Compliance
Modulos gives privacy and product teams one workflow for requirements, controls, evidence, reviews, and exports. This helps you convert policy expectations into verifiable execution records.
Translate GDPR obligations into structured requirements and mapped controls so teams can execute with clear ownership and status tracking.
FAQ about GDPR
What is the GDPR?
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the EU's comprehensive data protection law that governs how organizations collect, process, store, and share personal data. It has been in effect since 25 May 2018 and applies to any organization processing personal data of individuals in the EU.
Who must comply with the GDPR?
GDPR applies to any organization, regardless of location, that processes personal data of individuals in the EU. This includes data controllers (who determine the purpose of processing) and data processors (who process data on behalf of controllers). It has extraterritorial reach, meaning non-EU companies serving EU customers must also comply.
How does the GDPR apply to AI systems?
AI systems process personal data throughout their lifecycle: in training datasets, user inputs, operational logs, model outputs, and vendor relationships. Article 22 specifically addresses automated decision-making, giving individuals the right not to be subject to decisions based solely on automated processing. DPIAs are mandatory for high-risk processing, which includes many AI applications.
What are the penalties for non-compliance?
GDPR has a two-tier fine structure: upper tier fines of up to €20 million or 4% of global annual turnover for violations of core principles, data subject rights, and international transfers; and lower tier fines of up to €10 million or 2% of global annual turnover for violations of controller/processor obligations.
When is a Data Protection Impact Assessment required?
A Data Protection Impact Assessment (DPIA) is required under Article 35 when processing is likely to result in a high risk to individuals' rights and freedoms. This includes systematic evaluation of personal aspects (profiling), large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas. Many AI systems processing personal data will require a DPIA, depending on context and risk.
How does the GDPR relate to NIS2 and DORA?
GDPR governs personal data protection, while NIS2 governs cybersecurity of network and information systems and DORA governs ICT operational resilience in finance. They intersect when a cybersecurity incident causes a personal data breach, triggering parallel reporting obligations under different rules (GDPR: 72 hours to the supervisory authority; NIS2: early warning within 24 hours; DORA RTS: initial major-incident notification within 4 hours of classification and no later than 24 hours from awareness).
How does Modulos support GDPR compliance?
Modulos helps teams operationalize GDPR work by structuring obligations as requirements, mapping controls, linking evidence, and tracking reviews and approvals. The result is clearer execution and audit-ready accountability documentation.
Need Stronger GDPR Governance for AI?
In a live walkthrough, see how to move from policy intent to verifiable execution with structured controls, evidence, and approvals.
