"But does the GDPR also apply to artificial intelligence?"
I've been asked this so many times I've lost count. And every time the answer is the same: the GDPR doesn't know what artificial intelligence is. The GDPR cares about one thing only: how you process people's personal data. The rest (whether you use paper, Excel or a language model with billions of parameters) is a technical detail.
And yet this "technical detail" is creating a real headache for many organizations. Because using AI to manage documents almost always means processing personal data in new ways. And often it also means sending them somewhere they weren't going before.
As the European Data Protection Board emphasized in its opinion on AI models: "GDPR principles support responsible AI." They're not in conflict, but you need to know how to apply them.
Let's get some clarity.
Business documents are full of personal data (more than you think)
First objection I always hear: "But we don't process personal data, we do B2B."
Hold on. Open a random contract. Are there names and signatures? That's personal data. Is there a delivery address? Personal data. A reference to a contact person with email and phone? Personal data. An IBAN in the name of an individual? Personal data.
And let's not even talk about HR documents, CVs, payslips, performance reviews, which are practically 100% personal data. Or legal files, where there's often also sensitive data: health information, religious beliefs, union membership.
Bottom line: if you handle business documents, you handle personal data. There's no escape.
What happens when AI meets GDPR
Here's where things get complicated. Imagine using a cloud service to search for information in your documents. You upload a contract, you ask "what are the confidentiality clauses?", you get an answer.
What happened behind the scenes? The document was sent to an external server. It was processed, which means an algorithm "read" all the personal data it contained. It was probably stored, at least temporarily. And in some cases (this is the controversial point) it may have been used to train the model.
Now, under the GDPR, each of these steps is a "processing" activity. And every processing activity requires a legal basis. If the data is transferred outside the EU, specific safeguards are required. If there's automated profiling, other obligations come into play.
The result? What seemed like a simple gesture (uploading a document and asking a question) from a privacy point of view is a complex operation that requires contracts, checks, assessments.
As the IAPP explains well in their analysis on the AI Act and GDPR, the fundamental principles remain the same: lawfulness, transparency, purpose limitation, data minimization. But applying them to AI systems requires particular attention.
The "secure servers" trap
One of the phrases that most raises my antennas is: "Don't worry, our servers are super secure."
Not because it's false, but because it answers the wrong question. The GDPR doesn't just ask that data be secure. It asks that you know exactly where it is, who accesses it, how long it's kept, and that you can delete it on request.
With many cloud services, this information is vague. Where are the servers physically? It depends on the load. Who are the sub-processors? A list of 40 companies in 15 countries. Can I delete the data? Sure, but it stays in backups for 6 months.
I'm not saying it's illegal. I'm saying that compliance becomes a continuous bureaucratic exercise: DPAs to sign, contractual clauses to verify, records to update. And if something goes wrong (a data breach, an access request you can't fulfill) you're the one responsible, not the provider.
The solution that simplifies everything
You know what the simplest way to be GDPR-compliant with document AI is? Don't let the data leave.
If the AI runs on your infrastructure, on your servers, in your corporate network, all the complexity of data transfers disappears. There are no sub-processors to monitor. There are no extra-EU transfers to justify. There's no ambiguity about where the data is: it's there, under your control, period.
The right to be forgotten? You delete the document and it no longer exists. No backup in data centers distributed on the other side of the world. No residual copy you have no visibility into.
It's not just a matter of formal compliance. It's a matter of peace of mind. When a client asks you "but where do my data end up?", the answer "they stay here, they never leave our network" closes the discussion.
"But on-premises costs too much"
I often hear this objection, and I understand where it comes from. The idea of buying hardware, installing software, managing updates, sounds like enterprise stuff with million-dollar budgets.
But things have changed. Today there are solutions like DocZoom that run on compact dedicated hardware (think of a device the size of a book) and install in a few hours, not weeks. The cost? Comparable to a couple of years of cloud service, with the difference that after the initial investment costs drop dramatically.
And above all: how much does non-compliance cost? As Harvard Business Review reminds us in the analysis on the EU AI Act, penalties can reach EUR 35 million or 7% of global turnover for the most serious violations. The GDPR provides for up to 4%. The reputational damage from a data breach can be incalculable. Compared to these risks, investing in an on-premises solution is insurance, not an expense.
What the DPO won't tell you (but should)
I talk with many Data Protection Officers, and there's a recurring theme in our conversations: the difficulty of keeping up with AI adoption.
The business wants new tools, employees start using ChatGPT for meeting summaries, someone uploads documents to external services "just to try", and the poor DPO finds themselves chasing situations of fact that nobody had communicated.
With an on-premises solution, this problem is enormously reduced. Not because everyone magically becomes disciplined, but because the system is closed by design. There's no easy way to let data out, even if you wanted to. It's privacy by design in the most literal sense of the term.
In practice, what to do
If you're evaluating a document AI system and GDPR compliance worries you (as it should), here's my practical suggestion.
Start by mapping the documents you handle. How many contain personal data? What kind? Then ask yourself: if these documents ended up online tomorrow, what would the consequences be? Reputational, legal, economic.
If the answer gives you chills, on-premises is often the most prudent choice.
If instead you only manage technical documentation, manuals, standard procedures, then you have more flexibility. You can also evaluate cloud solutions, paying attention to who you choose as a provider and carefully verifying the DPA.
In any case, don't delegate the choice to the IT department. The decision on where to process personal data is a governance decision, not a technical one. The DPO must be involved, and possibly the legal team too.
If your priority is compliance, you can start from the Contact page with a request focused on GDPR and data governance.
