
GDPR for AI

General Data Protection Regulation | Complete Legal Breakdown with Official Citations

Effective: May 25, 2018
Status: Currently Enforced
Penalties: Up to €20M or 4% revenue

Overview

The GDPR is the EU's comprehensive data protection law, with specific provisions for automated decision-making. It applies to any company processing EU resident data and imposes strict requirements for AI transparency, data subject rights, and security measures. Penalties run up to €20M or 4% of global annual revenue, whichever is higher.

Official Citation

Regulation (EU) 2016/679

Key Facts

  • Effective Date: May 25, 2018 (currently enforced)
  • Jurisdiction: European Union (applies to EU resident data)
  • Enforcement: National DPAs (Data Protection Authorities)
  • Max Penalties: €20M or 4% revenue, whichever is higher

Who This Law Applies To

Global Reach

GDPR applies to any organization that processes personal data of EU residents, regardless of where the organization is located.

You must comply if:
  • You have customers in the EU
  • Your AI systems process EU resident data
  • You make automated decisions affecting EU citizens
  • You're a data processor or controller for EU data

Key Roles

Data Controller

Citation: Article 4(7)

The organization that decides why and how to process personal data.

Data Processor

Citation: Article 4(8)

A service provider that processes data on behalf of the controller (e.g., AI vendor).

Lawful Basis for Processing

⚠️ Critical Requirement

Citation: Article 6

You MUST have at least one legal basis to process personal data. Choose from:

1. Consent

The data subject has given clear consent

AI Example: User opts in to AI-powered recommendations

2. Contract

Processing is necessary for a contract

AI Example: AI fraud detection for payment processing

3. Legal Obligation

Required by law

AI Example: AI for anti-money laundering compliance

4. Legitimate Interests

Necessary for the controller's legitimate interests, subject to a balancing test against the data subject's interests and rights

AI Example: AI security monitoring (if proportionate)

Automated Decision-Making (Article 22)

🚫 Right to Object

Citation: Article 22

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

In Plain English: People can object to purely automated decisions that significantly affect them.

Required Safeguards:
  • Right to obtain human intervention
  • Right to express their point of view
  • Right to contest the decision

Data Subject Rights

Right to Access (Art. 15)

People can ask what data you have about them

Right to Rectification (Art. 16)

People can correct inaccurate data

Right to Erasure (Art. 17)

People can ask you to delete their data ("Right to be Forgotten")

Right to Data Portability (Art. 20)

People can get their data in a portable format

Right to Object (Art. 21)

People can object to certain types of processing

Right to Explanation (Art. 22)

People can ask for an explanation of automated decisions

Data Protection Impact Assessment (DPIA)

When Required

Citation: Article 35

Required when processing is likely to result in a high risk to the rights and freedoms of natural persons; examples include:

  • Systematic and extensive profiling with significant effects
  • Large-scale processing of special categories of data
  • Systematic monitoring of publicly accessible areas

How to Cite This Guide

HAIEC. (2026). GDPR for AI: Complete Legal Breakdown with Citations. Retrieved from https://haiec.com/compliance/gdpr/legal-guide

This guide is maintained by HAIEC's legal compliance team and updated regularly to reflect the latest EDPB guidance. Last updated: February 2026.