Which AI tools are GDPR-compliant — and what does that mean for EU data?

GDPR compliance is widely claimed by AI tools but inconsistently implemented. 'GDPR compliant' in a privacy policy or marketing page typically means the company has implemented processes to handle EU data subject rights requests. It doesn't automatically mean: a signed data processing agreement (DPA) is available, data stays within the EU or EEA, the tool has been assessed under the EU AI Act GPAI obligations, or the company has adequate safeguards for data transferred from the EU to the US.

For organizations with EU users or EU-resident employees whose personal data enters AI tools, GDPR creates specific obligations: the AI tool vendor is a data processor, which means a DPA is required; data transfers to the US require a legal transfer mechanism (Standard Contractual Clauses or adequacy decision); and data subject rights (access, deletion, portability) must be enabled. These are specific legal requirements, not marketing claims.

Quick answer

  • If you need a signed DPA for GDPR compliance before using an AI tool with EU personal data: Claude Enterprise, ChatGPT Enterprise, Synthesia Enterprise all document DPA availability at enterprise tier; request it directly before processing EU personal data through the tool
  • If you need the AI tool's primary jurisdiction to be EU/UK rather than US: Synthesia is UK-incorporated, with UK GDPR as its primary jurisdiction and not subject to the US CLOUD Act as its primary legal framework; verify whether UK jurisdiction satisfies your specific EU requirement
  • If you need to understand the US CLOUD Act exposure for EU data in US-incorporated AI tools: ChatGPT (OpenAI), Claude (Anthropic), Grok (xAI), Perplexity, Jasper, Copy.ai, Writesonic, Rytr, Leonardo AI, Ideogram, HeyGen, Pictory, Runway are all US-incorporated and subject to CLOUD Act, FISA 702, and NSL authority regardless of GDPR compliance claims
  • If you need to evaluate EU AI Act GPAI compliance status for AI tools: verify directly with each vendor; EU AI Act GPAI obligations take effect August 2, 2026, and most AI tool vendors have not published specific GPAI compliance statements as of May 2026

When it matters

Using an AI tool with EU personal data creates GDPR obligations that are specific and non-negotiable regardless of what the tool's marketing materials say about GDPR compliance.

Data processing agreement (DPA)

  • Required under GDPR Article 28 when a controller (your organization) uses a processor (the AI tool) to process personal data
  • The DPA must specify: the subject matter and duration of processing, the nature and purpose of processing, the type of personal data and categories of data subjects, the controller's obligations and rights
  • Standard ToS agreements are not DPAs; a separate contractual instrument is required
  • DPA availability: Claude Enterprise, ChatGPT Enterprise, Synthesia Enterprise, Copy.ai Enterprise all document DPA availability; standard plans typically don't include contractual DPAs

Data transfer mechanisms for US-incorporated tools

  • EU personal data transferred to US-incorporated companies requires a legal transfer mechanism — Standard Contractual Clauses (SCCs) are the most common mechanism post-Schrems II
  • The EU-US Data Privacy Framework (July 2023) provides an adequacy mechanism for US companies that self-certify; verify whether specific AI vendors are certified
  • Enterprise contracts with US AI tools typically include SCCs as part of the DPA; standard plans may not include these mechanisms
  • Schrems III litigation risk: EU-US data transfer mechanisms remain subject to ongoing legal challenge; monitor for regulatory developments

EU AI Act GPAI obligations (effective August 2, 2026)

  • General Purpose AI (GPAI) models — AI models trained on broad data that can serve many purposes — face new transparency and documentation obligations under the EU AI Act
  • GPAI model providers must maintain technical documentation, publish summaries of training data, and respect copyright in training data
  • High-capability GPAI models (above computational threshold) face additional adversarial testing and incident reporting requirements
  • Most major AI assistant, writing, image, and video tools fall within GPAI scope; compliance statements as of May 2026 are limited

When it fails

GDPR compliance claims in marketing materials and actual GDPR compliance for specific use cases are frequently different things.

  • DPA assumption — assuming GDPR compliance means a DPA is available and in place without actually requesting and signing one is a compliance failure. 'We are GDPR compliant' is a statement about internal processes; it doesn't create a controller-processor agreement.
  • Training data default as GDPR violation — AI tools that use EU personal data for model training by default without valid legal basis are potentially violating GDPR. Training on personal data requires: consent, legitimate interest assessment, or another GDPR Article 6 legal basis. 'Opt-out available' doesn't satisfy GDPR if personal data was processed before opt-out.
  • Data subject rights requests — GDPR requires AI tools to honor data subject access, deletion, and portability requests within mandatory timelines. Verify that the tool's privacy process includes functional data subject rights handling, not just a policy statement that rights exist.
  • Perplexity EU AI Act GPAI gap — Perplexity has no public GPAI compliance statement as of May 2026 despite EU AI Act GPAI obligations taking effect August 2, 2026. For EU organizations using Perplexity, this is a regulatory compliance risk that materializes in Q3 2026.

How providers fit

Synthesia is the only major AI tool in this vertical incorporated in the UK — subject to UK GDPR as primary framework rather than US law. UK GDPR is substantively equivalent to EU GDPR and benefits from the EU-UK adequacy decision. For EU organizations with data sovereignty concerns about US CLOUD Act exposure, Synthesia's UK incorporation is a meaningful structural advantage. DPA available at Enterprise tier.

Claude Enterprise and ChatGPT Enterprise both provide DPAs, SCCs for EU-US data transfer, and training exclusion at the enterprise tier. Both are US-incorporated and subject to CLOUD Act authority — EU personal data transferred to either service is accessible to US government with appropriate legal process regardless of GDPR compliance. For organizations where US government data access is a specific concern, Synthesia's UK incorporation addresses it; Claude and ChatGPT Enterprise don't.

Jasper documents GDPR compliance, user data deletion via Transcend privacy center, and US data center storage. DPA availability for Jasper enterprise contracts should be confirmed directly. Not UK or EU-incorporated; US CLOUD Act applies.

The GDPR AI tool checklist

  • Identify EU personal data in the AI workflow
  • Confirm a DPA is signed (not just GDPR compliance claimed)
  • Verify the EU-US transfer mechanism (SCCs or adequacy certification)
  • Confirm training exclusion is contractual, not just opt-out
  • Verify the data subject rights handling process
  • Monitor EU AI Act GPAI compliance statements from each vendor through Q3 2026
