GDPR and AI: How to run business AI in the EU
You want to use AI to run your business. You’re in the EU. Your legal team has questions. This guide answers them.
The core tension
AI models need data to work. GDPR restricts how you process personal data. These aren’t incompatible — but the default setup of most AI tools violates GDPR by design.
When you type “Follow up with Sarah Chen about the Acme proposal” into ChatGPT, you’ve just sent personal data (Sarah’s name, her business relationship with Acme) to OpenAI’s US servers. That’s a transatlantic data transfer. Under GDPR, you need a legal basis for that.
The three layers to get right
Layer 1: Where your AI runs
This is the most important decision. Your options:
| Provider | Region | GDPR Impact | CLOUD Act |
|---|---|---|---|
| Anthropic Direct | US | Transfer to US. Requires SCCs, DPIA. | ⚠️ Yes |
| AWS Bedrock | Frankfurt (eu-central-1) | EU processing. AWS EU entity as processor. | ⚠️ US parent |
| Google Vertex AI | Belgium (europe-west1) | EU processing. Google EU entity as processor. | ⚠️ US parent |
| Mistral | Paris, France | EU processing. French company as processor. | ✅ None |
| Scaleway | Paris, France | EU processing. French company as processor. | ✅ None |
| Nebius | Finland / Netherlands | EU processing. EU infrastructure. | ✅ None |
| Local model (LLaMA, Qwen) | Your hardware | No transfer. You’re the only processor. | ✅ None |
Recommendation: For maximum AI quality, use AWS Bedrock in Frankfurt (Claude models, EU data residency). For true EU sovereignty without US CLOUD Act exposure, consider EU-native providers like Mistral (own models, native tool calling) or Scaleway/Nebius (open-source models at lower cost). lynox supports all of these via its custom provider setup.
Layer 2: Where your data lives
If you use a cloud AI platform (Lindy, Dust, etc.), your business data lives on their servers. You’re adding another processor to the chain — and another compliance surface.
With self-hosted software like lynox, your data stays on your server. The data flow is:
- You → Your server (no third party)
- Your server → AI provider (conversation context only)
- Your server → lynox.ai (nothing — no telemetry, no analytics)
The AI provider is your only processor. You sign their DPA directly. No middleman.
Layer 3: What data reaches the AI
Even with EU-based processing, you should minimize what reaches the AI model. Best practices:
- Avoid sending raw API keys or passwords. lynox uses an encrypted vault designed to keep secrets out of conversations.
- Be deliberate about personal data. The AI doesn’t need passport numbers to write a follow-up email.
- Use the right model for the task. Quick tasks can use smaller models that process less context.
Article-by-article checklist
| GDPR Article | What it means | How to comply |
|---|---|---|
| Art. 5 — Minimization | Only process data you need | Send conversation context, not bulk exports |
| Art. 17 — Right to erasure | Users can request deletion | With self-hosted: delete the SQLite file |
| Art. 20 — Portability | Users can export their data | SQLite files are portable by default |
| Art. 25 — Privacy by design | Build privacy into the system | Self-hosted + encrypted vault + no telemetry |
| Art. 28 — Processor agreements | Need DPA with processors | Sign DPA with your AI provider directly |
| Art. 44-49 — International transfers | Restrictions on non-EU transfers | Use Bedrock Frankfurt, Vertex Belgium, or EU-native providers (Mistral, Scaleway, Nebius) |
What to tell your DPO
Give them this summary:
- Software (lynox): Source-available, runs on your server. Not a service — no DPA needed with lynox.
- AI Provider (Bedrock/Vertex/Mistral/Scaleway): EU-based processing. Their EU entity is the processor. Standard DPA available. EU-native providers (Mistral, Scaleway) substantially reduce CLOUD Act exposure.
- Data flow: User → our server → EU-based AI provider. No other third parties.
- Storage: SQLite on our server. Encrypted backups. No external database.
- Telemetry: Zero. The software doesn’t phone home.
Then point them to lynox.ai/trust/eu-compliance for the detailed breakdown.
The bottom line
Running AI in the EU isn’t hard. It’s just about making the right architectural choices upfront:
- Self-host the software (removes one processor from the chain)
- Choose an EU-based AI provider (removes transatlantic transfer)
- For maximum sovereignty, pick an EU-native provider like Mistral — no US parent company, no CLOUD Act
- Minimize data sent to the model (encrypted vault for secrets)
lynox was designed for exactly this setup. One command to install, one config change for your preferred EU provider. Choose between Claude on Bedrock Frankfurt (best AI quality), Mistral (EU-native, reduced CLOUD Act exposure), or local models (no external data transfer). Consult your legal team for your specific compliance requirements.