AI is not automatically GDPR compliant — and it is not automatically banned. The GDPR analysis depends on the concrete processing of personal data in context [3][4].

Create a landscape editorial hero image for this Studio Global article: Ist KI DSGVO-konform? Der Faktencheck für Deutschland und die EU. Article summary: KI ist in Deutschland und der EU nicht pauschal DSGVO konform: Nach der EDPB Opinion 28/2024 kommt es auf den konkreten Einsatz, personenbezogene Daten, Anonymität und Rechtsgrundlage an.. Topic tags: ai, privacy, gdpr, data protection, european union. Reference image context from search candidates: Reference image 1: visual subject "A blurred abstract image with warm gold, brown, and black tones is displayed alongside a white page featuring the title "Enzai | AI Governance Deep Dive" and a subtitle indicating" source context "Ist KI DSGVO-konform? Was in Deutschland und der EU wirklich gilt | Antwort | Studio Global" Reference image 2: visual subject "Der KI-Selbstcheck leitet dich mit einigen einfachen Fragen zu deinem Ergebnis. Natü
The short answer is: not by default. Under the GDPR, the key question is not whether a system is called “AI”. It is whether a specific AI model or AI-enabled service processes personal data — during development, deployment or use — and whether that processing has a valid GDPR basis and a defensible assessment behind it .
That also means the opposite slogan is wrong. AI is not automatically unlawful in Germany or the wider EU. The European Data Protection Board (EDPB), the EU body that brings together national data protection authorities, has not issued a blanket ban or a blanket green light. Its Opinion 28/2024 focuses on “certain data protection aspects” of processing personal data in the context of AI models .
The claim “AI is GDPR-compliant” is too broad to be useful. So is the claim “AI always breaches the GDPR.” The GDPR assessment has to be tied to a concrete processing operation: what personal data is involved, for what purpose, on what legal basis, and with what implications for later use .
In its 18 December 2024 announcement, the EDPB said Opinion 28/2024 looks at three central issues: when and how AI models can be considered anonymous, whether and how legitimate interest can be used as a legal basis for developing or using AI models, and what happens if an AI model was developed using personal data that was processed unlawfully .
For a German company, public body or service provider, that leads to the same practical answer as elsewhere in the EU: do not assess “AI” in the abstract. Assess the actual data processing around the model.
Opinion 28/2024 is important because it addresses AI models through the lens of personal data processing . It does not settle every legal issue around artificial intelligence. It focuses on several GDPR questions that are especially important in AI projects: anonymity, legitimate interest, and the legal consequences of problematic data processing during development
.
That framing matters. A model’s technical label, size or novelty does not decide compliance. The relevant question is whether personal data is processed in the model’s development or use, and whether the GDPR requirements can be met in that specific setting .
A common mistake is to assume that once personal data has been absorbed into a model, the model must be anonymous. The EDPB’s announcement says the opposite kind of shortcut is not enough: whether an AI model is anonymous should be assessed case by case by data protection authorities .
In practice, that means a controller cannot rely on a bare statement that “the model is anonymous”. The assessment has to be credible for the actual model and the actual circumstances .
This becomes especially important if personal data is retained in the model. ENISA-hosted material on the EDPB opinion describes scenarios in which retained personal data may affect the lawfulness of later processing, with a case-by-case assessment required .
The EDPB opinion expressly considers whether and how legitimate interest can be used as a legal basis for developing or using AI models . That is significant, but it does not mean legitimate interest automatically covers every AI project.
The question is whether that legal basis works for the specific processing operation. The available EDPB materials do not create a general “AI exception” to the GDPR .
The assessment can become more complicated if earlier data processing was unlawful. The ENISA material notes that where later processing is based on legitimate interest, initial unlawfulness may need to be considered in the legitimate interest assessment .
Another core issue in Opinion 28/2024 is what happens when an AI model has been developed using personal data that was processed unlawfully .
The practical point is simple: a problematic data origin does not necessarily disappear just because the original dataset is no longer the focus and the model is now being used. If personal data is retained in the model, that may affect the lawfulness of later processing, and ENISA’s material again points to the need for a case-by-case assessment .
Responsibilities also matter when more than one organisation is involved. The ENISA material distinguishes between scenarios involving the same controller and separate controllers, and states that each controller should ensure the lawfulness of its own processing . In plain terms, an organisation cannot assume another party’s role removes its own GDPR obligations.
This checklist is not legal advice, but it reflects the main points raised by the EDPB and ENISA materials cited here.
Be clear about whether the processing relates to development, deployment or another use of the AI model. The EDPB’s announcement refers specifically to personal data used for the development and deployment of AI models .
Document whether personal data is processed at any point in the AI lifecycle. Opinion 28/2024 is about data protection aspects related to processing personal data in the context of AI models .
If the organisation claims the model is anonymous, that conclusion needs to stand up in the specific circumstances. The EDPB says model anonymity should be assessed case by case .
If legitimate interest is being used, assess whether and how it supports the specific development or use of the model . The cited materials do not support a blanket rule that all AI processing is covered by legitimate interest
.
Check whether personal data may remain in the model and whether the data used during development was processed lawfully. Both issues can affect later processing .
Where several organisations are involved in building, providing or using a model, clarify who is responsible for which processing step. ENISA’s material says each controller should ensure the lawfulness of its own processing .
“The model is anonymous because users cannot see the raw training data.” Not necessarily. The EDPB says anonymity of an AI model should be assessed case by case .
“Legitimate interest always works for AI.” No. The EDPB opinion examines whether and how legitimate interest can be used; it does not turn legitimate interest into an automatic justification for every AI use .
“Once the model is trained, the origin of the data no longer matters.” That is too simple. The opinion expressly addresses what happens if a model was developed using unlawfully processed personal data . If personal data remains in the model, later processing may be affected
.
AI can be used in a GDPR-compliant way in Germany and the EU, but it is not compliant just because it is AI. Nor is it automatically prohibited. The serious GDPR question is the concrete processing of personal data — especially anonymity, legal basis, retained model data, controller responsibility and the possible consequences of unlawful earlier processing .
Studio Global AI
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
AI is not automatically GDPR compliant — and it is not automatically banned. The GDPR analysis depends on the concrete processing of personal data in context [3][4].
AI is not automatically GDPR compliant — and it is not automatically banned. The GDPR analysis depends on the concrete processing of personal data in context [3][4]. The EDPB’s 18 December 2024 announcement highlights three core questions: model anonymity, legitimate interest as a legal basis, and models developed with unlawfully processed personal data [3].
If personal data remains in an AI model, or if earlier processing was unlawful, later use may require a case by case lawfulness assessment [2].