GDPR and AI: The Practical Guide for European SMEs Using AI Tools
GDPR applies to every AI tool that processes personal data — and most business AI does. This guide covers the practical obligations for European SMEs: lawful basis, automated decision rights, DPIAs, and the biggest compliance mistakes.
Key Takeaways
Every AI tool that processes personal data of individuals in the EU is subject to GDPR, regardless of where the AI provider is incorporated. An EU business that feeds customer data into a US-hosted AI service remains the controller for that processing, and the US provider is bound as its processor (or as a controller in its own right if it uses the data for its own purposes).
Using an AI tool with customer personal data without updating your privacy notice is a GDPR breach. Your notice must describe how AI uses personal data and for what purposes.
Legitimate interests is the most commonly used GDPR lawful basis for business AI, but it requires a documented Legitimate Interests Assessment showing a genuine business interest, that the processing is necessary for it, and that the interest is not overridden by the individual's rights, freedoms and reasonable expectations.
A DPIA is mandatory before deploying AI involving systematic profiling, large-scale processing of sensitive data, or automated decisions with significant effects.
The biggest practical GDPR risk from AI for SMEs is data transfer: many AI tools process data on US servers. Unless the provider is certified under the EU-US Data Privacy Framework (covered by the Commission's adequacy decision of July 2023), Standard Contractual Clauses and a transfer impact assessment are required, and the assessment should name the sub-processors and regions the provider actually uses.
EU DPAs have actively enforced against AI misuse: ChatGPT drew regulatory action in Italy (a temporary block in 2023 followed by a fine in 2024), Spain and France. SMEs are not immune where consumer complaints are filed.
"For reference only. This article does not constitute legal, regulatory, financial or professional advice. For specific guidance, consult a qualified professional."
Does GDPR apply to AI? The short answer is yes — and it already has teeth
GDPR applies to any processing of personal data — and almost every practical AI application processes personal data. If your AI system uses customer names, emails, browsing behaviour, purchase history, location data, or any other information that relates to an identifiable person, GDPR applies to that processing. This covers the vast majority of AI use cases in business: personalisation engines, chatbots, AI-assisted customer service, hiring tools, credit and fraud models, and analytics dashboards.
GDPR enforcement in the context of AI is not theoretical. In 2024 alone, EU regulators issued over €1.2 billion in GDPR fines, with cumulative penalties reaching €5.88 billion since the regulation took effect in 2018. Enforcement has expanded well beyond big tech into financial services, healthcare, retail, and energy. A Berlin bank was fined €300,000 in 2023 specifically for rejecting a credit card application through an automated process without explaining the decision to the customer — a direct Article 22 violation that can affect businesses of any size.
Article 22 — the most important GDPR provision for AI users
Article 22 of the GDPR gives individuals the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects concerning them. In plain terms: if your AI system makes or drives an important decision about a person without any human involvement in that specific decision, Article 22 is engaged.
Decisions that trigger Article 22 include automatic credit or loan rejections; AI-driven insurance pricing that materially affects an individual's premium or coverage; automated candidate rejection in hiring processes; and AI-generated assessments that determine access to services, benefits, or opportunities. Trivial automated decisions — a product recommendation, a spam filter — do not reach the threshold. The key test is whether the decision produces legal effects (like a contract being entered or refused) or similarly significant effects on the individual's financial situation, employment, or access to services.
On 27 February 2025, the Court of Justice of the EU issued a landmark ruling in Case C-203/22 (Dun & Bradstreet Austria) confirming that individuals have a genuine right to explanation of the logic and results of automated decisions — not just a general description of the system, but a meaningful explanation specific to the decision that was made about them. This ruling clarified years of legal uncertainty and set the standard: organisations must be able to explain in human-understandable terms why a specific automated decision was made about a specific person, even if trade secrets are involved in the underlying model.
Where Article 22 applies, organisations must rely on one of three exceptions: the individual's explicit consent; the decision being necessary for entering into or performing a contract with the individual; or authorisation by EU or member state law that lays down suitable safeguards. In all permitted cases, the organisation must provide the individual with the right to obtain human intervention, the right to express their point of view, and the right to contest the decision. Article 22(4) adds a further restriction: a solely automated decision may not be based on special category data (health, biometrics, ethnicity and the other Article 9 categories) unless the individual has given explicit consent or the processing is necessary for reasons of substantial public interest under law, again with safeguards in place.
What GDPR requires for AI systems that process personal data
Beyond Article 22, the main GDPR obligations that AI systems must satisfy are:
Lawful basis for processing (Article 6). Every AI system that processes personal data needs a valid legal basis. For most business AI applications, legitimate interests or contract performance are the most common bases. Legitimate interests requires a balancing test — the organisation's interest in using AI must be weighed against the individual's rights and reasonable expectations. The legitimate interests basis is facing heightened scrutiny from regulators for AI applications, particularly where individuals are unlikely to expect their data to be used in an AI model.
Privacy by design and data minimisation (Articles 5 and 25). AI systems must be built to collect only the personal data necessary for their specific purpose. GDPR Article 25 requires privacy to be built into systems from the start — not added after the fact. For AI models, this means designing data pipelines that minimise input data, implementing access controls so the model sees only what it needs, and regularly reviewing whether data collected for one purpose is being repurposed for another.
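One concrete way to apply minimisation to a third-party AI service is to pseudonymise identifiers before a prompt leaves your environment and re-identify the answer when it comes back, so the vendor never holds raw customer data. The Python below is an added example written for this guide, not code from the page or from any vendor; the ticket text, the identifier patterns and the "known values" a ticketing system would supply are constructed for illustration and would be tuned in a real deployment.

```python
"""Pseudonymise personal data before it is sent to an external AI service.

Added example (not part of the original article). Tokens are keyed HMACs so
the same value maps to the same token within a session, while the key and
the token vault never leave our side.
"""
import hashlib
import hmac
import re
import secrets

# Constructed sample input (not real data): a support ticket an SME might ask
# an AI assistant to answer.
SAMPLE_TICKET = (
    "Customer Anna Novak (anna.novak@example.com, +44 7700 900123) reports "
    "that order ORD-48213 arrived damaged. Draft a polite reply."
)

# Hypothetical identifier patterns for this example; a real deployment would
# maintain its own list of what must never leave the environment.
PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PHONE": re.compile(r"\+\d[\d ]{8,}\d"),
    "ORDER": re.compile(r"\bORD-\d+\b"),
}


class Pseudonymiser:
    """Replaces identifiers with tokens and restores them in the reply."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)   # per-session secret
        self.vault = {}                             # token -> original value

    def _token(self, kind, value):
        digest = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()
        return f"<{kind}_{digest[:10]}>"

    def _replace(self, text, kind, pattern):
        def sub(match):
            token = self._token(kind, match.group(0))
            self.vault[token] = match.group(0)
            return token
        return pattern.sub(sub, text)

    def redact(self, text, known=None):
        # 'known' maps a kind (e.g. "NAME") to values the application already
        # holds in its own records: more reliable than guessing names by regex.
        for kind, values in (known or {}).items():
            for value in sorted(values, key=len, reverse=True):
                pattern = re.compile(r"\b" + re.escape(value) + r"\b")
                text = self._replace(text, kind, pattern)
        for kind, pattern in PATTERNS.items():
            text = self._replace(text, kind, pattern)
        return text

    def restore(self, text):
        for token, original in self.vault.items():
            text = text.replace(token, original)
        return text


def leaks_identifiers(text, known=None):
    """Final gate before the network call: True if a raw identifier survived."""
    if any(p.search(text) for p in PATTERNS.values()):
        return True
    return any(v in text for values in (known or {}).values() for v in values)


def prepare_prompt(ticket, known):
    """Returns (prompt safe to send, pseudonymiser for restoring the reply)."""
    p = Pseudonymiser()
    prompt = p.redact(ticket, known)
    if leaks_identifiers(prompt, known):
        raise ValueError("refusing to send prompt: personal data still present")
    return prompt, p


if __name__ == "__main__":
    known = {"NAME": ["Anna Novak"]}
    prompt, p = prepare_prompt(SAMPLE_TICKET, known)
    print("sent to vendor :", prompt)
    # Stand-in for the vendor's reply, which reuses the tokens it was given.
    reply = p.redact("Dear Anna Novak, we are sorry ORD-48213 arrived damaged.", known)
    print("restored reply :", p.restore(reply))
```

The gate in `prepare_prompt` is the part worth copying: it fails closed if any pattern still matches, so a new identifier format shows up as a blocked request rather than as a silent disclosure to the vendor. Keeping the vault in memory only for the lifetime of the request also keeps the processor from ever receiving the mapping.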
Transparency and Privacy Notices (Articles 13-15). Individuals must be informed in plain language about how AI systems use their personal data, including: whether automated decision-making is used; meaningful information about the logic involved; the significance and consequences of the processing. This is not satisfied by generic boilerplate — Privacy Notices must accurately describe the AI systems in use and the decisions they influence.
Data Protection Impact Assessments (Article 35). A DPIA is legally required before deploying any AI system that is likely to result in high risk to individuals. High-risk processing includes: systematic processing of personal data on a large scale; processing of biometric or health data; systematic evaluation of personal aspects of individuals (profiling); and decisions that significantly affect individuals. Most customer-facing AI systems and all AI hiring tools require a DPIA before deployment.
Data processors and vendor contracts (Articles 28-29). When AI vendors process personal data on your behalf, as most cloud AI services and third-party model providers do, they are data processors under GDPR. A Data Processing Agreement (DPA) must be in place before any processing begins and must contain the Article 28(3) terms: what data is processed and for what purpose, processing only on your documented instructions, confidentiality, security measures, conditions for engaging sub-processors, assistance with data subject requests and breach notification, deletion or return of the data at the end of the service, and audit rights. If an AI vendor trains or fine-tunes its own models on your customer data, it is no longer acting solely on your instructions for that purpose and is in practice a controller in its own right; that use must be addressed explicitly in the DPA (or excluded, which is what most SMEs should insist on) and reflected in your privacy notice.
The UK divergence — Data (Use and Access) Act 2025
For organisations operating in the UK, the landscape changed materially when the Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025, with its provisions brought into force in stages by commencement regulations. The DUAA replaces Article 22 of the UK GDPR with new Articles 22A-D, which permit solely automated decision-making by default as long as the organisation implements specified safeguards. Under the new UK framework, organisations making significant automated decisions must inform individuals that such a decision has been made, provide a way for them to make representations and obtain human intervention, and allow them to contest the decision. The old model of prohibition-unless-exception (explicit consent, contract, or legal authorisation) now applies only where the decision is based entirely or partly on special category data (health, biometric, racial or ethnic origin, and the other Article 9 categories). This is a significant loosening compared with the previous position and diverges substantially from EU GDPR, which keeps the more protective Article 22 framework.
Practical compliance steps for SMEs
For a small or medium-sized business using AI, the most important practical steps are: conduct a DPIA for any AI system that makes significant decisions about individuals or processes personal data at scale; update Privacy Notices to accurately describe AI use and automated decision-making; ensure Data Processing Agreements are in place with all AI vendors, including a clear position on whether the vendor may train on your data; document the lawful basis for AI processing (and the Legitimate Interests Assessment where that basis is relied on); identify where each vendor processes and stores data and put Standard Contractual Clauses and a transfer impact assessment in place for any transfer outside the EU or UK that is not covered by an adequacy decision; and for any Article 22-triggering automated decision, implement a human review process, a way to explain the specific decision to the individual, and a clear route for them to contest it. These steps apply regardless of whether your customer base is in the EU, UK, or both, since the two regimes overlap for any business serving customers in both regions.
Related reading
GDPR and the EU AI Act: How They Interact and Where They Conflict · What Is Data Governance? How It Differs from AI Governance and Why You Need Both