AI PlaybookEU

Data Processing Agreements for AI Services

How to meet GDPR data processing agreement requirements when using AI cloud services.

1 June 20253 min read
GDPRData ProcessingCloudArt. 28

Introduction

When using AI cloud services (e.g. OpenAI API, Google Vertex AI, AWS Bedrock), personal data is frequently transmitted to third-party providers. In these cases, Art. 28 GDPR applies -- the provisions on data processing.

What Is Data Processing?

Data processing occurs when a service provider processes personal data on behalf of the controller. The controller determines the purposes and means of the processing.

When Does Data Processing Apply?

The decisive factor is whether the AI provider processes the data only on instruction from the controller or pursues its own purposes:

  • Data processing (Art. 28): AI API processes user data exclusively for the provision of the agreed service
  • Joint controllership (Art. 26): AI provider also uses data for its own purposes (e.g. model training)
  • Separate controllership: Entirely separate purposes

Obligations of the Controller

As a controller, you must:

  1. Conclude a Data Processing Agreement (DPA)
  2. Review technical and organisational measures
  3. Approve or reject sub-processors
  4. Safeguard third-country transfers (SCCs, adequacy decision)
  5. Conduct regular audits

DPA Checklist for AI Services

CheckpointStatus
Subject matter and duration of processing defined
Nature and purpose of processing described
Types of personal data listed
Categories of data subjects named
TOMs of the processor reviewed
Sub-processor list obtained
Deletion concept agreed
Audit rights secured

Attention with US-Based Providers

For providers based in the US, you must check whether an adequacy decision (EU-US Data Privacy Framework) applies or Standard Contractual Clauses (SCCs) are required. Conduct a Transfer Impact Assessment where applicable.

Practical Tips

  • Check the provider's opt-out options regarding model training
  • Document your review of TOMs in a verifiable manner
  • Use European data centres where possible
  • Create a record of processing activities (Art. 30 GDPR)

Further Reading

  • Data subject rights in AI deployment
  • Data Protection Impact Assessment for AI systems

Legal Protection for AI Cloud Services?

For GDPR-compliant data processing agreements and third-country transfers with AI providers, specialised legal advice is available — independent and focused on AI regulation.

Request legal adviceClarify AI Act & GDPR questions

Independent legal advice. No automated legal information. The platform ai-playbook.eu does not provide legal advice.

Technical Implementation of Data Protection Requirements?

Creativate AI Studio supports you in selecting privacy-compliant AI architectures, implementing opt-out mechanisms and building secure data processing pipelines.

Talk to an AI architectDiscuss AI strategy

Related Articles

EU AI Act

Transparency Obligations under the EU AI Act

The transparency requirements of the EU AI Act for AI systems – labelling obligations, information rights and technical implementation.

Read more

Best Practices

AI Model Selection – A Decision Guide

Criteria and frameworks for selecting the right AI model for your use case.

Read more

GDPR & AI

Art. 5 GDPR – Principles for Processing Personal Data

The seven data processing principles under Art. 5 GDPR – with AI-specific guidance on data minimisation, purpose limitation, accountability and automated systems.

Read more