Overview
When an organisation uses external AI cloud services (e.g. LLM APIs, ML platforms, hosting services), the arrangement will regularly constitute processing on behalf of a controller within the meaning of Art. 28 GDPR.
In that case a Data Processing Agreement (DPA) is required, and it must contain certain minimum content. AI services raise additional specifics -- particularly regarding the use of customer data for training, model improvement and multi-level sub-processor chains.
This checklist serves as a structured review aid for organisations.
Note
The specific design of a DPA depends on the individual case and should be reviewed by legal counsel.
DPA Checklist (Art. 28 GDPR)
1. Basic Contract Structure
A) Subject Matter and Duration
- Is the subject of processing clearly described?
- Is the duration defined?
- Is the purpose precisely stated (e.g. "hosting an AI chatbot")?
B) Nature and Purpose of Processing
- Which processing steps are carried out (storage, training, inference)?
- Does model improvement take place?
- Does logging or analysis of prompts occur?
C) Categories of Personal Data
- Customer data
- Application/recruitment data
- Health data
- Usage data
- Special (sensitive) categories of data (Art. 9 GDPR)?
D) Categories of Data Subjects
- Customers
- Employees
- Applicants
- Patients
- Others
2. Instruction Binding
- Is the processor's obligation to act only on the controller's documented instructions clearly regulated?
- Can instructions be documented (e.g. in writing or via a ticketing process)?
- Is there a procedure for changing instructions?
Typical Error
Unclear or overly broad processing purposes can undermine the binding effect of the controller's instructions, because the processor can then justify almost any processing as falling within the agreed purpose.
3. Confidentiality
- Obligation of confidentiality for employees?
- Access restrictions defined?
- Role concepts in place?
4. Technical and Organisational Measures (TOMs)
- Encryption (in transit / at rest)
- Access control
- Logging
- Incident response process
- Backup and recovery mechanisms
- Protection against model manipulation
Are the TOMs described concretely in an annex to the DPA, rather than only referenced in general terms?
5. Sub-Processors
- Are sub-processors used?
- Does a complete list exist?
- Is there a right of objection to changes?
- Are sub-processors contractually bound to equivalent standards?
Sub-Processor Chains
With AI cloud services, multi-level sub-processor chains can exist. Transparency is particularly important here.
6. Third-Country Transfers
- Does processing take place outside the EU/EEA?
- Does a certification under the EU-U.S. Data Privacy Framework (DPF) exist?
- Have Standard Contractual Clauses (SCCs) been concluded?
- Has a Transfer Impact Assessment been carried out?
7. Support for Data Subject Rights
- Does the service provider support access requests?
- Are erasure mechanisms defined?
- Can data be removed from training datasets?
- Is there support for objection procedures?
8. Training Data Usage and Model Improvement (AI-Specific)
- Is customer data used for model training?
- Does usage occur only in anonymised/pseudonymised form?
- Can usage for training purposes be deactivated?
- Is the purpose transparently regulated?
Model Improvement
The use of customer data for model improvement can constitute a separate processing operation.
9. API Logging and Data Storage
- Are prompts stored?
- Are outputs stored?
- For how long are stored prompts and outputs kept?
- Are retention periods contractually defined?
10. Audit and Control Rights
- Does an audit right exist?
- Are certifications provided (e.g. ISO)?
- Is an audit process defined?
11. Data Deletion and Return
- Is data deleted or returned after contract termination?
- Is the deletion process documented?
- Is there evidence of deletion?
12. Incident Management
- Is a reporting obligation for data protection incidents regulated?
- Are deadlines defined?
- Are cooperation obligations agreed?
Compact Review Matrix
| Review Point | Fulfilled (Yes/No) | Action Required |
|---|---|---|
| DPA concluded | | |
| TOMs specified | | |
| Sub-processors reviewed | | |
| Third-country transfers regulated | | |
| Training data usage clearly regulated | | |
| Data subject rights support secured | | |
Typical Sources of Error
| Error | Risk |
|---|---|
| No DPA for API usage | GDPR violation |
| Unclear training data usage | Purpose limitation issue |
| Missing SCCs/TIA | Third-country transfer violation |
| No audit right | Loss of control |
| No clear deletion provisions | Accountability violation |
Practical Recommendation
Before deploying an AI cloud service, you should:
- Carry out role clarification (controller vs. processor).
- Review or renegotiate the DPA.
- Analyse the sub-processor chain in full.
- Document third-country transfers.
- Contractually regulate training data usage clearly.
Need help implementing?
Work with Creativate AI Studio to design, validate and implement AI systems — technically sound, compliant and production-ready.
Need legal clarity?
For specific legal questions on the AI Act and GDPR, specialized legal advice focusing on AI regulation, data protection and compliance structures is available.
Independent legal advice. No automated legal information. The platform ai-playbook.eu does not provide legal advice.
Not sure where you stand?
If your AI use case does not clearly fit into a category, send us a brief description — we will point you in the right direction.
Next Steps
- Review existing AI cloud contracts against this checklist.
- Identify gaps in training data or sub-processor provisions.
- Clarify third-country transfer mechanisms.
- Update your documentation.
- Have your DPA reviewed by qualified experts if necessary.