AI Agents Guide
Menu
Best AI Tools
AI Agents
Best AI Agent Platforms Lindy Gumloop Relevance AI Bardeen
Compare
Zapier vs Make vs n8n Make Alternatives No-Code Tools AI-Native vs Traditional
Reviews
Make.com n8n Zapier
Guides
What Is an AI Agent? What Is MCP? What Is RAG? What Is iPaaS? What Is a Webhook? AI Agents vs RPA AI Agents vs Traditional Best for Small Business No-Code Guide Pricing Models EU AI Act AI Agents & GDPR California ADMT SOC 2 FTC Disclosure Prompt Injection
Personal AI
Personal AI Hub Best AI Calendar Apps Best AI Meeting Assistants Best AI Email Assistants Reclaim.ai Motion Otter.ai Notion AI
Methodology About
Affiliate disclosure: This page contains affiliate links marked with ↗. If you sign up through one of these links, we may earn a commission at no extra cost to you. Our rankings and reviews are editorially independent — affiliate relationships do not influence them. Read our methodology →
S

Editor & AI Automation Researcher

Last updated:  ·  Report an error

Updated May 2026

AI Agents and GDPR

Editorial note. This is a buyer-focused summary, not legal advice. GDPR enforcement varies by national supervisory authority, and AI-specific guidance is still evolving in 2026. Engage qualified counsel before deploying any agent that touches EU/UK personal data at scale.

Three personas, three different obligations

GDPR splits responsibility by who decides. Most AI-agent deployments touch all three:

  • You as data controller. You decide why and how to process personal data with the agent. You carry most obligations: lawful basis, transparency, data-subject rights, breach reporting.
  • The agent platform as processor. Lindy, Gumloop, Zapier, etc. process data on your instructions. They need a Data Processing Agreement (DPA) with you, and a list of sub-processors (their LLM provider, their cloud host).
  • The model provider as sub-processor. OpenAI, Anthropic, Google, Mistral. Some sub-process under your platform's DPA; some require a direct DPA from you. Always confirm.

The lawful-basis problem

Every personal-data processing operation needs a lawful basis under Art. 6:

  • Consent. Strong basis but easy to lose if your UX is sloppy. Required for marketing-style agents.
  • Contract. Workable when the agent is the means of delivering a service the user signed up for (chatbot for a SaaS the user uses).
  • Legitimate interest. The default for B2B internal tools — but you must run a Legitimate Interest Assessment (LIA) and document the balancing test.
  • Legal obligation / vital interest / public task. Narrow, rarely the right basis for commercial AI agents.

The hard case: training data. If the agent platform trains on your prompts to improve their model, the legal basis becomes much harder to argue. Most reputable platforms in 2026 default to no training on customer data; verify in writing.

Art. 22 — automated decision-making

If your AI agent makes a decision that significantly affects a person — credit, employment, insurance, eligibility for a service — Art. 22 grants the data subject the right not to be subject to a fully-automated decision. In practice you need either:

  1. A meaningful human-in-the-loop review before the decision lands, or
  2. Explicit consent or contractual necessity, plus extra safeguards (human-on-request, ability to contest the decision, explanation of the logic).

This is the GDPR cousin of the EU AI Act's high-risk classification (see our EU AI Act guide). Most B2B agents — lead routing, meeting prep, calendar autopilot — do not trigger Art. 22 because their decisions don't have legal or similarly significant effect.

When you need a DPIA

A Data Protection Impact Assessment is mandatory under Art. 35 when processing is high-risk. The European Data Protection Board's criteria flag AI scenarios specifically:

  • Automated decisions with legal / significant effect
  • Systematic and extensive profiling
  • Large-scale processing of special-category data (health, biometric, sensitive)
  • Innovative use of new technologies (most AI agents qualify)
  • Matching or combining datasets from different sources
  • Vulnerable data subjects (children, employees in many EU regimes)

Hit two or more, run a DPIA. Document the necessity, proportionality, risks, and mitigations. Many supervisory authorities expect a DPIA before deploying any production-scale AI agent.

International transfers

Most AI agent platforms route data through US infrastructure (OpenAI, Anthropic, Google Cloud) at some point. Transfers outside the EU need a valid mechanism:

  • EU-US Data Privacy Framework — most US LLM providers have certified. Check status; certifications change.
  • Standard Contractual Clauses (SCCs) — your fallback. Required if the partner is not DPF-certified.
  • EU-residency option — some platforms (n8n self-hosted, Voiceflow EU, Botpress self-hosted) keep all data in the EU. Strongest legal posture; sometimes needed for regulated sectors.

Buyer checklist

  1. Identify the lawful basis. If you cannot name one, do not deploy.
  2. Check the platform's DPA. It should list every sub-processor, retention period, sub-processor change notification window.
  3. Confirm "no training on customer data" in writing.
  4. Run a DPIA if you hit two or more high-risk criteria above.
  5. Implement data-subject-rights handling: how does an EU user request access, deletion, or rectification of data the agent has processed?
  6. Document the human-in-the-loop point if the agent makes any decision that could fall under Art. 22.
  7. Set retention windows: agent execution logs, prompt history, vector embeddings derived from personal data — all need a documented retention policy.
  8. Plan for breach reporting. 72-hour clock under Art. 33 starts the moment you become aware of a breach, not when the platform tells you.
  9. If processing children or special-category data, additional Art. 8 / Art. 9 obligations apply. Engage counsel.

How this maps to platform choice

EU-comfortable defaults in 2026:

  • n8n — Germany-headquartered; self-hosting in your data centre is the strongest data-control posture.
  • Voiceflow + Botpress — EU-region deployments; Botpress can self-host.
  • Lindy, Gumloop, Relevance AI — each ships an EU residency option in 2026; confirm the specific data-processing path for your use case.
  • Zapier, Make — EU data-center options exist; verify per workflow.

For high-stakes deployments touching health data or large-scale profiling: insist on an EU-resident option, demand the platform's GDPR addendum up front, and be prepared to walk away if their DPA leaves you carrying ambiguous risk.

Sources

Our Top Pick: Make.com

Try Free ↗