As soon as an AI touches personal data (a name, an email, a client file), you remain responsible for it, even if a third-party tool does the processing. The supplier does not carry the risk for you. It is a reality many discover late, often at the worst moment, and one worth setting out before you sign anything.
I am not a lawyer, and what follows does not replace professional advice. But these questions do not call for an expert. They only call for being asked beforehand, while you still have the power to say no.
Where is the data processed
This is the first question, and it already filters out many offers. Hosting and processing within the European Union make things far simpler. Processing elsewhere, outside recognised frameworks, opens a compliance file that few SMEs have the means to handle calmly.
This question is not theoretical. In 2023, the Italian authority temporarily blocked ChatGPT on its territory, precisely over personal data processing. When a regulator can suspend a global tool overnight, location and guarantees are not a contractual detail but a real operational risk.
Is my data used to train the model
Second question, and it is decisive. If the answer is yes, or if it is vague, the information you give the tool can help train it, and potentially resurface elsewhere, with someone else. For professional use touching client data or your know-how, you want a clear no, in writing. Not a reassuring spoken no, a contractual commitment.
This is often where a consumer offer differs from one built for business. The latter generally lets you turn off training on your data, or never switches it on. The former stays deliberately vague, because your data is part of what feeds it.
Can I delete, and know what is kept
The right to erasure is not negotiable, and a supplier unable to guarantee it puts you at fault, not them. You must be able to request deletion of the data, obtain the list of what is kept, and know for how long. If those answers do not exist, or get lost in handoffs between departments, that is already a signal.
Who is responsible for what, in writing
Last question, and the one that shapes all the others. A data processing agreement that clearly splits the roles is not an administrative formality, it is your protection on the day a question comes up, whether from a client, an employee or an authority. Who processes, for what purposes, with what guarantees, who answers in case of an incident. All of that must be written, not implied.
Compliance is not the enemy of speed
These questions are often presented as a brake, paperwork that slows innovation. It is the opposite. Set out well at the start, compliance saves you from having to stop everything six months later because an awkward question finally surfaced, or because a client found out where their data was landing. The cost of stopping midway, in time, money and trust, far exceeds that of a few good questions at signing time.
And there is a simple test to gauge a supplier. A serious provider answers these questions clearly, in writing, without bristling. A provider who stalls, who drowns the answer in jargon or promises to get back to you, has already told you everything. The way they handle your questions about data is a fair preview of how they will handle your data.