2026-03-05
GDPR and AI — how to deploy legally in 2026
AI Act + GDPR + ePrivacy. What you need to know before deploying AI in your EU business.
The AI Act is live. It splits AI systems into 4 risk categories. Most business use cases are limited risk: you must inform the user they're talking to AI.
GDPR: personal data can't go to the model without a legal basis. Solutions: EU processing (Azure OpenAI EU, Mistral, local LLMs), anonymising data before sending it, DPAs with vendors.
Cookie banner: granular consents (necessary / analytics / marketing), easy withdrawal, no dark patterns. A pre-ticked checkbox = a fine.
The privacy policy must list every AI vendor you use, the processing purpose and the retention period.
We build sites and AI deployments fully compliant with GDPR and AI Act. Docs, DPAs, audit — included.
