Why it matters

EU users common; GDPR mandatory. Understanding shapes deployment strategy.

Advertisement

The architecture

Personal data: any info identifying person.

Lawful basis: consent, contract, legitimate interest, legal obligation, vital interest, public task.

GDPR requirementsLawful basisfor processingData subject rightsaccess + delete + portabilityDPIAfor high-riskRight to erasure conflicts with model memorization — challenging
GDPR elements.
Advertisement

How it works end to end

Right to erasure: hard for trained-in data; use RAG instead where possible.

DPIA: for high-risk automated decisions.

Data minimization: don't send more PII than needed.

Cross-border transfer: SCCs + adequacy decisions.