· 3 min read
Rolling out AI GDPR-compliantly: the 7-point checklist for companies
From shadow AI to a clean setup: seven points companies should clarify before rolling out an AI platform — from the DPA and subprocessors to the deletion concept.
In most companies, AI has long been in use — just unofficially. Employees use private accounts with US chatbots, paste customer data into third-party systems, and nobody has an overview. This shadow AI is the real data protection risk: it is not the introduction of an AI platform that endangers GDPR compliance, but its absence.
If you want to set the topic up properly, clarify the following seven points before the rollout starts.
1. Define purpose and legal basis
What should employees be allowed to do with AI — and with which categories of data? A clear usage framework (e.g. "internal documents yes, special categories of personal data only after approval") is the foundation for everything else, including the question of whether a data protection impact assessment is required.
2. Review the data processing agreement (DPA)
The provider processes your data on your behalf — for this, Art. 28 GDPR requires a data processing agreement. Check: Is there a DPA? Is it up to date? And does it cover all the processing the platform actually performs?
3. Clarify subprocessors and third-country transfers
The most interesting part is often in the annex of the DPA: the subprocessor list. Which service providers are involved, where are they based, what do they process? If US services appear in the data path, the third-country transfer question arises — along with the jurisdiction question we cover in detail in our CLOUD Act article.
4. Understand the AI data path
With AI platforms, looking at where the application is hosted is not enough: what matters is where prompts and documents flow for processing. Does the language model itself run in the EU with an EU provider? And the background functions — text recognition, transcription, embeddings? Serious providers disclose this completely.
5. Rule out training on your data
Ask explicitly: are inputs or outputs used to train models? Get the answer contractually guaranteed rather than just on a marketing page. (Our own answer is simple: we ourselves never train models on your data.)
6. Deletion and retention concept
Data subject rights do not end at the chat history: can users delete conversations themselves — and is that a real hard delete? Can retention periods be enforced centrally so old data does not linger forever? Is there a data export for access requests?
7. Roles, transparency and internal rules
Clarify who can see what within the platform — in particular whether administrators have access to employees' content (more on this in the context of works council co-determination). Add a short, understandable usage policy and a training session: the best platform helps little if nobody knows what is allowed.
(Note: this article is not legal advice. For an assessment of your specific case, talk to your data protection counsel.)
How FutureWay AI answers the checklist
FutureWay AI is built so that these seven points have short answers: a DPA with a complete, public subprocessor list; platform and all AI models on European infrastructure — 100% of AI processing in the EU, including the background functions, which we list transparently with model and location. Administrators never see chat contents, deletion is an immediate hard delete, retention periods are configurable per organization, and we never use your data to train models.
Try FutureWay AI free for 14 days — no credit card, up to 5 users.
