FutureWay AI
All articles

· 3 min read

Rolling out AI GDPR-compliantly: the 7-point checklist for companies

From shadow AI to a clean setup: seven points companies should clarify before rolling out an AI platform — from the DPA and subprocessors to the deletion concept.

GDPRComplianceAI rollout

In most companies, AI has long been in use — just unofficially. Employees use private accounts with US chatbots, paste customer data into third-party systems, and nobody has an overview. This shadow AI is the real data protection risk: it is not the introduction of an AI platform that endangers GDPR compliance, but its absence.

If you want to set the topic up properly, clarify the following seven points before the rollout starts.

1. Define purpose and legal basis

What should employees be allowed to do with AI — and with which categories of data? A clear usage framework (e.g. "internal documents yes, special categories of personal data only after approval") is the foundation for everything else, including the question of whether a data protection impact assessment is required.

2. Review the data processing agreement (DPA)

The provider processes your data on your behalf — for this, Art. 28 GDPR requires a data processing agreement. Check: Is there a DPA? Is it up to date? And does it cover all the processing the platform actually performs?

3. Clarify subprocessors and third-country transfers

The most interesting part is often in the annex of the DPA: the subprocessor list. Which service providers are involved, where are they based, what do they process? If US services appear in the data path, the third-country transfer question arises — along with the jurisdiction question we cover in detail in our CLOUD Act article.

4. Understand the AI data path

With AI platforms, looking at where the application is hosted is not enough: what matters is where prompts and documents flow for processing. Does the language model itself run in the EU with an EU provider? And the background functions — text recognition, transcription, embeddings? Serious providers disclose this completely.

5. Rule out training on your data

Ask explicitly: are inputs or outputs used to train models? Get the answer contractually guaranteed rather than just on a marketing page. (Our own answer is simple: we ourselves never train models on your data.)

6. Deletion and retention concept

Data subject rights do not end at the chat history: can users delete conversations themselves — and is that a real hard delete? Can retention periods be enforced centrally so old data does not linger forever? Is there a data export for access requests?

7. Roles, transparency and internal rules

Clarify who can see what within the platform — in particular whether administrators have access to employees' content (more on this in the context of works council co-determination). Add a short, understandable usage policy and a training session: the best platform helps little if nobody knows what is allowed.

(Note: this article is not legal advice. For an assessment of your specific case, talk to your data protection counsel.)

How FutureWay AI answers the checklist

FutureWay AI is built so that these seven points have short answers: a DPA with a complete, public subprocessor list; platform and all AI models on European infrastructure — 100% of AI processing in the EU, including the background functions, which we list transparently with model and location. Administrators never see chat contents, deletion is an immediate hard delete, retention periods are configurable per organization, and we never use your data to train models.

Try FutureWay AI free for 14 days — no credit card, up to 5 users.

Ready to bring your AI infrastructure to Europe?

Up and running in minutes — 14-day free trial, no credit card.

We are launching soon — secure one of the first spots.

This website uses no cookies and no tracking — which is why there is no cookie banner.

Learn more