Datenschutz & Souveränität
GDPR-compliant AI: The 7 most important selection criteria
Not every AI solution that promises to be "GDPR-compliant" actually is. The seven criteria — from the data processing agreement to the training exclusion and certificates — by which you can recognize true data sovereignty.

"GDPR-compliant" is quickly written on a website — but it doesn't always deliver what it promises. The Data Protection Conference (DSK) published a guide for companies in 2024; from this and the relevant GDPR articles, seven robust selection criteria emerge.
The 7 criteria at a glance
Hosting location: Are the data processed in an EU, preferably German, data center?
Legal entity: Is the provider subject to EU law — or, as a US corporation, to the CLOUD Act?
No training on your data: contractually guaranteed and technically preset?
Data Processing Agreement (DPA) according to Art. 28 GDPR — complete?
Access control and tenant separation (TOMs according to Art. 32)?
Deletion concept: are data, including derived data, demonstrably deleted?
Transparency: is it documented which models run where and how data flows?
The Data Processing Agreement (DPA)
If a company uses a cloud AI, data processing on behalf of another usually occurs. The DSK formulates this clearly:
"...there is often a data processing relationship between the application provider and the controller according to Art. 28 et seq. GDPR..."
A DPA according to Art. 28 Para. 3 must regulate eight points: binding instructions, confidentiality, TOMs, sub-processors, support for data subject rights, support for security/notification obligations, deletion or return, and audit rights. Check the list point by point.
No training on customer data
The most important content criterion. The DSK is clear:
"From a data protection law perspective, applications that do not use input and output data for training purposes are therefore preferable."
The marketing claim is not enough — demand a contractual assurance in the DPA, a technical default setting, and proof of opt-out.
Data Residency is not Data Sovereignty
EU hosting says nothing about legal control. The decisive factor is the legal entity: a US parent company is subject to the CLOUD Act despite having an EU data center. Our article explains why: "EU Region ≠ GDPR-secure": the US CLOUD Act.
Certificates instead of self-disclosure
Ask for evidence instead of promises: ISO/IEC 27001 (information security), ISO/IEC 42001 (AI management system, certifiable since 2023), as well as the BSI catalogs C5 (Cloud) and AIC4 (AI cloud services).
Rule of thumb: Do not ask IF a provider is "GDPR-compliant," but WHERE the data is located and WHICH legal jurisdiction they are subject to. The rest follows from that.
Fine Reality: The difference is 10 million
Those who neglect the selection risk fines — and theThe amount depends on the violation.A pure deficiency in the Data Processing Agreement (DPA) / order processing falls under Art. 83(4) (up to €10 million / 2%). In contrast, an unlawful third-country transfer falls under paragraph 5 (up to €20 million / 4%). The common formula "DPA violation = 20 million" is incorrect.
Conclusion
Data protection is not a checkbox, but an architectural decision. Anyone who checks these seven points will quickly realize whether an AI platform truly delivers data sovereignty — or only promises it. Our [link/guide/etc.] provides the overall overview.Guide to GDPR-compliant AI for companies.
Sources
GDPR-compliant AI from a real German data center
Kasimir runs on its own infrastructure in Germany — no detour via US providers, no CLOUD Act reach.



