← Blog

Datenschutz & Souveränität

GDPR-compliant AI: The 7 most important selection criteria

Not every AI solution that promises to be "GDPR-compliant" actually is. The seven criteria — from the data processing agreement to the training exclusion and certificates — by which you can recognize true data sovereignty.

Felix Stürmer· 15 April 2026· 3 min read
GDPR-compliant AI: The 7 most important selection criteria

"GDPR-compliant" is quickly written on a website — but it doesn't always deliver what it promises. The Data Protection Conference (DSK) published a guide for companies in 2024; from this and the relevant GDPR articles, seven robust selection criteria emerge.

The 7 criteria at a glance

  • Hosting location: Are the data processed in an EU, preferably German, data center?

  • Legal entity: Is the provider subject to EU law — or, as a US corporation, to the CLOUD Act?

  • No training on your data: contractually guaranteed and technically preset?

  • Data Processing Agreement (DPA) according to Art. 28 GDPR — complete?

  • Access control and tenant separation (TOMs according to Art. 32)?

  • Deletion concept: are data, including derived data, demonstrably deleted?

  • Transparency: is it documented which models run where and how data flows?

7
Criteria that demonstrate true GDPR compliance

The Data Processing Agreement (DPA)

If a company uses a cloud AI, data processing on behalf of another usually occurs. The DSK formulates this clearly:

"...there is often a data processing relationship between the application provider and the controller according to Art. 28 et seq. GDPR..."

A DPA according to Art. 28 Para. 3 must regulate eight points: binding instructions, confidentiality, TOMs, sub-processors, support for data subject rights, support for security/notification obligations, deletion or return, and audit rights. Check the list point by point.

No training on customer data

The most important content criterion. The DSK is clear:

"From a data protection law perspective, applications that do not use input and output data for training purposes are therefore preferable."

The marketing claim is not enough — demand a contractual assurance in the DPA, a technical default setting, and proof of opt-out.

Data Residency is not Data Sovereignty

EU hosting says nothing about legal control. The decisive factor is the legal entity: a US parent company is subject to the CLOUD Act despite having an EU data center. Our article explains why: "EU Region ≠ GDPR-secure": the US CLOUD Act.

Certificates instead of self-disclosure

Ask for evidence instead of promises: ISO/IEC 27001 (information security), ISO/IEC 42001 (AI management system, certifiable since 2023), as well as the BSI catalogs C5 (Cloud) and AIC4 (AI cloud services).

⚠️

Rule of thumb: Do not ask IF a provider is "GDPR-compliant," but WHERE the data is located and WHICH legal jurisdiction they are subject to. The rest follows from that.

Fine Reality: The difference is 10 million

Those who neglect the selection risk fines — and theThe amount depends on the violation.A pure deficiency in the Data Processing Agreement (DPA) / order processing falls under Art. 83(4) (up to €10 million / 2%). In contrast, an unlawful third-country transfer falls under paragraph 5 (up to €20 million / 4%). The common formula "DPA violation = 20 million" is incorrect.

Conclusion

Data protection is not a checkbox, but an architectural decision. Anyone who checks these seven points will quickly realize whether an AI platform truly delivers data sovereignty — or only promises it. Our [link/guide/etc.] provides the overall overview.Guide to GDPR-compliant AI for companies.

Sources

GDPR-compliant AI from a real German data center

Kasimir runs on its own infrastructure in Germany — no detour via US providers, no CLOUD Act reach.