
GDPR (General Data Protection Regulation)


The GDPR (Regulation (EU) 2016/679) governs how organizations process personal data. For AI systems, GDPR obligations commonly surface in training data, inference inputs, logging and monitoring, retention, vendor relationships, and downstream decision impacts.

Key facts

  • Type: EU regulation
  • Scope: personal data processing
  • Common artifacts: DPIAs, records of processing, privacy notices
  • AI relevance: data governance and transparency

How to use this guide

Most teams use GDPR guidance in one of three ways:

  • Product and engineering: “What do we need to change in the system to be privacy-safe and defensible?”
  • Privacy/legal and governance: “What decisions and artifacts need to exist — and who approves them?”
  • Audit readiness: “Can we prove what we did, when we did it, and why?”

Authoritative text (EUR-Lex)

Where GDPR shows up in AI systems (quick map)

Where personal data appears in an AI system:

  • Training and fine-tuning: datasets, labels, sampling, retention, deletion
  • User inputs: prompts, forms, feedback, support tickets
  • Operational logs: traces, monitoring, access logs, incident records
  • Outputs and downstream decisions: profiling, recommendations, automation, human review
  • Vendors and subprocessors: model providers, hosting, analytics, tooling

How GDPR intersects with AI governance

GDPR is not an “AI law,” but it often determines whether an AI system is deployable:

  • whether training and input data is lawful and minimized
  • how retention, logging, and access are controlled
  • whether individuals receive the required information and can exercise rights
  • how vendors and subprocessors are governed
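The retention, logging and access points above are where an engineering team usually has to change the system rather than write a document. As an added illustration (not code from Modulos or from the regulation), the following is a minimization pass an inference service could apply to a log record before it is stored: keep only the fields monitoring needs, replace the user identifier with a keyed pseudonym, redact e-mail addresses and phone numbers in prompt text, and stamp a retention deadline that a deletion job can enforce. The field names, regular expressions, 30-day retention period and sample record are assumptions made for this example.

```python
"""Minimize an inference log record before it reaches the log store.

Added example, not Modulos code. The record layout, field names, regexes
and retention period are assumptions for illustration only.
"""
import hashlib
import hmac
import re
from datetime import datetime, timedelta

# Fields the monitoring use case actually needs; anything else is dropped.
ALLOWED_FIELDS = {"ts", "user_id", "model", "prompt", "latency_ms", "status"}

# Direct identifiers commonly pasted into prompts. These are coarse patterns:
# a redaction pass is a minimization measure, not a guarantee, and its limits
# belong in the DPIA.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash: stable for joins across records, but an attacker without
    the key cannot recover the identifier by hashing guessed values."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def redact_text(text: str) -> str:
    """Replace e-mail addresses and phone numbers with fixed placeholders."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return text


def minimize_record(record: dict, key: bytes, retention_days: int = 30) -> dict:
    """Return the version of `record` that is allowed to be written."""
    out = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    if "user_id" in out:
        out["user_id"] = pseudonymize(str(out["user_id"]), key)
    if "prompt" in out:
        out["prompt"] = redact_text(out["prompt"])
    # Retention deadline computed at write time so a deletion job needs no policy lookup.
    ts = datetime.fromisoformat(out["ts"])
    out["expires_at"] = (ts + timedelta(days=retention_days)).isoformat()
    return out


def is_expired(record: dict, now_iso: str) -> bool:
    """True when the record's retention deadline has passed (deletion job check)."""
    return datetime.fromisoformat(record["expires_at"]) <= datetime.fromisoformat(now_iso)


# Constructed sample record (not real data).
SAMPLE = {
    "ts": "2024-05-01T10:00:00+00:00",
    "user_id": "alice.smith",
    "model": "example-model",
    "prompt": "Email me at alice@example.org or call +41 44 123 45 67.",
    "client_ip": "203.0.113.7",  # not needed for monitoring: dropped
    "latency_ms": 412,
    "status": 200,
}

if __name__ == "__main__":
    # The key must live in a secret store, never in the log pipeline's config repo.
    key = b"rotate-me-and-keep-out-of-the-log-store"
    print(minimize_record(SAMPLE, key))
```

Two practical caveats: the HMAC key is what separates a pseudonym from a bare hash, so it has to be kept outside the log store and rotated with a documented procedure; and the regexes only catch identifiers that look like e-mail addresses or phone numbers, so the DPIA should state that free-text prompts may still contain personal data and that access to the log store is controlled accordingly.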

Go deeper: Key principles and obligations.

For the broader regulatory picture, see: EU AI Act vs GDPR (external).

How Modulos operationalizes GDPR work

Modulos helps teams turn GDPR obligations into auditable work:

  • requirements and controls for privacy governance
  • linked evidence for DPIAs, records, notices, and technical measures
  • review flows for approvals and accountability
  • exports for audit packages and stakeholder sharing


Go deeper: Operationalizing GDPR in Modulos.

Integrated Management System (IMS): ISO/IEC 27701 + ISO/IEC 27001

Many organizations run GDPR work through an Integrated Management System:

  • ISO/IEC 27701 provides a privacy management system structure (roles, controls, evidence, audits).
  • ISO/IEC 27001 provides the security baseline and governance discipline (access control, incident handling, supplier governance).

This helps avoid “GDPR as a document pile” by turning privacy obligations into owned, operable controls with evidence and review cadence.


Disclaimer

This page is for general informational purposes and does not constitute legal advice.