LLMs, agents and RAG systems process personal data. GDPR and EU AI Act create a cross-compliance framework. This guide covers concrete obligations for Belgian SMEs.
Using an LLM to process personal data requires an explicit legal basis: legitimate interest (often insufficient), consent, or contract performance. Document the chosen basis in the processing register.
If you send personal data to OpenAI, Anthropic or Google: a Data Processing Agreement (DPA) is mandatory. All providers offer a standard DPA, but data retention conditions vary.
OpenAI (US) and Anthropic (US): verify that the DPA includes Standard Contractual Clauses (SCCs) for EU-US transfers. Azure OpenAI with EU data residency is safer for sensitive data.
A Data Protection Impact Assessment (DPIA) is mandatory for large-scale processing of special categories of data or for systematic profiling.
AI systems must support rights: access, rectification, erasure, objection. Plan a process for tracing and deleting individual data in RAG embeddings.
GDPR Art. 22: fully automated decisions with legal effect require a right to explanation and human recourse. This is critical for credit, recruitment and healthcare.
Detect and replace PII (names, emails, national IDs) before sending to the LLM. Tools: Microsoft Presidio (open-source), AWS Comprehend PII, or custom spaCy/GLiNER pipeline.
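As an added example (not code from the page or from any of the tools it names), the following stdlib-only Python sketch shows the shape of such a pre-LLM gateway: structured identifiers are swapped for placeholders before the prompt leaves the company, the mapping stays on-premises, and the originals are re-inserted into the model's reply. Belgian national numbers are only replaced when their mod-97 check digits verify, which cuts false positives on ordinary numbers. Names need an NER model (spaCy or GLiNER, as above) and are deliberately out of scope; the class and placeholder names and the sample ticket text are assumptions constructed for the example.

```python
import re

# Added example (not from the page): a minimal pseudonymisation gateway that
# runs before a prompt leaves the company, then re-inserts the originals into
# the model's reply. Only structured identifiers are handled; names need an
# NER model and are out of scope here.

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Belgian national number layout YY.MM.DD-SSS.CC, separators optional.
NATIONAL_NUMBER_RE = re.compile(
    r"\b(\d{2})[.\s]?(\d{2})[.\s]?(\d{2})[-\s]?(\d{3})[.\s]?(\d{2})\b"
)
PLACEHOLDER_RE = re.compile(r"<(?:EMAIL|NATIONAL_ID)_\d+>")


def belgian_national_number_valid(digits: str) -> bool:
    """Mod-97 check for an 11-digit Belgian national number.

    The check digits are 97 minus (first nine digits mod 97); for people
    born in or after 2000 a leading '2' is prepended before the division.
    A failed check means the string is most likely not a national number.
    """
    if len(digits) != 11 or not digits.isdigit():
        return False
    body, check = digits[:9], int(digits[9:])
    return check in (97 - int(body) % 97, 97 - int("2" + body) % 97)


class Pseudonymizer:
    """Swap identifiers for placeholders; the mapping never leaves the premises."""

    def __init__(self) -> None:
        self.vault: dict[str, str] = {}  # placeholder -> original value
        self._counters = {"EMAIL": 0, "NATIONAL_ID": 0}

    def _placeholder(self, kind: str, value: str) -> str:
        # Reuse the placeholder if the same value appears more than once.
        for ph, original in self.vault.items():
            if original == value:
                return ph
        self._counters[kind] += 1
        ph = f"<{kind}_{self._counters[kind]}>"
        self.vault[ph] = value
        return ph

    def redact(self, text: str) -> str:
        """Outbound direction: replace identifiers before the LLM call."""
        def replace_national_number(m: re.Match) -> str:
            if not belgian_national_number_valid("".join(m.groups())):
                return m.group(0)  # checksum fails: leave the text alone
            return self._placeholder("NATIONAL_ID", m.group(0))

        text = NATIONAL_NUMBER_RE.sub(replace_national_number, text)
        return EMAIL_RE.sub(lambda m: self._placeholder("EMAIL", m.group(0)), text)

    def restore(self, text: str) -> str:
        """Inbound direction: re-insert originals into a reply echoing placeholders."""
        return PLACEHOLDER_RE.sub(lambda m: self.vault.get(m.group(0), m.group(0)), text)


# Constructed sample ticket text (fictional people, numbers and addresses).
SAMPLE = (
    "Patient Jan Peeters (85.07.14-123.30, jan.peeters@example.be) and "
    "Sofie Claes (03.02.05-045.08) asked about order ref 12.34.56-789.00."
)

if __name__ == "__main__":
    p = Pseudonymizer()
    outbound = p.redact(SAMPLE)
    print(outbound)  # what the LLM provider actually receives
    reply = "Summary: contacted <EMAIL_1> regarding <NATIONAL_ID_1>."
    print(p.restore(reply))  # what the user sees
```

The order reference in the sample keeps its digits because its check digits do not verify, while both national numbers and the e-mail address are replaced. A `Pseudonymizer` instance is meant to live for one request only, so the placeholder-to-value map is never persisted alongside the prompt log.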
Self-hosting Llama 4 or Mistral Large on a Belgian or European server means no external transfer. Ideal for medical practices, law firms and HR departments.
The "EU Data Boundary" option guarantees that data stays in European data centres; SOC 2, ISO 27001 and GDPR compliance are contractually guaranteed.
For RAG embeddings containing personal data: encrypt per client. Destroying that client's key then implements the "right to erasure" without rebuilding the index.
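As an added example (not code from the page), here is a small Python vector store that implements that key-based erasure: every embedding and its source chunk is encrypted under the owning client's key, a search decrypts only that client's records, and `shred()` forgets the key so the records, and any backups of them, turn into noise without touching the index. The cipher is a stdlib stand-in (HMAC-SHA256 in counter mode plus an HMAC tag) so the block runs anywhere; a real deployment would use AES-GCM with the per-client keys held in a KMS or HSM. Class names, the record layout and the three-dimensional sample vectors are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import math
import os
import struct

# Added example (not from the page): per-client encrypted embedding store in
# which deleting the client's key makes every stored vector and text chunk
# unreadable, so erasure needs no index rebuild. Stand-in cipher: HMAC-SHA256
# in counter mode plus an HMAC tag (stdlib only); use AES-GCM in production.


def _subkey(master: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one per-client master key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes) -> tuple[bytes, bytes, bytes]:
    nonce = os.urandom(16)
    stream = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def decrypt(master: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    expected = hmac.new(_subkey(master, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered record")
    stream = _keystream(_subkey(master, b"enc"), nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def cosine(a: list[float], b: list[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(x * x for x in b)))


class KeyVault:
    """One random key per client. In production this lives in a KMS or HSM."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def has(self, client_id: str) -> bool:
        return client_id in self._keys

    def key_for(self, client_id: str) -> bytes:
        return self._keys.setdefault(client_id, os.urandom(32))

    def shred(self, client_id: str) -> None:
        """Erasure: forget the key. Ciphertexts and their backups are now noise."""
        self._keys.pop(client_id, None)


class EncryptedVectorStore:
    def __init__(self, vault: KeyVault) -> None:
        self.vault = vault
        self.records: list[tuple] = []  # (client_id, doc_id, nonce, ciphertext, tag)

    def add(self, client_id: str, doc_id: str, embedding: list[float], text: str) -> None:
        # Vector and source chunk are sealed together; nothing is stored in clear.
        payload = json.dumps({"embedding": embedding, "text": text}).encode()
        nonce, ct, tag = encrypt(self.vault.key_for(client_id), payload)
        self.records.append((client_id, doc_id, nonce, ct, tag))

    def search(self, client_id: str, query: list[float], top_k: int = 3) -> list[tuple]:
        if not self.vault.has(client_id):
            return []  # key shredded: nothing of this client's is recoverable
        key = self.vault.key_for(client_id)
        scored = []
        for cid, doc_id, nonce, ct, tag in self.records:
            if cid != client_id:
                continue  # tenant isolation: never open another client's records
            rec = json.loads(decrypt(key, nonce, ct, tag))
            scored.append((cosine(query, rec["embedding"]), doc_id, rec["text"]))
        scored.sort(reverse=True)
        return scored[:top_k]

    def purge_unreadable(self) -> int:
        """Housekeeping after shredding: drop records that no key can open."""
        before = len(self.records)
        self.records = [r for r in self.records if self.vault.has(r[0])]
        return before - len(self.records)
```

The housekeeping pass is optional: erasure is already complete the moment the key is gone, which is what makes this approach hold for backups and replicas that a plain delete would miss. The cost is that similarity search has to decrypt a client's vectors at query time, so the index is effectively partitioned per client; that matches the per-tenant isolation most SME deployments want anyway.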
Molderez Consult SRL assesses your EU AI Act and GDPR compliance.