	In Browser
	StumbleUpon
	del.icio.us
	Google
	Google Buzz
	reddit
	LinkedIn

	Facebook
	Twitter
	Linkedin
	E-Mail

Generative AI > AI Governance > GDPR and EU AI Act Compliance for LLM Applications

GDPR and EU AI Act Compliance for LLM Applications

Author: Venkata Sudhakar

ShopMax India sells to customers across India and to European markets through its international platform. LLM applications that process personal data of European users must comply with GDPR, and AI systems classified as high-risk under the EU AI Act require additional documentation, testing, and human oversight. Understanding which obligations apply to which parts of the LLM stack allows ShopMax India to build compliance efficiently rather than retrofitting it after deployment.

GDPR compliance for LLM applications requires a lawful basis for processing personal data in prompts, a data processing agreement with the LLM API provider, data minimisation in prompt construction, and the ability to honour data subject access and erasure requests. The EU AI Act adds requirements for high-risk systems: a risk management system, technical documentation, human oversight mechanisms, and conformity assessment before deployment in EU markets.

The example below implements a GDPR and EU AI Act compliance runner for ShopMax India's LLM platform, checking each requirement programmatically and generating a compliance gap report.

from datetime import datetime

class GDPRComplianceRunner:
    def __init__(self, system_name):
        self.system_name = system_name
        self.checks = []

def check(self, requirement, status, notes=""):
        self.checks.append({
            "requirement": requirement,
            "status": status,
            "notes": notes
        })

def run(self):
        # GDPR checks
        self.check("Lawful basis documented (Art 6)", "PASS", "Legitimate interest assessment completed")
        self.check("DPA signed with LLM provider (Art 28)", "PASS", "DPA on file, reviewed 2025-01-10")
        self.check("Data minimisation in prompts (Art 5)", "PASS", "Pseudonymisation layer active")
        self.check("Data subject access request handler", "PASS", "DSR endpoint at /api/dsr/access")
        self.check("Right to erasure handler (Art 17)", "FAIL", "Erasure from vector store not implemented")
        self.check("Data retention policy (Art 5)", "PASS", "90-day log retention enforced")
        self.check("Privacy notice updated for AI use", "FAIL", "Policy update pending legal review")
        # EU AI Act checks
        self.check("AI system risk classification", "PASS", "Classified as limited-risk (Art 52)")
        self.check("Human oversight mechanism", "PASS", "Escalation to human agent available")
        self.check("Technical documentation (Annex IV)", "FAIL", "System card not yet completed")

def report(self):
        passed = [c for c in self.checks if c["status"] == "PASS"]
        failed = [c for c in self.checks if c["status"] == "FAIL"]
        print(f"GDPR + EU AI Act Compliance: {self.system_name}")
        print(f"Date: {datetime.now().strftime("%Y-%m-%d")}")
        print(f"Score: {len(passed)}/{len(self.checks)} passed\n")
        for c in failed:
            print(f"FAIL: {c['requirement']}")
            if c["notes"]:
                print(f"      Note: {c['notes']}")
        if not failed:
            print("All compliance checks passed.")

runner = GDPRComplianceRunner("ShopMax India LLM Platform")
runner.run()
runner.report()

It gives the following output,

GDPR + EU AI Act Compliance: ShopMax India LLM Platform
Date: 2025-04-15
Score: 7/10 passed

FAIL: Right to erasure handler (Art 17)
      Note: Erasure from vector store not implemented
FAIL: Privacy notice updated for AI use
      Note: Policy update pending legal review
FAIL: Technical documentation (Annex IV)
      Note: System card not yet completed

Treat the compliance runner as a living document and add new checks as regulations evolve. For the erasure requirement, implement a soft-delete mechanism in your vector store that marks embeddings as deleted and excludes them from retrieval without destroying the index. Assign a designated compliance contact responsible for reviewing the report monthly and escalating failures to the appropriate team. When exporting customer data for LLM fine-tuning, run a transfer impact assessment if the LLM provider processes data outside the EU to satisfy GDPR Chapter V obligations.

Send your comments, suggestions or queries regarding this site to [email protected].