This article is for informational purposes only and does not constitute legal advice. We have made every effort to ensure the analysis reflects the current state of the law, but regulations may change and their interpretation may be subject to dispute. For questions concerning your company's specific situation, consult a qualified lawyer or data protection specialist.
What actually happens when you paste that message
Picture a common scenario: a customer sends in a complaint, and a support agent copies that message into ChatGPT to draft a faster reply. The whole transaction takes a few seconds. What just happened legally takes considerably longer to describe.
First, your company formed a legal relationship with the model provider as a processor of personal data acting on your behalf. Second, the customer's personal data left the European Economic Area and entered infrastructure managed by a US-based entity. Third, an AI system interacting with a user triggered obligations under Regulation (EU) 2024/1689, the AI Act.
Most business owners are aware of at most one of these three dimensions. This article describes all three and shows which of them local AI structurally removes, and which remain regardless of your system's architecture.
The processing chain
Start with the legal categories. Under Article 4(7) GDPR, a controller is the entity that "alone or jointly with others, determines the purposes and means of the processing of personal data." When your company processes a customer message, you are the controller: you decide the purpose and the manner in which those data are used.
When you send that message to an external language model, the model provider becomes a processor within the meaning of Article 4(8) GDPR: "a natural or legal person... which processes personal data on behalf of the controller." Sub-processors can join the chain: cloud infrastructure providers, content delivery networks, monitoring systems. Each one inherits obligations under GDPR, but you as the controller are responsible for the entire chain operating in compliance with the regulation.
Article 28(1) GDPR states this plainly: a controller must use only processors "providing sufficient guarantees to implement appropriate technical and organisational measures." Assuming the model provider meets those requirements is not enough. Article 28(3) imposes an obligation to conclude a written data processing agreement covering, among other things, a clause that the processor acts only on documented instructions from the controller and applies the security measures required by Article 32 GDPR.
The practical consequence is straightforward: as the controller, your company is responsible for any breach anywhere in the processing chain, regardless of which party was technically at fault. A data processing agreement manages risk, but it does not transfer liability.
The transfer out of the EEA
When a customer message reaches a language model based in the United States, personal data leaves the European Economic Area. From that point, Chapter V GDPR (Articles 44-50) applies, governing transfers to third countries. The transfer is permitted, but it comes with obligations that must be actively fulfilled.
The legal foundation in this area is the CJEU judgment of 16 July 2020, Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II), ECLI:EU:C:2020:559. The Court invalidated the Commission's prior adequacy decision on Privacy Shield and held that US domestic law does not offer protection equivalent to GDPR. The Court focused in particular on US intelligence authorities' powers of mass data access and the absence of effective judicial redress for EU citizens.
The Commission's response was Commission Implementing Decision (EU) 2023/1795 of 10 July 2023, establishing the EU-US Data Privacy Framework (DPF). A critical qualification: the DPF covers only US organizations that have self-certified under the program, and only to the extent covered by their certification. It is not a general adequacy decision for the United States. Many language model providers are not on the DPF list, or their certification does not cover the specific type of processing you are conducting.
Where a transfer is not covered by the DPF, an appropriate safeguard under Article 46 GDPR is required, typically standard contractual clauses. Their presence in a contract is not enough by itself. EDPB Recommendations 01/2020 require a six-step assessment: identify transfers, select the legal transfer tool, assess the law of the destination country in light of the tool's effectiveness, implement supplementary measures, take any required procedural steps, and monitor the situation on an ongoing basis. Step three is where many organizations encounter difficulty: after Schrems II, assessing US law in the context of mass surveillance must be a genuine analysis, not a formal declaration.
The DPF is subject to periodic Commission review and is the subject of at least one ongoing legal challenge before the CJEU. The legal basis for transfers to the US has changed twice in five years. That does not mean transfers are prohibited, but it does mean the obligations attached to them must be actively managed and the regulatory picture must be monitored continuously.
The AI Act layer
Regulation (EU) 2024/1689, the AI Act, entered into force on 1 August 2024. Its provisions apply in stages: the prohibition on unacceptable-risk practices took effect on 2 February 2025, obligations for general-purpose AI (GPAI) models on 2 August 2025, and general provisions from 2 August 2026. The specific category of high-risk systems under Article 6(1) will not apply until 2 August 2027.
If your company uses AI solely to draft replies for customers, you are most likely not dealing with a high-risk system within the meaning of the AI Act. Annex III lists eight areas where AI systems are by default classified as high-risk: biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration management, and administration of justice. Customer support involving the drafting of replies to messages does not appear in Annex III. One qualification: depending on the context of use, that assessment may differ. If the AI system makes or directly conditions automated decisions affecting individuals' access to services, the classification may change.
Regardless of risk classification, Article 50(1) of the AI Act imposes a transparency obligation on all providers of AI systems intended for direct interaction with natural persons. The user must know they are communicating with an AI system, unless this is obvious to a reasonably informed and attentive person. This obligation applies to any system generating content directed at a specific individual, without regard to the system's risk level.
At the GDPR level, the EDPB ChatGPT Taskforce report of 23 May 2024 is also relevant. In paragraph 30, the EDPB observes preliminarily that, given the probabilistic nature of language models, their outputs may contain biased or fabricated content, and that end users often treat this content as factually accurate. The EDPB notes that the accuracy principle in Article 5(1)(d) GDPR must be respected. This means AI-generated content that relates to natural persons is subject to the accuracy requirement in the same way as any other personal data.
The weight of national supervisory authority decisions extends beyond their own territory. The Garante (Italy's data protection authority) issued an emergency order on 30 March 2023 suspending OpenAI's processing of personal data in Italy, citing specifically Articles 5, 6, and 13 GDPR (docweb 9870832). The grounds were: absence of a legal basis for processing training data, inaccuracy of generated outputs, and lack of age verification mechanisms. GDPR is a single regulation enforced by all national supervisory authorities, including UODO (Poland's data protection authority): the Garante's decision cites the same articles that UODO is obliged to enforce in Poland. As of the date of this article, UODO has not published detailed guidance on the use of cloud-based language models, but it enforces the same regulation on the same provisions.
What local AI actually changes
When a language model runs locally, on your company's own infrastructure located within the EEA, four specific legal risks are structurally eliminated. First, no personal data leaves the EEA at inference time, which means Chapter V GDPR and the analysis required by Schrems II are simply not engaged. Second, no processor relationship arises with a US-based model provider or its sub-processors, removing the obligation to verify their safeguards under Article 28 GDPR. Third, customer messages do not reach a third party's infrastructure that might use them for further model training. Fourth, there is no dependency on the legal durability of the Data Privacy Framework, which was invalidated once and remains the subject of ongoing litigation.
Local processing does not change anything that forms the core of your obligations as a controller, and that list is longer. Your company remains a controller in the full sense of Article 5 GDPR, meaning continuous responsibility for the lawfulness, fairness, and transparency of processing, as well as for data subjects' rights under Articles 12-22, including the rights of access, rectification, and erasure. A legal basis under Article 6 GDPR is still required, and the choice of basis must be justified by the specific processing purpose, not by the technical architecture. Depending on the scale and nature of your AI use, a data protection impact assessment under Article 35 GDPR may still be mandatory. AI Act obligations attach to the use case, not the deployment model: Article 50(1) on transparency toward users applies regardless of where the model runs, and if a specific application falls within Annex III, high-risk system obligations remain fully in force. Running a model locally does not eliminate the risk of hallucinations or inaccurate outputs, which matters under Article 5(1)(d) GDPR. In EDPB Opinion 28/2024 of 18 December 2024, the EDPB stated preliminarily that "AI models trained using personal data cannot in all cases be considered anonymous." The EDPB's preliminary position on the accuracy of generated content, discussed in the previous section, applies to every model, regardless of where it is deployed.
Local processing therefore changes the legal surface of the problem, structurally eliminating the risks that arise from transferring data outside the EEA, but it does not change the substantive obligations that apply to you as the controller of your customers' personal data.
A moving target
The regulation is still being phased in: the AI Act is not yet fully applicable, and the most demanding obligations are staggered out to 2027.
The Data Privacy Framework, established by Commission Implementing Decision (EU) 2023/1795, is subject to periodic Commission review. Its predecessor, Privacy Shield, was invalidated by the Schrems II judgment after three years of operation. The current framework is the subject of at least one ongoing legal challenge. The legal basis for data transfers to the US may change again, whatever the Commission's 2023 assessment concluded.
The value of a local data processing decision increases in direct proportion to the growth of the regulatory surface: the obligations that a local architecture structurally eliminates are precisely those that will expand in the years ahead.
Practical questions
Three questions your company should be able to answer specifically, right now.
Where geographically are your customers' messages processed when they reach the AI tool you use? Is the infrastructure serving the model's responses located within the EEA or outside it?
If your model provider is based in the United States: is it on the current DPF list of certified organizations, and does its certification cover the specific type of processing you are conducting? If not, has your company completed the six-step assessment required by EDPB Recommendations 01/2020?
Do your customers know, at the moment of interaction, that they are communicating with an AI system? The transparency obligation under Article 50(1) of the AI Act applies regardless of the system's risk level and regardless of where the model is deployed. It applies, however, to systems where AI interacts directly with the customer. A human-in-the-loop model — where a human reviews and manually sends each response — changes that assessment: the customer interacts with a person using AI as a tool, not with the AI system itself.
Local AI like Suovo is built on the premise that customer data does not leave your infrastructure. We wrote this article to show what that changes legally, and what does not change regardless of the architecture.
Sources
European Parliament and Council of the EU, Regulation (EU) 2024/1689 of 13 June 2024 (Artificial Intelligence Act). Articles 5, 6, 50 and 113, Annex III. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng. Accessed: 2026-04-13.
European Parliament and Council of the EU, Regulation (EU) 2016/679 of 27 April 2016 (GDPR). Articles 4, 5(1)(d), 28, 35, Chapter V (Articles 44-50). https://eur-lex.europa.eu/eli/reg/2016/679/oj. Accessed: 2026-04-13.
European Commission, Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 (EU-US Data Privacy Framework adequacy decision). https://eur-lex.europa.eu/eli/dec_impl/2023/1795/oj/eng. Accessed: 2026-04-13.
Court of Justice of the EU, Judgment of 16 July 2020, Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II). ECLI:EU:C:2020:559. https://curia.europa.eu/juris/liste.jsf?num=C-311/18. Accessed: 2026-04-13.
European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0, adopted 18 June 2021. https://www.edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf. Accessed: 2026-04-13.
European Data Protection Board, Report of the work undertaken by the ChatGPT Taskforce, 23 May 2024. https://www.edpb.europa.eu/our-work-tools/our-documents/other/report-work-undertaken-chatgpt-taskforce_en. Accessed: 2026-04-13.
European Data Protection Board, Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models, 18 December 2024. https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-282024-certain-data-protection-aspects_en. Accessed: 2026-04-13.
Garante per la protezione dei dati personali (Italy's data protection authority), Order of 30 March 2023, No. 112, docweb 9870832. Articles 5, 6, 8, 13, 25, 58(2)(f) GDPR. https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9870832. Accessed: 2026-04-13.