The General Data Protection Regulation is not a compliance checkbox — it is the operational baseline for any commerce team collecting, processing, or sharing personal data of individuals in the European Economic Area. For AI-driven commerce, it creates specific obligations that go beyond traditional data handling: automated decision-making, profiling, and AI-generated personalization each trigger additional rules that most teams underestimate.
Regulation Overview
The GDPR (Regulation (EU) 2016/679) came into force on 25 May 2018 and replaced the 1995 EU Data Protection Directive. It establishes a unified framework for data protection across the EU, giving individuals enforceable rights over their personal data and imposing obligations on any organization that processes it — regardless of where that organization is based.
Enforcement is carried out by national Data Protection Authorities (DPAs). Fines for serious violations can reach €20 million or 4% of global annual revenue, whichever is higher (Art. 83). The regulation is not static: DPAs have issued binding decisions and guidance that shape how GDPR applies to AI systems in practice.
Geographic Applicability
GDPR applies to your commerce operation if any of the following are true:
- You are established in the EU or EEA (regardless of where data processing occurs)
- You offer goods or services to individuals in the EU — including free services, even if no purchase is made
- You monitor the behavior of individuals in the EU — including through cookies, analytics, recommendation engines, or behavioral profiling
This means a US-headquartered retailer running AI-powered personalization for EU customers is fully subject to GDPR, even with no EU office. The territorial scope (Art. 3) is one of the most commonly misunderstood aspects of the regulation for non-European commerce teams.
Key Principles
Every processing activity — including AI inference, model training, and data pipelines — must comply with GDPR's six core principles (Art. 5):
1. Lawfulness, fairness, and transparency
Processing must have a valid legal basis (consent, contract, legitimate interest, legal obligation, vital interests, or public task). AI systems that process personal data must be disclosed to users in plain language.
2. Purpose limitation
Data collected for one purpose (e.g. order fulfillment) cannot be repurposed for a different use (e.g. training a recommendation model) without a separate legal basis or user consent.
3. Data minimisation
Collect only what is necessary. AI models trained on more personal data than required for the task at hand violate this principle by design.
4. Accuracy
Personal data must be kept accurate and up to date. AI systems that make decisions based on stale or incorrect profiles can create both compliance and liability exposure.
5. Storage limitation
Data cannot be retained indefinitely. AI training datasets that include personal data must have defined retention schedules and deletion procedures.
6. Integrity and confidentiality
Appropriate technical and organizational security measures are required. This includes access controls on training data, model outputs, and any system that processes personal information.
Obligations for AI Use
AI systems in commerce create specific GDPR obligations that go beyond standard data handling:
Automated Decision-Making and Profiling (Art. 22)
Individuals have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. This directly applies to:
- AI-driven credit or financing decisions at checkout
- Automated fraud detection that blocks a transaction or account
- Personalization engines that determine whether a user sees a promotional offer or is excluded from one
What this means in practice: If your AI system makes a consequential decision without human review, you must either obtain explicit consent, demonstrate the decision is necessary for a contract, or provide a clear mechanism for the individual to request human intervention and contest the outcome.
Data Protection Impact Assessments (Art. 35)
A DPIA is mandatory before deploying any AI system that involves large-scale processing of personal data, systematic profiling, or processing of sensitive categories (health, financial, location data). A DPIA must document the risks, the necessity of the processing, and the mitigations in place. DPAs in Germany, France, and the UK have each published AI-specific DPIA guidance.
Legitimate Interest vs. Consent
Many commerce AI use cases are built on a "legitimate interest" legal basis — but this requires a documented balancing test showing that the organization's interest does not override the individual's rights. Personalization, lookalike modeling, and behavioral analytics are frequently challenged on this ground. When in doubt, consent is the more defensible basis, but it must be freely given, specific, informed, and unambiguous.
Data Subject Rights
GDPR grants individuals eight rights that AI systems must be designed to support:
- Right of access — users can request all personal data held about them, including inferred attributes and model outputs
- Right to rectification — inaccurate data must be correctable, including AI-generated profiles
- Right to erasure ("right to be forgotten") — upon request, personal data must be deleted; this extends to derived data and, in some DPA interpretations, to model unlearning
- Right to data portability — data provided by the user must be exportable in a machine-readable format
- Right to object — users can object to processing based on legitimate interest, including profiling
- Right not to be subject to automated decisions — as described under Art. 22 above
Implications for Data Handling in AI Implementations
Training Data
Personal data used to train AI models is subject to GDPR from collection through deletion. Key obligations:
- The original legal basis for collecting the data must cover its use in model training, or a new basis must be established
- Training datasets must be auditable: data lineage, retention schedules, and access logs are required
- Synthetic data generation is increasingly used to reduce personal data exposure in training pipelines — but synthetic data derived from real personal data may still carry GDPR obligations depending on re-identification risk
Inference and Real-Time Processing
Every API call that passes personal data to an AI model is a processing activity. For third-party AI providers (including foundation model APIs):
- A Data Processing Agreement (also abbreviated DPA, not to be confused with the supervisory authorities referred to above) must be in place before any personal data is shared
- If the provider processes data outside the EEA, a valid transfer mechanism is required (Standard Contractual Clauses, adequacy decision, or Binding Corporate Rules)
- Zero Data Retention (ZDR) arrangements — where the provider does not store inputs or outputs — significantly reduce GDPR exposure for real-time inference
Vendor and Supply Chain Obligations
Under GDPR, the organization deploying an AI system is the data controller and bears primary responsibility. AI vendors and infrastructure providers who process data on your behalf are data processors, and their sub-processors must also be contractually bound. Vendor assessments should verify: data residency, retention policies, availability of a data processing agreement, and breach notification SLAs.
Breach Notification
If a breach affecting personal data is identified, it must be reported to the relevant DPA within 72 hours of the organization becoming aware of it (Art. 33). If the breach is likely to result in high risk to individuals, those individuals must also be notified without undue delay (Art. 34). AI systems that process large volumes of personal data increase the potential blast radius of any breach.