ELRIC Lab · Guides 2026

AI agents GDPR SMB 2026: practical compliance guide

AI agents process personal data — emails, resumes, meetings, CRM. This guide helps SMBs deploy AI **without grey zones**: legal bases, hosting, processors, audit and human control.

Last updated : July 6, 2026 · Reading time : ~6 min

3 compliance pillars

GDPR compliance for AI agents rests on three technical pillars. The diagram shows how they fit together.

Data flow and human control

Every sensitive action goes through approval; core data stays in the EU with per-company isolation.

  • Pillar 1 — Location: core data in the EU, signed DPA, no third-party training on your content.
  • Pillar 2 — Technical governance: multi-tenant isolation (RLS), encrypted tokens, exportable audit.
  • Pillar 3 — Human control: approval before external email, data deletion/export, updated processing register.

12-point checklist

Vendor or internal audit: each item is verifiable — not a marketing promise.

Data flow and human control

Every sensitive action goes through approval; core data stays in the EU with per-company isolation.

  1. Identify personal data processed by AI
  2. Document purpose and legal basis
  3. Verify EU hosting of core data
  4. Sign DPA with AI vendor
  5. Require per-company isolation
  6. Enable agent action audit log
  7. Configure human approval for sensitive actions
  8. Limit OAuth scopes to minimum
  9. Train users (no unnecessary sensitive data)
  10. Plan deletion / export procedure
  11. Update processing register
  12. Review LLM subprocessors annually

Hosting compared

PlatformBest forScore
Elric (EU)SMB, native RLS, DPACompliant
Mistral Le ChatFrench model, chat dataDPA + purpose
ChatGPT EnterpriseUS + EU optionsDPA required
Copilot M365EU Data BoundaryIf M365
Make / n8nAutomation, subprocessorsMap data flows
US tools without DPAAvoid

Decision tree

Your regulatory requirements determine the platform — not the other way around.

  1. EU data + SMB → Elric or EU vendor with DPA
  2. 100% Microsoft + EU Boundary → Copilot acceptable
  3. Health / children data → mandatory DPO review
  4. Personal Shadow ChatGPT → ban, centralize workspace
  5. Export outside EU → legal review case by case

FAQ

Is an AI agent reading my email compliant?
Yes with documented legal basis, signed DPA, EU hosting, company isolation and clear purpose.
Are US LLMs a problem?
Risk is transfer outside EU. Use vendors with DPA, SCCs and — ideally — EU processing of core data.
Does Elric provide a DPA?
Yes — available at /dpa. EU hosting, no third-party training on your content, RLS isolation.
Must AI agents be declared to the supervisory authority?
Update your Article 30 processing register as soon as an agent processes personal data — emails, resumes, meetings. No separate "AI declaration" if the register is current.
Are Make or n8n GDPR-compatible?
Yes if you map personal data flows, sign DPAs with each connector and limit transferred fields. They do not replace a governed AI OS for business execution.
What about employees using personal ChatGPT?
Ban or channel to a governed workspace (Elric, enterprise Copilot) with DPA, audit and approvals — Shadow AI is the #1 risk in 2026.