Do I need consent to use an AI chatbot under GDPR?

Not always. If the chatbot is necessary to provide a service the user requested (e.g., answering a support question), you can process data under 'legitimate interest' or 'contractual necessity.' However, you still need to inform users about data processing in your privacy notice.

Can I use OpenAI's API and still be GDPR-compliant?

Yes, but you need a Data Processing Agreement (DPA) with OpenAI, which they provide. You must also disclose the third-party processing in your privacy notice and ensure appropriate safeguards for international data transfers.

Is self-hosting the only way to be fully GDPR-compliant?

No. Self-hosting eliminates third-party data transfer concerns entirely, which simplifies compliance. But cloud-hosted solutions with proper DPAs, EU data residency, and transparent privacy notices can also be fully compliant.

GDPR-Compliant AI Chatbot: A Practical Guide for EU Businesses

To run a GDPR-compliant AI chatbot, you need a lawful basis for processing chat data, a clear privacy notice, data processing agreements with AI providers, and ideally the option to self-host your LLM. This guide walks through each requirement with practical steps, not legal theory.

Does GDPR apply to AI chatbots?

Yes. If your chatbot collects, processes, or stores any data from EU residents, GDPR applies. Chat messages are personal data — they can contain names, email addresses, order numbers, and other identifying information, even when users do not intend to share it.

The tricky part with AI chatbots is the data flow. A typical conversation involves:

User input (stored in your database)
That input sent to an AI provider's API (third-party processing)
The AI response (stored in your database)
Conversation metadata (timestamps, session IDs, IP addresses)

Each of these steps has GDPR implications. The 2025 EDPB guidelines on AI systems specifically confirmed that chat interactions with AI fall under GDPR's scope.

The 5 GDPR requirements for chatbots

1. Lawful basis for processing

You need a legal reason to process chat data. The two most common bases for chatbots are:

Legitimate interest — providing customer support is a legitimate business interest, as long as it does not override the user's privacy rights
Contractual necessity — if the chatbot helps fulfill a service the user explicitly requested (like checking order status)

Consent is an option but generally overkill for support chatbots. If you do rely on consent, remember that users must be able to withdraw it at any time.

2. Transparency

Users must know they are interacting with an AI, not a human. Your privacy notice must explain what data the chatbot collects, why, and who processes it (including third-party AI providers). This is not optional — the EU AI Act reinforces this requirement.

3. Data minimization

Collect only what you need. Set automatic session expiry so chat data does not persist indefinitely. Avoid storing unnecessary metadata. If you do not need IP addresses, do not log them.

4. Data Processing Agreement (DPA)

If you send chat data to OpenAI, Anthropic, or any third-party API, you need a DPA with that provider. Most major AI providers offer standard DPAs:

OpenAI provides a DPA that covers API usage (not ChatGPT consumer product)
Anthropic offers a DPA for Claude API customers
Self-hosted models (Ollama) require no third-party DPA

5. Data subject rights

Users have the right to access, correct, and delete their chat data. Your platform must support:

Exporting a user's conversation history on request
Deleting specific conversations or all data for a user
Providing information about what data was processed and by whom

Pro tip

Automate data subject requests. If your chatbot platform supports automatic session cleanup and data export, you will handle 90% of GDPR requests without manual work.

The data flow problem — where does chat data go?

This is where most businesses get tripped up. When a user types a message, it typically travels through multiple systems:

User's browser sends the message to your chatbot backend
Your backend sends it to an AI provider's API (potentially in the US)
The AI provider processes it and returns a response
Your backend stores both messages in your database

Step 2 is the compliance hotspot. Sending EU personal data to a US-based AI provider triggers Chapter V of GDPR (international transfers). You need either Standard Contractual Clauses (SCCs), an adequacy decision, or a recognized transfer mechanism.

Both OpenAI and Anthropic include SCCs in their DPAs. But if you want to eliminate this complexity entirely, there is a simpler option.

Self-hosting as the nuclear option

When you run your LLM on your own infrastructure using Ollama, no chat data leaves your network. There is no third-party processor. No international transfer. No DPA needed for the AI layer.

Self-hosting with rentabot.chat works like this:

Install Ollama on your server (EU-based)
Download a model like Llama 3 or Mistral
Point your rentabot.chat chatbot to your Ollama endpoint
All processing happens on your infrastructure

For healthcare, legal, financial services, and government organizations, self-hosting is often the only option that satisfies both GDPR and industry-specific regulations.

Practical checklist for GDPR compliance

Identify your lawful basis for processing chat data (legitimate interest or contractual necessity)
Update your privacy notice to mention the AI chatbot and any third-party AI providers
Disclose that users are interacting with an AI system (not a human)
Sign DPAs with all AI providers you use (OpenAI, Anthropic, etc.)
Verify that your AI providers include SCCs for international transfers
Set automatic session and data retention policies (e.g., delete chat data after 30 days)
Implement data subject access and deletion requests
Document your processing activities in your Records of Processing (ROPA)
Conduct a Data Protection Impact Assessment (DPIA) if processing at scale
Consider self-hosting for maximum compliance and simplicity

This is guidance, not legal advice

GDPR compliance depends on your specific situation. This guide covers the technical and practical aspects, but consult a qualified data protection lawyer for your particular case.

What about the EU AI Act?

The EU AI Act, which entered force in stages throughout 2025-2026, adds requirements on top of GDPR for AI systems. For chatbots, the key obligations are:

Transparency: Users must be informed they are interacting with an AI system (this overlaps with GDPR transparency requirements)
Risk classification: Most customer support chatbots fall under "limited risk" — the lowest regulation tier — requiring only transparency obligations
Content moderation: AI systems should have safeguards against generating harmful content (see our moderation guide)

High-risk classifications (which require extensive documentation, testing, and human oversight) apply mainly to AI in healthcare diagnostics, hiring, law enforcement, and critical infrastructure — not typical customer support chatbots.

FAQ

Can I use chatbot data to improve my AI model?

Only with explicit consent and a clear purpose limitation. Using chat data for model training is a separate processing activity that requires its own lawful basis. Most businesses avoid this complexity by using RAG instead, which does not involve training the model on user conversations.

How long should I retain chat data?

As short as reasonably possible. Most businesses set retention between 30 and 90 days. The key principle is purpose limitation: once the chat data no longer serves its original purpose (answering the user's question), it should be deleted or anonymized.

Do I need a cookie banner for the chatbot?

If your chatbot widget does not set cookies (rentabot.chat uses WebSocket sessions, not cookies), no cookie banner is required for the chatbot itself. However, if you use analytics cookies to track chatbot usage, those fall under your existing cookie consent requirements.

For the strongest GDPR posture, combine self-hosting with automatic data cleanup. Read our self-hosted AI chatbot guide, or see how content moderation adds another layer of compliance.