ELRIC Lab · Guides 2026
AI agents GDPR SMB 2026: practical compliance guide
AI agents process personal data — emails, resumes, meetings, CRM. This guide helps SMBs deploy AI **without grey zones**: legal bases, hosting, processors, audit and human control.

3 compliance pillars
GDPR compliance for AI agents rests on three technical pillars. The diagram shows how they fit together.
Every sensitive action goes through approval; core data stays in the EU with per-company isolation.
- Pillar 1 — Location: core data in the EU, signed DPA, no third-party training on your content.
- Pillar 2 — Technical governance: multi-tenant isolation (RLS), encrypted tokens, exportable audit.
- Pillar 3 — Human control: approval before external email, data deletion/export, updated processing register.
12-point checklist
Vendor or internal audit: each item is verifiable — not a marketing promise.
Every sensitive action goes through approval; core data stays in the EU with per-company isolation.
- Identify personal data processed by AI
- Document purpose and legal basis
- Verify EU hosting of core data
- Sign DPA with AI vendor
- Require per-company isolation
- Enable agent action audit log
- Configure human approval for sensitive actions
- Limit OAuth scopes to minimum
- Train users (no unnecessary sensitive data)
- Plan deletion / export procedure
- Update processing register
- Review LLM subprocessors annually
Hosting compared
| Platform | Best for | Score |
|---|---|---|
| Elric (EU) | SMB, native RLS, DPA | Compliant |
| Mistral Le Chat | French model, chat data | DPA + purpose |
| ChatGPT Enterprise | US + EU options | DPA required |
| Copilot M365 | EU Data Boundary | If M365 |
| Make / n8n | Automation, subprocessors | Map data flows |
| US tools without DPA | — | Avoid |
Decision tree
Your regulatory requirements determine the platform — not the other way around.
- EU data + SMB → Elric or EU vendor with DPA
- 100% Microsoft + EU Boundary → Copilot acceptable
- Health / children data → mandatory DPO review
- Personal Shadow ChatGPT → ban, centralize workspace
- Export outside EU → legal review case by case
FAQ
- Is an AI agent reading my email compliant?
- Yes with documented legal basis, signed DPA, EU hosting, company isolation and clear purpose.
- Are US LLMs a problem?
- Risk is transfer outside EU. Use vendors with DPA, SCCs and — ideally — EU processing of core data.
- Does Elric provide a DPA?
- Yes — available at /dpa. EU hosting, no third-party training on your content, RLS isolation.
- Must AI agents be declared to the supervisory authority?
- Update your Article 30 processing register as soon as an agent processes personal data — emails, resumes, meetings. No separate "AI declaration" if the register is current.
- Are Make or n8n GDPR-compatible?
- Yes if you map personal data flows, sign DPAs with each connector and limit transferred fields. They do not replace a governed AI OS for business execution.
- What about employees using personal ChatGPT?
- Ban or channel to a governed workspace (Elric, enterprise Copilot) with DPA, audit and approvals — Shadow AI is the #1 risk in 2026.