
GDPR and generative AI: what companies must know

GDPR and generative AI: why pasting personal data into an AI assistant is a compliance issue, and how to govern usage without banning it.

By Pierre de ONYRI. Updated June 3, 2026.

Under the GDPR, pasting personal data into a consumer AI assistant is processing — often a transfer to a third-party processor, sometimes outside the EU. Without a legal basis, without informing data subjects, and without contractual safeguards, that is non-compliance. The most robust fix is not to ban AI: it is to apply data minimization at the source by anonymizing data before sending.

Why a prompt can fall under the GDPR

The GDPR applies as soon as data can identify a person, directly or indirectly. A first name plus a city, an email address, a phone number, a customer ID: all of these are personal data. Once entered into a third-party service, processing takes place, and most often the data is disclosed to a processor that hosts and handles it on the company's behalf.

  • Lawfulness: a legal basis is required for the processing (Article 6).
  • Minimization: transmit only what is strictly necessary (Article 5).
  • Transfers outside the EU: these require specific safeguards (Chapter V).
  • Information: data subjects must be informed of the usage.

Anonymization as a minimization principle

The minimization principle is your best ally: if the assistant doesn't need the real name to rephrase an email, don't give it. By replacing each identifying value with a neutral token before sending, the transmitted content no longer identifies anyone. The original value stays on the user's machine, and the answer is restored locally.

The best-protected data is the data that never left the browser.

Anonymization vs pseudonymization: the nuance that matters

The GDPR distinguishes the two. Pseudonymization replaces the identifier but keeps a re-identification key somewhere — the data remains “personal.” Anonymization makes re-identification reasonably impossible for the recipient. In a prompt flow, the goal is clear: the AI service should receive only tokens, and the mapping table must never reach it. On the user side, the mapping stays in local memory to restore the answer — it is not transmitted to the third party.
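The token flow described in the two sections above, as an added example that is not ONYRI Sanitize's code: identifying values are replaced by neutral tokens before the prompt leaves the client, the token-to-value mapping lives only in local memory, a fail-closed check refuses to send anything that still contains an original value, and the answer is restored locally. The detector patterns, the `CUST-` customer-ID format, the list of known names, the sample prompt and the `fakeAssistant` stand-in are all constructed for the illustration.

```javascript
// Added example (not ONYRI Sanitize's code): client-side tokenization of a
// prompt before it reaches a third-party assistant. The token -> value mapping
// never leaves this module; only the sanitized string crosses the boundary.
// Detector patterns and sample data are constructed for illustration.

// Detectors: category name + regex. Order matters when patterns could overlap.
const DETECTORS = [
  { kind: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  // Simplified FR and US phone formats (constructed, not a full phone grammar).
  { kind: "PHONE", re: /(?:\+33\s?|0)[1-9](?:[\s.-]?\d{2}){4}|\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}/g },
  // Assumed internal customer-ID format, e.g. CUST-482913 (hypothetical).
  { kind: "CUSTOMER_ID", re: /\bCUST-\d{6}\b/g },
];

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Names cannot be found reliably with a regex; this example assumes the client
// already knows which names are in scope (e.g. the contact being discussed).
function nameDetector(knownNames) {
  if (knownNames.length === 0) return { kind: "NAME", re: /(?!)/g }; // never matches
  const alternatives = knownNames.map(escapeRegex).join("|");
  return { kind: "NAME", re: new RegExp(`\\b(?:${alternatives})\\b`, "g") };
}

// Replace every detected value with a neutral token. The same value always
// gets the same token, so the assistant can still refer to "the customer".
function anonymize(text, detectors) {
  const mapping = new Map(); // token -> original value (stays on the client)
  const reverse = new Map(); // original value -> token
  const counters = {};
  let sanitized = text;
  for (const { kind, re } of detectors) {
    sanitized = sanitized.replace(re, (value) => {
      if (reverse.has(value)) return reverse.get(value);
      counters[kind] = (counters[kind] || 0) + 1;
      const token = `<${kind}_${counters[kind]}>`;
      mapping.set(token, value);
      reverse.set(value, token);
      return token;
    });
  }
  return { sanitized, mapping };
}

// Fail-closed check run before anything leaves the browser: no original value
// may still appear in the outbound text.
function assertNoLeak(outbound, mapping) {
  for (const value of mapping.values()) {
    if (outbound.includes(value)) {
      throw new Error(`refusing to send: an original value (${value.length} chars) is still present`);
    }
  }
  return true;
}

// Put the original values back into the answer. Tokens are matched
// case-insensitively and with optional backticks, since models sometimes
// quote placeholders when they echo them.
function restore(answer, mapping) {
  let out = answer;
  for (const [token, value] of mapping) {
    out = out.replace(new RegExp("`?" + escapeRegex(token) + "`?", "gi"), value);
  }
  return out;
}

// Stand-in for the third-party assistant: it only ever sees the sanitized
// string. Here it just rephrases and keeps the tokens it was given.
function fakeAssistant(prompt) {
  return `Rewritten: ${prompt.replace("Please contact", "Kindly reach out to")}`;
}

// End-to-end flow a browser-side sanitizer would run for one prompt.
function processPrompt(prompt, knownNames) {
  const detectors = [...DETECTORS, nameDetector(knownNames)];
  const { sanitized, mapping } = anonymize(prompt, detectors);
  assertNoLeak(sanitized, mapping);
  const answer = fakeAssistant(sanitized); // only `sanitized` crosses the boundary
  return { sanitized, answer, restored: restore(answer, mapping), tokens: [...mapping.keys()] };
}

// Constructed sample prompt (fictitious person and values).
const SAMPLE = "Please contact Marie Dupont (marie.dupont@example.com, 06 12 34 56 78, CUST-482913) about her order. Marie Dupont asked twice.";

if (typeof require !== "undefined" && require.main === module) {
  const r = processPrompt(SAMPLE, ["Marie Dupont"]);
  console.log("sent:    ", r.sanitized);
  console.log("restored:", r.restored);
}

if (typeof module !== "undefined") {
  module.exports = { DETECTORS, nameDetector, anonymize, assertNoLeak, restore, processPrompt, SAMPLE };
}
```

Two design points matter for the pseudonymization-versus-anonymization distinction above: `mapping` is only ever passed to `assertNoLeak` and `restore`, never to the function that represents the network boundary, and the leak check throws rather than warns, so a detector gap cannot silently turn into a disclosure.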

A compliance checklist for AI usage

  1. Map the categories of sensitive data your teams handle.
  2. Decide which must never leave in clear text (default: all personal data).
  3. Tool up anonymization at the source rather than banning AI.
  4. Inform teams and document the usage policy.
  5. Keep control of the re-identification mapping on the client side.

ONYRI Sanitize was built around this logic: the anonymization engine runs in the browser, the token ↔ value link never travels to the backend, and detector coverage adapts to the country (FR, US rules, and beyond). It is minimization made operational for everyday AI usage.

Frequently asked questions

Can you use ChatGPT and stay GDPR-compliant?
Yes, as long as you don't send it personal data in clear text. By anonymizing the prompt at the source, the transmitted content no longer identifies a person, which directly serves the minimization principle.

Is anonymized data still personal data?
If anonymization is effective (re-identification reasonably impossible for the recipient), the data transmitted to the third party is no longer personal. The mapping key, however, must stay under your control and must not be shared.

Is an outright AI ban a good strategy?
Rarely. It pushes people toward unmonitored usage (“shadow AI”). Governing usage with an anonymization tool is more protective and more realistic than a ban.


ONYRI Sanitize detects and masks your sensitive data before it reaches the AI, then restores the answer — from names to API keys.
