Impetora

GDPR

The General Data Protection Regulation (GDPR) is the EU's data-protection regulation, governing the processing of personal data of people in the EU and EEA.

What is GDPR?

GDPR sets out lawful bases for processing, data subject rights (access, rectification, erasure, portability, objection), accountability obligations (records of processing, DPIAs, DPO designation where applicable), security and breach notification, and cross-border transfer rules. Article 22 specifically restricts solely automated decisions with legal or similarly significant effects. AI systems trained on personal data, embedding personal data, or using personal data at inference are all within scope.

How does GDPR apply to enterprise AI?

Every enterprise AI deployment that touches personal data must map its processing to a lawful basis, run a DPIA where the risk warrants, document sub-processors, and design for data subject rights from the start.
