We respect attorney-client confidentiality. No tracking pixels in our emails.

GDPR compliance for legal AI requires Article 28 DPAs, EU data residency confirmation, and SCCs for international transfers. This checklist and vendor review cover every requirement for legal teams procuring AI in 2026.
2026/06/17
When a German in-house legal team at a manufacturing company uploaded confidential contract negotiations to a U.S.-based AI legal tool in early 2024, they discovered six months later — during a routine data governance audit — that their DPA with the vendor did not explicitly prohibit the use of submitted data for model training, and that the vendor's subprocessors included cloud providers processing data outside the EU. The company's data protection officer flagged the deployment as a potential GDPR violation. The legal team had to stop using the tool immediately, negotiate a new DPA, confirm data deletion, and document the incident — a costly disruption that a proper pre-procurement compliance review would have prevented.
That scenario is playing out with increasing frequency as EU-based legal teams adopt AI tools with procurement processes designed for software that does not process personal data. Legal AI tools process contracts, legal opinions, employment records, client correspondence, and litigation documents — all of which may contain personal data subject to GDPR. The compliance requirements are substantive, and most AI vendors based in the United States were not originally designed with GDPR compliance as a primary architectural concern. This article provides the complete framework.
GDPR imposes specific obligations on data controllers (the organizations using AI tools) and data processors (the AI vendors processing data on the controller's behalf). For legal AI tools, the controller is typically the law firm or in-house legal department. The processor is the AI vendor. Article 28 of GDPR requires that processing by a processor be governed by a binding contract — the Data Processing Agreement — that includes specific mandatory provisions.
The enforcement landscape has intensified. EU data protection authorities have imposed significant fines on technology companies for inadequate data transfer mechanisms, including in cases where standard contractual clauses were not properly implemented. Legal teams — who process particularly sensitive data including attorney-client communications and confidential legal advice — face heightened scrutiny when their AI tools are involved in data incidents.
The EU-U.S. Data Privacy Framework, which replaced Privacy Shield in 2023, provides a transfer mechanism for U.S. vendors that have self-certified under the framework. However, legal uncertainty remains: the framework is subject to ongoing legal challenges, and privacy practitioners recommend implementing SCCs as a backup mechanism regardless of DPF certification status.
UK considerations have evolved post-Brexit. The UK GDPR mirrors the EU GDPR in most substantive requirements. The UK's adequacy decisions for international transfers operate separately from EU adequacy decisions — including the UK-U.S. Data Bridge for U.S. transfers. UK in-house teams must ensure their AI vendor procurement considers both UK GDPR and, for multinational organizations, EU GDPR requirements simultaneously.
An Article 28-compliant DPA must include, at minimum: the subject matter, duration, nature, and purpose of processing; the type of personal data and categories of data subjects; the obligations and rights of the controller. In practice, GDPR-compliant DPAs for legal AI tools should specifically address: prohibition on using submitted data for model training, data retention and deletion procedures, security measures, subprocessor list and approval process, cooperation obligations for data subject requests, and breach notification timelines.
For legal AI tools, the training data prohibition is the most critical provision. Legal AI vendors improve their models through exposure to submitted data unless explicitly prohibited by contract. A DPA that is silent on this point does not adequately protect the controller. Require explicit contractual language: "Processor shall not use Controller's personal data to train, improve, or develop AI models without explicit written consent from Controller."
GDPR does not require data to be stored within the EU, but international transfers require a lawful transfer mechanism. For transfers to the U.S. — where most major legal AI vendors are based — the two primary mechanisms are Standard Contractual Clauses (SCCs, updated 2021 version) and the EU-U.S. Data Privacy Framework.
SCCs are the more reliable mechanism given ongoing legal challenges to the DPF. Require vendors to execute the appropriate module of the 2021 SCCs (Module 2 for controller-to-processor transfers). Verify that the SCCs are signed, not merely referenced.
For organizations with strong data residency preferences — whether for compliance, client contractual obligations, or risk management — several legal AI vendors offer EU-hosted deployments. Luminance operates EU data centers. Leya, a Swedish AI legal research tool, is built on EU infrastructure. Legora similarly offers EU data residency. For these vendors, data does not leave the EU, eliminating the international transfer compliance burden entirely.
Harvey AI: U.S.-based vendor. Offers enterprise DPAs with SCCs for EU customers. EU data residency options depend on deployment tier — confirm availability for your organization's scale. Model training prohibition available in enterprise DPAs. Recommended: execute SCCs in addition to DPF certification.
CoCounsel (Thomson Reuters): U.S.-based, large enterprise vendor with mature privacy program. Article 28 DPA available. SCCs available for EU transfers. Thomson Reuters is a large organization with established GDPR compliance infrastructure — DPA negotiation is straightforward at enterprise scale.
Luminance: UK-based, with EU data center options. Article 28 DPA available. EU-hosted deployment available — recommended for EU in-house teams. Strong GDPR compliance documentation given UK/EU client base.
Leya: Sweden-based, EU data residency native. Designed for EU legal market compliance from inception. Article 28 DPA and SCCs available. Recommended for European in-house teams prioritizing data sovereignty.
Legora: Stockholm-based. EU data residency, Article 28 DPA available. Strong GDPR compliance posture for EU-based legal departments.
Vincent AI (vLex): Spain-based parent company, EU operational presence. EU data residency options available. Review DPA carefully for AI training provisions — confirm explicit prohibition.
UK in-house teams must comply with the UK GDPR, enforced by the Information Commissioner's Office. For U.S. vendor transfers, the UK-U.S. Data Bridge provides an adequacy mechanism, but SCCs under UK law (International Data Transfer Agreements, IDTAs) provide a backup mechanism that is recommended for risk management. UK in-house teams at multinational organizations must also ensure that their AI procurement satisfies EU GDPR requirements for EU operations — a dual compliance obligation.
Mandatory questions:
(1) Can you provide an Article 28 DPA for our review?
(2) Does your DPA explicitly prohibit using our submitted data for model training?
(3) Where is our data stored and processed?
(4) What is your subprocessor list, and how are we notified of changes?
(5) What are your SCCs or DPF certification details for EU transfers?
(6) What is your breach notification timeline?
(7) How do you handle data subject access requests for data submitted by our organization?
Vendors who cannot answer these questions promptly or who deflect to sales conversations rather than privacy team conversations are not ready for EU deployment.
GDPR Procurement Checklist — Step by Step
Step 1: Identify personal data processed. Before vendor evaluation, map what personal data the tool will process: employee names in contracts, client personal information in case files, identified individuals in legal correspondence. This determines the scope of GDPR obligations.
Step 2: Request DPA and subprocessor list at first vendor meeting. Do not wait until procurement is advanced — vendors who cannot produce these documents in the first week of discussions are not procurement-ready.
Step 3: Review DPA for training prohibition, retention periods, and subprocessor approval rights. Escalate any gaps to your data protection officer.
Step 4: Confirm transfer mechanism — SCCs or DPF certification. For EU-hosted options, confirm geographic scope of data processing.
Step 5: Execute DPA and SCCs before any data is submitted to the tool — including pilot programs. Pilot programs involving real data are full GDPR deployments, not exempt from compliance requirements.
Step 6: Register the vendor as a processor in your organization's data processing records. Include the tool in your next DPIA review cycle if processing is high-risk.
Luminance — UK-based, EU data center available, strong GDPR compliance documentation; recommended for EU in-house teams and law firms with EU client data.
Leya — Swedish AI legal research tool, EU data residency native, designed for EU legal market compliance from inception.
Legora — Stockholm-based, EU data residency, strong privacy posture for EU-headquartered legal departments.
Harvey AI — U.S.-based but with enterprise DPA capability and SCCs for EU transfers; viable with proper contractual protections in place.
Robin AI — UK-based contract AI, EU/UK data residency options, strong privacy compliance for contract review use cases.
Q: Does GDPR apply to my law firm even if we are based in the EU but primarily handle non-EU clients?
A: If your firm processes personal data of EU residents — including in client matters involving EU individuals — GDPR applies to that processing. The location of the client is more relevant than the location of the firm for determining GDPR applicability.
Q: Is a vendor's ISO 27001 certification sufficient for GDPR compliance?
A: No. ISO 27001 addresses information security, not data protection compliance. GDPR requires a DPA and appropriate transfer mechanisms regardless of security certifications. Both are necessary; neither substitutes for the other.
Q: Can we use U.S.-hosted AI tools for EU matters if we have SCCs in place?
A: SCCs provide a lawful transfer mechanism, but you must also conduct a Transfer Impact Assessment for transfers to the U.S. to confirm that U.S. surveillance law does not undermine the protection the SCCs provide. Consult your DPO before finalizing the assessment.
Q: What are the consequences if our AI tool vendor suffers a data breach involving our submitted documents?
A: Under GDPR, you must assess the breach risk and notify the supervisory authority within 72 hours if the breach poses a risk to individuals' rights and freedoms. Your DPA should require the vendor to notify you promptly — the typical contractual requirement is 24-48 hours, giving you time to meet the 72-hour regulatory clock.
Q: Do we need a Data Protection Impact Assessment before deploying legal AI tools?
A: If the AI tool processes special category data (which may include information about legal disputes, health data in PI matters, or financial information in litigation), or if the processing is large-scale or systematic, a DPIA may be required. Consult your DPO to determine whether a DPIA is mandatory for your specific deployment.
This article reflects independent editorial analysis. LawyerAI does not accept payment for editorial coverage. Tool scores are based on methodology described in Our 5-Dimension Methodology. Last reviewed: 2026-06-17.