The General Data Protection Regulation (GDPR, EU Regulation 2016/679) is the European Union's comprehensive framework for protecting the personal data of EU and EEA residents. It establishes principles governing how personal data may be collected, processed, stored, and transferred; grants rights to individuals regarding their data; and imposes obligations on organizations that handle personal data as data controllers (those who determine the purpose and means of processing) or data processors (those who process data on a controller's behalf).
For law firms, GDPR is not a background compliance consideration. It is an active professional obligation that arises every time a lawyer uses a cloud AI tool to process documents, research queries, or communications that contain personal data of EU individuals. The regulation's territorial scope is explicitly extra-territorial: it applies to any organization worldwide that processes personal data of individuals located in the EU, regardless of where the organization is headquartered. A New York litigation firm handling a cross-border employment dispute involving EU employees, a Chicago transactional firm advising a German client on a US acquisition, and a London arbitration practice representing EU parties all process EU personal data and are all subject to GDPR.
GDPR's relevance to legal AI adoption is not hypothetical. It creates concrete obligations at every stage of AI tool selection and use, and the consequences of non-compliance are both regulatory and reputational.
The data processor relationship. When a law firm uses a cloud-based AI tool — a legal research assistant, a contract review platform, a document drafting assistant — and submits client documents containing personal data, the AI vendor becomes a data processor acting on behalf of the firm (which is the data controller). GDPR Article 28 requires that this relationship be governed by a written Data Processing Agreement (DPA). The DPA must specify: the subject matter and duration of processing; the nature and purpose of processing; the type of personal data and categories of data subjects; the obligations and rights of the controller; and a set of specific processor obligations including data security, sub-processor management, assistance with data subject rights, and audit cooperation. Using a cloud AI tool without a GDPR-compliant DPA in place is a violation of Article 28, independent of whether any data breach occurs.
International data transfers. The rules governing personal data transfers from the EU to third countries are among GDPR's most operationally complex provisions. Chapter V (Articles 44–49) requires that transfers to countries outside the EU/EEA are only permitted if an adequate level of protection is ensured — either because the destination country has an EU adequacy decision (as of 2026, the UK has a time-limited adequacy decision and the US has adequacy under the Trans-Atlantic Data Privacy Framework), or because appropriate safeguards are in place. The primary safeguard mechanism is Standard Contractual Clauses (SCCs) issued by the European Commission in June 2021, which must be incorporated into contracts with vendors processing EU personal data outside the EEA. SCCs alone are no longer sufficient post-Schrems II: they must be accompanied by a Transfer Impact Assessment (TIA) evaluating the practical risk of third-country government access to the transferred data.
Enforcement reality. GDPR enforcement against law firms is not routine, but it is not zero. The Irish Data Protection Commission (DPC) has investigated law firms and legal service providers. More significantly, EU data protection authorities have issued fines against professional service firms in regulated sectors for inadequate vendor DPAs, unauthorized transfers, and failure to respond to Data Subject Access Requests (DSARs). The maximum penalty under Article 83(5) — for the most serious violations including invalid transfers and violations of basic processing principles — is €20 million or 4 percent of global annual turnover, whichever is higher. Under Article 83(4), less serious violations (including failure to have an adequate DPA) carry fines up to €10 million or 2 percent of turnover.
Client-imposed GDPR obligations. Many large EU corporations require their outside counsel to provide GDPR compliance representations as part of outside counsel guidelines or engagement letters. These representations typically require the firm to certify that any cloud tools used to process client data are covered by adequate DPAs, that transfers comply with Chapter V, and that the firm has implemented appropriate technical and organizational security measures. A firm that cannot make these representations — because it has not done the underlying DPA work — risks losing the engagement or being in contractual breach.
The ABA Formal Opinion 477R (2017) and the UK Solicitors Regulation Authority guidance on cloud services both indicate that attorneys' use of cloud technology for client data requires due diligence on the security and legal framework governing that technology. GDPR formalizes much of this due diligence obligation into binding legal requirements.
How It Works (Technical)
GDPR's operational architecture for law firm AI use rests on seven principles (Article 5) and a set of individual rights (Articles 12–23).
The seven principles are: (1) lawfulness, fairness, and transparency — there must be a legal basis for processing, and the data subject must be informed; (2) purpose limitation — data collected for one purpose cannot be repurposed for a different, incompatible purpose without a new legal basis; (3) data minimization — only data that is adequate, relevant, and limited to what is necessary may be processed; (4) accuracy — personal data must be kept accurate and up to date; (5) storage limitation — data may not be kept longer than necessary; (6) integrity and confidentiality — appropriate security measures must protect against unauthorized access, accidental loss, and destruction; (7) accountability — the data controller bears the burden of demonstrating compliance with all of the above.
For legal AI use, the principles with the most practical bite are purpose limitation (can a legal AI vendor use query data for model improvement?), data minimization (is the AI tool being provided more personal data than necessary for the task?), storage limitation (how long does the vendor retain submitted documents and queries?), and integrity/confidentiality (what security measures govern the data in transit and at rest?).
Legal basis for processing must be identified before processing begins. For law firm AI use, the most appropriate bases are typically Article 6(1)(b) — processing is necessary for the performance of a contract with the data subject (when the law firm is processing a client's data in connection with legal services) — or Article 6(1)(f) — processing is necessary for the legitimate interests of the controller, where those interests are not overridden by the interests or fundamental rights of the data subject. Consent (Article 6(1)(a)) is rarely the appropriate basis for law firm AI processing because consent must be freely given and withdrawable, which is incompatible with ongoing matter work.
Individual rights relevant to legal AI include the right of access (Article 15) — a data subject can request what personal data a controller holds and how it is processed; the right to erasure (Article 17) — a data subject can request deletion of personal data in certain circumstances; the right to data portability (Article 20) — a data subject can request their data in a machine-readable format; and the right not to be subject to automated decision-making (Article 22) — addressed in a separate glossary entry. Law firms must have operational processes to respond to these rights requests within the statutory timeframes (generally one month, extendable to three months for complex requests).
Data Protection Impact Assessments (DPIAs) are required under Article 35 before undertaking processing that is "likely to result in a high risk to the rights and freedoms of natural persons." The use of new AI technologies involving profiling, large-scale processing of sensitive categories, or systematic monitoring likely triggers the DPIA requirement. A law firm deploying an AI tool that will process health information, financial data, or other sensitive personal data of EU individuals should conduct a DPIA before deployment.
How Legal AI Vendors Address It
LegalFly is purpose-built for GDPR compliance. Its DPA is detailed, publicly available, and specifically addresses law firm use cases including matter-based processing and European data residency. LegalFly processes data exclusively in EU data centers and publishes a current sub-processor list. Its zero-data-retention commitment — documents submitted for AI analysis are deleted after the session ends — directly addresses purpose limitation and storage limitation concerns. The limitation is primarily geographic scope: LegalFly's legal research capabilities are strongest for EU law and EU-language documents.
Legora takes a similar EU-first approach. Its GDPR compliance documentation is thorough, and its design prioritizes data minimization and purpose limitation at the product architecture level. For Scandinavian and broader European law firms, Legora's compliance posture is among the strongest in the market. Like LegalFly, its feature set is primarily optimized for EU legal practice.
Harvey AI operates primarily on US-based infrastructure. GDPR-compliant DPAs and SCCs are available at Harvey's enterprise tier, and the vendor offers EU regional deployment as a negotiated option for large law firm clients. However, the compliance posture on a standard Harvey subscription — without a negotiated enterprise agreement — is unlikely to satisfy GDPR Chapter V transfer requirements for EU personal data. Law firms that have signed standard Harvey terms and are using the platform for EU client matters without a negotiated DPA and SCC addendum are likely in technical violation of Article 28. Harvey's compliance team is responsive to enterprise inquiries on these points; the issue is that the path to compliance requires active negotiation, not just accepting standard terms.
Lexis+ AI (LexisNexis) offers GDPR-compliant DPAs through its enterprise contract process. LexisNexis has a well-established data privacy compliance function and experience with law firm-specific requirements across its broader product portfolio. The standard tier subscription terms default to US processing and may not include a GDPR-adequate DPA; enterprise tier agreements negotiate these terms specifically. Lawyers using Lexis+ AI at standard subscription tiers should not assume GDPR compliance is automatic — they should request and review the applicable DPA before processing EU personal data.
The most common GDPR compliance gap across all vendors is sub-processor transparency. A vendor may have a strong primary DPA but rely on sub-processors — cloud infrastructure providers, security monitoring services, customer support platforms — that are not subject to equivalent geographic or contractual constraints. Review the vendor's sub-processor list with the same attention paid to the primary DPA.
How Lawyers Should Verify and Apply GDPR Compliance
- Identify every AI tool that processes EU personal data. Conduct an inventory of all AI tools currently in use — legal research platforms, document review tools, contract analysis, drafting assistants. For each tool, determine whether it processes any EU personal data. This includes not just explicitly EU-focused work, but any document that contains names, contact information, financial data, health data, or other personal data of EU-resident individuals.
- Obtain and review a GDPR-compliant DPA from each vendor before use. Do not assume that a vendor's privacy policy or security documentation satisfies the Article 28 DPA requirement. Request the vendor's DPA template, review it against the Article 28 mandatory content checklist, and execute it before uploading any EU personal data to the platform. If the vendor does not offer a DPA, that is disqualifying for EU personal data processing.
- Execute Standard Contractual Clauses for US-based vendors. If the AI vendor processes data in the US (or in any country without an EU adequacy decision), SCCs are required. The 2021 SCCs issued by the European Commission include four modules for different data flow scenarios; Module 2 (controller-to-processor transfers) is the applicable module for law firm-to-AI-vendor flows. SCCs must be incorporated by reference or in full into the DPA.
- Conduct a Transfer Impact Assessment for US vendor processing. Post-Schrems II, SCCs must be supplemented by a TIA. The TIA should assess the nature and volume of personal data transferred, the risk of US government access under FISA Section 702 or other surveillance authorities, and the supplementary measures (encryption, pseudonymization, contractual restrictions on data access) that reduce the risk of such access to an acceptable level. Document the TIA in writing and retain it for audit purposes.
- Implement a process to respond to Data Subject Access Requests. Clients and opposing parties whose personal data is processed by the firm's AI tools may exercise GDPR rights. Designate a responsible person within the firm for DSAR response, establish a process for identifying what personal data is held in AI tool logs or cached documents, and ensure the firm can respond within the statutory one-month deadline. Failure to respond to a DSAR on time is itself a GDPR violation subject to regulatory complaint.
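Two of the points above, data minimization (send the AI tool no more personal data than the task needs) and the pseudonymization named as a TIA supplementary measure, can be implemented on the firm's side before anything leaves for the vendor. The following is an added example written for this entry; it is not code from the article or from any vendor named here. It assumes the firm holds the HMAC key and the token-to-identity table on its own systems (for instance in its key management service) and uploads only the pseudonymized text. The matter text, the list of known data subjects and the key are constructed for the demonstration; names are taken from the matter's known-party list because reliable name detection would need an NER model, which is outside this example.

```python
"""Pseudonymize personal data before a document is sent to a cloud AI tool.

Added example, not from the original article. The HMAC key and the
re-identification table stay inside the firm; only the pseudonymized text
goes to the vendor. All sample values below are constructed.
"""
import hashlib
import hmac
import re
from typing import Dict, Iterable, List, Tuple

# E-mail addresses are detected by pattern; person names come from the
# matter's known-party list (assumption: the firm maintains such a list).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _token(value: str, key: bytes, kind: str) -> str:
    """Keyed, deterministic token: the same person gets the same token across
    a matter (so the AI output stays coherent), but the token cannot be
    reversed without the key or the local table (HMAC-SHA256, truncated)."""
    digest = hmac.new(key, value.lower().encode("utf-8"), hashlib.sha256).hexdigest()
    return f"[{kind}_{digest[:10]}]"


def pseudonymize(text: str, key: bytes, known_names: Iterable[str]) -> Tuple[str, Dict[str, str]]:
    """Replace known names and any e-mail addresses with tokens.

    Returns (text_for_vendor, token_to_original). The second value is the
    re-identification table and must never be uploaded with the text.
    """
    mapping: Dict[str, str] = {}
    out = text
    # Longest names first so a compound name is not partly replaced by a shorter one.
    for name in sorted(known_names, key=len, reverse=True):
        if name in out:
            tok = _token(name, key, "PERSON")
            mapping[tok] = name
            out = out.replace(name, tok)

    def _email_sub(match: re.Match) -> str:
        tok = _token(match.group(0), key, "EMAIL")
        mapping[tok] = match.group(0)
        return tok

    out = EMAIL_RE.sub(_email_sub, out)
    return out, mapping


def reidentify(text: str, mapping: Dict[str, str]) -> str:
    """Restore the originals in the vendor's output using only the local table."""
    for tok, original in mapping.items():
        text = text.replace(tok, original)
    return text


def leaked_identifiers(text: str, mapping: Dict[str, str]) -> List[str]:
    """Pre-upload check: any original identifier still present in the text."""
    return [original for original in mapping.values() if original in text]


# Constructed sample matter text and known parties (not real people).
MATTER_TEXT = (
    "Employment dispute: claimant Anna Müller (anna.mueller@example.eu) alleges "
    "unfair dismissal. Respondent contact: Jonas Weber. Anna Müller seeks reinstatement."
)
KNOWN_PARTIES = ["Anna Müller", "Jonas Weber"]
DEMO_KEY = b"constructed-demo-key-keep-in-firm-kms"  # placeholder; use a managed key

if __name__ == "__main__":
    safe_text, table = pseudonymize(MATTER_TEXT, DEMO_KEY, KNOWN_PARTIES)
    print("To vendor:", safe_text)
    print("Residual identifiers:", leaked_identifiers(safe_text, table))
    print("Restored:", reidentify(safe_text, table))
```

The token is keyed rather than a plain hash so that a vendor, or anyone with access to the vendor's logs, cannot recover an identity by hashing candidate names; the re-identification table is what makes the output useful again, which is why it belongs in the same protected place as the matter file, not in the prompt. The `leaked_identifiers` check is the gate to run before each upload.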