Forgeron3 / Security
Aug 4, 2025 · 8 min read

GDPR and AI assistants: the keys to compliance

Article 28 processing, DPIA, data subject rights, retention periods: the operational checklist to bring your AI assistant into compliance — without paying €5,000 to a lawyer for nothing.

The Forgeron3 team, Marseille & Paris

1. Qualifying roles: who’s responsible for what

First reflex: identify who does what.

  • You are the data controller (you decide which documents are ingested, for what purpose, for whom).
  • The assistant provider is a processor under Article 28 GDPR (they process personal data on your behalf).
  • The provider’s host is a sub-processor (second-tier processor).

This qualification triggers everything else — contracts, guarantees, audit, records.

2. The Article 28 DPA (Data Processing Agreement)

Before the first ingestion, sign a DPA that complies with Article 28 GDPR. Six non-negotiable clauses:

  1. The subject, duration, nature, and purpose of the processing.
  2. The types of data and categories of data subjects.
  3. The processor’s obligations (documented instructions, confidentiality, security, audit).
  4. Authorization and list of sub-processors.
  5. End-of-contract terms (return or destruction of data).
  6. Audit terms (your right to audit the processor).

If your provider doesn’t volunteer this document, that’s a bad sign. Our DPA is available on our security page.

3. The DPIA: when it’s required, how to run it

A Data Protection Impact Assessment (DPIA) is mandatory if the processing presents a high risk to rights and freedoms. For an AI assistant, the threshold is reached as soon as:

  • You process sensitive data (health, judicial, opinions).
  • You process data on children or vulnerable persons.
  • The processing of personal data is large-scale and systematic.

For other cases (product FAQ, internal document search without sensitive personal data), the DPIA isn’t required but remains recommended.

A basic DPIA takes two weeks with your DPO or a partner firm. Budget €2,000 to €5,000 depending on complexity.

A common misconception: “We’ll do the DPIA later, once the project is further along.” No. The DPIA is done before processing starts. Otherwise you find out in September that the project can’t be kept as-is.

4. Data subject rights: what your assistant must support

A person whose data has been ingested must be able to exercise five rights:

  1. Access: know what data is stored about them.
  2. Rectification: correct inaccurate data.
  3. Erasure: have their data deleted.
  4. Restriction: have the processing of their data frozen.
  5. Portability: retrieve their data in a usable format.

Check that your provider has a documented procedure to handle these requests in under a month. If not, you’ll be in breach.

5. Retention periods

Define, and document, the retention period for each data type:

  • Ingested documents (duration of the engagement or legitimate use, typically between 1 and 10 years).
  • User conversations (typically 6 to 12 months).
  • Audit logs (typically 12 months to 3 years depending on criticality).

Beyond that, the data is deleted automatically. This is a provider-side setting; verify it explicitly rather than assuming it is enabled.

6. Non-EU transfers: avoid, or frame

GDPR only authorizes non-EU transfers with specific guarantees (standard contractual clauses, adequacy decision, BCRs). Better: no transfer at all. That’s the point of sovereign AI: hosted in France, under French jurisdiction, operated by a French entity.

7. Records of processing: what to include

Add the AI assistant to your records of processing (Article 30 GDPR), with:

  • Purpose of the processing.
  • Categories of persons and data.
  • Recipients (internal, processors).
  • Retention period.
  • Security measures.
  • Any transfers.

It’s an internal document, but the CNIL will request it during an audit — budget two hours to draft a proper entry.

For Forgeron3’s commitments on these seven points, see our security & GDPR page.

Walk through the DPA

Twenty minutes to review the DPA point by point, and identify the adjustments needed for your context (firm, local government, industrial SMB).
