Why does GDPR matter when choosing an AI system?
Under the GDPR, an organisation remains legally responsible for personal data even when that data is processed by an AI system. If a tool sends prompts, documents or customer records to a model hosted outside the European Economic Area (EEA), the organisation has effectively made an international data transfer – and must be able to justify it. That is why the choice of AI is not only a technical decision but a data protection decision: where and how a model processes data can determine whether its use is lawful.
This article explains the connection between GDPR and AI in practical terms. It is general information, not legal advice – assess your own situation with qualified counsel.
What is the risk with global cloud AI services?
Most widely used AI services run on infrastructure operated by large US technology providers. When personal data leaves the EEA, GDPR treats it as a third-country transfer, which requires a valid legal mechanism such as the EU–US Data Privacy Framework or standard contractual clauses, often supported by a transfer impact assessment.
A further concern is the US CLOUD Act, which can compel US-based providers to disclose data they hold, including data stored on servers located in Europe. This creates a tension that European regulators have repeatedly scrutinised: the physical location of a server does not, on its own, guarantee that data is beyond the reach of foreign jurisdictions.
For compliance leaders, investors and companies operating in Europe, this uncertainty is a real cost. It can slow procurement, complicate risk assessments, and expose an organisation to regulatory challenge.
What does "data control" actually mean in practice?
Data control is the ability to know, and to determine, exactly where personal data goes and who can access it. In practice it usually rests on several conditions working together:
- EEA hosting – processing takes place on infrastructure located within the EEA, avoiding routine third-country transfers.
- On-premise or private cloud options – for sensitive use cases, the model runs inside the organisation's own environment, so data never leaves it.
- No onward data sharing – prompts and outputs are not passed to global cloud AI services or used to train third-party models.
- Clear contractual terms – a data processing agreement that defines roles, purposes and security measures.
Together, these give an organisation something GDPR effectively demands: a defensible, documented account of how personal data is handled.
Does EEA hosting make an AI system GDPR-compliant?
No – and this distinction matters. EEA hosting removes one of the hardest GDPR problems, the international transfer question, but it is a necessary rather than a sufficient condition. Compliance also depends on factors that no hosting arrangement can supply on its own.
Organisations still need a valid lawful basis for processing personal data, a clear and limited purpose (purpose limitation), data minimisation, appropriate security, and a data processing agreement with the provider. An EEA-hosted model reduces risk and simplifies the legal analysis, but it does not replace this wider framework. Any vendor claiming that hosting alone makes a system "GDPR-compliant" is overstating the position.
The honest summary: EEA hosting lowers the barrier significantly, but responsible use of AI under GDPR is a combination of technical, contractual and organisational measures.
How does Od1n approach data control?
Od1n is a sovereign Norwegian language model built with these constraints in mind. It is hosted within the EEA, in Germany, so data stays in Europe. It does not share prompts or outputs with global cloud AI services, and for organisations with stricter requirements it can be deployed on-premise or in a private cloud, keeping data inside the customer's own environment.
Od1n V5 is a large language model with 3 billion parameters, trained from scratch on Norwegian text rather than adapted from a foreign base model. It is a product owned and developed by EZ-Fix AS in Oslo – designed for organisations that need capable AI while retaining control over where their data lives.
This design is built for GDPR compliance rather than certified against it: the architecture is intended to make lawful, well-documented processing straightforward, while the surrounding obligations – lawful basis, purpose limitation, data processing agreements – remain the responsibility of each organisation.
To explore how this works in a specific context, see Od1n for business, read more about the underlying technology, or review how it fits alongside the EU AI Act.
For European organisations, the question is increasingly practical rather than theoretical: which AI systems can we actually use, given the data we handle? Data control is what turns that question into a manageable one.
