// DOCS.LOG / MAY 23, 2026

GDPR-compliant LLM APIs: what European companies need

Calling a US LLM provider with European personal data is a GDPR risk. Learn what compliance actually requires and how a GDPR-native API gateway eliminates the problem at the infrastructure level.

// TL;DR

The Compliance Gap

When a European company sends a prompt to a US-based cloud AI provider, that data travels to US data centres. Under GDPR Article 44, transferring personal data to a third country requires either an adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules. Most teams using LLM APIs have none of these in place for every model they call.

The risk is not theoretical. In 2023, the Italian DPA (Garante) temporarily banned a major LLM service over data transfer concerns. In 2024 the Irish DPC fined Meta €1.2 billion for SCCs it deemed insufficient. LLM API calls are next in the regulators' sights.

What GDPR Requires for AI Processing

For AI processing involving personal data, GDPR mandates:

  • Legal basis — you need a valid legal basis (consent, legitimate interest, contract) for processing each category of data
  • Data minimisation — only the data necessary for the purpose should be processed; sending a full CRM record to get a summary violates this principle
  • Purpose limitation — data collected for one purpose cannot be used to train a model for another
  • Data subject rights — individuals can request erasure; if their data is in a model's training set or a provider's log, you cannot guarantee erasure
  • Data residency — for certain sectors (health, finance, public administration) national laws require data to stay within EU borders

Intellixer's Approach

Intellixer is designed so that GDPR compliance is enforced at the infrastructure layer, not left to application developers.

  • PII anonymisation before inference — every prompt passes through our Presidio-based Privacy Engine. Names, emails, fiscal codes, IBANs, and addresses are detected and replaced with typed placeholders ([PERSON], [EMAIL]) before the text reaches any model
  • EU-resident infrastructure — all processing runs on Google Cloud europe-west12 (Turin). On-prem inference nodes run in our own data centre
  • No training on your data — Intellixer never uses customer prompts or completions for model training
  • Immutable audit log — every API call is logged with a privacy-safe hash of the prompt, model used, token counts, and latency. Logs are retained for 90 days and exportable for DPA audits
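To make the two infrastructure-layer controls above concrete, here is an added Python sketch of a gateway pre-processing step. It is illustrative code written for this page, not Intellixer's implementation: regex detectors for emails, Italian fiscal codes and IBANs stand in for the Presidio-based Privacy Engine (Presidio's NER-based PERSON recogniser has no regex equivalent and is left out), and the indexed placeholder form `[EMAIL_1]`, the keyed HMAC-SHA256 used as the "privacy-safe hash", the sample prompt and the audit-record field names are all assumptions.

```python
"""Gateway pre-processing sketch: typed PII placeholders plus a privacy-safe audit record.

Constructed illustration for this article, not Intellixer's code. Regex detectors
stand in for the Presidio-based engine; placeholder numbering, the HMAC choice
and the audit-record schema are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from datetime import datetime, timezone

# Detectors run in this order; each match becomes an indexed typed placeholder.
# PERSON is omitted: names need an NER model (Presidio uses spaCy), not a regex.
PATTERNS = [
    # Italian codice fiscale: 6 letters, 2 digits, letter, 2 digits, letter, 3 digits, letter
    ("FISCAL_CODE", re.compile(r"\b[A-Z]{6}\d{2}[A-Z]\d{2}[A-Z]\d{3}[A-Z]\b")),
    # IBAN: country code, 2 check digits, 11-30 alphanumerics (format check only)
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
]

# Constructed sample prompt; the values are well-known format examples, not real people.
SAMPLE_PROMPT = (
    "Summarise the account of Mario Rossi (mario.rossi@example.com), fiscal code "
    "RSSMRA85M01H501Z, IBAN IT60X0542811101000000123456. Contact: mario.rossi@example.com"
)


def anonymise(prompt: str) -> tuple[str, dict[str, str]]:
    """Replace each detected PII value with a placeholder such as [EMAIL_1].

    Returns the redacted prompt and the placeholder -> original mapping. The mapping
    stays inside the gateway; only the redacted text is sent to the model.
    """
    mapping: dict[str, str] = {}
    counters: dict[str, int] = {}
    redacted = prompt
    for entity, pattern in PATTERNS:
        def substitute(match: re.Match, entity: str = entity) -> str:
            value = match.group(0)
            # A value seen twice gets the same placeholder so references stay consistent.
            for placeholder, known in mapping.items():
                if known == value:
                    return placeholder
            counters[entity] = counters.get(entity, 0) + 1
            placeholder = f"[{entity}_{counters[entity]}]"
            mapping[placeholder] = value
            return placeholder
        redacted = pattern.sub(substitute, redacted)
    return redacted, mapping


def rehydrate(completion: str, mapping: dict[str, str]) -> str:
    """Restore original values in the model's completion before returning it to the caller."""
    for placeholder, value in mapping.items():
        completion = completion.replace(placeholder, value)
    return completion


def audit_record(key: bytes, prompt: str, mapping: dict[str, str], model: str,
                 prompt_tokens: int, completion_tokens: int, latency_ms: float) -> dict:
    """Build one audit entry that holds no prompt text and no PII values.

    HMAC-SHA256 under a gateway-held key lets the operator correlate repeated prompts,
    while a leaked log cannot be reversed by hashing candidate prompts. Entity counts
    record what kinds of PII were redacted, never the values themselves.
    """
    counts: dict[str, int] = {}
    for placeholder in mapping:
        entity = placeholder.strip("[]").rsplit("_", 1)[0]
        counts[entity] = counts.get(entity, 0) + 1
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "prompt_hmac": hmac.new(key, prompt.encode("utf-8"), hashlib.sha256).hexdigest(),
        "model": model,
        "prompt_tokens": prompt_tokens,
        "completion_tokens": completion_tokens,
        "latency_ms": latency_ms,
        "pii_entities": dict(sorted(counts.items())),
    }


if __name__ == "__main__":
    redacted, mapping = anonymise(SAMPLE_PROMPT)
    print(redacted)
    record = audit_record(b"gateway-audit-key", SAMPLE_PROMPT, mapping, "example-model", 48, 12, 310.5)
    print(record)
    print(rehydrate("Holder [EMAIL_1] has IBAN [IBAN_1].", mapping))
```

Two design points carry over to any real gateway: the placeholder-to-value mapping must never be written to the audit log or sent with the request, otherwise the redaction is undone at the provider; and a bare SHA-256 of a short prompt is not privacy-safe, because anyone holding the log can hash guessed prompts and match them, which is why the hash here is keyed.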

Next Steps

If your team is evaluating LLM APIs under GDPR constraints, we are happy to provide a Data Processing Agreement (DPA) and a technical briefing on our privacy architecture.


// FAQ
Is calling a US LLM provider with European personal data GDPR compliant?
Not without a proper legal basis — GDPR Art. 44 requires an adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules for cross-border transfers; most teams using LLM APIs have none of these in place.
What does GDPR require for AI processing?
GDPR requires a legal basis, data minimisation, purpose limitation, data subject rights including erasure, and for regulated sectors data residency within EU borders.
How does Intellixer ensure GDPR compliance?
PII is anonymised before inference via Microsoft Presidio (names, emails, fiscal codes, and IBANs are replaced with typed placeholders); all processing runs on EU-resident Google Cloud europe-west12 infrastructure; Intellixer never trains on customer data; and every API call produces a 90-day immutable audit log exportable for DPA audits.
What happened when companies violated GDPR with LLM APIs?
In 2023 Italy's Garante temporarily banned a major LLM service; in 2024 the Irish DPC fined Meta €1.2 billion for insufficient SCCs. LLM API calls are under increasing regulatory scrutiny.