Memo 04 · Data residency

Where does your data go?

AI tools, EU data residency, and GDPR in plain language.

Copenhagen · 16 May 2026

The short version

Every time you paste a document into ChatGPT, every time Copilot suggests text in your Outlook, every time your team uses an AI summarizer, that data leaves your computer. Where it goes matters. Under GDPR, it can matter a lot.

This memo explains, in plain language: what data residency actually is, where your data goes when you use the most common AI tools, which EU rules apply, what good-faith practice looks like for a small organization, and what to do when an AI tool you actually need stores data outside the EU.

If you run a school, a clinic, a nonprofit, a public office, a law firm, or any organization that handles personal data in Europe, this applies to you. Read it.

This memo is plain-language explanation. It is not legal advice. For obligations specific to your organization, consult a qualified lawyer or your Data Protection Officer.

Why this matters now

Three things happened in the last two years.

First, AI tools became ordinary office software. ChatGPT, Microsoft Copilot, Google Gemini, Anthropic Claude, and dozens of smaller tools are now embedded in everyday work. Many of them send data outside the European Union by default.

Second, EU regulators made it clear that AI use does not get a pass under the General Data Protection Regulation. The Italian data protection authority, the French CNIL, German DPAs, and the European Data Protection Board have all issued opinions or enforcement actions on generative AI, training data, and cross-border transfers.

Third, the EU AI Act came into force. Article 4 requires organizations using AI to ensure that the people using it have sufficient AI literacy, including knowing what the tool does with their data. (See Memo 02.)

The combination matters. If your team is pasting client data into a tool you have no legal basis to use, you have a GDPR problem, an Article 4 problem, and a professional-conduct problem. Most organizations have not stopped to check.

What "data residency" actually means

Data residency is the question of where, geographically, your data is stored and processed. It is not a single rule. It is the answer to four practical questions.

  1. Where is the data physically held? Which datacenter, in which country?
  2. Where is it processed? Where does the actual computation happen?
  3. Who can access it? Which staff of the vendor, in which jurisdiction, under which laws?
  4. Where do logs and metadata live? These are often in a different region than the data itself.

A tool can be "EU-hosted" for storage and still process data in the United States. A tool can keep the main payload in Europe and ship the diagnostic logs to a global cloud. A tool can promise "EU data residency" while subcontracting parts of its operation to providers outside the EU. The marketing label is not enough. Read the details.


The legal frame, in plain language

Under the General Data Protection Regulation (GDPR), personal data of people in the EU can move outside the EU only under specific conditions. The Regulation calls this "international transfers" and covers it in Chapter V (Articles 44 to 50).

There are three main lawful bases for transferring personal data outside the EU/EEA.

  • Adequacy decision. The European Commission has formally decided that the receiving country provides "essentially equivalent" data protection. As of mid-2026, adequacy decisions exist for Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom, Uruguay, and the United States under the EU-US Data Privacy Framework. The US adequacy is conditional on the receiving organization being self-certified under the Framework.
  • Appropriate safeguards. The most common in practice are Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). These are contractual mechanisms that commit the receiving organization to GDPR-equivalent protection.
  • Derogations. Narrow exceptions, such as explicit consent for a specific transfer, or where the transfer is genuinely necessary for performing a contract with the data subject. These are not a general-purpose route for routine transfers.

The default position is that personal data should stay in the EU/EEA, or move only to a country with adequacy, or move only with proper safeguards in place. The burden of proof is on the organization sending the data, not on the person whose data it is.

The EU AI Act does not change these rules. It sits on top of them. When you use AI tools that handle personal data, both GDPR and the AI Act apply.

Where the major AI tools actually send your data

What follows is the general picture for the most common AI tools as of mid-2026. Vendor policies change. Always verify against the current Data Processing Addendum or trust-centre page of the tool you actually use.

ChatGPT (free and Plus). Conversations are sent to OpenAI's infrastructure, primarily in the United States. On the free and Plus tiers, OpenAI may retain conversations and, depending on user settings, use them to improve its models. OpenAI is self-certified under the EU-US Data Privacy Framework, but the enterprise-grade controls (no training, EU data residency, audit logs, contractual DPA) are not available on these consumer tiers.

ChatGPT Team and Enterprise. OpenAI offers EU data residency for these tiers. Conversation data is not used to train models by default. A Data Processing Addendum is available. For most Danish organizations that want to use ChatGPT lawfully on real work data, this is the minimum tier to consider.

OpenAI API. Data is not used to train models by default. Customers can request zero data retention for eligible endpoints. Region selection is available for certain configurations. Suitable for organizations with technical capacity to integrate the API directly.

Microsoft 365 Copilot. Data is processed within your Microsoft 365 tenant boundary. For EU tenants, this typically means EU data residency, though the precise behaviour depends on your Microsoft licensing, your tenant configuration, and the specific Copilot feature. Your Microsoft administrator can verify the current setting in the Microsoft 365 admin centre.

Azure OpenAI Service. You choose the region. EU regions such as West Europe, Sweden Central, and France Central keep data within the EU. Microsoft offers stronger contractual protections than the public ChatGPT consumer product. This is often the cleanest commercial route to a US-built model with EU residency.

Anthropic Claude (claude.ai, consumer). Conversations are processed on Anthropic's primary infrastructure, based in the United States. Anthropic is self-certified under the EU-US Data Privacy Framework. Enterprise and API customers can negotiate data handling terms.

Anthropic Claude via Amazon Bedrock or Google Cloud Vertex AI. Claude is available through major cloud providers, and you can select an EU region for processing. For organizations already using AWS or Google Cloud, this is often the cleanest path to Claude with EU residency.

Google Gemini (consumer). Data flows into Google's global infrastructure, with handling subject to Google's general consumer privacy practices. Suitable for personal use; not generally appropriate for work data containing personal information about others.

Google Workspace Gemini. Data handling follows your Workspace data region and data-processing settings. Workspace Business and Enterprise customers can configure EU data regions.

Vertex AI (Gemini, Gemma, Claude, partner models). Region selectable, including EU regions. Provides the contractual and operational controls most enterprises need.

Translation tools. DeepL (German company) offers a Pro tier with strict no-retention guarantees and EU hosting. Free tiers of any translation service (DeepL Free, Google Translate, Microsoft Translator) typically retain data and may use it for product improvement. Not suitable for confidential or personal content.

Open-source models you self-host (Mistral, Llama, Qwen, Whisper, and similar). The data goes wherever you put the server. Self-hosting on EU infrastructure is the cleanest path to true data residency; the trade-off is that you need the technical capacity to deploy and maintain the system yourself.

Smaller AI productivity tools. Note-takers, transcribers, AI scheduling assistants, AI CRM enrichment. Highly variable. Many small AI startups use OpenAI, Anthropic, or Google under the hood and forward your data to those providers. Some have no Data Processing Addendum at all. Always check, and ask the vendor directly if the documentation is unclear.

This list is a snapshot. Vendor policies, regional options, and certifications shift continuously. Treat any specific claim above as a starting point for verification, not a final answer.

Where it goes wrong

Four patterns we see repeatedly in small organizations.

1. Free tier in production

A staff member starts experimenting with free ChatGPT, finds it useful, and quietly begins using it on real work, including documents containing personal data. The organization has no awareness, no contract, no audit trail, and no legal basis for the transfer. This is the single most common GDPR exposure in small organizations.

2. EU residency on the front, US logs on the back

A vendor markets "EU data residency" but ships diagnostic logs, error reports, or telemetry to its global infrastructure. The main data sits in Frankfurt; the logs sit in Virginia. The transfer still happens, often with metadata that includes personal data.

3. The integration nobody mapped

Your CRM has an AI feature. Your email has a writing assistant. Your meeting tool has an AI note-taker. Each one was approved separately, by a different person, at a different time. Nobody mapped the combined picture, so nobody noticed that confidential client meetings end up summarized on three different US clouds.

4. The "this is just for me" tool

A senior leader uses a personal subscription to a consumer AI tool to summarize board papers, including personal data of staff, donors, or service users. The organization is still the controller for that personal data. A personal subscription is not a defence.

If any of these sound familiar, you have a data residency problem worth taking seriously.

What good-faith practice looks like

A small organization cannot have a Chief Data Officer and a fifty-page transfer impact assessment for every tool. GDPR does not require that. It requires reasonable, documented care, proportionate to the data and the risk.

Six concrete steps that cover most small organizations.

  1. Inventory. List every AI tool your team is actually using. Include the ones embedded in software you already pay for (Microsoft 365, Google Workspace, your CRM, your accounting platform, your applicant tracking system).
  2. Classify the data. For each tool, write down what kind of data goes into it. Personal data of staff? Personal data of clients or service users? Health data? Children's data? Financial data? Confidential commercial information? Or only public, non-personal information? This shapes the risk.
  3. Locate. For each tool that handles personal data, find out where the data is processed. Check the vendor's Data Processing Addendum, sub-processor list, or trust-centre page. Where the answer is unclear, ask the vendor in writing and keep the reply.
  4. Decide. For each tool, decide whether the current setup is acceptable. The question is not whether the tool says "EU-hosted" in marketing materials. The question is whether your specific use, with your specific data, satisfies GDPR.
  5. Switch or document. If a tool is not acceptable, switch to one that is. If it is acceptable, write a short note (one paragraph) explaining why the transfer is lawful, which mechanism applies (adequacy, SCCs, etc.), and keep it on file.
  6. Tell your team. A one-page internal policy stating which tools are approved, what kinds of data can go into them, and what cannot. This is also part of Article 4 compliance under the EU AI Act.
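The six steps above, and the Chapter V summary earlier in this memo, can be turned into a small triage script. The following Python is an added example written for this memo; it is not the Foundation's own tooling and it is not a transfer impact assessment. It encodes the memo's plain-language rules (EEA processing needs no transfer basis; adequacy countries are fine, with the United States conditional on the vendor's Data Privacy Framework self-certification; otherwise SCCs or BCRs are needed; derogations are not treated as a routine route), checks the log location separately as the fourth residency question asks, and flags consumer tiers that carry no Data Processing Addendum. Country codes are ISO 3166-1 alpha-2 and the EEA membership list are assumptions the memo does not spell out; "??" marks an unknown location. The inventory at the bottom is constructed sample data, not a statement about any vendor.

```python
"""Transfer triage over a constructed AI-tool inventory.

Added example for this memo (not the Foundation's own tooling). It encodes the
memo's plain-language summary of GDPR Chapter V and the memo's four residency
questions, and runs them over a six-step inventory. Country codes are ISO
3166-1 alpha-2 (an assumption); "??" marks an unknown location.
"""
from dataclasses import dataclass

# EEA members (assumption: the memo does not enumerate them).
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
       "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
       "SE", "IS", "LI", "NO"}

# Adequacy decisions as listed in the memo (mid-2026). The US is omitted here
# because its adequacy is conditional on the vendor's DPF self-certification;
# Canada's covers commercial organizations only.
ADEQUACY = {"AD", "AR", "CA", "FO", "GG", "IL", "IM", "JP", "JE", "NZ", "KR",
            "CH", "GB", "UY"}

RANK = {"ok": 0, "review": 1, "blocked": 2}


def worst(a, b):
    """Combine two statuses, keeping the more serious one."""
    return a if RANK[a] >= RANK[b] else b


@dataclass
class Tool:
    name: str
    personal_data: bool          # step 2: does personal data go in?
    data_region: str             # step 3: where the main payload is processed
    log_region: str              # question 4: where logs and telemetry live
    consumer_tier: bool = False  # free/consumer tier: no DPA, possible training use
    dpf_certified: bool = False  # vendor self-certified under the EU-US DPF
    sccs: bool = False           # SCCs or BCRs in the signed contract
    dpa_signed: bool = False     # Data Processing Addendum on file


def transfer_basis(country, dpf_certified, sccs):
    """Map one processing location to a status and the mechanism that justifies it."""
    if country == "??":
        return "review", "location unknown; ask the vendor in writing and keep the reply"
    if country in EEA:
        return "ok", "processed in the EEA; no international transfer"
    if country == "US" and dpf_certified:
        return "ok", "US; vendor self-certified under the EU-US Data Privacy Framework"
    if country != "US" and country in ADEQUACY:
        return "ok", f"{country}; adequacy decision"
    if sccs:
        return "ok", f"{country}; Standard Contractual Clauses or BCRs in place"
    return "blocked", f"{country}; no adequacy and no appropriate safeguards"


def assess(tool):
    """Step 4 ('Decide'): combine data location, log location and contract status."""
    if not tool.personal_data:
        return {"tool": tool.name, "status": "ok",
                "findings": ["no personal data; Chapter V transfer rules not engaged"]}
    status, reason = transfer_basis(tool.data_region, tool.dpf_certified, tool.sccs)
    findings = [f"data: {reason}"]
    # Pattern 2 in the memo: EU residency on the front, US logs on the back.
    if tool.log_region != tool.data_region:
        log_status, log_reason = transfer_basis(tool.log_region, tool.dpf_certified, tool.sccs)
        findings.append(f"logs: {log_reason}")
        status = worst(status, log_status)
    # Pattern 1: a consumer tier has no DPA and may retain or train on the data,
    # regardless of where the vendor is certified.
    if tool.consumer_tier:
        findings.append("consumer tier: no DPA, data may be retained or used for training")
        status = "blocked"
    elif not tool.dpa_signed:
        findings.append("no signed Data Processing Addendum on file")
        status = worst(status, "review")
    return {"tool": tool.name, "status": status, "findings": findings}


def triage(tools):
    """Return one assessment per tool, most serious first."""
    return sorted((assess(t) for t in tools), key=lambda r: -RANK[r["status"]])


# Constructed sample inventory; names and settings are illustrative, not vendor facts.
INVENTORY = [
    Tool("Free chatbot (staff-initiated)", True, "US", "US", consumer_tier=True, dpf_certified=True),
    Tool("Azure OpenAI, Sweden Central", True, "SE", "SE", dpa_signed=True),
    Tool("Meeting note-taker (startup)", True, "DE", "US", dpa_signed=True),
    Tool("Translation Pro tier", True, "DE", "DE", dpa_signed=True),
    Tool("CRM enrichment add-on", True, "??", "??"),
    Tool("Public-web summarizer", False, "US", "US"),
]

if __name__ == "__main__":
    for r in triage(INVENTORY):
        print(f"[{r['status'].upper():7}] {r['tool']}")
        for f in r["findings"]:
            print(f"          - {f}")
```

The output is the raw material for step 5: each "ok" line names the mechanism to write into the one-paragraph note, each "review" line is a question to put to the vendor in writing, and each "blocked" line is a tool to switch away from. A "blocked" verdict on the note-taker comes from its log region alone, which is exactly the case the marketing label hides.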

Done in good faith with documentation you can show, this is reasonable. Done with no inventory and no policy, it is not.

You do not need a compliance officer to fix this. You need an hour of attention, a one-page inventory, and a one-page policy.

The Article 4 connection

Memo 02 explained Article 4 of the EU AI Act: organizations using AI must ensure that their staff have sufficient AI literacy. Knowing where your data goes is part of that literacy.

A staff member who is AI-literate can answer three questions about any tool they use at work:

  • Which AI tools am I allowed to use for which kinds of work?
  • What kind of data can I put into each tool, and what cannot?
  • Where does that data go when I use the tool?

If a substantial portion of your team cannot answer those three questions, you are not yet Article 4-compliant on the data dimension. The fix is not difficult. It is mostly a question of doing it.

A short practical checklist

For the person who wants to know what to do this week.

  1. List the AI tools your team actually uses.
  2. For each, write down what data goes in.
  3. For each, find out where that data is processed.
  4. Where personal data is involved, check the legal basis for any transfer outside the EU.
  5. Write a one-page internal policy and brief the team.
  6. Review every six months.

What the Foundation will do

Data residency is part of every AI tool review the AI Literacy Foundation runs. When we evaluate a tool for a Danish organization, we document where the data goes, which legal basis applies, what the residency posture is, and any known risks. The review is free at the point of access.

We include data residency questions in our Article 4 compliance training so that the people who finish a cohort can answer the three core questions for their own organization: which AI tools are in use, what data goes into them, and where that data is processed.

We do not sell AI tools. We do not have a preferred vendor. We help people make informed decisions.

If you are unsure where to start, write to us.

Closing

Data residency is one of the most concrete intersections of AI and the law. It is also one of the most ignored. Most small organizations using AI in 2026 have no inventory, no policy, and no clear answer to the question "where does our data actually go?"

The legal exposure is real. The fix is reasonable. The difference between a compliant organization and a non-compliant one is rarely sophistication. It is usually attention.

That is what this foundation is for.

Ali Al Mokdad

Founder, AI Literacy Foundation

hello@ailiteracyfoundation.eu

ailiteracyfoundation.eu


This memo is plain-language explanation. It is not legal advice. Vendor policies, regional options, and adequacy decisions change continuously. For obligations specific to your organization, consult a qualified lawyer or your Data Protection Officer, and verify every specific vendor claim above against the current documentation of the tool you actually use.