Does GDPR apply to AI agent data processing?
Yes — GDPR applies to any AI agent that processes personal data of EU residents, and agents create unique compliance challenges because they make autonomous decisions about data access, storage, and transmission without human review.
GDPR requirements that AI agents routinely violate:
- Lawful basis (Article 6): Each data processing operation needs a legal basis — but agents process data thousands of times per session without individual consent
- Data minimization (Article 5): Agents often access more data than necessary because they operate with broad permissions
- Right to erasure (Article 17): When a user requests deletion, every agent log, cache, and embedding must be purged
- Data protection impact assessment (Article 35): High-risk automated processing requires DPIA — most agent deployments don't have one
- Breach notification (Article 33): If an agent exfiltrates personal data, you have 72 hours to notify the supervisory authority
Exogram's PII Air Gap invariant detects and scrubs personal data before it enters the Trust Ledger. Hard deletion capabilities satisfy Article 17 right-to-erasure. Namespace isolation prevents cross-tenant data access. Every data processing action is logged with the legal basis and consent context required for DPIA documentation.