GDPR + AI Email Stack: 7-Point Audit Checklist
The exact 7 questions to ask any AI email vendor — and what a good answer looks like.
Most AI email procurement happens with a 30-minute demo, a price quote, and zero compliance review. That’s how a 12-person Polish marketing agency ended up paying €18,000 in fines after a UODO inquiry in 2025. The vendor’s sales team had assured them “we’re GDPR compliant” — which was true at one level (they had a DPA) and false at another (the DPA didn’t cover the OpenAI sub-processor relationship).
The 7 questions
1. Article 28 — Is a DPA available?
Ask for the DPA template. Read it. Verify it names: the controller (you), the processor (vendor), all sub-processors (OpenAI, Anthropic, AWS, etc.), the categories of personal data, the security measures, and the breach notification SLA.
Good answer: a 6-10 page DPA, sub-processors named, 72-hour breach notification. Walk-away answer: “we’ll send one over after you sign.”
2. Article 35 — Has a DPIA been completed?
AI email is large-scale automated processing of personal data, so a DPIA is required. Ask for the executive summary.
Good answer: a 1-3 page summary identifying risks (sub-processor exposure, training data leakage, accuracy errors) and mitigations. Walk-away answer: “that’s our customers’ responsibility.” (Partial truth — but a serious vendor produces their own.)
3. Chapter V — Where does the data flow?
Ask for an architecture diagram or written description of data flow from your inbox to the LLM and back. Identify every cross-border transfer.
Good answer: “all data stays in EU, no transfers.” Or “transfers to US under EU-US DPF + SCCs, listed in DPA.” Walk-away answer: “we don’t track that.”
4. Retention — How long is data kept?
AI prompts and responses, email content, and derived metadata may each have a different retention period. Ask about all three.
Good answer: explicit retention periods, ideally short (30-90 days) for derived AI artifacts. Walk-away answer: “until you delete your account.”
5. Sub-processors — Who else touches this data?
Demand a full list. The DPA should name all of them, with their function and jurisdiction.
Good answer: a maintained sub-processors page on the vendor’s website, with a commitment to notify customers before changes. Walk-away answer: “we use industry-standard providers.”
6. Audit logging — Can you prove what happened?
If a customer asks “did your AI process my email?”, you need a logged answer. Ask whether per-email audit logs are available, how long they are retained, and in what format they can be exported.
Good answer: structured logs accessible via UI or API, 1-year retention. Walk-away answer: “we don’t log AI activity at the per-email level.”
7. Breach notification — What’s the SLA?
GDPR requires you to notify the supervisory authority within 72 hours of becoming aware of a breach. Your vendor must notify you early enough that you can still meet that deadline.
Good answer: “within 24 hours of confirmed breach.” Walk-away answer: “within a reasonable timeframe.”
When to walk away
Two or more vague answers from the list above are a strong walk-away signal. The vendor either hasn’t done the compliance work or doesn’t want to commit on paper. Either way, you’re inheriting their gap as your liability when the regulator inquires.
Frequently asked questions
Do I need a DPIA myself if my vendor has one?
Yes — your DPIA covers the processing in your context, the vendor’s covers theirs. They’re complementary. Use the vendor’s as input to yours.
What’s a typical UODO/DPA fine for AI email violations?
Fines range widely. Recent EU enforcement on AI/email overlaps: €15M (Italian Garante on OpenAI), €45,000 (Polish company for ChatGPT use without a DPA). Plan for the lower end as a base case, but understand that the upper bound is in the millions.
Ready to try PrometheusMail?
14-day free trial, no credit card. First 100 waitlist teams get 50% off for life.