
GDPR-compliant AI & EU AI Act

I deploy LLM/AI systems in regulated industries — from working with Compliance/Legal to data-residency, right-to-be-forgotten, and EU AI Act readiness.

GDPR and AI is not a choice

At IG Group, for 6 years I deployed AI systems in environments regulated by the FCA (UK), CFTC (US), JFSA (Japan) and several others. Every LLM project went through Compliance and Legal — from KYC automation in 40+ languages to an internal knowledge base chatbot. I understand how this works in practice, not just from a tutorial.

With the EU AI Act in force and tighter GDPR enforcement across EU regulators, every company using LLMs that touch personal data needs concrete answers.

What I deliver

  • LLM/AI compliance audit (1–3 weeks) — review of existing deployments against GDPR, EU AI Act, sector regulations (financial services, healthcare, insurance). Report with concrete gaps and prioritized fixes.
  • Data residency for LLMs — designing architectures where personal data never leaves the EU. Vertex AI europe-west1, Azure OpenAI EU, self-hosted Mistral/Llama, hybrid setups.
  • EU AI Act framework — system categorization (minimal/limited/high-risk/unacceptable), risk assessment, technical documentation, post-market monitoring.
  • Right to be forgotten for LLMs — strategies for removing personal data from ML/AI systems (re-training vs. fine-tuning unlearning vs. RAG-only).
  • DPIA for AI deployments — Data Protection Impact Assessment tailored to a specific deployment, ready for the regulator.
  • Working with your Compliance/Legal — I speak their language and produce the documentation they need.

Common pitfalls

  1. OpenAI API with personal data in the prompt — no DPA, no opt-out from training, no GDPR checks. The most common mistake of 2024–2025.
  2. Embedding personal data in a vector DB — embeddings preserve information about personal data and fall under GDPR.
  3. No audit log — for financial regulations, “we don’t know what the model said to the customer” = regulator letter.
  4. Confusing EU AI Act with GDPR — these are two regimes with two timelines. You need to satisfy both.

Who this fits

  • Banks, insurers, fintechs touching customer personal data via AI.
  • Healthcare providers with AI/LLM plans on patient data.
  • HR-tech, recruiting-tech — these are EU AI Act high-risk areas.
  • Any company planning an LLM over internal documents (which usually contain personal data).

Let's talk.

30 minutes, no obligation. Tell me where your AI initiative is stuck or what you're planning — you'll leave with concrete next steps.