Claude and GDPR: a compliance guide for businesses

Is Claude GDPR compliant?

Yes. Anthropic provides a Data Processing Addendum (DPA) governing the processing of personal data in line with Article 28 of the GDPR. Under it, Anthropic acts as a processor and your organization as the controller. For API and commercial usage, Anthropic states that the data you send is not used to train its models by default.

Real-world compliance still depends on three things: the plan you use, the data you send, and the measures you put in place on your side.

---

API and commercial plans vs consumer Claude.ai

This is the most important distinction for GDPR:

• API and Claude for Work / Enterprise: covered by the DPA, data not used for training, reduced-retention options (down to "zero data retention" for eligible customers).
• Free / Pro Claude.ai (consumer): different terms, designed for individual use. Avoid it for processing customers' or employees' personal data.

Simple rule: for any processing of personal data for business purposes, use the API or an enterprise plan covered by the DPA.

---

Anthropic's commitments on your data

• DPA aligned with GDPR Article 28, including Standard Contractual Clauses (SCCs) for transfers outside the EU.
• No training on API and commercial customer data by default.
• Sub-processor list published and kept up to date.
• Security measures and a Trust Center documenting practices.

These commitments evolve: always check Anthropic's current terms and documentation before deploying.

---

GDPR and Claude: who is responsible for what?

Under the GDPR, responsibilities are clearly split:

• You (controller): you define the purposes, establish a legal basis (consent, legitimate interest…), inform individuals and handle their rights.
• Anthropic (processor): processes data on your instructions and under the DPA, and applies security measures.

In other words, signing the DPA is not enough: your compliance mostly depends on your own practices.

---

7 best practices to use Claude in GDPR compliance

---

Frequently asked questions

Is Claude GDPR compliant?

Yes, provided you use a plan covered by Anthropic's DPA (API, Claude for Work / Enterprise) and implement your own compliance measures as the controller.

Is the data I send to Claude used to train the AI?

For the API and commercial plans, Anthropic states it does not use customer data to train its models by default. Consumer Claude.ai terms differ.

Where is the data processed by Claude hosted?

Anthropic may process data outside the EU; transfers are governed by Standard Contractual Clauses. Check Anthropic's data location options and Trust Center for your plan.

Can I use free Claude.ai for business data?

Not recommended. For any processing of personal data, prefer the API or an enterprise plan covered by the DPA.

Do I need a Data Protection Impact Assessment (DPIA)?

A DPIA is required for processing likely to result in a high risk to individuals' rights. When in doubt, consult your Data Protection Officer (DPO).

---

In short

Claude can absolutely be used in compliance with the GDPR: Anthropic provides the contractual framework (DPA, no training, SCCs), and it is up to you to apply best practices — minimization, pseudonymization, informing individuals, and choosing the right plan.

Note: this article is for informational purposes and is not legal advice. Check Anthropic's current terms and consult your Data Protection Officer (DPO) for your specific case.