EU regulation governing how personal data is collected, stored, processed, and shared. Applicable since 25 May 2018. Applies to any organization processing the personal data of people in the EU, regardless of where the organization is based.
GDPR is the EU's main privacy law and the default framework for handling personal data in UX research. It applies whenever a study touches identifiable participant data: session recordings, transcripts, screener answers, contact details. Its reach does not depend on where the participant was recruited or where the research team sits; it follows the data subject in the EU. Two GDPR concepts dominate vendor evaluation: lawful basis (usually consent for research, which must be specific, informed, and withdrawable, or in some cases legitimate interests) and data minimisation (collect only what is needed for the stated purpose, and keep it no longer than that purpose requires).
For AI tools, the relevant questions are: who is the controller, who is the processor, where is the data processed, and what is the basis for international transfers, if any. In the typical setup the research organisation is the controller and the AI vendor is a processor acting only on documented instructions. A vendor that uses participant data to train its own models is no longer acting on your instructions for that purpose; it becomes a controller in its own right and needs its own legal basis, and if it has none, your study turns into a compliance incident. The DPA (Data Processing Agreement), which Article 28 requires between controller and processor, is the document that nails these obligations down: purpose limitation, sub-processors, security measures, deletion on termination, and the transfer mechanism (adequacy decision or standard contractual clauses) for any processing outside the EU.
GDPR coexists with the EU AI Act, which entered into force in August 2024 and whose obligations apply in phases over the following years. The AI Act adds transparency and documentation obligations on top; it does not replace GDPR, and a vendor's AI Act compliance says nothing about whether its data processing has a lawful basis.