DPC Guidance on AI
aka Data Protection Commission AI guidance, DPC AI blog
Published positions from Ireland's Data Protection Commission on how AI and large language models interact with GDPR. The closest thing to an official Irish AI rulebook for SMEs.
Last reviewed May 2026
Definition
The Data Protection Commission (DPC) is the Irish supervisory authority for GDPR and the lead regulator in the EU for most US-headquartered AI vendors (Meta, OpenAI via its Irish entity, X, Google, Microsoft, TikTok). Rather than a single AI code, the DPC has published its current thinking through a series of guidance blogs and statements: notably the 'AI, Large Language Models and Data Protection' blog at dataprotection.ie/en/dpc-guidance/blogs, complemented by enforcement positions taken in 2024 and 2025 against Meta's AI training and X's Grok deployment.
The DPC's working position is that GDPR already covers AI processing - there is no separate Irish AI regime. The questions a controller must answer remain the standard GDPR ones: what is the lawful basis, what data are being processed, is there a Data Processing Agreement with the AI vendor, where is the data processed, has a Data Protection Impact Assessment been completed where required under Article 35, and are data subject rights (including Article 22 on automated decisions) preserved.
For Irish SMEs adopting third-party AI tools, the practical implication is that the DPC will hold the deploying organisation - not the AI vendor - accountable for whether prompts contain personal data the controller has no lawful basis to share, whether the chosen tier of the tool offers an enterprise DPA, and whether the controller has documented its AI risk assessment.
Why it matters for software choice
Irish SMEs cannot point at the EU AI Act in isolation and treat it as the floor. GDPR obligations enforced by the DPC are stricter and already in force, and the DPC has shown willingness to act against AI vendors and the controllers who deploy them. Reading the DPC's own published positions before procurement is a low-cost compliance step that demonstrates due diligence if a complaint later lands.
Authority sources
- Data Protection Commission - AI, Large Language Models and Data Protection (www.dataprotection.ie)
- Data Protection Commission - DPC guidance index (www.dataprotection.ie)
Vendors covered by this term
ChatGPT Enterprise
OpenAI's enterprise AI assistant with advanced reasoning, data analysis, and custom GPTs
Claude for Business
Anthropic's AI assistant with strong safety focus, long context handling, and business-grade data privacy
Microsoft Copilot
AI assistant integrated into Microsoft 365, with EU data boundary for European customers
Gemini Business
Google's AI assistant integrated with Google Workspace, with EU data processing for European customers
Related terms
Data Protection Commission
Ireland's national data protection authority. Lead supervisory authority for many large US tech companies headquartered in Dublin under the GDPR's one-stop-shop mechanism.
Data Processing Agreement
Mandatory contract under GDPR Article 28 between a data controller and a data processor. Sets out subject matter, duration, processing purposes, and required security measures.
DPIA for AI
A documented assessment under GDPR Article 35 that an Irish controller must complete before deploying an AI tool likely to result in high risk to data subjects. The DPC treats most AI deployments as triggering this obligation.
EU AI Act
EU regulation on artificial intelligence, in force from 1 August 2024. Bans some practices, regulates 'high-risk' AI systems, and imposes transparency obligations on general-purpose AI models.
GDPR Article 22
The GDPR provision that gives data subjects a right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. Constrains how Irish employers and lenders can use AI to make decisions.