The short answer is yes: you can run the Claude API and stay GDPR compliant, and Anthropic's defaults start the job for you in a few useful places. API data is not used to train models, the Data Processing Agreement is already inside the Commercial Terms, and retention defaults to seven days rather than thirty.
That head start does not finish the work. The defaults sit on Anthropic's side of the line. Your obligations as the controller still sit on yours: the DPIA, the data you choose to send, the privacy notice, and the transfer record. This is the companion to our ChatGPT API guide, written the same way: what is already handled, and what you have to configure and document yourself.
The consumer app and the API are two products
Most GDPR trouble with any LLM comes from treating the consumer chat and the API as the same thing. They are governed by different terms.
Consumer Claude (claude.ai Free, Pro, Max):
- The training default flipped to opt-in on 8 October 2025, with retention of up to five years where a user enables it
- No Data Processing Agreement
- No guaranteed data residency or retention controls for business use
Claude API (commercial):
- API inputs and outputs are not used for model training, by default and contractually
- The DPA is built into the Commercial Terms
- Retention is configurable, with a seven-day default and a zero-retention option for qualifying enterprise customers
If your team is pasting customer details into the consumer app, that is the exposure. The API, configured properly, is the path that holds up.
What Anthropic's defaults already get right
Two of the things you usually have to chase on an LLM provider are set the way you want from the start.
Training. For commercial products, Anthropic does not use API inputs or outputs for model training. There is no per-request opt-out to remember and no setting to police across a team, because the position is contractual and on by default.
Retention. On 14 September 2025 Anthropic reduced its default API retention from thirty days to seven, kept only for abuse monitoring. Shorter default retention helps directly with the data minimisation and storage limitation principles (Article 5(1)(c) and (e)): less data sits on the processor's side, and it exists for a shorter window.
Neither of these removes your own duties. They lower the starting difficulty.
Step 1: The Data Processing Agreement
Under Article 28 GDPR, using a third party to process personal data on your behalf requires a written contract. That contract is the DPA, and it is the first document a regulator asks for.
Anthropic's DPA is incorporated into its Commercial Terms of Service. Accepting the Commercial Terms accepts the DPA, with no separate signing step for standard deployments, and the current version applies from 1 January 2026. Free and Pro plans do not include a DPA, which is another reason business personal data belongs on the commercial API.
The agreement is governed by Irish law, with disputes resolving in the Irish courts, and it carries the Standard Contractual Clauses, the UK International Data Transfer Addendum, and a Swiss addendum for international transfers. Here are the eight DPA clauses to check when you review one, and a current summary of Anthropic's terms sits at the Anthropic compliance review.
Step 2: Retention and zero data retention
The seven-day default exists for abuse monitoring. For most production builds that is acceptable, and you document it. Two adjustments are worth knowing about:
- A thirty-day retention option is available via a DPA opt-in, if your own monitoring or support workflow needs the longer window.
- Zero data retention is available to qualifying enterprise customers. With ZDR, inputs and outputs are not stored beyond what abuse screening requires, which is the configuration to ask for when the data is sensitive or the volume is high.
Match the retention to what you can justify. The less Anthropic keeps, the simpler your minimisation and deletion story becomes.
Step 3: Minimise what you send
This is where the controller obligation bites, and where most builds slip. Sending an entire customer record when the model needs a fragment is a data minimisation failure regardless of how good the provider's terms are.
More than needed:
"Customer Jane Doe (jane@email.com, account #45678,
DOB 12/04/1990, 42 Oak Street, London) is asking
about her recent order."
Minimised:
"A customer is asking about order status. Question:
'When will my order arrive?' Order date: 12 June.
Expected delivery: 17 June."
Strip names, emails, account numbers, and anything identifying that the model does not need in order to answer. Build minimisation into how you construct the prompt itself: select the fields the call needs rather than passing the whole record and asking staff to remember what to remove. It is an architectural choice you make as you design the call, and it belongs in code so it can be tested and evidenced. Where you genuinely must send personal data (medical, legal, or financial queries), record exactly why in the DPIA; health data is special category data under Article 9, so you also need one of the Article 9(2) conditions on top of your lawful basis.
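One way to make that architectural choice concrete, as an added example that is not the page's own code and does not touch Anthropic's SDK: build the prompt from an allowlist of record fields, scrub the one free-text field the customer controls, and run a final leak check before the request leaves your process. The sample record, the field names and the regex patterns below are constructed for this example and are assumptions to adapt to your own data.

```python
import re
from dataclasses import dataclass, field

# Allowlist: the only record fields an order-status prompt may carry.
# Everything else in the record (name, email, address, DOB) stays in your process.
# Field names are constructed for this example.
ALLOWED_FIELDS = ("order_date", "expected_delivery")

# Backstop for the free-text question, which the customer controls. These patterns
# are constructed for this example; tune them against your own data. They are a
# safety net behind the allowlist, not the primary minimisation control.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ACCOUNT": re.compile(r"(?:account\s*)?#\s*\d{4,}", re.IGNORECASE),
    "DOB": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "UK_POSTCODE": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b"),
    "PHONE": re.compile(r"\b(?:\+44|0)\d{10}\b"),
}

# Constructed sample record: far more than the model needs for an order-status answer.
CUSTOMER_RECORD = {
    "name": "Jane Doe",
    "email": "jane@email.com",
    "account": "45678",
    "dob": "12/04/1990",
    "address": "42 Oak Street, London",
    "order_date": "12 June",
    "expected_delivery": "17 June",
}


@dataclass
class Minimised:
    prompt: str
    # category -> number of redactions, kept for the DPIA and audit trail
    redactions: dict = field(default_factory=dict)


def redact(text: str) -> tuple[str, dict]:
    """Replace identifier patterns in free text with a category placeholder."""
    counts = {}
    for label, pattern in PII_PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


def build_prompt(record: dict, question: str) -> Minimised:
    """Construct the prompt from the allowlisted fields plus the scrubbed question.
    Selecting fields by name is the minimisation control; redaction only catches
    identifiers the customer typed into the question themselves."""
    question, counts = redact(question)
    lines = ["A customer is asking about order status.", f"Question: '{question}'"]
    for name in ALLOWED_FIELDS:
        if name in record:
            lines.append(f"{name.replace('_', ' ').capitalize()}: {record[name]}")
    return Minimised("\n".join(lines), counts)


def leaked_fields(record: dict, prompt: str) -> list[str]:
    """Final check before the API call: any non-allowlisted record value that
    appears verbatim in the prompt is a minimisation failure. Refuse to send."""
    return [k for k, v in record.items()
            if k not in ALLOWED_FIELDS and isinstance(v, str) and v and v in prompt]


if __name__ == "__main__":
    result = build_prompt(
        CUSTOMER_RECORD, "When will my order arrive? I'm jane@email.com, account #45678"
    )
    assert not leaked_fields(CUSTOMER_RECORD, result.prompt)  # gate the API call on this
    print(result.prompt)
    print("redacted:", result.redactions)
```

The allowlist does the real work: the name, email, DOB and address never reach the prompt builder's output because nothing asks for them. The regex pass exists only because customers paste their own details into free text, and regexes will miss some of that, so `leaked_fields` is the last gate before the request goes out; it is deliberately conservative (a short value such as a two-digit account number can false-positive), and a positive result should block the call and be logged, not silently stripped.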
Step 4: Write the DPIA
A Data Protection Impact Assessment is the document that proves you assessed the risk before going live. For a Claude API integration it should cover:
- What personal data flows through the API. Be specific: "customer first name, support query text, order reference," not "customer data."
- The lawful basis. For most business assistants this is legitimate interest or contract performance. Write down which and why.
- The risks. A breach on Anthropic's side, retention longer than you expect, the international transfer, and identifying or special category data reaching the model when the call did not need it. Map each risk to a safeguard in the next section.
- The safeguards. DPA in place, retention minimised or ZDR enabled, data minimisation in the prompt, encryption in transit, access controls and staff training on your side.
If you need the structure, we have a step-by-step DPIA guide for AI systems, and a separate one for when a DPIA is mandatory. If the system acts on the world rather than only answering, the DPIA for AI agents covers the added duties.
Step 5: Update your privacy notice
Tell people you use an AI processor, in plain language:
- What the AI does ("we use AI to help answer support questions faster")
- Who the processor is (Anthropic)
- Where data is processed, which matters for transfers
- How long it is retained
- Their rights: access, deletion, objection
This goes in the privacy policy, and if the AI runs in a chatbot, flag it at the start of the conversation too.
Step 6: International transfers
Anthropic is a US company, so sending EU or UK personal data through the API is a restricted international transfer and needs a lawful transfer mechanism. Three cover it:
- Anthropic is certified under the EU-US Data Privacy Framework
- The UK International Data Transfer Addendum covers UK transfers
- Standard Contractual Clauses in the DPA, with a Swiss addendum, provide the fallback
Record the transfer in your records of processing activities. If the Data Privacy Framework is ever struck down, as Safe Harbor and Privacy Shield were before it, the SCCs are what you fall back on.
The Microsoft Copilot caveat
One trap is worth calling out. If you reach Claude through Microsoft 365 Copilot rather than Anthropic's own API, Anthropic's processing falls outside the Microsoft EU Data Boundary. A business that has promised customers EU-boundary processing can break that promise without realising it by routing through the integration. If the EU Data Boundary is part of your commitment, confirm the path your requests actually take before you rely on it.
Where the EU AI Act lands
Data protection and the AI Act are separate tracks, and you can be on both. Under the AI Act, Anthropic is a provider of a general-purpose AI model, carrying the GPAI obligations in Articles 51 to 55, which have applied since 2 August 2025. You are the deployer, with your own obligations.
Following the May 2026 Omnibus, the AI Act's high-risk obligations under Annex III apply from 2 December 2027, while the Article 50 transparency duties apply from 2 August 2026. Clearing your GDPR safeguards does not clear your AI Act duties, and the reverse holds too.
Certifications you can point to
When due diligence asks what backs the provider's claims, Anthropic holds SOC 2 Type I and Type II, ISO 27001:2022, and ISO/IEC 42001:2023 (the AI management-system standard), and offers a HIPAA Business Associate Agreement for qualifying healthcare use. Its sub-processors are AWS as the primary, with Google Cloud and, since 7 January 2026, Microsoft Azure. Name the sub-processors in your records, because that is where the data flows.
Quick compliance checklist
Before you put the Claude API into production with personal data:
- On the commercial API, not the consumer app, for business data
- Commercial Terms accepted, so the DPA is in place
- Retention set to the minimum you can justify; ZDR requested if the data is sensitive
- Data minimisation built into the prompt (strip unnecessary PII)
- DPIA completed and documented
- Privacy notice updated to name Anthropic as a processor
- Lawful basis identified (legitimate interest or contract)
- Transfer mechanism recorded (DPF, UK IDTA, SCCs)
- Copilot routing checked if you rely on the EU Data Boundary
- Sub-processors listed in your records
- Deletion process in place on your side
The bottom line
The Claude API gives you a head start on a few of the things that usually take effort to lock down: no training on API data, the DPA already inside the Commercial Terms, and a seven-day retention default. The rest is the standard controller work, and it is the part regulators check. Configure the provider, then do your own minimisation, DPIA, notice, and transfer record.
When these systems fail in production, the consequences become public and someone carries the liability. The AI Agent Incident Register analyses real agent failures for exactly that, including a company bound by its chatbot's invented policy.
Michael K. Onyekwere is a CIPP/E certified data protection professional and the founder of Janus Compliance. For a real answer on your provider setup, transfers, DPIA, and retention, start with a £500 scoping review. If you also need the build done, see the AI Chatbot and Compliance Package.
Current as at 18 June 2026. This is educational, not legal advice. Provider terms change; verify Anthropic's current DPA, retention, and certifications before you rely on them. See also: ChatGPT API and GDPR, the GDPR-compliant ChatGPT API setup guide, AI vendor due diligence.
Frequently Asked Questions
Is the Claude API GDPR compliant?
Yes, with the right configuration. The commercial Claude API can be run in a GDPR-compliant way: Anthropic's Data Processing Agreement is built into its Commercial Terms, API inputs and outputs are not used for model training, the default retention is seven days, and zero data retention is available to qualifying enterprise customers. The consumer app at claude.ai (Free, Pro, Max) is a separate product with no DPA, so business personal data belongs on the API, not the consumer chat.
Does Anthropic train its models on Claude API data?
No. For commercial products (the API, Team, and Enterprise), Anthropic states that API inputs and outputs are never used for model training, and this is a contractual position rather than an opt-out you have to find. It is the default. The consumer claude.ai product is governed separately: its training default flipped to opt-in on 8 October 2025, with retention of up to five years where a user turns it on. Keep business personal data on the API and the training question does not arise.
Do I need to sign a Data Processing Agreement with Anthropic?
If you process personal data of EU or UK individuals through the API, Article 28 GDPR requires a written processor contract, which is the DPA. Anthropic's DPA is incorporated into its Commercial Terms of Service, so accepting the Commercial Terms also accepts the DPA, with no separate signature needed for standard deployments. The current version applies from 1 January 2026. Free and Pro plans do not include a DPA. The agreement is governed by Irish law and carries Standard Contractual Clauses, the UK International Data Transfer Addendum, and a Swiss addendum for transfers.
How long does Anthropic retain Claude API data?
The published default is seven days for trust-and-safety abuse monitoring, reduced from thirty days on 14 September 2025. A thirty-day retention option is available via a DPA opt-in if you need it. Zero data retention is available to qualifying enterprise customers, where inputs and outputs are not stored beyond what abuse screening requires. For data minimisation purposes, the shorter the retention you can operate on, the easier the GDPR story.
Claude API or ChatGPT API for GDPR compliance?
Both can be made GDPR compliant once configured. Anthropic does not use commercial API data for training by default, so there is no training opt-out to remember, and its DPA uses Irish governing law with SCCs, which some privacy teams prefer. OpenAI reaches the same compliant position once you opt out of training use, sign the DPA, and set retention. Choose on technical fit, then configure and document either one properly. We compare both in the ChatGPT API guide.