The short version: yes, you can run Google's Gemini on personal data and stay GDPR compliant, but only on the right path, and Gemini has two paths that are easy to confuse. With OpenAI and Anthropic the question is mostly about configuration. With Gemini, the first and biggest question is which product you are actually using, because the two front doors have very different data terms.
This is the companion to our guides on the ChatGPT / OpenAI API and the Claude API, written the same way: what is handled for you, and what you have to configure and document yourself.
The two Geminis, and why it decides everything
Google offers Gemini through more than one product, and for compliance the split that matters is this.
Google AI Studio (the free Gemini API tier). This is the fast way in for developers: a free key, quick prototyping. The cost is in the terms. Google's terms state that content submitted on the free tier is used to improve its products and services, including for machine learning, and that human reviewers may read and annotate inputs and outputs. For business personal data that is a non-starter. Treat the free AI Studio tier as you would the consumer chatbot: use it for testing with non-personal data only. It has no place in production processing of someone's personal information.
The paid Gemini API and Vertex AI. On the paid Gemini API, and on Vertex AI (Google Cloud's enterprise AI platform), Google commits not to train on your prompts and responses. Vertex AI is the enterprise path and carries the full contractual and technical controls: the Google Cloud Data Processing Addendum, region selection, EU data residency, retention controls, and regional endpoints in Europe.
So before anything else, confirm which Gemini your integration uses. A key from AI Studio and a Vertex AI deployment can look similar in code and could not be more different in law.
What the paid path gets right
On the compliant path, two of the things you usually have to chase are in good shape.
Training. On the paid Gemini API and Vertex AI, Google does not use your prompts and responses to train its models. On the paid path there is no per-request setting to police.
Residency. Vertex AI offers European regions through regional endpoints (europe-west1, europe-west4 and others). The thing to know up front: the default global endpoint can route a request to the US, so EU residency is something you set per call by addressing a European endpoint; the global default will not do it for you. Once you pin the region, it keeps UK and EU data where you need it.
Neither removes your own duties as the controller; on the right path, they simply lower the starting difficulty.
Step 1: The Data Processing Agreement
Under Article 28 GDPR, using a third party to process personal data on your behalf needs a written contract, and a regulator asks for it first.
For Vertex AI and Google Cloud, that contract is the Google Cloud Data Processing Addendum, auto-incorporated into your Google Cloud terms and published without a sales call. It incorporates the Standard Contractual Clauses and the UK International Data Transfer Addendum for international transfers, and it sets out Google's processor obligations: security, sub-processors, assistance with data subject rights and breaches, deletion, and audit. Here are the eight DPA clauses to check against it, and CompanyScope's Google Gemini vendor profile sets the same terms out alongside OpenAI and Anthropic.
One distinction that matters in practice: the robust Article 28 contract comes through the Vertex AI and Google Cloud path. The standalone Gemini API billed through Google AI Studio runs under the lighter Google APIs Terms of Service, which is not the full Cloud DPA, and the free AI Studio tier has neither that contract nor an Article 28 processor agreement for your data. Linking a billing account stops the training. The contract, the SCCs, and the residency controls you want for personal data live on Vertex AI, so that is the path to use.
Step 2: Set residency and retention
On Vertex AI, address a European regional endpoint (for example europe-west1 or europe-west4) so inference and the associated data stay in Europe. This is the step people miss: the default global endpoint can route your request to the US. You set EU residency on each call by choosing a European endpoint, and the project default does not guarantee it. Confirm it in your own integration before launch.
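A small pre-launch check for the two points above (which Gemini product the integration actually calls, and whether a Vertex AI request is pinned to an EU region), added here as an example and not taken from the article or from Google's SDKs; the hostnames it recognises and the EU allowlist are assumptions stated in the comments:

```python
import re
from urllib.parse import urlparse

# Assumptions for this added example (not stated in the article): the Gemini API
# reached through AI Studio is served from generativelanguage.googleapis.com,
# Vertex AI's global endpoint is aiplatform.googleapis.com, and a regional
# endpoint is <location>-aiplatform.googleapis.com. The EU allowlist holds only
# the two regions the article names; extend it for your project.
AI_STUDIO_HOST = "generativelanguage.googleapis.com"
VERTEX_GLOBAL_HOST = "aiplatform.googleapis.com"
VERTEX_HOST_RE = re.compile(r"^(?P<location>[a-z0-9-]+)-aiplatform\.googleapis\.com$")
EU_LOCATIONS = frozenset({"europe-west1", "europe-west4"})

def approved_location(location: str) -> bool:
    """True only for a pinned EU region; 'global' and non-EU regions fail."""
    return location in EU_LOCATIONS

def vertex_endpoint(location: str) -> str:
    """Build the regional Vertex AI host to hand to your client as its endpoint.

    Raising here means a bad location can never silently fall back to the
    default global endpoint, which may route the request to the US.
    """
    if not approved_location(location):
        raise ValueError(f"{location!r} is not an approved EU Vertex AI region")
    return f"{location}-aiplatform.googleapis.com"

def classify_endpoint(url: str) -> str:
    """Say which Gemini front door a configured base URL actually points at.

    ai-studio    -> Gemini API via AI Studio (free or paid Gemini API terms)
    vertex-eu    -> Vertex AI regional endpoint in an approved EU region
    vertex-other -> Vertex AI global endpoint or a non-EU region
    unknown      -> not a Gemini endpoint this check recognises
    """
    host = (urlparse(url).hostname or "").lower()
    if host == AI_STUDIO_HOST:
        return "ai-studio"
    if host == VERTEX_GLOBAL_HOST:
        return "vertex-other"
    match = VERTEX_HOST_RE.match(host)
    if match and approved_location(match.group("location")):
        return "vertex-eu"
    return "vertex-other" if match else "unknown"

def launch_gate(url: str) -> bool:
    """Pre-launch check: personal data goes only to a pinned EU Vertex AI host."""
    return classify_endpoint(url) == "vertex-eu"
```

Run launch_gate against the base URL your deployed configuration actually resolves to, not the one in the design document, and keep the result with the DPIA.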
On retention, Vertex AI offers Zero Data Retention (ZDR): with it enabled, prompts and responses are not retained beyond the immediate request, configurable per project and model. Without it, expect limited logging for safety, abuse detection, and legal compliance. Match the retention to what you can justify, turn on ZDR where the workload allows, and record the choice.
Step 3: Minimise what you send
The controller duty bites here, and it bites the same on every provider. Sending an entire customer record when the model needs a fragment is a data minimisation failure regardless of how good the platform's terms are.
Strip names, emails, account numbers, and anything identifying that the model does not need to answer. Build minimisation into how you construct the prompt. Where you genuinely must send personal data, record why in the DPIA.
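One way to build the minimisation into prompt construction, added as an example and not from the article: identifying fields of the customer record are replaced by exact match, the free text is then swept with patterns, and only a count of what was removed is kept for the DPIA. The field names, patterns, plan attribute and sample record are constructed for the example.

```python
import re
from typing import Dict, Tuple

# Identifier patterns for free text. Constructed for this added example; tune
# them to the formats your own customer records actually use.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ACCOUNT_NUMBER": re.compile(r"\b\d{8,12}\b"),
    "PHONE": re.compile(r"\+?\d[\d\s()-]{8,}\d"),
}

# Record fields the model does not need for the task (here: summarising a
# complaint). Their exact values are replaced before any pattern matching.
IDENTIFYING_FIELDS = ("name", "email", "account_number", "phone")

def minimise(record: Dict[str, str], free_text: str) -> Tuple[str, Dict[str, int]]:
    """Strip identifiers from text before it goes into a prompt.

    Known field values from the record are replaced first (exact match, so a
    known name is caught without NER), then the patterns catch identifiers
    typed into free text. Returns the sanitised text and a count of removals
    by type for the DPIA record; the removed values themselves are never
    returned or logged.
    """
    removed: Dict[str, int] = {}
    text = free_text
    for field in IDENTIFYING_FIELDS:
        value = record.get(field)
        if value and value in text:
            label = field.upper()
            removed[label] = removed.get(label, 0) + text.count(value)
            text = text.replace(value, f"[{label}]")
    for label, pattern in PATTERNS.items():
        text, count = pattern.subn(f"[{label}]", text)
        if count:
            removed[label] = removed.get(label, 0) + count
    return text, removed

def build_prompt(record: Dict[str, str], complaint: str) -> Tuple[str, Dict[str, int]]:
    """Compose the prompt from only what the task needs: the sanitised complaint
    and one non-identifying attribute (the plan tier), never the whole record."""
    body, removed = minimise(record, complaint)
    prompt = (
        f"Customer plan: {record.get('plan', 'unknown')}\n"
        f"Summarise this complaint in one sentence:\n{body}"
    )
    return prompt, removed
```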
Step 4: Write the DPIA
A Data Protection Impact Assessment proves you assessed the risk before going live. For a Gemini integration it should cover: what personal data flows through the API and which Gemini product handles it; the lawful basis (usually legitimate interest or contract); the risks (a breach at Google, retention, the international transfer, inaccurate output) and the safeguards against each; and an automated-decision check. If an output drives a significant decision about a person by solely automated means, the UK GDPR Article 22A to 22D safeguards apply, set out in our reference on automated decisions under Article 22A to 22D. Our step-by-step DPIA guide for AI systems covers the structure.
Step 5: Update your privacy notice
Tell people you use an AI processor, in plain language: what the AI does, that the provider is Google, where the data is processed (relevant for transfers), how long it is kept, and their rights. If the AI runs in a chatbot, flag it at the start of the conversation too.
Step 6: International transfers
Google is a US company, so processing EU or UK personal data through Gemini is an international transfer. The mechanisms: Google is certified under the EU-US Data Privacy Framework, the Standard Contractual Clauses sit in the Cloud DPA, and the UK Addendum covers UK transfers. Record the transfer in your records of processing activities. The EU-residency option on Vertex AI reduces the exposure by keeping eligible processing in Europe in the first place.
Where the EU AI Act lands
Data protection and the AI Act are separate tracks. Under the AI Act, Google is a provider of a general-purpose AI model (Gemini), carrying the GPAI obligations in Articles 51 to 55, which have applied since 2 August 2025. You are the deployer, with your own obligations. Following the May 2026 Omnibus, the AI Act's high-risk obligations under Annex III apply from 2 December 2027, while the Article 50 transparency duties apply from 2 August 2026. Clearing your GDPR safeguards does not clear your AI Act duties.
Quick compliance checklist
Before you put Gemini into production with personal data:
- Business personal data on the paid path only (paid Gemini API or Vertex AI), never the free AI Studio tier
- Vertex AI chosen where you need the DPA, residency, and retention controls
- Cloud Data Processing Addendum accepted through your Google Cloud terms
- EU region pinned per request on Vertex AI (e.g. europe-west1); the default global endpoint can route to the US
- Zero Data Retention (ZDR) enabled on Vertex AI where the workload allows; retention otherwise set to the minimum you can justify
- Data minimisation built into the prompt
- DPIA completed and filed; automated-decision check done
- Privacy notice updated to name Google as a processor
- Transfer mechanism recorded (DPF, SCCs, UK Addendum)
- Confirm which Gemini product the integration actually calls, in writing, before launch
The bottom line
Gemini can be run in a GDPR-compliant way, but the first decision matters more than with the other providers. The free Google AI Studio tier trains on your data and humans may read it, so it stays out of production for personal data. The paid Gemini API and Vertex AI do not train on your data, and Vertex AI gives you the contract, the EU residency, and the retention controls that make the rest of the work straightforward. Confirm which Gemini you are on first, then do your own minimisation, DPIA, notice, and transfer record.
Michael K. Onyekwere is a CIPP/E certified data protection professional and the founder of Janus Compliance. For a real answer on your provider setup, transfers, DPIA, and retention, start with a £500 scoping review.
Current as at 23 June 2026. This is educational, not legal advice. Provider terms change; verify Google's current data-processing terms, the tier you use, and its certifications before you rely on them. See also: ChatGPT / OpenAI API and GDPR, Is the Claude API GDPR compliant?, AI vendor due diligence.
Frequently Asked Questions
Is the Gemini API GDPR compliant?
It can be, on the paid path. The whole answer turns on which Gemini you use. The free Google AI Studio tier uses your prompts and responses to improve Google's products, including machine learning, and human reviewers may read them, so it is not the path for business personal data. The paid Gemini API and Vertex AI do not train on your data. Vertex AI adds the Google Cloud Data Processing Addendum, EU data residency, and retention controls, which makes it the straightforwardly GDPR-configurable option.
Does Google train on Gemini API data?
On the free Google AI Studio tier, yes: Google's terms state that content is used to improve its products and services, including for machine learning, and that reviewers may annotate inputs and outputs. On the paid Gemini API and on Vertex AI, no: Google commits not to train on customer prompts and responses. The tier you are on is the difference, so confirm which one your integration actually uses before you send any personal data.
AI Studio or Vertex AI for GDPR work?
Vertex AI. It is the enterprise path and gives the strongest posture: the Google Cloud Data Processing Addendum, region selection so data can be processed in the EU, EU-only inference for eligible workloads, retention controls, and the broadest contractual protections. For EU or UK personal data, use Vertex AI (or at least the paid Gemini API), not the free AI Studio tier.
Do I need a DPA with Google for Gemini?
If you process EU or UK personal data, Article 28 requires a written processor contract. For Vertex AI and Google Cloud that is the Google Cloud Data Processing Addendum, which incorporates the Standard Contractual Clauses and the UK Addendum for international transfers and is accepted through your Google Cloud terms. The free AI Studio tier is not covered by the Cloud DPA, which is another reason business personal data does not belong there.
Can I keep Gemini data in the EU?
On Vertex AI, yes, with one catch worth knowing. You pin EU residency by addressing a European regional endpoint (such as europe-west1 or europe-west4) on the request; the default global endpoint can route to the US, so you set EU residency on each call by choosing a European endpoint. The free AI Studio tier processes data on Google's global infrastructure without that control. The reliable way to guarantee EU processing is the Vertex AI path with a European region pinned.