EU & UK guide

AI data residency requirements for EU and UK security teams

What GDPR and UK GDPR actually require when AI tools move personal data across borders, what regulators have signaled, and how to verify a vendor's residency claims in the DPA. Written for security and privacy teams, in plain language.

The short answer

Neither GDPR nor UK GDPR flatly requires data to stay in the EU or the UK. Both permit international transfers, but only on a valid legal mechanism, and since the Schrems II ruling the burden of assessing and documenting those transfers sits with you, the customer. For AI tools that capture prompts and usage data, in-region storage is the cleanest position: it removes the transfer analysis instead of defending it. The practical work is verifying that a vendor's residency claim is real, contractual, and complete.

This guide walks through the transfer rules at a working level, the UK's differences from the EU regime, what regulators have signaled about AI tools, and the specific clauses to verify in vendor DPAs.

Last updated: 12 June 2026

This guide is general information for security and privacy teams, not legal advice. Confirm your obligations with qualified counsel.

The EU baseline

What GDPR actually requires about transfers

GDPR's Chapter V governs transfers of personal data outside the European Economic Area. A transfer is lawful when the destination benefits from an adequacy decision by the European Commission, or when the exporter puts appropriate safeguards in place, most commonly standard contractual clauses (SCCs), or in limited cases binding corporate rules or specific derogations.

Schrems II, the 2020 judgment of the Court of Justice of the European Union, added the part that changed vendor due diligence. The court invalidated the EU-US Privacy Shield and held that SCCs only work where the law of the destination country does not undermine them. Exporters are expected to assess the destination jurisdiction, document that assessment, and add supplementary measures, such as strong encryption with keys held in the EEA, where protections fall short. The EU-US Data Privacy Framework later restored an adequacy route for certified US companies, but it covers that single corridor and does not remove the assessment work for transfers anywhere else.

Why this lands on AI tooling: prompts and AI usage records routinely contain personal data: customer names in a draft email, an HR issue being summarised, patient details in a clinical note. When an AI tool, or the security platform monitoring it, ships that content to servers in another jurisdiction, Chapter V applies. Under the accountability principle, you need to know where the data goes and be able to demonstrate the protection, in records of processing and, for higher-risk monitoring, in a data protection impact assessment. The EU AI Act adds AI-specific obligations on top, but it does not replace any of this: data protection and transfer rules continue to apply to AI systems.

The UK position

UK GDPR nuances

After Brexit, the UK retained the GDPR as UK GDPR, sitting alongside the Data Protection Act 2018. The principles mirror the EU regime, but the machinery is separate. The UK maintains its own adequacy regulations deciding which countries UK data can flow to freely, and its own transfer tools: the International Data Transfer Agreement (IDTA), or the UK Addendum attached to the EU SCCs. The ICO expects organisations to carry out a transfer risk assessment when relying on these tools.

Data flows between the EU and the UK currently rest on the European Commission's adequacy decisions for the UK, granted in 2021 and renewed in 2025. Adequacy is periodically reviewed rather than permanent, and the UK's Data (Use and Access) Act 2025 amends parts of the UK regime, so UK teams should watch for divergence from the EU baseline over time.

The practical consequence for buyers: an AI vendor whose paperwork answers the EU question has not automatically answered the UK question. UK security teams should look for UK-specific transfer documentation, or remove the issue by selecting a vendor region inside the United Kingdom. Many UK regulated buyers, particularly in financial services and the public sector, now ask for a UK answer rather than an EU answer in security reviews.

Regulatory positions evolve. This section describes the regime at a practical level as at June 2026 and is not legal advice.

Enforcement direction

What regulators have signaled about AI tools

None of the actions below invented new law. Each applied existing data protection law to AI tools, which is exactly why transfer questions belong in your AI vendor reviews now.

Italy's Garante and ChatGPT

In 2023, Italy's data protection authority temporarily restricted ChatGPT over data protection concerns, including legal basis and transparency. It was the clearest early signal that general-purpose AI tools sit inside ordinary data protection enforcement.

EDPB coordination

The European Data Protection Board set up a taskforce to coordinate how EU authorities scrutinise ChatGPT, signalling that AI questions will be handled consistently across member states rather than left to single regulators.

CNIL's AI programme

France's CNIL published an AI action plan and has followed it with practical guidance and recommendations on applying GDPR to AI systems, including how training and deployment interact with data protection principles.

ICO guidance on AI

The UK ICO maintains guidance on AI and data protection, covering fairness, transparency, and accountability, and expects organisations to run data protection impact assessments for higher-risk AI processing.

The recursive problem

How residency interacts with AI governance tooling

Here is the part many programmes miss. To govern AI use, you deploy tooling that observes it: which tools employees use, what they paste into prompts, which files they upload. That tooling processes employee personal data and, through prompt capture, whatever sensitive content those prompts contain. Your AI governance platform is itself a processor of exactly the data you are trying to protect.

If that platform stores its records offshore, you have recreated the problem one layer up: a cross-border transfer of customer records, source code, and legal material, made by your own compliance stack. The transfer analysis, records of processing, and impact assessment all still apply, and employee monitoring data attracts particular scrutiny, including from works councils in Germany and under ICO guidance on monitoring at work in the UK.

Keeping the governance layer in-region collapses this neatly. The monitoring data lives inside the same legal boundary as the activity it documents, the DPIA gets simpler, and procurement reviews stop stalling on the tooling itself. That is why data residency has become a selection criterion for AI governance platforms, not just for the AI tools they watch.

Due diligence

What to verify in vendor DPAs

Residency claims are only as good as the contract behind them. Work through these seven checks for any AI tool or AI security platform handling EU or UK data.

1. A named storage region

The DPA should state where data is stored at rest, or list the regions you can choose from. A hosting provider name without a region is not a residency commitment.

2. Processing location, not just storage

Confirm that analysis and enrichment happen in-region too. Storage in Frankfurt with processing elsewhere still puts you in transfer territory.

3. Sub-processors with locations

Every sub-processor that touches your data, with its jurisdiction, plus the right to be notified of changes and to object. Watch for model providers and analytics services.

4. Transfer mechanisms for the residue

If anything does leave the region, the DPA should name the mechanism: an adequacy decision, EU standard contractual clauses, or the UK IDTA or Addendum, with the supporting assessment.

5. Support and admin access

Where vendor staff access data from, under what controls, and whether access is logged. Cross-border support access is a transfer that DPAs often leave vague.

6. Retention, deletion, and backups

A configurable retention period, deletion timelines at contract end, and how backups are handled. Residency promises mean little if backups replicate to another region.

7. Audit evidence and breach terms

Independent audit evidence such as a SOC 2 Type II report with the relevant systems in scope, and breach notification timelines that let you meet your own 72-hour obligations.

Where Aona fits

In-region by design, including Paris, Frankfurt, and London

Aona, the Workforce AI Security platform, runs 7 live data-residency regions: Australia (Sydney), France (Paris), the United Kingdom (London), Germany (Frankfurt), the United States (Central), Singapore, and Hong Kong. EU buyers can keep data in France or Germany, and UK buyers get an in-country UK answer. You choose your region at the start of your deployment, and prompts, file-upload content, audit logs, and policy data are processed and stored in that region on dedicated regional infrastructure.

Aona is SOC 2 Type II certified, and data retention is configurable per customer, for example 30, 90, or 180 days. The full region list, what stays in-region, and the residency FAQ are on the AI data residency page.

FAQ

Frequently asked questions

Does GDPR require personal data to stay in the EU?

No. GDPR permits transfers outside the European Economic Area when a valid mechanism applies, such as an adequacy decision for the destination country or standard contractual clauses with appropriate safeguards. What GDPR does require is that you can demonstrate the transfer is protected, which after the Schrems II ruling means assessing the destination country's laws and documenting supplementary measures where needed. In-region storage is the simplest way to avoid that analysis entirely.

Keep it in-region

Govern AI use without creating a new transfer problem

Aona keeps prompts, file uploads, and audit logs resident in the region you choose, with Paris, Frankfurt, and London live today alongside four more regions.