Is Gemini GDPR Compliant? Complete Guide for 2026

In September 2025, France's data protection authority CNIL fined Google LLC €200 million and Google Ireland Limited €125 million, €325 million in total, in a single decision. The authority found that Google had inserted advertisements disguised as emails into Gmail inboxes without valid consent, and that it had placed advertising cookies during account creation without first obtaining valid consent.

These weren't edge cases or technical violations. CNIL found that Google's consent interface failed to clearly explain third-party data collection and didn't provide a simple way to refuse cookies. Users' consent was deemed invalid because they weren't properly informed about what they were agreeing to.

This pattern of enforcement matters for anyone using Gemini with personal data. The same company facing hundreds of millions in GDPR fines is the company handling your conversations, uploaded documents, and the personal information they contain.

The short version: If you need to redact sensitive documents before they reach AI systems, PaperVeil handles that layer. The rest of this article explains where it fits in the broader governance architecture.

The Direct Answer: It Depends on Which Gemini

Is Gemini GDPR compliant? The answer splits cleanly based on which version you're using.

Consumer Gemini (free and paid personal accounts): Not compliant for processing EU personal data. Your conversations may be used for model training by default. Human reviewers can read your chats. Data retention extends up to 18 months, and some data persists even after you delete it.

Enterprise Gemini (Google Workspace, Vertex AI): Can be configured for GDPR compliance. Google acts as a data processor with contractual obligations. Data isn't used for training. Regional data residency options exist for EU processing.

The distinction matters because GDPR doesn't just regulate where data goes. It regulates how data is processed, who can access it, and whether individuals maintain control. Consumer Gemini fails on multiple counts. Enterprise Gemini provides the controls that compliance requires.

What GDPR Actually Requires

Understanding why consumer Gemini fails requires knowing what GDPR demands.

Lawful Basis for Processing

GDPR requires a lawful basis for every processing operation. The six bases are consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. For AI processing of personal data, organizations typically rely on consent or legitimate interests.

Consent under GDPR must be freely given, specific, informed, and unambiguous. It requires a clear affirmative action. Pre-checked boxes don't count. Bundled consent doesn't count. And consent must be as easy to withdraw as it was to give.

Data Minimization

Article 5(1)(c) requires that personal data be "adequate, relevant and limited to what is necessary." You can't collect everything just because it might be useful. This principle directly conflicts with AI training, where more data generally produces better models.

Purpose Limitation

Data collected for one purpose cannot be processed for incompatible purposes without additional consent. If someone submits a support ticket, using that conversation to train an AI model is a different purpose than resolving their issue.

Right to Erasure

Article 17 establishes the "right to be forgotten." When individuals request deletion, organizations must erase their personal data without undue delay. This becomes complicated when data has been incorporated into model training.

Data Subject Rights

GDPR grants individuals the right to access their data, correct inaccuracies, restrict processing, object to processing, and receive their data in portable formats. Any system processing EU personal data must accommodate these rights.

Cross-Border Transfer Protections

Transferring personal data outside the EU requires adequate safeguards: an adequacy decision from the European Commission, Standard Contractual Clauses, or Binding Corporate Rules. The Schrems II ruling invalidated the Privacy Shield framework in 2020; its successor, the EU-US Data Privacy Framework adopted in 2023, has already faced court challenges, so EU-US transfers remain a point of regulatory scrutiny.

Where Consumer Gemini Falls Short

Consumer Gemini creates GDPR problems across multiple dimensions.

Training Data Usage

Google's default setting uses your Gemini conversations to train future models. When you paste a document containing customer names, addresses, or other personal data, that information potentially becomes training material. The individual whose data you uploaded never consented to this use.

You can disable this through Gemini Apps Activity settings, but the default is on. And the toggle doesn't affect processing that's already occurred or data that human reviewers have already accessed.

Human Review Without Consent

Google explicitly states that human reviewers "read, annotate, and process" Gemini conversations. This includes chats, uploaded files, images, and screen content from connected apps. The privacy hub warns users not to "enter confidential information they wouldn't want a reviewer to see."

This human review happens regardless of your activity settings. Google uses reviewed conversations to improve safety and train models. Data reviewed by humans isn't deleted when you delete your Gemini activity. Instead, it's retained for up to three years in a separate data store.

For GDPR purposes, human review of personal data requires its own lawful basis. The individuals whose data appears in your conversations never consented to Google employees reading their information.

Data Retention Complexity

Gemini Apps Activity stores conversations for 18 months by default. You can adjust this to 3 or 36 months, but even with activity turned off, Google keeps conversations for up to 72 hours. Human-reviewed conversations stay for three years regardless of your settings.

This creates problems for GDPR's erasure requirements. If someone exercises their right to be forgotten and you've already uploaded their data to Gemini, you can't fully delete it. Some portion may persist in Google's review archives or derivative training data.

July 2025 Access Expansion

Google announced that starting July 2025, Gemini would access Phone, Messages, WhatsApp, and other applications "whether your Gemini Apps Activity is on or off." This expansion happened automatically across Android devices without explicit opt-in consent.

European privacy advocates questioned whether this approach satisfies GDPR's standards for informed and freely given consent. An October 2025 lawsuit alleged Google enabled Gemini by default across Gmail, Google Chat, and Meet despite marketing it as an opt-in feature.

Cross-Border Data Flows

Consumer Gemini conversations route through Google's global infrastructure. While Google Ireland Limited serves EEA users, data may still process through US systems. The adequacy of transfer safeguards has been repeatedly challenged since Schrems II.

How Enterprise Gemini Differs

Enterprise deployments through Google Workspace or Vertex AI operate under different terms.

Contractual Protections

Gemini in Google Workspace is a "core" service covered by Google's Workspace Data Processing Addendum; Vertex AI is covered by the Google Cloud Data Processing Addendum. In both cases Google acts as a data processor operating under your instructions, with contractual obligations that align with GDPR requirements. The DPA includes Standard Contractual Clauses for international transfers.

No Training Usage

For paid enterprise versions, Google contractually commits not to use customer data to train AI models for the general public. Prompts, uploaded files, and responses stay within your organizational boundary. This addresses the purpose limitation problem that plagues consumer versions.

Limited Retention

Enterprise and education users benefit from different retention rules. Activity is saved for up to 72 hours for security and service purposes, then automatically deleted. Human review is turned off by default for enterprise contexts.

Regional Data Residency

Enterprise customers can specify regional data centers for processing, which addresses cross-border transfer concerns by keeping EU data within EU infrastructure. Check Google's current documentation for exactly which Gemini features and which stages of processing (data at rest versus data in use) a residency commitment covers, and record that scope in your compliance file.

Compliance Certifications

Gemini achieved ISO 42001 certification in May 2025, specifically for AI management and governance. It also holds ISO 27001/27017/27018 for information security, ISO 27701 for privacy management, HITRUST, SOC 2, and PCI-DSS v4.0. Enterprise deployments inherit these certifications, but they attest to Google's controls over its side of the service; they say nothing about how your organization configures access or what data your users submit.

The Workaround: Using Gemini While Maintaining Compliance

If you need Gemini's capabilities with EU personal data, several approaches can maintain compliance.

Option 1: Enterprise Deployment

The most straightforward path is using Gemini through Google Workspace Enterprise or Vertex AI with appropriate contractual terms. This requires enterprise licensing costs and proper configuration, but it provides the legal framework GDPR demands.

Ensure your DPA with Google includes appropriate Standard Contractual Clauses. Configure regional data residency for EU processing. Verify that training exclusions apply to your specific use cases.

Option 2: Remove Personal Data Before Processing

The alternative approach removes most of the GDPR problem at its source. If Gemini never receives personal data, Google is not processing personal data on your behalf in that interaction. Two caveats apply. The redaction step is itself processing, carried out under your own controllership. And if you keep a mapping from placeholders back to the originals, the redacted text is pseudonymised rather than anonymised for anyone holding that mapping (Recital 26), so the mapping must be protected as personal data.

This means redacting documents before upload:

Original document:

"Customer complaint from Marie Dupont ([email protected]) regarding order #12345 shipped to 15 Rue de la Paix, 75002 Paris. Credit card ending 4521 was charged €299.99 on 15 January 2026."

After redaction:

"Customer complaint from [NAME] ([EMAIL]) regarding order [ORDER_ID] shipped to [ADDRESS]. Credit card ending [CARD] was charged [AMOUNT] on [DATE]."

Gemini processes the redacted version. You get AI assistance with analysis, drafting, or summarization. The personal data never leaves your environment.

This approach works regardless of which Gemini tier you use and regardless of Google's privacy policy changes. It reduces the GDPR exposure at its source rather than managing it through contracts and configurations, but only to the extent the redaction itself is reliable: anything the detector misses reaches Google exactly as it would without redaction.

Option 3: Data Protection Impact Assessment

If you must process personal data through consumer Gemini, GDPR may require a Data Protection Impact Assessment. Article 35 mandates DPIAs for processing that's "likely to result in a high risk" to individuals' rights.

A DPIA would need to address:

  • What personal data enters the system
  • The lawful basis for this processing
  • How data subject rights will be honored
  • Technical and organizational security measures
  • The risks to individuals and how they're mitigated

Realistically, a thorough DPIA would likely conclude that consumer Gemini isn't appropriate for EU personal data given the training usage, human review, and retention practices.

Implementation Steps for Compliant Gemini Use

For Enterprise Deployment

  1. Review contractual terms. Ensure your Google agreement includes the Data Processing Addendum with appropriate Standard Contractual Clauses. Verify that Gemini is covered under your existing Workspace agreement.

  2. Configure regional settings. Enable EU data residency if available for your deployment. Document the configuration for compliance records.

  3. Disable unnecessary features. Turn off any features that expand data access beyond what's necessary for your use case.

  4. Train your staff. Employees need to understand what data can appropriately enter the system even with enterprise protections. Not all personal data processing is covered by legitimate business purposes.

  5. Document your DPIA. Even with enterprise protections, processing personal data through AI likely requires an impact assessment documenting your compliance rationale.

For Redaction-First Workflows

  1. Identify sensitive data patterns. Beyond obvious PII like names and emails, consider what constitutes personal data in your context. Order numbers, case references, and project codes may all link to individuals.

  2. Implement detection automation. Manual redaction doesn't scale. Use tools that automatically detect and flag personal data before documents reach Gemini.

  3. Establish consistent replacement. Replace personal data with category placeholders that preserve document structure. Gemini can still analyze "[CUSTOMER_NAME] complained about [PRODUCT]" effectively.

  4. Create audit trails. Document what was redacted from each document. This proves compliance if questions arise and enables reconstruction of original meaning when needed.

  5. Review before submission. Even with automation, human review catches edge cases. Brief review of redacted documents before AI submission prevents accidental exposure.
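The redaction shown earlier and the five steps just listed, turned into working code. This is an added example, not code from the article or from any product it names. It assigns one placeholder per distinct value so repeated mentions stay linked (the article's placeholders are not numbered, so this goes slightly beyond it), runs a Luhn check on long digit runs so invoice or reference numbers are not mistaken for card numbers, records an audit trail, and can restore the original from that trail. Names come from a caller-supplied list because regular expressions cannot find arbitrary names reliably. The patterns, the `known_names` list and the sample complaint are all constructed for this example and are illustrative heuristics, not a complete PII detector.

```python
"""Redact personal data from text before it is sent to an AI assistant.

Added example, not part of the article or of any product it names. The
patterns are illustrative heuristics (assumptions), not a complete PII
detector; the sample text is constructed for this example.
"""
import re
from dataclasses import dataclass, field

MONTHS = ("January|February|March|April|May|June|July|August|"
          "September|October|November|December")

# (category, pattern) pairs. Earlier entries win when two matches start at
# the same offset with the same length; other overlaps are resolved in redact().
PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    # Street address followed by a 5-digit postcode and a city name.
    ("ADDRESS", re.compile(
        r"\b\d{1,4}\s+(?:Rue|Avenue|Boulevard|Place|Street|Road|Lane)\b"
        r"[^,\n]*,\s*\d{5}\s+[A-Z][\w-]+")),
    # Full 13-16 digit PAN (validated with Luhn below) or "ending 1234".
    ("CARD", re.compile(r"\b(?:\d[ -]?){12,15}\d\b|(?<=ending )\d{4}\b")),
    ("ORDER_ID", re.compile(r"#\d{4,}")),
    ("DATE", re.compile(r"\b\d{1,2}\s+(?:%s)\s+\d{4}\b|\b\d{4}-\d{2}-\d{2}\b" % MONTHS)),
    ("AMOUNT", re.compile(r"[€$£]\s?\d[\d,]*(?:\.\d{2})?")),
    ("PHONE", re.compile(r"\+\d{1,3}(?:[\s.-]?\d{1,4}){3,6}\b")),
]


@dataclass
class Redaction:
    placeholder: str
    category: str
    original: str
    start: int
    end: int


@dataclass
class RedactionResult:
    text: str
    audit: list = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps invoice/reference numbers out of the CARD category."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _candidates(text, known_names):
    cands = []
    for prio, (cat, rx) in enumerate(PATTERNS):
        for m in rx.finditer(text):
            value = m.group(0)
            if cat == "CARD":
                digits = re.sub(r"\D", "", value)
                if len(digits) >= 13 and not luhn_ok(digits):
                    continue  # long digit run that is not a valid PAN: leave it
            cands.append((m.start(), m.end(), prio, cat, value))
    # Names come from a caller-supplied list (e.g. a CRM export): regexes
    # cannot find arbitrary personal names reliably.
    for name in known_names:
        for m in re.finditer(r"(?<!\w)" + re.escape(name) + r"(?!\w)", text):
            cands.append((m.start(), m.end(), -1, "NAME", m.group(0)))
    return cands


def redact(text: str, known_names=()) -> RedactionResult:
    cands = _candidates(text, known_names)
    # Earliest start first; on a tie prefer the longest match, then priority.
    cands.sort(key=lambda c: (c[0], -c[1], c[2]))
    tokens, counters, out, audit, pos = {}, {}, [], [], 0
    for start, end, _prio, cat, value in cands:
        if start < pos:          # overlaps a match already accepted
            continue
        key = (cat, value)
        if key not in tokens:    # same value -> same placeholder every time
            counters[cat] = counters.get(cat, 0) + 1
            tokens[key] = "[%s_%d]" % (cat, counters[cat])
        out.append(text[pos:start])
        out.append(tokens[key])
        audit.append(Redaction(tokens[key], cat, value, start, end))
        pos = end
    out.append(text[pos:])
    return RedactionResult("".join(out), audit)


def restore(redacted_text: str, audit) -> str:
    """Reverse the redaction. The audit list is itself personal data: protect it."""
    mapping = {r.placeholder: r.original for r in audit}
    return re.sub(r"\[[A-Z_]+_\d+\]",
                  lambda m: mapping.get(m.group(0), m.group(0)), redacted_text)


# Constructed sample mirroring the article's complaint; not real data.
SAMPLE = (
    "Customer complaint from Marie Dupont (marie.dupont@example.com) regarding "
    "order #12345 shipped to 15 Rue de la Paix, 75002 Paris. Credit card ending "
    "4521 was charged €299.99 on 15 January 2026. Marie Dupont asked for a call "
    "back on +33 1 23 45 67 89."
)

if __name__ == "__main__":
    result = redact(SAMPLE, known_names=["Marie Dupont"])
    print(result.text)
    for r in result.audit:        # audit trail: store it, never send it to the AI
        print(r.placeholder, r.category, repr(r.original))
    assert restore(result.text, result.audit) == SAMPLE
```

Only `result.text` goes to the assistant; the audit list stays in your environment, because with it the placeholders are reversible and the text is merely pseudonymised. The Luhn filter is the kind of edge-case handling step 1 asks for: a 16-digit shipment reference passes through untouched, while a genuine card number is replaced.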

Alternatives to Consider

If enterprise Gemini pricing exceeds your budget and redaction workflows seem excessive, consider alternatives.

Microsoft Copilot with Microsoft 365 enterprise agreements provides similar AI capabilities with Microsoft's Data Processing Addendum. EU data residency options exist. The compliance profile is comparable to Google's enterprise tier.

Anthropic Claude offers API access with Zero Data Retention options and enterprise agreements that exclude training usage. The API approach requires more technical implementation but provides strong contractual protections.

Self-hosted open source models eliminate third-party data transmission entirely. Models like Llama run on your infrastructure, processing data locally. Capability may be lower than frontier models, and you still need a lawful basis and security controls for your own processing, but the processor, training-use, and cross-border transfer problems disappear.

Each alternative involves trade-offs between capability, cost, and compliance burden. There's no free solution that provides frontier AI capabilities with complete GDPR alignment.

The Enforcement Reality

CNIL's €200 million fine against Google demonstrates that enforcement is real and substantial. The €5.88 billion in cumulative GDPR fines by January 2025 shows regulators aren't hesitant to act.

The violations that trigger fines often involve exactly the issues Gemini raises: inadequate consent, unclear processing purposes, insufficient user control. Organizations that process EU personal data through consumer Gemini are betting that regulators won't investigate their specific use.

That's a bet with known odds. Enforcement depends on complaints, supervisory authority resources, and the visibility of your organization. A small business using Gemini for occasional document analysis faces different practical risk than a large enterprise processing thousands of customer records daily.

But GDPR doesn't create exceptions based on organization size. The €200 million fine proves regulators will pursue significant penalties when they find violations. The question is whether your use case attracts attention.

The Bottom Line

Consumer Gemini isn't GDPR compliant for processing EU personal data. The training usage, human review, retention practices, and consent mechanisms fail to meet GDPR's requirements. Using it with personal data creates legal exposure.

Enterprise Gemini can be configured for GDPR compliance through appropriate contractual terms, regional data residency, and training exclusions. This requires enterprise licensing and careful configuration.

The most reliable approach shrinks the problem to one you control: strip personal data from documents before they reach any AI system. This works regardless of which AI you use and regardless of their privacy policy changes, provided the redaction itself is reliable and any mapping back to the originals is protected.

The productivity benefits of AI are real. The compliance risks are equally real. The organizations that succeed will be those that find ways to capture the benefits while managing the risks systematically.


PaperVeil removes personal data from documents before they reach AI systems. Automatic detection, immediate redaction, audit trail generation. The compliance layer that makes AI document processing actually safe for GDPR-regulated data.