GDPR and AI Act Compliance. Practical, operational legal support

Does your business process personal data relating to individuals in the EU, develop or use AI systems, or operate on the European market? These regulatory obligations can apply regardless of where your business is established.

I advise tech companies and SMEs on identifying their actual obligations and implementing compliance in a practical, business-oriented way, in English, French, and Spanish, with an operational approach shaped by 15 years of international in-house practice.

EU Digital Compliance

Regulations covered

GDPR. General Data Protection Regulation, Regulation (EU) 2016/679

Applies to any business processing personal data relating to individuals in the EU when the processing falls within the Regulation's territorial scope (Article 3), regardless of where the business is established: businesses established in the EU, and businesses outside the EU that offer goods or services to individuals in the EU or monitor their behaviour there. Support covers data processing audits, documentation, processor arrangements, international transfers, management of data subject rights, and incident response.

AI Act. EU Artificial Intelligence Act, Regulation (EU) 2024/1689

The AI Act entered into force on 1 August 2024 and applies in stages: the prohibitions on certain AI practices from 2 February 2025, the obligations for general-purpose AI models from 2 August 2025, most remaining obligations from 2 August 2026, and the rules for high-risk AI systems that are components of products covered by the EU harmonisation legislation listed in Annex I from 2 August 2027. Obligations depend on your role (provider, deployer, importer, distributor), the systems concerned, and their risk classification. Support covers identification and mapping of relevant AI systems, technical documentation, conformity assessment support where required, internal AI use policies, client-facing FAQs on AI use, and internal AI governance.

DSA and DMA. Digital Services Act, Regulation (EU) 2022/2065, and Digital Markets Act, Regulation (EU) 2022/1925

Obligations for online platforms and digital intermediaries operating in the EU, including content moderation, transparency, and platform governance under the DSA, and obligations for designated gatekeepers under the DMA. Applicability analysis and practical compliance support based on your business model.

Data Act. Regulation (EU) 2023/2854

New rules on access to and use of data generated by connected products and related services. Contractual and organisational implications for businesses handling large volumes of industrial or product-generated data, including data portability and cloud switching. Applicable since 12 September 2025.

How PSL Avocat helps

Audit and gap analysis

• Mapping personal data processing activities and identifying GDPR gaps.

• AI Act applicability analysis, including classification of relevant AI systems and corresponding obligations.

• Review of existing processor and transfer agreements, including DPAs and SCCs.

Documentation and implementation

• Records of processing activities, privacy policies, legal notices, and cookie policies.

• GDPR-compliant data processing agreements.

• AI Act technical documentation, including transparency notices and risk assessment support.

• Internal AI policy and governance framework for AI systems.

Compliance by design

• Embedding compliance into product and business processes from the outset.

• Training for sales, product, and tech teams on practical compliance obligations.

• Roll-out of internal forms and tools to manage compliance efficiently.

Incident and request handling

• Data breach response procedures, including the 72-hour deadline for notifying the supervisory authority under Article 33 GDPR and, where the breach is likely to result in a high risk to individuals, communication to the affected individuals under Article 34.

• Handling data subject requests, including access, erasure, and portability.

International experience, aligned with operational reality

Built on 15 years of in-house practice with ESA, the OECD, the ITER Organization, CMA CGM and ADP, my approach combines legal rigour with a clear understanding of business constraints. I know what it means to be on the client side, and I structure my support accordingly.

Admitted to the Paris Bar and registered with the Barcelona Bar Association, ICAB. Barcelona and Paris. English, French, Spanish.

Frequently asked questions

My company is established outside the EU but sells to European customers. Does the GDPR apply?

Yes, it can. Under Article 3(2) GDPR, the Regulation applies to a business established outside the EU when it offers goods or services to individuals in the EU, whether or not payment is required, or monitors their behaviour within the EU. Having no establishment in the EU does not take you out of scope.

How can I tell whether my AI system is covered by the AI Act?

The AI Act uses a risk-based framework. The applicable obligations depend on the role you play, the type of AI system involved, and the relevant risk category. An initial legal assessment helps identify quickly what applies in practice to your specific situation.

What is the maximum penalty under the AI Act?

Broadly speaking, Article 99 of the AI Act provides for three main tiers of administrative fines. Prohibited AI practices can lead to fines of up to EUR 35 million or 7% of total worldwide annual turnover for the preceding financial year, whichever is higher. Breaches of most other obligations, including those of providers, deployers, importers and distributors and the transparency obligations, can reach EUR 15 million or 3%. Supplying incorrect, incomplete or misleading information to notified bodies or national competent authorities can reach EUR 7.5 million or 1%. For SMEs and startups, the lower of the two amounts in each tier applies. National competent authorities, in particular market surveillance authorities, are responsible for enforcement, and the Commission has a dedicated enforcement role for the obligations of providers of general-purpose AI models.

We already have a data protection policy. Are we compliant?

Not necessarily. GDPR compliance is not limited to a policy published on your website. It also requires internal organisation, appropriate contracts with processors, a workable process for handling data subject rights, and the ability to respond to incidents effectively. A focused audit usually reveals the real gaps.

How long does a GDPR compliance project take?

For an SME or startup, a first practical layer of operational GDPR compliance can often be achieved within 4 to 8 weeks, depending on the complexity of the processing activities.

DSA and DMA. Is my company one of the platforms concerned?

The DSA applies broadly to online intermediary services and platforms offering services in the EU, including marketplaces, social media services, app stores, hosting services, and other digital intermediaries. The DMA is narrower. It targets very large digital platforms designated by the European Commission as gatekeepers. If you are not designated as a gatekeeper, the DMA does not apply directly to you, although it may still affect your access to those platforms. If your model relies on a marketplace, platform intermediation, or content distribution to EU users, a DSA assessment is usually worthwhile.

What is the Data Act, and who is affected?

The Data Act regulates access to and use of data generated by connected products and related services. It is particularly relevant for manufacturers of connected devices, providers of related digital services, and providers of data processing services such as cloud and edge services. If you make connected products, offer SaaS linked to physical equipment, or process large volumes of industrial data for clients, the Data Act is likely relevant to your business.

Assess your data and AI compliance. Reply within 24 business hours

Describe your situation using the form or contact me directly: contact@pslavocat.com · +34 672 939 146