Anthropic API and GDPR: DPA, EU Data Residency & Compliance Guide

Short answer

The Anthropic API can be used GDPR-compliantly: sign Anthropic's DPA, API inputs are excluded from model training by default, and EU-based inference is available via Amazon Bedrock in Frankfurt — verify DPA scope, transfer mechanisms, AI Act obligations, and works council requirements before deployment.

  • Sign Anthropic's DPA before processing personal data via the API — establishes the Article 28 processor relationship and includes Standard Contractual Clauses.
  • Choose EU-based inference via Amazon Bedrock (AWS eu-central-1, Frankfurt) to keep data processing within the EU for the strongest GDPR data residency posture.
  • Confirm API data is excluded from model training by default and request zero data retention mode for the most sensitive use cases.

The Anthropic API can be used in a GDPR-compliant manner by German companies — but compliance requires deliberate setup. The API’s default policy of not training on user data removes one of the most common GDPR concerns with consumer AI tools, and Anthropic provides a Data Processing Agreement that includes Standard Contractual Clauses for EU–US transfers. However, data residency decisions, transfer documentation, AI Act obligations, and works council requirements all need to be addressed before deployment. For an overview of how Anthropic API compares with other AI platforms, see the AI tools assessed by Compound Law.

Is the Anthropic API GDPR Compliant?

Yes — when correctly configured. The Anthropic API can satisfy GDPR requirements under Regulation (EU) 2016/679 if three conditions are met:

  1. Anthropic’s Data Processing Agreement (DPA) is signed. This establishes Anthropic as an Article 28 processor and governs how your data is handled, including security obligations, subprocessor disclosure, and breach notification.
  2. A valid data transfer mechanism is in place. The DPA includes Standard Contractual Clauses (SCCs) covering EU–US data transfers under GDPR Chapter V. For companies requiring data to remain within the EU, deploying Claude via Amazon Bedrock with the Frankfurt region (AWS eu-central-1) eliminates the cross-border transfer entirely.
  3. Your organisation has a documented legal basis. Typically Article 6(1)(b) (contract performance) or Article 6(1)(f) (legitimate interests) for internal API integrations, or explicit consent where end-users’ personal data is involved.

What differentiates the Anthropic API from many consumer AI tools for GDPR purposes: Anthropic does not use API inputs or outputs to train its foundation models by default. This removes the training-data risk that makes direct consumer-grade usage of many AI services legally problematic for business deployment in Germany.

Anthropic’s Data Processing Agreement (DPA)

The Anthropic DPA is the contractual foundation for any GDPR-compliant API deployment. It is available and can be accepted through the Anthropic Console. Enterprise customers negotiating volume contracts may request a customised DPA with additional terms.

Key elements the Anthropic DPA covers:

  • Article 28 GDPR processor obligations — Anthropic commits to process personal data only according to your documented instructions.
  • Standard Contractual Clauses (SCCs) — The 2021 EU SCCs are incorporated to provide a valid legal mechanism for EU–US data transfers under GDPR Chapter V.
  • Subprocessors — Anthropic discloses authorised subprocessors and provides advance notice of changes, with customer objection rights.
  • Security measures — Technical and organisational measures (TOMs) cover encryption in transit and at rest, access controls, and incident response.
  • Data breach notification — Anthropic commits to notify customers of security incidents affecting their data without undue delay.
  • Data deletion — Customer data is deleted upon request or contract termination within defined timeframes.

Customer obligations: As the data controller, your organisation is responsible for maintaining a valid Record of Processing Activities (ROPA) that includes the Anthropic API deployment, establishing the legal basis for each processing purpose, and ensuring that application users do not submit data outside the documented scope. Legal teams building on the API for client-facing workflows should review the AI APIs for law firms in Germany guide.

EU Data Residency for the Anthropic API

Anthropic’s direct API (api.anthropic.com) routes inference requests to servers in the United States by default. The Anthropic DPA covers this transfer through Standard Contractual Clauses, but for German companies requiring data to remain within the EU, there is a dedicated infrastructure path.

Amazon Bedrock with AWS eu-central-1 (Frankfurt) provides the strongest EU data residency option for Claude models:

  • Claude models — including Claude 3 Haiku, Sonnet, and Opus — are available on Amazon Bedrock in the Frankfurt region.
  • Configuring Bedrock with eu-central-1 keeps model inference and any associated data within Germany’s geographic boundaries.
  • AWS eu-central-1 is backed by the AWS Data Processing Addendum, which satisfies Article 28 GDPR processor obligations for the underlying cloud infrastructure.
  • German companies already running workloads on AWS Frankfurt benefit from consistent data governance across their entire stack.

This approach is directly comparable to deploying Azure OpenAI with Germany West Central data residency and is the recommended path for any API deployment involving sensitive personal data, healthcare records, or financial information requiring strict EU data processing controls.
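The residency choice above only holds if the region is pinned explicitly: boto3 otherwise resolves it from AWS_REGION, AWS_DEFAULT_REGION or ~/.aws/config, so a missing or stale setting can silently send inference to a US region. The following is an added example (not code from the guide, Anthropic or AWS) that fails closed on any region outside an assumed EU allow-list; EU_REGIONS and the function names are my assumptions, and boto3 is only needed when a real client is built.

```python
"""Fail-closed region pinning for a Claude-on-Bedrock deployment.

Added example, not code from the guide or from Anthropic/AWS. It makes the
guide's residency choice (AWS eu-central-1, Frankfurt) explicit in code so a
default-region drift cannot route requests outside the EU unnoticed.
EU_REGIONS and the function names are assumptions for this example.
"""
import os

# Assumed allow-list: the guide names eu-central-1 as the EU-resident target.
# Extend it deliberately in deployment config, never from an environment default.
EU_REGIONS = frozenset({"eu-central-1"})


def resolve_region(requested=None, env=None):
    """Return the region to use, or raise if it is unset or outside the EU.

    `requested` is an explicit region from deployment config; `env` is a
    mapping (defaults to os.environ) consulted only as a documented fallback.
    """
    if env is None:
        env = os.environ
    region = requested or env.get("AWS_REGION") or env.get("AWS_DEFAULT_REGION")
    if not region:
        raise ValueError("no AWS region configured; refusing to rely on "
                         "boto3's default resolution for EU-resident processing")
    if region not in EU_REGIONS:
        raise ValueError("region %r is not an approved EU region (%s)"
                         % (region, ", ".join(sorted(EU_REGIONS))))
    return region


def make_bedrock_runtime(requested=None):
    """Build a Bedrock Runtime client pinned to an approved EU region.

    boto3 is imported lazily so the residency check itself can be unit-tested
    without the AWS SDK or credentials present.
    """
    import boto3  # real AWS SDK; requires boto3 and AWS credentials at runtime
    return boto3.client("bedrock-runtime", region_name=resolve_region(requested))


if __name__ == "__main__":
    # Constructed environments: a US default, nothing set, and the EU target.
    for env in ({"AWS_DEFAULT_REGION": "us-east-1"}, {}, {"AWS_REGION": "eu-central-1"}):
        try:
            print(env, "->", resolve_region(env=env))
        except ValueError as exc:
            print(env, "-> rejected:", exc)
```

Run the same guard in CI against the deployment's environment so a region change shows up as a failed build rather than as a cross-border transfer discovered during an audit.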

Direct API with SCCs: For use cases where US-based processing is acceptable with appropriate legal documentation, the Anthropic DPA’s SCCs provide the transfer mechanism. Your organisation must complete a Transfer Impact Assessment (TIA) under GDPR Article 46 to document that SCCs provide adequate protection for your specific data flows, taking into account US surveillance law.

Data Retention and Training Policies

One of the most legally significant differences between the Anthropic API and consumer Claude.ai is data handling:

  • API default policy: Anthropic does not use API inputs and outputs to train, fine-tune, or improve its foundation models. Submitted data is used only to fulfil the API request.
  • Retention period: By default, Anthropic retains API request and response metadata for a limited period for abuse prevention and operational purposes. The current retention schedule is documented in the Anthropic privacy policy and DPA.
  • Zero Data Retention (ZDR) mode: Enterprise customers can request Zero Data Retention mode, under which Anthropic does not persist prompts or completions beyond the API call itself. This is appropriate for deployments involving highly sensitive personal data, attorney-client privileged information, healthcare data, or regulated financial records.
  • Consumer Claude.ai: The consumer-facing Claude.ai product operates under different, more permissive data usage terms. GDPR risk assessments should clearly distinguish between API access and consumer product usage within the same organisation — they are separate products with different legal treatment.

Document the applicable retention settings in your ROPA and internal data protection assessments, and review them whenever Anthropic updates its privacy policy.

Roles Under GDPR: Processor vs. Controller

Understanding who carries what GDPR obligation shapes your compliance programme when building on the Anthropic API:

Anthropic as data processor: When your application submits personal data to the Anthropic API to fulfil a task — for example, processing customer support messages, generating personalised content, or analysing user documents — Anthropic acts as a data processor under GDPR Article 4(8). Anthropic processes the data on your documented instructions and is bound by the DPA.

Your organisation as data controller: The company or developer deploying the API is the data controller responsible for:

  • Determining the purpose and legal basis for processing (GDPR Article 6)
  • Informing data subjects via a privacy notice that their data may be processed using AI systems
  • Conducting a Data Protection Impact Assessment (DPIA) under GDPR Article 35 if the processing is likely to result in high risk — for example, large-scale automated processing of sensitive personal data or systematic profiling
  • Documenting the Anthropic API deployment in your ROPA

Anthropic as independent controller: For internal purposes such as account management, billing, security monitoring, and abuse prevention, Anthropic acts as an independent controller under its own privacy policy. This processing is separate from the processor relationship governed by the DPA.

EU AI Act Implications

Claude models (Claude 3.x Haiku, Sonnet, Opus) are General Purpose AI (GPAI) models under the EU AI Act (Regulation (EU) 2024/1689). This triggers obligations for both Anthropic as the model provider and companies that build products on the API.

Anthropic’s obligations as GPAI model provider (Article 53):

  • Maintain and publish technical documentation describing model capabilities, limitations, and training data provenance.
  • Publish a model card or equivalent transparency documentation for downstream deployers.
  • Implement a copyright compliance policy under EU Directive 2019/790.
  • Cooperate with downstream deployers to enable them to meet their own AI Act obligations.

Your obligations as a deployer:

  • Risk classification: Assess whether your application of Claude falls under the AI Act’s prohibited practices (Article 5), high-risk AI system categories (Annex III), or the limited/minimal risk tier. Standard business productivity and internal tooling applications typically fall under minimal or limited risk.
  • Transparency: If your application uses Claude to interact with natural persons who might not realise they are communicating with an AI system, you must disclose the AI interaction (Article 50 AI Act).
  • High-risk systems: Applications using Claude for CV screening, creditworthiness decisions, or determinations in education, employment, essential services, or law enforcement are high-risk under Annex III. These require conformity assessment procedures, human oversight measures, logging, and technical documentation before deployment.
  • Professional services: Law firms, healthcare providers, and financial services using the API for client-facing decisions should review the professional services AI Act compliance guide and the legal services AI Act overview.

Setting Up a GDPR-Compliant Anthropic API Integration

A practical checklist for German companies and startups deploying the Anthropic API:

  1. Sign the Anthropic DPA — accept it in the Anthropic Console before any personal data is processed.
  2. Choose your data residency path — direct API with SCCs plus Transfer Impact Assessment, or Amazon Bedrock Frankfurt for EU-resident processing without cross-border transfer.
  3. Request Zero Data Retention mode — if the deployment involves sensitive personal data, healthcare records, or legally privileged information.
  4. Document the legal basis — record the applicable GDPR Article 6 ground and add the Anthropic API to your ROPA.
  5. Conduct a DPIA if required — high-volume or high-risk processing applications require a Data Protection Impact Assessment under Article 35 before go-live.
  6. Update your privacy notice — inform end-users that their data may be processed by an AI model provider acting as a sub-processor.
  7. Classify your AI Act risk tier — determine whether the application is minimal, limited, or high-risk before deployment.
  8. Engage your works council — if the API deployment changes how employees work in Germany, co-determination rights under §87 BetrVG may apply before rollout.

Anthropic API vs. Azure OpenAI: EU Compliance Comparison

Criterion                  | Anthropic API (direct)              | Anthropic via Bedrock          | Azure OpenAI
---------------------------+-------------------------------------+--------------------------------+-------------------------------------
EU data residency          | US processing, SCCs cover transfer  | AWS eu-central-1 (Frankfurt)   | Germany North / Germany West Central
DPA available              | Yes (Anthropic Console)             | Yes (AWS DPA + Anthropic DPA)  | Yes (Microsoft DPA)
Transfer mechanism needed  | Yes (SCCs + TIA)                    | No (EU processing)             | No (EU processing)
Training on API data       | No (default policy)                 | No                             | No
Zero data retention        | Available on request                | Available on request           | Configurable per deployment
AI Act model status        | GPAI (Anthropic)                    | GPAI (Anthropic)               | GPAI (Microsoft/OpenAI)

Azure OpenAI offers the most mature EU data residency story for companies requiring processing strictly within Germany without routing through AWS infrastructure. AWS Bedrock with Claude is the preferred path for organisations already running their stack on AWS Frankfurt. For companies that prefer a fully managed enterprise SaaS product rather than a raw API integration, Claude Enterprise provides additional administrative controls and access management.

Works Council Requirements

If the Anthropic API affects how employees work in Germany — automating tasks previously performed by staff, generating content submitted under employees’ names, or processing workplace communications — the Betriebsrat (works council) may have co-determination rights under §87(1) BetrVG.

This is especially relevant if the API integration could monitor employee activity, influence performance evaluations, or fundamentally change work processes. Engage your works council early: explain the tool’s purpose, address data protection and surveillance concerns, and agree on an appropriate use policy before the deployment goes live.

How Compound Law Helps

  • DPA review and gap analysis for Anthropic API deployments
  • Transfer Impact Assessment (TIA) preparation for EU–US data flows
  • DPIA preparation for high-volume or sensitive use cases
  • AI Act risk classification and technical documentation support
  • Works council coordination and Betriebsvereinbarung negotiation
  • Ongoing compliance monitoring and policy updates as Anthropic’s terms evolve


Frequently asked questions

Is the Anthropic API GDPR compliant?

The Anthropic API can be used in a GDPR-compliant manner when Anthropic's Data Processing Agreement is signed, a valid legal basis under Article 6 GDPR is established, and appropriate data transfer mechanisms (Standard Contractual Clauses) are in place for EU–US data flows. API inputs are not used to train Anthropic's models by default.

Does Anthropic offer a Data Processing Agreement (DPA)?

Yes. Anthropic provides a Data Processing Agreement available through the Anthropic Console covering Article 28 GDPR processor obligations, Standard Contractual Clauses for EU–US transfers, subprocessor disclosure, security measures, breach notification, and data deletion commitments.

Does Anthropic process API data in the EU?

Anthropic's direct API primarily processes data in the United States, with SCCs covering the data transfer. Companies that deploy Claude through Amazon Bedrock can select AWS eu-central-1 (Frankfurt) to run inference within the EU, which provides a stronger EU data residency posture under GDPR.

Does Anthropic train on API data?

No. Anthropic explicitly does not use API inputs and outputs to train its foundation models by default. Enterprise customers can additionally request zero data retention mode, where Anthropic does not persist prompts or completions after the API call completes.

What is Anthropic's role under GDPR — processor or controller?

When processing personal data submitted through the API on behalf of a customer, Anthropic acts as a data processor under GDPR Article 28. The company building the product or service on the API is the data controller, responsible for documenting the legal basis, informing data subjects, and ensuring GDPR compliance.
