GDPR Art. 28 and local inference
When AI inference runs locally, there is no third party processing the data, so the GDPR Article 28 processing-agreement obligation falls away. Data that never leaves your network cannot leak at a processor.
GDPR Article 28 governs the relationship with a “processor” — a third party that processes data on your behalf. Cloud AI is typically such a processor. Local inference simply removes that relationship.
What that means concretely
- No cross-border data transfer
- No processor to contract and audit
- A smaller risk surface for sensitive data
For organizations with sensitive data — healthcare, the public sector — this isn't cosmetics, it's risk mitigation built into the architecture.
Note: this is general information, not legal advice; your DPO or legal team confirms specific compliance.