What is GDPR (Agent Context)?

GDPR in an agent context refers to the application of the General Data Protection Regulation to AI agent operations — specifically how agents processing EU personal data via MCP tools must comply with data minimisation, purpose limitation, and consent requirements.

WHY IT MATTERS

The General Data Protection Regulation is the EU's comprehensive data protection law. It governs how personal data of EU residents is collected, processed, stored, and transferred. GDPR applies regardless of whether the data processor is a human or an AI agent — the obligations follow the data.

AI agents create specific GDPR challenges. Data minimisation (Article 5(1)(c)) requires that only data adequate, relevant, and necessary for the purpose is processed. An agent with broad MCP tool access might query an entire customer database when it only needs one field. Purpose limitation (Article 5(1)(b)) means data collected for one purpose cannot be used for another — but agents may chain tool calls in ways that repurpose data beyond the original intent.

Article 22 gives individuals the right not to be subject to decisions based solely on automated processing. If an AI agent makes decisions affecting EU residents — approving applications, scoring risk, determining access — this right may be triggered. The organisation must be able to demonstrate meaningful human oversight or provide an opt-out mechanism.

The penalties are severe: up to EUR 20 million or 4% of annual global turnover, whichever is higher. For AI-driven organisations processing EU data at scale, a single misconfigured agent could trigger a breach affecting millions of records. Policy enforcement at the tool-call level is not a nice-to-have — it is a regulatory requirement.

HOW POLICYLAYER USES THIS

Intercept enforces GDPR principles at the MCP proxy layer. YAML policies can implement data minimisation by restricting which database fields an agent can query, purpose limitation by tying tool access to specific task contexts, and access controls that prevent agents from processing personal data without a defined lawful basis. Every tool call decision is logged, providing the processing records required by Article 30. Policies can also enforce geographic restrictions — blocking tool calls that would transfer EU personal data to non-adequate jurisdictions.

FREQUENTLY ASKED QUESTIONS

Does GDPR apply if my AI agent is hosted outside the EU?
Yes. GDPR applies based on the data subjects, not the processor's location. If your agent processes personal data of EU residents — regardless of where the agent runs — GDPR applies (Article 3(2)).

Is an AI agent a data processor or data controller under GDPR?
The agent itself is neither — it's a tool. Your organisation is the data controller (or processor, depending on the arrangement). You are responsible for ensuring the agent's operations comply with GDPR, just as you would for any other system processing personal data.

How do I implement data minimisation for AI agents?
Define YAML policies that restrict tool call arguments to only the fields needed for the task. For example, if an agent needs to look up a customer's subscription status, the policy should block queries that also return email, address, or payment details.
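
The field restriction described in the answer above, together with the per-call decision log mentioned earlier, as an added Python example; it is not Intercept's policy format or code. The policy table, the purpose name `subscription_lookup`, the tool name `crm.get_customer` and the `fields` argument are assumptions made for illustration.

```python
import json
from dataclasses import dataclass

# Hypothetical policy table: purpose -> tool -> fields the agent may request.
POLICY = {
    "subscription_lookup": {
        "crm.get_customer": {"customer_id", "subscription_status"},
    },
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    blocked_fields: tuple = ()

def evaluate(purpose: str, tool: str, args: dict) -> Decision:
    """Deny by default; allow only fields listed for this purpose and tool."""
    allowed = POLICY.get(purpose, {}).get(tool)
    if allowed is None:
        return Decision(False, "no policy for this purpose and tool")
    fields = args.get("fields")
    if not isinstance(fields, list) or not fields:
        # A missing field list usually means "return the whole record".
        return Decision(False, "explicit field list required")
    requested = {str(f).strip().lower() for f in fields}
    extra = tuple(sorted(requested - allowed))  # a "*" wildcard also lands here
    if extra:
        return Decision(False, "fields outside stated purpose", extra)
    return Decision(True, "within stated purpose")

def audit_record(purpose: str, tool: str, args: dict, d: Decision) -> str:
    """Log the decision with argument names only, never argument values."""
    return json.dumps({
        "purpose": purpose, "tool": tool, "arg_names": sorted(args),
        "allowed": d.allowed, "reason": d.reason,
        "blocked_fields": list(d.blocked_fields),
    }, sort_keys=True)

if __name__ == "__main__":
    # Constructed sample tool calls.
    calls = [
        {"customer_id": "c-1001", "fields": ["subscription_status"]},
        {"customer_id": "c-1001", "fields": ["subscription_status", "email", "address"]},
        {"customer_id": "c-1001"},
    ]
    for args in calls:
        d = evaluate("subscription_lookup", "crm.get_customer", args)
        print(audit_record("subscription_lookup", "crm.get_customer", args, d))
```

The audit record stores argument names and the decision but not argument values, so the processing log does not itself become a second copy of the personal data.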

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept