29 May 2026
European AI and GDPR: What Public-Sector Archives Should Ask Before They Process
Archives hold some of the most sensitive personal data any public body processes: oral history testimony, social care files, medical records, correspondence naming living individuals, photographs of children. When you decide to run that material through an AI tool to help describe it, you are not just choosing a piece of software. You are choosing where your data goes, who processes it, and on what legal basis. For a public-sector archive, that is an information governance decision before it is a technology one.
The convenience of modern AI tools can obscure this. You upload a file, a description appears, the work feels effortless. But every one of those uploads is a transfer of personal data to a processor — and under the UK GDPR and the EU GDPR, transfers, processing locations, and processor obligations are exactly what you are accountable for. This article sets out why the where matters, and the specific questions a procurement or information governance team should put to any AI vendor before a single record is processed.
Why processing location matters
Most general-purpose AI services route data to wherever the provider’s infrastructure happens to sit — frequently the United States. For a private individual that may be immaterial. For a public-sector archive processing special category data, it is a live compliance question.
International transfers of personal data require a lawful transfer mechanism and a transfer risk assessment. They draw the attention of your Data Protection Officer and, potentially, of the people whose records you hold. The simplest way to take that whole category of risk off the table is to keep processing inside the European Economic Area in the first place. If the data never leaves the EEA, the international-transfer problem does not arise.
This is a deliberate design choice for Archivers.ai. The platform is European-core: it uses Mistral, a model provider based in France, and offers an EU-only processing mode so that your collection data is processed within the EU rather than shipped across the Atlantic. For an archive whose lawful basis and risk appetite were defined for European processing, that alignment is not a marketing point — it is the difference between a straightforward sign-off and a months-long assessment.
The three commitments to insist on
When we talk about trust, we mean specific, contractual things — not reassuring language. There are three commitments a public-sector archive should treat as non-negotiable.
A Data Processing Agreement (DPA). Under Article 28 of the GDPR, processing personal data through a third party requires a written contract setting out the subject matter, duration, nature and purpose of processing, and the obligations of the processor. If a vendor cannot provide a DPA, you cannot lawfully use them for personal data, full stop. Archivers.ai makes a DPA available so that your processing rests on a proper Article 28 footing.
An explicit no-training commitment. The single most common concern in heritage procurement is whether material uploaded to an AI tool will be absorbed into a model’s training set. The honest position is precise: customer collection data is not used to train foundation AI models, and we follow our vendor’s no-training commitments. That precision matters because it is verifiable, where a vague “we respect your privacy” is not. Your sensitive testimony is processed to produce your descriptions — and then it is not repurposed to improve a general model.
Defined processing location. Ask explicitly where processing occurs and whether an EU-only mode is available. “The cloud” is not an answer your DPO can sign off.
What procurement and IG teams should actually ask
Use this as a checklist when assessing any AI tool for an archive. The right vendor will answer all of it without hesitation.
- Where is our data processed, and can you guarantee it stays in the EEA? Look for a named processing region and an EU-only option, not a general assurance.
- Will you sign a DPA, and can we see it before purchase? The answer should be yes and yes.
- Is our collection data used to train any AI model — yours or a third party’s? You want a clear no, with the no-training commitment passed through from any sub-processor.
- Who are your sub-processors, and where are they located? The model provider is a sub-processor; you are entitled to know who it is and which jurisdiction applies.
- How long is our data retained, and how is it deleted? Retention should be defined and deletion should be something you can request and verify.
- Is there a human review step before anything is finalised? For sensitive material, automated decision-making without human oversight is both a governance and an ethical problem. Archivers.ai keeps an archivist in the loop at every step — AI proposes, the archivist disposes.
If a tool cannot answer these, it is not ready for public-sector archival data, however impressive the demo.
Tying it to public-sector procurement
Public-sector procurement already demands this rigour for other systems; AI tools should not get a pass. The Data Protection Impact Assessment you would complete for any new processing activity is the natural home for these questions, and a vendor designed for the public sector should make that assessment easier, not harder. Standards-aligned exports — EAD3, Dublin Core, BagIt with PREMIS — mean the records you produce remain portable and auditable, which is itself a procurement virtue: no lock-in, and an exit you can demonstrate.
For directors and heads of service signing off the spend, the framing is simple. A tool that processes in the EU, signs a DPA, commits to no training, and keeps a human in the loop is one your information governance colleagues can approve quickly. A tool that does none of those things will consume weeks of assessment and may still be refused. The cheaper-looking option is often the more expensive one once compliance time is counted.
This matters as much for community archives handling living-memory oral histories as for a county record office processing case files. The sensitivity of the material does not scale with the size of the organisation.
Make the safe choice the easy choice
Good data protection is not about adding friction. It is about choosing tools where the safe option is also the default option — where processing stays in Europe, the contract is in place, and your data works for you and is not quietly repurposed. That is what European-core, GDPR-aligned design is for.
If your archive is weighing up AI-assisted description and needs to satisfy an information governance review, talk to us about your requirements and we will walk your procurement team through the DPA, the EU-only processing mode, and our approach to trust and security. You can also join the waitlist for early access and see the workflow first-hand on non-sensitive material — with transparent pricing published when we launch, a full evaluation will be easy to cost. Where your AI processing happens is a decision worth making deliberately.
Planning a cataloguing or digitisation project?
Archivers.ai sits in front of your existing repository or CMS, clears digitised backlogs faster, and exports into the systems you already use. Now in early access — join the waitlist and we’ll onboard you personally.