GDPR and law firms: what obligations apply?
Data controller, processors, sensitive data: law firms face specific GDPR obligations, compounded by professional secrecy. A practical overview.
This article is informational and does not constitute personalized legal advice.
Law firms handle some of the most sensitive data that exists: party identities, financial situations, health data in certain disputes, information covered by professional privilege. GDPR fully applies to this activity — with an added difficulty specific to the profession: attorney-client privilege and GDPR's transparency obligations need to be reconciled, not opposed.
The firm as data controller — most of the time
For managing its clients, case files and activity, the firm is generally the data controller: it determines on its own the purposes and means of personal data processing. This notably implies:
- maintaining a register of processing activities (GDPR Article 30), including for internal digital tools;
- informing data subjects about the processing carried out (often included in engagement terms or the firm's privacy notice);
- implementing appropriate security measures (Article 32), proportionate to the sensitivity of the data processed.
The specific risk of third-party AI tools
Using general-purpose AI assistants (chat, summarization, drafting) to process client documents raises a fundamental question: where does the data sent to that service go, and is it reused to train a model? Two GDPR reflexes are essential:
- Check the provider's DPA (Data Processing Agreement): purposes, retention period, data location, and an explicit commitment against reuse for training.
- Anonymize or pseudonymize documents before sending them to any external service, whenever the document contains identifying data — which is almost always the case for a legal file.
This is the core role of our pseudonymization tool: detect and replace identifying data (parties, addresses, ID numbers) before a document ever reaches a language model, internal or third-party. We cover our technical approach in a dedicated article: Why anonymizing legal documents for AI is (actually) hard.
Data subject rights, applied to a legal case file
GDPR grants rights (access, rectification, erasure, objection) that need to be reconciled with retention obligations specific to legal practice (statutes of limitation, case-file retention duties). An erasure request on a still-active or recently closed file generally can't be fully honored — but it must be handled and justified, not simply ignored.
Practical checklist for a firm
- Up-to-date processing register, including digital tools (document management, AI, CRM)
- Signed DPA with every vendor processing personal data on the firm's behalf
- Documented pseudonymization procedure before any external AI use on client documents
- Retention policy aligned with applicable statutes of limitation
- Documented procedure for handling rights requests, including justified refusals
GDPR compliance for a law firm isn't a one-off project but an ongoing discipline — all the more critical given the profession handles data at a sensitivity level few other sectors match.
Frequently asked questions
Is a law firm a data controller or a processor under GDPR?
Most often a data controller for the data it collects and processes for its own purposes (client management, case files), and sometimes a processor when it processes data on a client's behalf under a specific mandate the client defines. The classification depends on who determines the purposes and means of processing.
Does the firm need a DPA (Data Processing Agreement) with every AI tool it uses?
Yes, as soon as a third-party tool processes personal data on the firm's behalf — including a general-purpose AI assistant. The DPA should specify purposes, retention period, security measures, and whether (and under what conditions) data may be reused for model training.
Does anonymization exempt the firm from its GDPR obligations?
Robust pseudonymization significantly reduces risk and helps demonstrate appropriate security measures (GDPR Article 32), but doesn't exempt the firm from general obligations: maintaining the processing register, informing data subjects, handling rights requests. True, irreversible anonymization can take processing outside GDPR's scope entirely — but it's rarely achievable in practice on reusable legal documents.