Is this enough for a GDPR audit?

With DPA, model routing doc, data flow diagram and retention policy: yes for most industries. For sector specifics (BAIT, MaRisk) extra requirements apply — see Enterprise package .

What does the BfDI say?

No blanket pro/contra. The specific deployment is judged — model routing, DPA, data minimisation.

From 20 staff with personal data processing: yes, mandatory anyway. Manuel Streit is a certified DPO and can take this on if needed.

Guide

Run OpenClaw GDPR-compliant

OpenClaw + GDPR is feasible — but only with the right configuration. Here's the path to a compliance-grade setup.

Manuel Streit

/ May 11, 2026 / 3 min read

About this guide

Configure OpenClaw GDPR-compliant: EU models, data minimisation, retention, processor agreements, third-country transfer and subject rights.

Model routing by data class

First rule: not everything goes to OpenAI/Anthropic. Sensitive data (personal, health, finance) routes to EU Mistral or local Llama via Ollama. Only non-sensitive workflows hit US providers — and there with processor agreements.

Processor agreements (DPA)

Sign a DPA with each LLM provider: OpenAI offers an enterprise DPA, Anthropic via sales, Mistral via API plan. Hosting providers (Hetzner, AWS Frankfurt) too. We provide templates.

Data minimisation

Skills strip unnecessary personal data before LLM calls. Example: 'Manuel Streit, manuel@lol.marketing' becomes 'M. S., m@…' — pseudonymised but reconstructable in the OpenClaw daemon.

Retention policies

Logs, skill history, LLM calls with explicit deletion dates. Default: 90 days logs, 30 days detailed LLM calls, then deletion. Configurable in openclaw.json.

Subject rights

Access, rectification, erasure — controllable via skill. /dsar export "name" generates a GDPR access report. /dsar delete "name" deletes all data about that person from logs and skills.