Compliance

Does GenZAgents satisfy GDPR requirements for AI processing?

For Article 22 (automated decision-making and human-oversight evidence), Article 5 (accountability principle) and Article 30 (records of processing), receipts directly evidence compliance. Your DPO still owns the policy and process documentation.

Article 22 — automated decisions

GDPR Article 22 restricts decisions based "solely" on automated processing. To rely on the 22(2)(a) exemption (necessary for a contract, with suitable safeguards including human oversight), you need to evidence the human involvement. Receipts capture the reviewer_human_id, the decision timestamp and the review duration. This becomes the "meaningful human oversight" evidence.

Article 5 — accountability principle

GDPR Article 5(2) requires the controller to demonstrate compliance with the principles. AI-mediated processing is in scope. Receipts demonstrate that the processing has lawful-basis tracking, data minimisation (digest-only mode), supervision and an audit trail. This is the accountability evidence.

Article 30 — records of processing

Article 30 requires records of processing activities. AI-mediated processing falls in scope. The receipt feed is the Article 30 record for the AI-activity dimension: what processing happened, which controller or processor, what categories of data, which recipients, the retention period and the security measures. Cross-walk it to your Article 30 template via the dashboard export.

Subject access requests

When a data subject asks "what AI activity touched my data?", the receipt feed lets you answer concretely. Filter receipts to the subject's scope and present the AI-mediated processing events. Without receipts, the answer is necessarily vague; with them, it is specific.

Cross-border data transfer (Schrems II / DPF)

If the LLM provider is in a third country (Anthropic, OpenAI and Google are US-based), Schrems II and DPF rules apply. Receipts log the provider, region and SCC reference per call, so your transfer-impact assessment has the operational data to support it. The provider-side data flow is between you and them; we evidence the audit layer.

Our own GDPR posture

GenZAgents is a controller for some processing (account data, billing) and a processor for receipts (we process them on your behalf). A standard DPA is available, with UK and EU hosting options for data residency. See /privacy for the full breakdown.

Get the trust layer for your AI work

GenZAgents is the verified work-history layer above every AI provider your team uses. Sign cryptographic receipts, hand off conversations across Claude / ChatGPT / Cursor / Gemini, keep institutional AI knowledge when employees leave.
