Synthetic data: the GDPR and AI Act compliance guide

Synthetic data consists of artificial datasets generated by algorithms that mimic the statistical properties of real data without being derived from it. While they allow for training AI models and testing without using real data, they are not automatically exempt from GDPR. In its guidelines dated July 7, 2026, the EDPB established three cumulative criteria—individualization, correlation, and inference—that a dataset must meet in its entirety to be classified as anonymous. It also strictly regulates web scraping used to train generative models. Here is a breakdown of the rules and a compliance checklist for DPOs.

By
Calixte Descamps
1
Min
Share this article
Algorithm

For DPOs, CISOs, and General Counsels, the current equation feels like an unsolvable puzzle: how can technical teams be empowered to innovate at lightning speed—particularly by training artificial intelligence models or conducting rigorous testing—while scrupulously complying with the GDPR and the brand-new European AI Act?

This is where the promise of synthetic data comes in. Presented as the ultimate alternative to traditional anonymization, it promises to unlock corporate innovation potential without the constraints of compliance.

But is it really that simple? The recent guidelines from the EDPB (European Data Protection Board) published on July 7, 2026, have reshuffled the deck and established a very precise framework. To navigate these shifting regulatory waters, relying on GDPR compliance software has become essential. Here is the full breakdown.

Discover Adequacy

One of our experts introduces Adequacy to you in a real situation.

What is synthetic data generation?

Synthetic data generation involves creating an entirely artificial dataset using mathematical algorithms and machine learning models (such as GANs—Generative Adversarial Networks—or large language models).

Unlike real-world datasets, this data is not derived from direct measurements or observations of actual individuals. It simply mimics their statistical characteristics, correlations, and behaviors.

Testing without real data: the fraud detection example

A bank wants to validate a new fraud detection algorithm in pre-production. Rather than exposing real customer transactions—which would violate the principle of data minimization and pose a major cyber risk—it uses synthetic data. This data accurately replicates the purchasing habits, transaction volumes, and behavioral anomalies of fictitious users.

For development teams, the benefits are immense: they can test without real data, eliminate the risk of data breaches, and drastically accelerate their delivery cycles (DevOps).

Synthetic data vs. anonymization: the EDPB's verdict

For a long time, the debate remained unclear: is synthetic data inherently anonymous and therefore exempt from GDPR? The question is directly linked to traditional techniques ofanonymization and pseudonymization.

The EDPB provided clarity in its July 2026 guidelines, drawing notably on the landmark ruling by the Court of Justice of the European Union (CJEU) in September 2025 (EDPB/CRU, C-413/23 P). The answer is nuanced: it all depends on the success of your anonymization and generation process.

Contextual or simplified approach: how to evaluate your project?

The EDPB now offers two frameworks for data controllers to follow:

  • The contextual approach : this involves assessing whether, given all objective circumstances and the reasonable means available to a third party (or the company itself), it is possible to re-identify an individual.
  • The simplified approach : stricter in nature, it recommends treating synthetic data as subject to GDPR by default if any doubt remains regarding re-identification, thereby offering maximum legal certainty while being more restrictive.

The 3 criteria for synthetic data anonymity

For a synthetic dataset to fall permanently outside the scope of the GDPR (in accordance with Recital 26), it must successfully pass the crash test of the three cumulative criteria formalized by the EDPB:

  • Individualization : is it impossible to isolate the record of a specific individual within the synthetic dataset?
  • Correlation : is it impossible to link two separate records concerning the same real individual?
  • Inference : is it impossible to deduce, with a significant degree of probability, sensitive information about a real person from the synthesized data?

If your generative AI model suffers from overfitting, it risks memorizing and recreating real profiles from your training base almost identically. In this case, the inference criterion fails: the synthetic data remains legally classified as personal data subject to the GDPR.

Discover Adequacy

One of our experts introduces Adequacy to you in a real situation.

Real, pseudonymized, or synthetic data: a comparison

Criteria Real data Pseudonymized data Synthetic data (pure)
GDPR compliance Yes (strictly) Yes No (if compliant with the 3 EDPB criteria)
AI Act compliance Yes Yes Yes (if used to train a model)
Utility for testing and AI Maximum Average (utility loss due to masking) Excellent (statistical consistency maintained)by design (dès la conception).
Re-identification risk Maximum Moderate to high Near zero (if generated correctly)
GDPR compliance
Real data Yes (strictly)
Pseudonymized data Yes
Synthetic data (pure) No (if compliant with the 3 EDPB criteria)
AI Act compliance
Real data Yes
Pseudonymized data Yes
Synthetic data (pure) Yes (if used to train a model)
Yes (if used to train a model)
Real data Maximum
Pseudonymized data Average (utility loss due to masking)
Synthetic data (pure) Excellent (statistical consistency maintained)
Re-identification risk
Real data Maximum
Pseudonymized data Moderate to high
Synthetic data (pure) Near zero (if generated correctly)

Training a synthetic data model: web scraping rules

It is often overlooked: to generate high-quality synthetic data, you must first train an AI model. This training process requires massive volumes of real-world data.

If your company uses web scraping techniques to fuel this training, the EDPB took a particularly strict stance in July 2026.

Legitimate interest as a legal basis: EDPB requirements

The EDPB reiterates that the automated scraping of personal data from the internet to train generative AI must still adhere to the principles of transparency and purpose limitation. If you rely on legitimate interest (Article 6(1)(f) of the GDPR) as the legal basis for this training, you must:

  • provide an effective and easily accessible right to object (simple opt-out mechanisms)
  • ensure the reliability of sources and precisely record the timestamp of each collection

The prohibition on scraping sensitive data (Article 9)

The EDPB is clear: the processing of special categories of data (health, political opinions, sexual orientation) is prohibited in principle. Unrestricted scraping does not benefit from any general exemption. You must implement rigorous technical filters at the collection stage to exclude this sensitive data before it enters your training models.

Only under these conditions can you legitimately develop models capable of generating synthetic data while complying with the data governance requirements of the EU AI Act .

Discover Adequacy

One of our experts introduces Adequacy to you in a real situation.

Implementing synthetic data: the DPO checklist

To integrate synthetic data into your business processes with confidence, rigorous governance is essential.

Document training in your record of processing activities

Even if the final deliverable (the synthetic dataset) is not subject to GDPR, the upstream phase (training the generative AI with real data) constitutes a full-fledged processing of personal data. It must be included in your record of processing activities, specifying its purpose, the categories of data used, and the associated security measures.

Conduct a DPIA to manage overfitting

Using generative AI algorithms to create test data presents technological risks (such as the aforementioned overfitting). Before launching such a project, the DPO must oversee and conduct a Data Protection Impact Assessment (DPIA) to evaluate the risks of re-identification through inference and to validate mitigation measures.

Checklist: is your synthetic data outside the scope of GDPR?

  • Zero individualization : is it technically impossible to isolate the profile of a real individual within the generated dataset?
  • Zero correlation : is it impossible to link two pieces of synthetic information to reconstruct the identity of a real user?
  • Zero inference : has the AI model been audited to ensure it does not suffer from overfitting (rote reproduction of real information)?
  • Validated training origin : if the training data comes from the web (scraping), has the legal basis been validated and have sensitive data (Article 9) been systematically filtered at the source?

If you check all these boxes, your synthetic data meets the EDPB security requirements and can be treated as anonymous data.

FAQ - Synthetic data and GDPR

Is synthetic data considered personal data under the GDPR?

No, provided it results from a robust synthesis process that meets the three cumulative criteria of the EDPB: absence of singling out, correlation, and inference. If these criteria are met, it is classified as anonymous data and falls outside the scope of the GDPR. Otherwise, particularly if the generative model suffers from overfitting, it remains personal data fully subject to the regulation.

What is the difference between synthetic data and pseudonymized data?

The main difference lies in their nature and their legal status under the GDPR:

  • Pseudonymized data remains personal data and is fully subject to the GDPR. Pseudonymization is a security measure (such as replacing a name with an alphanumeric code) used to minimize the impact of a breach in the event of unauthorized access. However, it does not prevent re-identification if the information is cross-referenced.
  • Synthetic data is, by nature, fictitious and artificial. Since it does not relate to any real individual, it falls completely outside the scope of the GDPR (provided it meets the criteria set by the EDPB). By definition, the concept of pseudonymization does not apply to synthetic data, as there are no real identifiers to mask.

Can web scraping be used to train an AI for synthetic data generation?

Yes, but under strict compliance conditions detailed by the EDPB in July 2026. You must, in particular, have a solid legal basis (such as rigorously documented legitimate interest), respect the principles of transparency and purpose limitation, provide an effective right to object, and implement technical filters to exclude any accidental collection of sensitive data (Article 9 of the GDPR).

Does using synthetic data exempt you from complying with the AI Act?

No. Even when synthetic data is classified as anonymous and falls outside the scope of the GDPR, the AI models used to generate or process it remain subject to the data governance, transparency, and risk management requirements set out in the European AI Act, particularly Article 10 for high-risk AI systems.

Regulatory note : The EDPB guidelines on anonymization and data scraping adopted on July 7, 2026, are open for public consultation until October 30, 2026. Their practical application within companies should be closely monitored by compliance professionals.

Discover Adequacy

One of our experts introduces Adequacy to you in a real situation.

The latest news

They have trusted us for years

Discover Adequacy

One of our experts introduces Adequacy to you in a real situation.