Datenschutz & Souveränität
ChatGPT and Data Protection in the Company: What You Need to Consider
Employees have long been using ChatGPT — often without approval. What the supervisory authorities say about it, where the GDPR risks lie, and how to use AI in your team in compliance with data protection laws.

ChatGPT has arrived in everyday work life — often faster than the IT department could approve it. According to a representative Bitkom survey (October 2025), 40% of companies assume that employees use private AI tools for work — but only 26% officially provide AI access. This "shadow AI" gap is the actual data protection risk.
Where the GDPR risks lie
As soon as personal data is included in a prompt — customer names, applicant profiles, health data —, the GDPR is affected. Every input is an individual processing operation and requires a legal basis according to Art. 6 GDPR (for employee data, usually § 26 BDSG); for special categories, Art. 9 additionally applies. In the public version of ChatGPT, three risks converge:
Data transfer to the USA — the provider is a US corporation, US law may apply (more on this in our post on the US CLOUD Act).
Further processing of inputs — in the free version of ChatGPT, training on user inputs is active by default and must be actively disabled.
Lack of control — without a data processing agreement, companies do not know where and for how long data is stored.
What the supervisory authorities say
All EU data protection authorities jointly presented a report from the EDPB ChatGPT Task Force in May 2024. Two statements are central for companies. First, technical complexity is not considered an excuse:
„…technical impossibility cannot be invoked to justify non-compliance…“
Second, responsibility cannot be shifted to the person entering the data via T&Cs or guidelines:
„…controllers should not transfer the risks of the enterprise to data subjects.“
The German authorities are becoming specific: The Hamburg Data Protection Commissioner has published a 15-point checklist that warns against entering personal data and recommends business accounts instead of private accounts. The Data Protection Conference (DSK) provides a practical orientation guide for this.
A real fine: 15 million €
The fact that the authorities are serious is shown by the Italian data protection authority Garante: In December 2024, it imposed a fine of 15 million € against OpenAI — partly due to a lack of legal basis for training and transparency violations. The proceedings are not yet legally binding following OpenAI's appeal, but mark the first major GDPR enforcement case against an LLM provider.
The good news: It is not ChatGPT as a technology that is the problem, but the how. With clear rules, the right plan, and the appropriate infrastructure, generative AI can be used in compliance with the GDPR.
What companies should concretely do
The distinction is important: With Business, Enterprise, and API products, OpenAI does not train by defaultnot on inputs and outputs and concludes a data processing agreement. With the free version of ChatGPT, training is on and must be deactivated. Robust AI governance includes:
a binding AI policy (which data may enter, which may not) — supported by technical and organizational measures, not just declaratory;
approved tools in the Business/Enterprise tariff with a concluded DPA;
a clear prohibition of personal and confidential data in prompts of the public version;
training and awareness — and above all, an approved alternative so that no one resorts to the private app (the shadow AI gap is closed through provision, not through prohibition).
Conclusion
Banning AI in the company is not a solution — employees use it anyway. The better way is a secure, approved platform that incorporates data protection from the ground up. Which criteria such a platform must meet is shown in our article GDPR-compliant AI: the 7 selection criteria — a general overview is provided by our Guide to GDPR-compliant AI for companies.
Sources
GDPR-compliant AI from a real German data center
Kasimir runs on its own infrastructure in Germany — no detour via US providers, no CLOUD Act reach.



