← Blog

KI-Recht & Compliance

GDPR Fines and AI: What Companies Can Learn from Real Cases

Million-euro fines against AI providers are making headlines β€” but what do they mean for companies that only use AI? A sober analysis of real cases and the patterns behind them.

Felix StΓΌrmerΒ· 08 January 2026Β· 3 min read
GDPR Fines and AI: What Companies Can Learn from Real Cases

Headlines about million-euro fines against AI providers cause uncertainty β€” rightly so as a warning signal, but often misinterpreted. Because most companies are not providers, but users of AI. A look at the real cases shows what really matters.

The Real Cases

Three groups of cases are most prominent:

  • Clearview AI β€” several European authorities each imposed 20 million €: Italy (2022), France (17.10.2022), and Greece (13.07.2022). The allegation: mass collection of facial images and conversion into biometric data without a legal basis β€” a clear violation of Art. 9 GDPR (special categories).

  • Replika / Luka Inc. β€” the Italian Garante imposed 5 million € against the provider of the AI chatbot in April 2025 β€” due to a lack of legal basis, lack of transparency, and missing age verification.

  • OpenAI β€” the Garante imposed 15 million € against OpenAI at the end of 2024. Important: This fine was overturned again by a court in Rome in March 2026 β€” however, for purely procedural reasons (jurisdiction), not because of the substantive legality.

Real GDPR Fines Around AI
Clearview AI (per proceeding, 3x)20 Mio. €
Replika (Luka)5 Mio. €
GDPR Maximum Framework (Art. 83)20 Mio. €
ℹ️

The OpenAI case is a good example of reading headlines carefully: "fine overturned" does not mean "everything was legal" here, but only that the wrong authority had decided. The substantive data protection questions remain open.

The Recurring Patterns

As different as the cases are, the causes are similarly aligned. In almost every case, there was a lack of legal basis according to Art. 6 GDPR at the beginning. Added to this are recurring issues: processing special categories without permission (Art. 9), violations of transparency obligations (Art. 12–14), violated data subject rights, and lack of protection for minors. The fine framework is serious: Up to 20 million € or 4% of the total worldwide annual turnover β€” whichever is higher (Art. 83 GDPR).

What Users Can Learn From This

The crucial insight: Anyone who enters personal data into a public AI tool shifts exactly the risks that the providers failed on onto themselves. Five consequences:

  1. Legal Basis First β€” clarify the basis before any AI use involving personal data (consent, contract, legitimate interest).

  2. No Personal Data in Public Tools β€” this is the most common avoidable mistake; see ChatGPT & Data Protection.

  3. Order Processing Agreement (Art. 28) β€” with every provider that processes personal data.

  4. EU Hosting β€” reduces transfer and access risks; see Data Sovereignty.

  5. Think of GDPR and the AI Act together β€” both apply cumulatively, as our contribution to the AI Act shows.

βœ…

Those who use AI on a GDPR-compliant platform with EU hosting, an OPA, and clear governance do not need to fear these fine patterns β€” the sources of risk are structurally excluded there.

Conclusion

Real AI fines have so far hit providers with questionable data handling β€” not companies that use AI responsibly. The lesson is not to fear AI, but to have a clean foundation: legal basis, no personal data in open tools, EU hosting. The complete framework is provided by our Guide to GDPR-compliant AI for Companies.

Sources

GDPR-compliant AI from a real German data center

Kasimir runs on its own infrastructure in Germany β€” no detour via US providers, no CLOUD Act reach.