KI-Recht & Compliance
GDPR Fines and AI: What Companies Can Learn from Real Cases
Million-euro fines against AI providers are making headlines β but what do they mean for companies that only use AI? A sober analysis of real cases and the patterns behind them.

Headlines about million-euro fines against AI providers cause uncertainty β rightly so as a warning signal, but often misinterpreted. Because most companies are not providers, but users of AI. A look at the real cases shows what really matters.
The Real Cases
Three groups of cases are most prominent:
Clearview AI β several European authorities each imposed 20 million β¬: Italy (2022), France (17.10.2022), and Greece (13.07.2022). The allegation: mass collection of facial images and conversion into biometric data without a legal basis β a clear violation of Art. 9 GDPR (special categories).
Replika / Luka Inc. β the Italian Garante imposed 5 million β¬ against the provider of the AI chatbot in April 2025 β due to a lack of legal basis, lack of transparency, and missing age verification.
OpenAI β the Garante imposed 15 million β¬ against OpenAI at the end of 2024. Important: This fine was overturned again by a court in Rome in March 2026 β however, for purely procedural reasons (jurisdiction), not because of the substantive legality.
The OpenAI case is a good example of reading headlines carefully: "fine overturned" does not mean "everything was legal" here, but only that the wrong authority had decided. The substantive data protection questions remain open.
The Recurring Patterns
As different as the cases are, the causes are similarly aligned. In almost every case, there was a lack of legal basis according to Art. 6 GDPR at the beginning. Added to this are recurring issues: processing special categories without permission (Art. 9), violations of transparency obligations (Art. 12β14), violated data subject rights, and lack of protection for minors. The fine framework is serious: Up to 20 million β¬ or 4% of the total worldwide annual turnover β whichever is higher (Art. 83 GDPR).
What Users Can Learn From This
The crucial insight: Anyone who enters personal data into a public AI tool shifts exactly the risks that the providers failed on onto themselves. Five consequences:
Legal Basis First β clarify the basis before any AI use involving personal data (consent, contract, legitimate interest).
No Personal Data in Public Tools β this is the most common avoidable mistake; see ChatGPT & Data Protection.
Order Processing Agreement (Art. 28) β with every provider that processes personal data.
EU Hosting β reduces transfer and access risks; see Data Sovereignty.
Think of GDPR and the AI Act together β both apply cumulatively, as our contribution to the AI Act shows.
Those who use AI on a GDPR-compliant platform with EU hosting, an OPA, and clear governance do not need to fear these fine patterns β the sources of risk are structurally excluded there.
Conclusion
Real AI fines have so far hit providers with questionable data handling β not companies that use AI responsibly. The lesson is not to fear AI, but to have a clean foundation: legal basis, no personal data in open tools, EU hosting. The complete framework is provided by our Guide to GDPR-compliant AI for Companies.
Sources
GDPR-compliant AI from a real German data center
Kasimir runs on its own infrastructure in Germany β no detour via US providers, no CLOUD Act reach.


