ChatGPT & Data Protection: A Guide for Businesses in the EU

ChatGPT is based on a General Purpose AI (GPAI) system trained on billions of publicly available texts. A critical point from a data protection perspective is that user inputs can, under certain conditions, be used to further develop the models. This is precisely where the data protection issue lies: it's often difficult to clearly define how data is stored, processed, or used for model training. This requires companies to have a deep understanding of AI system data processing.

Integrating ChatGPT into business processes brings specific data protection risks. Here are the main problems that companies must address:

Data Flows & Data Processing: The Pitfall of Third-Country Transfers

Many companies use ChatGPT via cloud platforms like Azure OpenAI. But even with EU hosting, there is often uncertainty regarding data transfers, complex subcontractor structures, and their impact on third-country transfers (e.g., to the USA). Without clear contractual arrangements, particularly Data Processing Agreements (DPAs) and a Transfer Impact Assessment (TIA), there's a risk of violating GDPR principles and incurring heavy fines.

Transparency & Information Obligations: Difficult to Implement with AI Models

Articles 13 and 14 of the GDPR require data controllers to comprehensively disclose the purpose, nature, and scope of data processing to data subjects. With LLMs, this information is often difficult to access due to the complexity and dynamic nature of data processing. This makes it nearly impossible to provide GDPR-compliant information to users and employees about AI data usage without implementing appropriate technical and organizational measures.

Careless use of ChatGPT can lead to significant data protection violations in various business areas. Here are typical scenarios and the associated data protection risks from AI:

• Marketing: When creating text or content suggestions, there is a risk that prompts may contain confidential CRM data like customer information or strategic plans.
• Human Resources (HR): In areas like applicant communication or training materials, the processing of special categories of personal data (e.g., health data or ethnic origin of applicants) poses a significant risk.
• Legal & Compliance: When using AI for research or contract review, there is a risk that the AI output, despite a lack of traceability, could be used as a basis for legal decisions or that confidential legal documents could be entered into the system.
• Customer Service: In tasks such as answering frequently asked questions or processing support chats, there is a risk of unintentionally disclosing personal customer data, including names, addresses, and order history.
• Research & Development: When generating code or analyzing data, companies face the risk of entering trade secrets or protected data that could then be used for model training.

On August 2, 2025, additional requirements of the EU AI Act will come into force, specifically targeting models like ChatGPT, such as those developed by GPAI. This creates indirect but highly relevant obligations for companies using these tools to ensure compliant AI use:

• Documentation and Transparency Obligations: Users must be able to trace how and why AI is used in internal processes. This also includes logging AI usage.
• Security Measures and Misuse Protection: Companies are required to implement protection against manipulation and to log critical inputs to minimize AI security risks.
• Governance Processes for Internal AI Use: The introduction of usage policies, targeted employee training, and risk assessments for AI use is essential to ensure AI compliance.

The voluntary, but de facto mandatory, “Code of Practice” for LLMs is becoming particularly important. Providers like Microsoft and OpenAI are increasingly aligning their products with it, which has a direct impact on the compliance of the companies that use them.

To integrate LLMs like ChatGPT into your company in a data-protection-compliant and secure manner, proactive measures are crucial. Here are our best practices for AI compliance:

• Define the Context of Use: Clearly define which departments can use ChatGPT and for what purposes. A clear AI usage policy is essential.
• Risk-Based Classification: Conduct a detailed risk assessment for AI applications. What data may be processed? Which tools access personal data and which do not?
• Technical & Organizational Measures (TOMs): Implement technical safeguards such as logging AI inputs, input filters to anonymize data, and strict access controls.
• Contractual Safeguards: Conclude Data Processing Agreements (DPAs) with providers and, in the case of third-country transfers, conduct a Transfer Impact Assessment (TIA) to ensure the legal and secure international transmission of data.
• Employee Training for AI Literacy: Training is essential for all employees who work with AI systems. Raise awareness of data protection risks associated with AI use.
• Governance and Control Mechanisms: Establish clear guidelines for AI use, define audit procedures, and assign responsibilities for AI compliance.

heyData does not offer traditional legal advice on the AI Act. Our services in the AI context are designed to empower companies and offer smart solutions:

• Risk assessment of AI use in your company.
• Training on AI literacy and the data protection-compliant use of AI systems.
• Providing GDPR-compliant templates and policies for AI use.

ChatGPT and similar AI systems are here to stay. However, to operate safely in the long term, you need clear internal processes, technical safeguards, and a fundamental understanding of the regulatory framework. The EU AI Act and GDPR are not obstacles but rather guardrails for responsible and innovative AI use.

With heyData, companies get exactly the tools, training, and structures they need to drive innovation securely and in compliance with both the GDPR and the AI Act.

Is it possible to use ChatGPT in a GDPR-compliant way? 
Yes, it is possible, but it requires a proactive approach from companies. Businesses must implement specific safeguards and policies, such as using enterprise versions of ChatGPT (like ChatGPT Enterprise or Team), avoiding the input of sensitive or personal data, and establishing clear internal usage guidelines. These measures are crucial to ensure compliance with principles like data minimization and transparency.

What are the biggest data protection risks for my company when using ChatGPT? 
The main risks include the accidental disclosure of personal or confidential data in prompts, which could be used for model training or retained in logs. Another major concern is the handling of third-country data transfers, especially to the USA, which necessitates a proper contractual basis like a Data Processing Agreement (DPA) and a Transfer Impact Assessment (TIA).

How do the EU AI Act and GDPR interact with each other? 
The EU AI Act and GDPR are complementary but distinct. The GDPR focuses on the protection of personal data in general, regardless of the technology used. The AI Act, on the other hand, introduces new safety, transparency, and governance requirements specifically for AI systems, including GPAI models like ChatGPT. The AI Act adds a new layer of compliance on top of the existing GDPR obligations, and for many AI applications, both regulations will apply simultaneously.

What new obligations will companies have under the EU AI Act starting in August 2025? 
Starting August 2, 2025, companies using GPAI systems like ChatGPT will have new indirect but highly relevant obligations. These include documenting how and why AI is used, implementing security measures to prevent misuse, and establishing clear governance processes. Businesses will need to ensure they can track and justify their AI usage to comply with the new transparency and safety standards.

What practical steps can my company take right now to prepare for these regulations? 
To prepare, a company should first define a clear AI usage policy that specifies what data is allowed and what is prohibited in prompts. It is essential to conduct a risk assessment for each AI application, secure the necessary contractual agreements with providers (e.g., DPAs), and provide mandatory training for all employees on AI literacy and the associated data protection risks.