Almost every team already uses AI - just not always consciously and not always legally. HR pastes CVs into ChatGPT for a quick summary. Sales asks Copilot to rewrite an email to a customer. Accounting drops in an invoice scan to "pull the data into a table". Each of these operations is personal data processing under the GDPR - with specific obligations whose absence costs anywhere from a few thousand euros to millions.
In 2026, full enforcement of the EU AI Act comes on top of that. Below is a practical guide to what you can do, what you cannot, and what to configure in 30 minutes so the company can use AI without risking a regulator's fine.
What happens when you paste data into ChatGPT
Every word you type into an AI chat goes to the model provider (OpenAI, Microsoft, Anthropic, Google) - it is processed, stored for a defined period, and on the free tier may be used to train the next version of the model. From a GDPR perspective this means two things:
- You become a controller entrusting data to a processor - often in the US or another third country.
- Without a data processing agreement (Art. 28 GDPR) and without a proper legal basis - the processing is unlawful, even if the model itself answered correctly.
European regulators (Italy's Garante, France's CNIL, Poland's UODO) have already issued the first ChatGPT-related decisions - from processing restrictions to multi-million-euro fines. The risk is no longer hypothetical.
5 most common AI scenarios at work
1. Recruitment - CV summary via ChatGPT
What happens: a recruiter pastes a CV (name, national ID, employment history, photo) and asks for a short summary or a candidate score.
Risk: processing of a broad range of personal data without a legal basis, data leaves the EEA, and the candidate has no idea. If AI assists a recruitment decision (e.g. ranking), Art. 22 GDPR applies as well - decisions based solely on automated processing that have legal or similarly significant effects.
Fix: use the enterprise tier with a signed DPA and EU hosting, anonymise the CV before pasting (remove name, contact details, photo - keep experience and skills), reference AI in the privacy notice for candidates, and keep human decision-making for any ranking.
2. Marketing - generating content with a customer list
What happens: marketing pastes a customer list or mailing segment and asks AI for personalised copy.
Risk: the marketing consent does not cover "sharing data with the US for AI". This is an additional processing purpose that requires its own legal basis.
Fix: before pasting, replace personal data with pseudonyms ("customer A", "segment X") and merge personalisation only on your internal mailing platform. Generate templates, not ready messages with data.
3. Customer support - AI in chat and email
What happens: the support team uses Copilot or ChatGPT to draft replies, feeding the full conversation history into the tool.
Risk: customer data (emails, names, addresses, order numbers, occasionally sensitive data) ends up in a tool the customer has not accepted. Missing this in the privacy notice = breach of Art. 13 GDPR.
Fix: restrict to tools running inside your infrastructure (enterprise tier with EEA hosting, dedicated assistants tied to your knowledge base - like our enuchat.com), and update the privacy policy with how AI is used in customer support.
4. Code and production data
What happens: a developer pastes a code snippet containing real test data (user emails, API keys, database passwords). Or Copilot suggests code drawing on the context of the entire repository.
Risk: leakage of application user data and of company secrets. A second problem is shadow training - code from internal repositories ending up in a public model.
Fix: pre-prompt scrubbing tools that anonymise data before it goes to AI, Copilot Enterprise with training opt-out, and an explicit policy banning the pasting of keys and passwords. Separate dev and prod environments at the secrets level.
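The pseudonymisation from scenario 2 ("customer A" instead of a name) and the pre-prompt scrubbing from scenario 4 can be a small gate that sits between the employee and the AI tool. The Python below is an added illustration, not code from this article or from enuchat.com; the regex patterns, the placeholder format and the sample ticket text are assumptions, and the secret patterns are deliberately minimal.

```python
import re

# Data the policy says must never leave the company: block the whole prompt (constructed, minimal patterns).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential_assignment": re.compile(r"(?i)(api[_-]?key|secret|password|passwd|token)\s*[=:]\s*\S+"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Personal data that is pseudonymised rather than blocked.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d \-]{7,}\d")


def find_secrets(text):
    """Names of the secret patterns present in text (empty list means clean)."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]


class Scrubber:
    """Swaps personal data for stable placeholders; the mapping stays inside the company."""

    def __init__(self, known_names=()):
        self.known_names = list(known_names)  # e.g. customer names exported from the CRM
        self.forward = {}                     # original value -> placeholder
        self.reverse = {}                     # placeholder -> original value
        self.counters = {}

    def _placeholder(self, kind, value):
        if value not in self.forward:
            self.counters[kind] = self.counters.get(kind, 0) + 1
            ph = f"<{kind}_{self.counters[kind]}>"
            self.forward[value] = ph
            self.reverse[ph] = value
        return self.forward[value]

    def scrub(self, text):
        """Refuse prompts that contain secrets; pseudonymise names, e-mails and phone numbers."""
        hits = find_secrets(text)
        if hits:
            raise ValueError("prompt blocked, contains: " + ", ".join(hits))
        for name in self.known_names:
            text = text.replace(name, self._placeholder("customer", name))
        text = EMAIL_RE.sub(lambda m: self._placeholder("email", m.group(0)), text)
        text = PHONE_RE.sub(lambda m: self._placeholder("phone", m.group(0)), text)
        return text  # this is the only text that may go to the AI tool

    def restore(self, text):
        """Merge the real values back into the model's answer, locally."""
        for ph, value in self.reverse.items():
            text = text.replace(ph, value)
        return text
```

The same Scrubber instance is reused for the reply, so the model only ever sees placeholders and the mapping back to real customers never leaves your systems.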
5. Accounting - invoice and contract scans
What happens: "I'll drop the scan of the invoice / contract and let AI extract the data".
Risk: contracts contain the other party's data (tax ID, address, sometimes data of sole traders), invoices contain counterparty data. Every uploaded document is data entrusted to a US processor without an agreement.
Fix: OCR / AI tools with EU hosting and signed DPA (Azure AI Document Intelligence, local models), and for cloud-only tools - upfront anonymisation or the enterprise variant with guarantees.
Legal basis - what fits, what does not
AI data processing requires one of the six bases from Art. 6 GDPR. In practice, three make sense:
- Consent (Art. 6(1)(a)) - rigid, easy to withdraw, does not fit internal processes (recruitment, support).
- Contract (Art. 6(1)(b)) - fits when AI is necessary to perform a contract with the customer. Summarising CVs "for convenience" does not qualify.
- Legitimate interest (Art. 6(1)(f)) - the most common basis for internal AI. Requires a balancing test documented on paper: business interest vs. the data subject's rights.
No documented basis = breach of the accountability principle (Art. 5(2) GDPR). Regulators consistently fine not the processing itself, but the lack of documentation showing the processing was lawful.
When AI requires a DPIA
A DPIA (Data Protection Impact Assessment, Art. 35 GDPR) is mandatory when processing "is likely to result in a high risk" to individuals. For AI at work this applies in practice in three cases:
- profiling and automated decisions (recruitment ranking, customer scoring),
- processing of special-category data (health, biometrics),
- systematic monitoring (AI analysing staff communication, working time, productivity).
A DPIA is not bureaucracy - it is a few pages of: purpose, data, risks, technical measures, assessment. Done once, refreshed annually or on material process change.
Technical configuration - what to set in 30 minutes
If you use the official enterprise plans, you can reach a GDPR-compliant state in an hour:
- ChatGPT Team / Enterprise - training opt-out default, DPA signable from the panel, EU region available.
- Microsoft 365 Copilot - data stays in the customer tenant, DPA is part of the Microsoft Products and Services Agreement, processing region configurable.
- Anthropic Claude for Work - training opt-out default, DPA available, retention configurable.
- Google Workspace + Gemini - training opt-out available, standard DPA, EEA regions.
All four are an acceptable minimum. Free and consumer tiers - generally not.
EU AI Act 2026 - what changes
The AI Act complements GDPR with technical and organisational obligations - it classifies AI systems by risk, requires labelling of AI-generated content, transparency and human oversight. For a typical company this means:
- Inventory of AI systems in use (Copilot, ChatGPT, assistants built into SaaS).
- Risk classification - most internal use is "limited risk", but recruitment, customer scoring and employee monitoring are often "high risk" with extra obligations.
- Transparency to the user - labelling chatbots, deepfakes, AI-generated content.
- Human oversight of system decisions.
AI Act fines reach EUR 35 million or 7% of annual turnover - whichever is higher. If GDPR was considered "expensive", AI Act is stricter still.
AI policy at work - a one-page template
The fastest answer to most risks is a one-page document every employee knows. It should cover:
- List of allowed tools (with specific plans: "Microsoft 365 Copilot - yes; ChatGPT Free - no").
- Categories of data not allowed to be pasted (customer data, sensitive data, keys, passwords, financial data of others).
- Anonymisation requirement before pasting any examples.
- Incident reporting procedure (e.g. someone pasted personal data by mistake).
- Contact point (DPO or responsible person).
The policy only works if it is signed by employees and refreshed every six months.
Checklist for a 30-minute review
- Inventory of AI tools in use (who, what, which plan).
- All tools have a signed DPA or accepted Data Processing Addendum from the panel.
- Consumer tiers (free, personal) removed from business processes.
- Privacy notice and privacy policy list AI as a data processor.
- DPIA for recruitment, scoring and monitoring - completed and documented.
- Company AI policy - signed by employees.
- Dry-run - what happens if someone pastes personal data by mistake.
Summary
AI at work is not "a risk to avoid" - it is a risk to manage. The legal framework (GDPR + AI Act) does not ban ChatGPT or Copilot; it requires that the use is deliberate, documented, and with the right tool.
Most companies in 2026 start with an inventory - we check who uses what, on which plans, and with which data. That is the first hour of an audit, and the results are usually surprising.
If this is topical for you, book a free conversation - in 30 minutes we will tell you whether you need a full GDPR audit targeted at AI, or whether closing a few specific gaps is enough. Related reading: GDPR audit step by step and 7 common GDPR mistakes in e-commerce. We deliver the technical side (in-tenant AI assistants tied to the customer's knowledge base, like enuchat.com) together with the legal analysis - without the second one, even the best tool leaves the company in a grey area.
