GDPR and Generative AI: What Every Company Using AI Tools Must Know

Generative AI tools like ChatGPT, Claude, Gemini, and Copilot have become embedded in daily workflows across departments. Marketing uses them to draft campaigns. HR uses them to screen resumes. Legal uses them to summarize contracts. Customer support uses them to generate responses. Every one of these use cases processes personal data, and every one triggers GDPR obligations that most organizations are not meeting.

This guide maps the specific GDPR articles that apply to generative AI usage, explains what each requires in the AI context, details the penalties for non-compliance, and provides a comprehensive compliance checklist.

What It Requires

Article 5: Principles Relating to Processing. All GDPR processing principles apply when personal data enters a generative AI system. Lawfulness requires a valid legal basis before any personal data is submitted to an AI tool. Purpose limitation means data collected for customer support cannot be repurposed for AI training without a separate legal basis. Data minimization requires that employees only enter the minimum personal data necessary for the AI task, not entire customer records when only a name is needed. Accuracy obligations extend to AI outputs containing personal data, meaning organizations must verify AI-generated information about individuals before acting on it. Storage limitation requires understanding how long AI vendors retain submitted data and ensuring retention periods align with GDPR requirements.

Article 6: Lawful Basis for Processing. Every submission of personal data to a generative AI tool requires a lawful basis. The most commonly relied-upon bases are legitimate interest (Article 6(1)(f)) for internal business uses and consent (Article 6(1)(a)) for customer-facing AI applications. Organizations must document the lawful basis for each AI processing activity in their Records of Processing Activities. Relying on legitimate interest requires completing a Legitimate Interest Assessment that weighs the organization's interest against the impact on data subjects, particularly given that many individuals are uncomfortable with their data being processed by AI.

Articles 13 and 14: Transparency and Information. Data subjects must be informed when their personal data is processed by AI. Privacy notices must disclose the categories of personal data processed by AI tools, the specific AI tools or services used, the purposes of AI processing, the legal basis relied upon, data retention periods for AI processing, and any cross-border data transfers to AI vendors. Many organizations' privacy notices predate their adoption of generative AI and do not mention AI processing at all. This is a compliance gap that DPAs are actively investigating.

Article 22: Automated Decision-Making. When generative AI is used to make decisions that produce legal effects or similarly significant effects on individuals, Article 22 restrictions apply. Data subjects have the right not to be subject to solely automated decision-making in these circumstances. This means organizations using AI to screen job applicants, assess creditworthiness, determine insurance premiums, or make other significant decisions must ensure meaningful human involvement in the decision process, not just rubber-stamping AI outputs. Organizations must also inform individuals about the existence of automated decision-making, provide meaningful information about the logic involved, and explain the significance and envisaged consequences.

Article 28: Data Processing Agreements. When an organization uses a third-party AI vendor, the vendor typically acts as a data processor under GDPR. Article 28 requires a Data Processing Agreement (DPA) with every processor. For generative AI vendors, the DPA must address what personal data the vendor processes, the duration and purpose of processing, the vendor's obligations regarding data security, sub-processor management (AI vendors often use cloud infrastructure providers as sub-processors), data deletion upon termination, and audit rights. Organizations using free-tier AI tools without DPAs are in violation of Article 28. This is one of the most common and easily avoidable GDPR failures in AI deployments.

Article 35: Data Protection Impact Assessments. A DPIA is required when processing is likely to result in a high risk to individuals' rights and freedoms. Generative AI processing triggers DPIA requirements in most cases because it often involves new technologies processing personal data at scale, automated evaluation of individuals, and processing of sensitive categories of data. DPIAs for generative AI must assess the specific risks introduced by the technology, including hallucination risks where AI generates false information about real individuals, data leakage through model memorization, and the potential for AI outputs to be used in ways that affect individuals' rights.

Key Dates

Penalties

GDPR penalties for AI-related violations fall under the same enforcement framework as any other GDPR breach, but DPAs have shown increasing willingness to pursue AI-specific enforcement actions.

Upper tier (Article 83(5)): Violations of core GDPR principles (Articles 5, 6, 7), data subject rights (Articles 12-22), or international transfer provisions carry penalties of up to 20 million euros or 4% of total annual worldwide turnover, whichever is higher. AI violations most likely to trigger upper-tier penalties include processing personal data through AI without a lawful basis, failing to honor data subject rights regarding automated decision-making, and failing to provide transparency about AI processing.

Lower tier (Article 83(4)): Violations of controller and processor obligations (Articles 25-39) carry penalties of up to 10 million euros or 2% of annual worldwide turnover. AI violations in this tier include failing to execute DPAs with AI vendors, failing to conduct DPIAs for high-risk AI processing, and inadequate security measures for AI systems processing personal data.

DPA enforcement actions beyond fines: DPAs can also order organizations to cease specific processing activities. The Italian DPA's temporary ban on ChatGPT demonstrated that DPAs will order AI tools blocked entirely if GDPR requirements are not met. This operational disruption often exceeds the impact of financial penalties.

Private right of action: Under Article 82, individuals have the right to compensation for material or non-material damage resulting from GDPR violations. AI-related privacy violations are increasingly the subject of individual and class-action claims, particularly when AI processes data in ways individuals did not expect or consent to.

How PolicyGuard Helps

GDPR compliance for generative AI requires visibility into which AI tools process personal data, documentation of lawful bases and processing activities, and ongoing monitoring for unauthorized AI usage. PolicyGuard delivers all three through automated AI discovery, compliance documentation generation, and continuous monitoring.

PolicyGuard's AI inventory identifies every generative AI tool in use across your organization, including shadow AI tools that employees adopted without going through procurement. For each tool, the platform maps data flows to determine what personal data is being processed and generates GDPR-specific documentation including Records of Processing Activities entries, DPA status tracking, and DPIA templates pre-populated with AI-specific risk factors. The monitoring layer detects when employees attempt to enter personal data into AI tools that lack DPAs or have not been approved for personal data processing, preventing violations before they occur. For organizations also navigating the EU AI Act, PolicyGuard provides integrated compliance management covering both GDPR and AI Act requirements. See our EU AI Act compliance guide for the additional AI-specific obligations, and our GDPR and AI tools guide for deeper guidance on vendor management. Our 2026 regulatory compliance overview places GDPR AI compliance in the broader regulatory context.

FAQ

Does using ChatGPT at work trigger GDPR?

Yes, if any employee enters personal data of EU/EEA residents into ChatGPT or any other generative AI tool. Personal data includes names, email addresses, phone numbers, IP addresses, and any information that can identify an individual directly or indirectly. Even summarizing a customer email in ChatGPT constitutes personal data processing under GDPR if the email contains any identifying information. The organization is the data controller for this processing regardless of whether the employee used the free or enterprise version of the tool.

Do we need a DPA with every AI vendor?

Yes, for every AI vendor that processes personal data on your behalf. Under Article 28, processing personal data without a DPA is itself a GDPR violation regardless of whether any data breach occurs. This includes enterprise AI platforms like OpenAI, Anthropic, and Google, as well as smaller AI tools integrated into workflows. Free-tier AI tools typically do not offer DPAs, which means they cannot be used to process personal data under GDPR. Enterprise versions of major AI platforms generally include DPA terms, but organizations must review these carefully to ensure they meet Article 28 requirements.

Can we rely on legitimate interest for AI processing?

Legitimate interest is a valid lawful basis for many internal AI processing activities, but it requires a documented Legitimate Interest Assessment for each use case. The assessment must weigh the organization's interest in using AI against the impact on data subjects, considering factors like whether individuals would reasonably expect their data to be processed by AI, the sensitivity of the data, and whether less intrusive alternatives exist. DPAs have indicated that legitimate interest claims for AI processing will be scrutinized closely, particularly for use cases involving sensitive data categories or large-scale profiling.

What happens if an employee accidentally enters personal data into an AI tool?

The organization is still responsible under GDPR because the employee is acting as an agent of the controller. If the AI tool lacks a DPA, this constitutes an unauthorized disclosure to a third party and may trigger breach notification obligations under Articles 33 and 34 if the disclosure poses a risk to individuals' rights and freedoms. Organizations should implement technical controls to prevent accidental personal data entry into unauthorized AI tools and have incident response procedures specifically covering AI data exposure scenarios.

How does the EU AI Act interact with GDPR for generative AI?

The EU AI Act and GDPR are complementary, not overlapping. GDPR governs the processing of personal data, while the AI Act governs the development and deployment of AI systems. An organization using generative AI must comply with both simultaneously. For example, a high-risk AI system under the AI Act must meet technical requirements for accuracy and robustness, while the same system must also satisfy GDPR requirements for lawful processing and data subject rights. The AI Act explicitly states that it does not affect GDPR obligations, meaning compliance with one does not satisfy the other. PolicyGuard manages both frameworks in a single platform to prevent gaps.