AI, GDPR and the AI Act: what your business needs to know in Europe

If your business uses third-party AI, the AI Act barely applies to you, but the GDPR does. A hype-free guide for decision-makers: what you can do, what you can't, and what gets you fined.

AI, GDPR and the AI Act: what your business needs to know in Europe

If your business uses ChatGPT, an office copilot or a customer-support chatbot, but doesn’t build those tools, I have good news: the bulk of the AI Act, the European Union’s artificial intelligence law, isn’t aimed at you. What does apply to you, from day one and without exception, is the GDPR, the moment you put a person’s data into any of those tools. That’s the headline.

The rest of the article unpacks it, without scaring you to sell you lawyer hours and without telling you not to worry because AI is the future. The framework I use is simpler: this you can do, this you can’t, and this is what gets you fined.

One warning before we go on. This is not legal advice. It’s a mental map so you know what to ask and where to start. For a specific case, with your sector and your data on the table, talk to a professional. What’s here helps you reach that conversation knowing what it’s about and without paying to have the basics explained to you.

Does this apply to me? Building AI is not the same as using it

The AI Act treats whoever builds an AI system very differently from whoever only uses it. That distinction is what decides almost all of your legal burden, so it’s worth being clear on it before anything else.

A provider is whoever builds, trains or sells the AI system, or puts it on the market under their brand. OpenAI with ChatGPT, Microsoft with Copilot, Google with Gemini: those are providers. The weight of the law falls on them, because they’re the ones who decide how the machine works on the inside.

A deployer, or responsable del despliegue in the wording of the regulation, is whoever uses an AI system under their responsibility within a professional activity. In other words, your company when it puts its team to work with one of those tools. The law defines it expressly this way [1], with a single exception: purely personal, non-professional use doesn’t count.

Here’s the reassuring part. The vast majority of small and medium businesses are deployers, not providers. You don’t train models or sell AI systems: you hire other people’s and use them. And a deployer’s obligations are far lighter than those of whoever builds. A good chunk of the noise you’ve heard about the law is meant for providers and for large high-risk systems, not for the office that uses an assistant to draft emails.

That said, “deployer” doesn’t mean “no obligations”. It means yours depend on what you use the AI for. And that’s decided by risk levels.

Decision tree showing how to tell whether a company is a provider or a deployer of an AI system, and how that distinction determines whether the AI Act's burden of obligations is heavy or light
Do you build the system or only use it? That question decides almost all of your legal burden under the AI Act.

The four risk levels of the AI Act, in plain terms

The AI Act doesn’t regulate “AI” as a block: it looks at what each system is used for and puts it into one of four boxes according to the harm it could cause to people [2]. The box determines what you have to do.

Risk levelExample use in a companyWhat you have to do
UnacceptableSocially scoring people; certain uses of manipulation or emotion recognition at workProhibited. It can’t be used, no nuance
HighAI that screens CVs, supports a promotion or influences granting or denying creditAllowed, but with strong obligations of control and oversight
LimitedA chatbot that talks to your customers; AI-generated images or texts that you publishAllowed, with a transparency obligation: warn that it’s an AI or that the content is generated
MinimalDrafting an email, summarizing a document, translating, searching internal informationNo new obligations

The two extremes are the easy ones to understand. Unacceptable risk is a short list of prohibited uses, like social scoring in the style of a citizen ranking, and normally it wouldn’t even cross your mind to do them. Minimal risk is where almost all office use lives: asking a tool to draft a first version or summarize a set of minutes adds no new obligation.

The high level is the one to watch closely, because it’s easy to fall into without realizing. It’s not about the tool, but about the decision. Using an AI to rank candidates in a selection process, or to help decide who you give financing to, enters high-risk territory precisely because it affects a person’s life.

The limited level is the one for chatbots and generated content. The rule here is common sense: a person has the right to know they’re talking to a machine and not a human, and to know when an image or a text was produced by an AI. If you have a customer-support chatbot, this applies to you.

A warning about dates. The AI Act entered into force on 1 August 2024 and its obligations apply in phases. The prohibitions and the training duty are enforceable from February 2025; the rules for general-purpose AI models, from August 2025. The deadlines for high-risk obligations are later and have been the subject of postponement proposals within the EU itself [2], so don’t fix a date in your head as definitive: check the official source for the current schedule. If you want the operational detail of levels and deadlines, I develop it in the AI Act summary for businesses.

Ladder of the AI Act's four risk levels from lowest to highest severity (minimal, limited, high, unacceptable), with the business obligation associated with each level
Four boxes, four different obligations: this is how the AI Act classifies any use of AI in your company.

If I only use other people’s AI, what do I have to do?

As a deployer, your obligations fit in a short list and none of them forces you to have a legal department. These are the ones that matter in practice.

  • Don’t use it for what’s prohibited. The unacceptable level applies to you always, whoever’s tool you use.
  • Human oversight when there’s a high-risk decision. If an AI takes part in deciding about a person, a person with competence and authority must review and be able to correct that decision. The regulation asks that whoever oversees knows what they’re doing [1]. No signing off blindly on whatever the machine says.
  • Transparency when it’s due. If you operate a chatbot or publish generated content, you give notice. That’s it.
  • AI literacy. This is the one almost everyone skips. The AI Act requires your team to have a basic level of understanding of the tools it uses, and this obligation is enforceable from 2 February 2025 for any company that uses AI, whatever the risk level [3].

That last one doesn’t call for a master’s degree. It asks that the person who uses the tool understands what it does, where it goes wrong and what shouldn’t be put into it. A team that knows a model can make up data with total confidence, and that doesn’t paste the customer base into a free chat, already meets the spirit of the rule better than many large companies.

Notice what doesn’t appear in this list: registering the system, running conformity audits, technical markings. That’s provider burden, not yours. That’s why I insist on the distinction from the start. Getting your role wrong is the fastest way to scare yourself more than you should.

The one that almost always applies to you: the GDPR and your customers’ data

Here’s the real risk for a small business, and it doesn’t come from the AI Act but from the GDPR, the European data-protection law that has been in force since 2018 [4]. In practice, what gets fined most isn’t using AI: it’s mishandling people’s data while using it.

Personal data is any information about an identified person or one who can be identified. A name, an email, a phone number, a CV, a photo, a customer’s conversation with support. The moment you copy that into an AI tool, you’re carrying out data processing, with all the legal consequences that drags along.

The typical problem is easy to see coming. Someone on the team, with good intentions, pastes the customer database or a CV into a free public chat so it can help analyze it. With that gesture they’ve just sent personal data to an external provider, probably to servers outside the European Union, without a clear legal basis and without a contract governing what they do with it. I break down the specific case in uploading customer data to ChatGPT, because it’s the most common mistake and the most expensive.

The difference between doing it right or wrong usually comes down to one word: contract. The consumer versions of these tools are designed for personal use and don’t give you guarantees about your data. The enterprise versions are contracted with an agreement in which the provider acts as a processor, that is, processes the data on your behalf, following your instructions and with security and confidentiality obligations. If you’re going to put in customer or employee data, that’s the way. All the detail of how the GDPR fits with AI is in GDPR and artificial intelligence.

The authority that oversees this in Spain is the AEPD, the Spanish Data Protection Agency, and it publishes guidance on AI and data written so that someone from the business side can understand it [5]. If you’re only going to read one official source, make it that one.

What document do I need to be able to show if I’m asked?

Nothing you can’t put together yourself in an afternoon. It’s not a legal dossier or a master’s degree: it’s an organized folder that answers four questions, and it serves whether an inspector asks you for it or a large customer demands it before signing with you.

  • Which AI tools the company uses and what for. A simple inventory. Name of the tool, who uses it, for what task.
  • Where personal data is involved and on what basis. Mark in that inventory which tools touch people’s data and why you’re entitled to process it.
  • Which decisions about people an AI supports and who oversees them. If something affects a customer, a candidate or an employee, note down who the human responsible for reviewing that decision is.
  • The enterprise contracts and terms of the tools. Keep the agreements for the paid versions, especially the ones that govern data processing.

Having this in writing changes the conversation. You go from “we don’t really know what we use” to being able to show in five minutes that you have control over your tools. That folder is, by far, the best investment of time you can make this week.

This you can, this you can’t, this gets fined

All of the above boils down to three boxes. It’s the map I wanted to give you.

This you can do without fear:

  • Use AI to draft, summarize, translate or generate ideas with information that doesn’t identify any person.
  • Use enterprise versions with a contract to work with customer or employee data.
  • Automate internal office tasks, which are almost always minimal risk.

This you shouldn’t do:

  • Use it for any of the prohibited uses of the unacceptable level.
  • Let an AI decide on its own about a person, in hiring or in credit, without a competent human overseeing.
  • Paste personal data into free consumer tools without a contract governing what happens to it.

This is what really gets fined:

In the day-to-day of a small business, what ends up in a penalty is almost always the GDPR: a leak or an improper handling of personal data. The AI Act also provides for penalties, with tiers that depend on the seriousness of the infringement, and the highest ones are reserved for the prohibited uses. I won’t give you figures because the exact amounts depend on factors I can’t promise you here without misleading you. Keep the order of magnitude: skipping a prohibition is the most expensive thing, and mishandling people’s data is the most likely.

Telling apart what AI really can do from what you’ll be sold that it can, and using it with judgment instead of by fashion, is exactly what we work on in the course AI without hype. It’s not about learning to program: it’s about making better decisions on where to put this technology in your business and where not to.

One new concept every week

Sources

  1. Regulation (EU) 2024/1689 (AI Act), EUR-Lex: definitions of provider and of deployer, and the deployer’s human-oversight obligations for high-risk systems (Article 26).
  2. Regulatory framework on AI, European Commission: classification into four risk levels and the AI Act’s phased application schedule.
  3. Article 4: AI literacy, AI Act: AI literacy obligation for providers and deployers, enforceable since 2 February 2025.
  4. Regulation (EU) 2016/679 (GDPR), EUR-Lex: concept of personal data, processing, processor and international transfers.
  5. Spanish Data Protection Agency (AEPD): Spain’s data-protection authority and its guidance on artificial intelligence.

Frequently asked questions

Is my company bound by the AI Act if we only use ChatGPT and similar tools?

For the most part, no. If you only use third-party AI tools in your activity, you’re a deployer, not a provider, and the weight of the regulation falls on whoever builds the system. What does apply to you right away is giving your team basic training in using those tools, and the transparency rules if you operate a chatbot or publish generated content.

Can I put my customers’ data into an AI tool to help me?

It depends on which version you use. In a free consumer version, designed for personal use, putting in customer data is a processing of personal data without the guarantees the GDPR requires, and that’s where the problems come. In a contracted enterprise version, where the provider signs on as a processor and commits on security and confidentiality, things change. The key word is contract.

What happens if I use AI to help decide who I hire or who I give credit to?

You enter high-risk territory, because that decision directly affects a person’s life. It’s not prohibited, but real human oversight is required of you: someone with competence and authority has to review and be able to correct the decision, not just sign off on what the machine suggests. And since there’s personal data involved, the GDPR also comes into play.

Do I have to warn my customers that they’re talking to an AI?

Yes. A customer-support chatbot falls under the limited risk level, whose main obligation is transparency. A person has the right to know they’re interacting with a machine and not a human, and also to know when a piece of content was generated by an AI. You don’t need a huge legal notice: it’s enough that it’s clear.

What fines does the AI Act provide for?

It provides for penalties in tiers according to the seriousness of the infringement, and the highest amounts are reserved for skipping the prohibited uses of the unacceptable level. I won’t give you a specific figure because the real amount depends on circumstances only a professional can assess in your case. The useful thing you can hold on to is the hierarchy: what’s prohibited is the most expensive, and in everyday practice what ends up fined most is the poor handling of personal data under the GDPR.

Where do I start tomorrow without spending a fortune?

With the folder. Make an inventory of which AI tools your team uses and what for, mark which ones touch people’s data and check whether those use a contracted version or a free consumer one. With just that you already cut most of the real risk, which is almost never the AI Act and almost always a customer’s data in the wrong place. Training the team in those two or three basic precautions is the second step, and it doesn’t cost money either.