GDPR and artificial intelligence: what you can and can't do with data
GDPR doesn't ban you from using AI. It governs what you do with people's data. A hype-free guide for decision-makers: when you can put data into an AI and when you can't.
GDPR doesn’t ban you from using artificial intelligence. That’s the first idea I want to get out of your head, because almost all the fear surrounding this topic comes from confusing the two things. What the regulation governs is what you do with people’s data, and it just so happens that putting information into someone else’s AI tool is, in the eyes of the law, doing something with that data.
So the line that separates what you can do from what gets you into trouble isn’t drawn by the tool. It’s drawn by four decisions of yours: what data you put in, with what reason, with what contract behind it, and where that data ends up traveling. This article is the map of those four decisions, in business language and without selling you lawyer hours.
One warning before we go on, and I mean it. This is not legal advice. It’s a mental map so you know what to ask and where to start. For your specific case, with your sector and your data on the table, talk to a professional. What’s here helps you reach that conversation knowing what it’s about.
Does GDPR ban me from using AI?
No. GDPR, the European data-protection law that has applied since 2018 [1], doesn’t even mention artificial intelligence as something to ban. What it governs is something much older: the processing of personal data. And “processing” is almost anything you do with that data, including copying and pasting it into a chat.
Personal data is any information about an identified person or one who can be identified [1]. A name, an email, a phone number, a photo, a CV, a customer’s conversation with your support desk. All of that, the moment you enter it into an AI tool, stops being “a text I hand to a machine” and becomes a processing of data with all the legal obligations that drags along.
That’s why the right question isn’t “can I use AI?”. It’s “am I putting people’s data into it?”. And that’s where it gets interesting.
The first decision: is there a person behind that data?
If what you put into the tool doesn’t identify anyone, GDPR eases off a lot. Asking an AI to draft a generic email, summarize a market report or translate a text without proper names doesn’t touch personal data, and there you have a free hand.
The problem is that people think anonymizing is easier than it is. The classic mistake sounds like this: “no worries, I removed the name”. Removing the name doesn’t turn personal data into anonymous data if the person is still recognizable from the rest. A purchase history with the date, the postal code and the amount can point to a single person even when the name appears nowhere. The law looks at whether someone could re-identify that person by reasonable means, not at whether you deleted the name field.
Anonymizing for real is hard and often destroys exactly the value you wanted to analyze. So, in practice, if you’re unsure whether a piece of data is personal, treat it as if it were. It’s the cheap, safe stance.
Let’s assume yes, that there’s people’s data involved. Then comes the second decision.
What reason do you have to process that data?
GDPR requires every processing of personal data to have a legal basis, a valid reason from the ones the law recognizes. Article 6 of the regulation lists six of them [1], and you don’t need to know them by heart. You need to know that having one, identifying it and being able to explain it is mandatory before you start, not something you justify afterwards if someone asks.
These are the ones a normal business actually uses:
| Legal basis | What it means in your business | Example with AI |
|---|---|---|
| Consent | The person has clearly and freely said yes | Analyzing survey responses where you warned you’d use AI |
| Performance of a contract | You process the data to deliver what you promised that person | Using AI to manage the order of a customer who bought from you |
| Legitimate interest | You have a reasonable business reason and it doesn’t override the person’s rights | Classifying support emails to reply faster, after weighing the impact |
| Legal obligation | A law requires you to process that data | Keeping invoicing that the tax authority requires you to store |
The table isn’t for you to pick at random. It’s so you see that “because it’s convenient for me” isn’t on the list. If you can’t say under which of these reasons you’re putting a customer’s data into an AI, that’s exactly the gap you need to close. The Spanish Data Protection Agency publishes guidance on AI and data written so that someone from the business side can understand it [2]. If you’re only going to read one official source, make it that one.
Having a legal basis, mind you, doesn’t give you free rein to dump everything in.
Minimization: put in only what you need
Here’s the principle people break most without noticing. GDPR requires you to process only data that is adequate, relevant and limited to what is necessary for your purpose [1]. In plain terms: you put into the tool just what the task needs, not the whole file for convenience.
The gesture that breaks this is so everyday it’s almost invisible. You want an AI to help you draft the reply to a complaint, and instead of pasting the text of that complaint, you paste the full export of your CRM “so it has context”. You’ve just sent the data of hundreds of customers who had nothing to do with that task. If something goes wrong with that provider, your exposure isn’t one person: it’s all of them.
Minimizing is boring and a bit of a drag. It’s also what turns a huge incident into a small one. Before pasting anything, strip out what the specific task doesn’t need.
And now the decision that changes the outcome most of all: who you’re dealing with.
The contract that changes everything: the processor
When you use a third-party AI with your customers’ data, that provider is processing data on your behalf. The figure the law places there is called a processor: someone who processes data following your instructions, with security and confidentiality obligations, and bound to you by a contract [1]. Article 28 of the GDPR requires that relationship to be in writing.
This is what separates, in practice, using a tool well from using it badly, and it almost always comes down to which version you contracted:
| Consumer version (free or personal) | Enterprise version (with contract) | |
|---|---|---|
| What it’s designed for | Personal use | Professional use with third-party data |
| Processor contract | No, usually | Yes, the provider signs on as a processor |
| What they do with your data | They may use it to improve the model | They commit to processing it only on your behalf |
| Fit for customer data? | No | Yes, if the contract covers what you need |
The key word of this whole article, if I had to keep one, is contract. Consumer versions are designed for a private individual to use with their own things, and their terms often allow the provider to make use of what you write to train its models. Enterprise versions exist precisely to close that door. The case of pasting data into a free chat I break down in uploading customer data to ChatGPT, because it’s the most common mistake and the most expensive. And exactly what happens to the data that goes out to a third party you’ll find in sending data to third-party AI models.
Signing the paid version isn’t a blank check either. Complying is still your job. But without that contract, you start out already at fault.
Where does your data travel?
The fourth decision is missing, and it’s the one most people ignore because it’s invisible. Many of these providers process the data on servers outside the European Union. GDPR doesn’t prohibit your data from leaving Europe, but it puts conditions on those international transfers [1], because it wants the data to receive protection abroad equivalent to what it has here.
A provider having servers in the United States doesn’t automatically make it illegal. What you have to be able to answer is whether that transfer is covered by one of the mechanisms the law accepts. Serious enterprise versions tend to document this and offer options, sometimes including processing within the EU. It’s a question you ask before signing, not after a scare.
With those four decisions made, the real risk drops a lot. The hard part isn’t understanding them, it’s remembering to apply them in a hurry on any given Tuesday.
Four questions before pasting any data into an AI
You don’t need a legal department for this. You need to stop for four seconds before hitting Enter and answer this:
- Is there data about an identifiable person here? If in doubt, the answer is yes, and you carry on.
- Under what reason am I processing it? If you can’t name the legal basis, stop and find it first.
- Am I putting in only what’s necessary? Strip out anything this specific task doesn’t need.
- Does this tool have an enterprise contract behind it? If it’s the free consumer version, don’t put in customer data.
That small habit, spread across your team, covers most of the real risk. Telling apart what AI really can do for your business from what you’ll be sold that it can, and using it with judgment instead of by fashion, is exactly what we work on in the course AI without hype. It’s not about learning to program. It’s about making better decisions on where to put this technology and where not to.
If you want the full map, with the AI Act on top of GDPR, you’ll find it in the guide to AI, GDPR and the AI Act for businesses, which is the starting point for this whole topic.
One new concept every week
Sources
- Regulation (EU) 2016/679 (GDPR), EUR-Lex: concept of personal data and processing (art. 4), lawfulness and legal bases (art. 6), minimization principle (art. 5.1.c), the processor (art. 28) and international transfers (chapter V).
- Spanish Data Protection Agency (AEPD): Spain’s data-protection authority and its guidance on artificial intelligence and GDPR for controllers and processors.
Frequently asked questions
Can I use ChatGPT with my customers’ data?
It depends on the version. In the free consumer version, designed for personal use, putting in customer data is a processing of personal data without the guarantees GDPR requires, and that’s where the problems come. In a contracted enterprise version, where the provider signs on as a processor, the answer can be yes, provided the contract covers your case.
If I anonymize the data, am I off the hook with GDPR?
Only if the anonymization is real, and that’s harder than it seems. Removing the name isn’t enough if the person is still identifiable from the rest of the information. The law looks at whether someone could re-identify them by reasonable means. When in doubt, treat the data as personal.
Does the paid version comply with GDPR for me?
Not entirely. The processor contract is an essential requirement, but keeping up with the legal basis, minimization and the rest is still your responsibility. The enterprise version puts you at the right starting line, it doesn’t carry you to the finish.
What legal basis do I need to put data into an AI?
One of those in article 6 of the GDPR that fits what you do: usually the person’s consent, the performance of a contract with them, or your well-assessed legitimate interest. What matters isn’t which one you pick at random, but that you have it identified and can explain it before you start the processing.
Does the provider train its model with my data?
In many consumer versions, it can, because their terms allow it. In serious enterprise versions it’s usually excluded by contract. It’s one of the first things you should read in the terms before putting in any customer’s data.
Where do I start tomorrow without spending a fortune?
With a simple inventory: which AI tools your team uses, what for, and which ones touch people’s data. With just that you already see where your real risk is, which is almost never theoretical and almost always a customer’s data in a free tool. Switching those to a contracted version and briefing the team on the four questions is the second step, and it doesn’t cost money either.