CIVAC · Data Protection & Privacy · 31 May 2026 · 12 min read

Using ChatGPT in Compliance with the GDPR: A Guide for Operations

By Lena Vogt

ChatGPT in operations is feasible if the contractual situation, the roles and the logs are right. This guide shows which GDPR obligations apply, when a DPIA falls due, and what a robust AI policy looks like. With concrete steps, templates and a role that holds it all together.

Since the EU AI Act entered into force on 1 August 2024, and since the AI-literacy obligation under Art. 4 AI Act has applied from 2 February 2025, the use of ChatGPT in operations can no longer be treated as a pure productivity topic. Personal data that flows into a prompt remains subject to the GDPR. Anyone who does not clarify the contractual situation risks fines under Art. 83 GDPR and management liability under § 130 OWiG.

This guide describes how you introduce ChatGPT in a legally compliant way: from the processing agreement with OpenAI, through the record of processing under Art. 30 GDPR, to the data protection impact assessment under Art. 35 GDPR and the AI policy for the workforce. You receive a checklist that will withstand the next supervisory inspection, as well as a model with which even smaller companies without their own data protection team can work robustly.

Key Takeaways

  • ChatGPT Enterprise or Team with a concluded processing agreement under Art. 28 GDPR are the only variants that are defensible in operations without additional effort.
  • A data protection impact assessment under Art. 35 GDPR is regularly required, because the supervisory authorities' must-list names the use of AI to evaluate or profile natural persons as high-risk processing.
  • A written AI policy with clear input prohibitions, logging and a training obligation is the duty of management, not a recommendation.

Legal Framework: GDPR, AI Act and National Obligations

The use of ChatGPT in operations is shaped by three sets of rules. First, the GDPR, which applies as soon as personal data is processed, and that includes customer enquiries, CVs and internal email drafts. Second, the EU AI Act, in force since August 2024, which regulates general-purpose AI models as a separate category. Third, national data protection law, in particular § 26 BDSG for employee data, and labour-law co-determination under § 87(1) no. 6 BetrVG.

In practice this means: before the tool is approved, a legal basis under Art. 6 GDPR must be named. For special categories under Art. 9 GDPR, for example health data or trade-union membership, stricter requirements apply on top. The Data Protection Conference clarified in its guidance of May 2024 that responsibility remains with the deploying company, not with the model provider. Anyone working with an external data protection officer should involve them before the tool selection, not only after the introduction, and keep the appointment certificate signed, filed and verifiable.

Which ChatGPT Variant Is Even Fit for Operations

OpenAI currently offers four main variants: ChatGPT Free, Plus, Team and Enterprise. Free and Plus are unsuitable for business use with personal data, because inputs can be used for model training by default and no processing agreement within the meaning of Art. 28 GDPR is concluded. Team and Enterprise allow a processing agreement to be concluded, exclude training on customer content by default, and offer extended security controls such as SAML SSO and administrative audit logs; the exact scope differs by plan, so check the current feature list before relying on a control.

Data residency matters. ChatGPT Enterprise has offered European data residency since early 2025; with Team accounts, processing still takes place in the USA. That is covered by the adequacy decision under the EU-US Data Privacy Framework, but carries the risk that this decision is invalidated as its two predecessors were (a "Schrems III" scenario), at which point the transfer needs another basis under Art. 44 et seq. GDPR. Anyone with high requirements, for example health data or client confidentiality, examines Microsoft Azure OpenAI Service in an EU region or a German hosting alternative. CIVAC documents the choice in an architecture decision with a risk assessment and files it in the workspace, so that when the auditor calls, the evidence is ready.

Processing on Behalf with OpenAI: What Must Be in the Processing Agreement

OpenAI provides a standard processing agreement as a Data Processing Addendum (DPA), which is concluded via the self-service portal. The document incorporates the EU standard contractual clauses (Module Two, controller to processor) and contains annexes on the processing, on sub-processors and on technical and organisational measures. Check the following points specifically: categories of data subjects, processing purposes, retention periods (the DPA's default abuse-monitoring retention is 30 days), the list of sub-processors and the procedure for changing them, and the third-country transfer clauses under Art. 44 et seq. GDPR.

The notification obligation in the event of a personal-data breach is frequently overlooked: under Art. 33(2) GDPR, the processor must inform the controller without undue delay, so that the controller can meet the 72-hour deadline towards the supervisory authority. The clock starts when the controller becomes aware. CIVAC maps this path as a 24/72 notification path in the workspace, with escalation levels, templates for the notification under Art. 33 GDPR, and audit templates that show who decided what and when. Anyone who only signs the processing agreement and does not link it in the record of processing creates a gap that stands out immediately in an inspection.

Data Protection Impact Assessment: When It Is Mandatory

Under Art. 35(3) GDPR, a data protection impact assessment is mandatory when the processing is likely to result in a high risk to the rights and freedoms of natural persons. In its must-list of October 2018, supplemented in 2024, the Data Protection Conference expressly lists the use of AI for evaluation, profiling or behavioural analysis. ChatGPT therefore falls under the DPIA obligation in many use cases, for example when CVs are pre-filtered, sick notes are evaluated, or customer conversations are summarised.

Under Art. 35(7) GDPR, the DPIA comprises at least four building blocks: a systematic description of the processing, an assessment of necessity and proportionality, an assessment of the risks to data subjects, and the measures envisaged to address those risks. In addition, the advice of the data protection officer must be sought (Art. 35(2) GDPR) and, where appropriate, the views of data subjects or their representatives, in practice the works council (Art. 35(9) GDPR). A cleanly documented DPIA for ChatGPT in the mid-market takes between 12 and 30 working hours, depending on the scope of application. CIVAC provides a DPIA template in the workspace that specifies the must-have fields, marks residual risks and links automatically into the record of processing under Art. 30 GDPR. The result is a document that is audit-proof and consistent with Art. 35 GDPR.

AI Policy and Co-Determination: What Must Be Governed in Writing

Without a written AI policy, the operation of ChatGPT is exposed in terms of liability. Under § 130 OWiG, management bears the duty of proper supervision, which for data processing concretely means: set up rules, train, monitor. A robust policy has six core components: permissible and impermissible use cases; input prohibitions (no client data, no patient data, no internal strategy papers without masking); an obligation to review generated content; an obligation to cite sources; proof of training under Art. 4 AI Act; and reporting channels for incidents.

If a works council exists, the co-determination under § 87(1) no. 6 BetrVG must be observed: AI tools count as a technical device suitable for monitoring the behaviour or performance of employees. A works agreement with clear purpose limitations is therefore the practicable route. CIVAC delivers an AI policy as a template in the workspace, aligned with the Data Protection Conference notes and the EU AI Act, and supports the coordination with the works council. Others run compliance like a filing cabinet. We run it like software.

Training Obligation under Art. 4 EU AI Act: What You Must Evidence

Since 2 February 2025, Art. 4 EU AI Act has obliged providers and deployers of AI systems to ensure that their staff have a sufficient level of AI literacy. The norm applies regardless of risk class or employee numbers. It therefore also concerns law firms, practices and trades businesses that approve ChatGPT. Sanctions do not arise directly from Art. 4, but from the general duty of care and via § 130 OWiG, if an incident is co-caused by a lack of training.

In practice this means: you need a training concept with goals, content, frequency and attendee lists. The content covers at least the basics of the GDPR in the AI context, hallucinations and verification obligations, prompt hygiene, copyright under §§ 87a et seq. UrhG, and the company-internal input prohibitions. An initial training of 60 to 90 minutes plus an annual refresher is recommended. CIVAC documents attendance, training date and content tamper-proof in the workspace, so that the training obligation can be evidenced in an inspection with two clicks.

Logging and Incident Management in Day-to-Day Operations

An AI tool without logging cannot be shown to operate as described in the record of processing under Art. 30 GDPR, and the accountability principle in Art. 5(2) GDPR requires exactly that demonstration. The operational question is: which logs must be kept and how long may they be retained? ChatGPT Enterprise provides admin audit logs that capture login events, sessions and administrative changes. Content logs of prompts and answers are more sensitive, because they can themselves contain personal data. Common practice is a retention of 30 to 90 days under strict access restriction, followed by erasure under Art. 5(1)(e) GDPR. Where the audit purpose does not need the text itself, storing a hash of the prompt together with user, timestamp and the categories of data detected keeps the log auditable without creating a second copy of the personal data.
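The two operational controls from the policy section and from this section, masking personal data before a prompt leaves the company and keeping a content log that does not itself hold personal data, can be built as a small prompt gateway. The following is an added example and not code from CIVAC or from OpenAI; the regular expressions, the category names, the sample prompts and the 30-day retention window are constructed assumptions for illustration. A production gateway would replace the regexes with a real DLP or NER component, because personal names cannot be caught this way.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative detection patterns (assumption for this example, not a complete
# PII detector). IBAN runs first so the phone rule cannot consume IBAN digits.
PATTERNS = {
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"(?:\+49|0049|0)\s?\(?\d{2,5}\)?[\s/-]?\d{3,}(?:[\s-]?\d+)*"),
}
# Indicators of Art. 9 data. A hit refuses the prompt outright instead of
# masking it: the policy says "no patient data", not "masked patient data".
SPECIAL_CATEGORY = re.compile(r"\b(?:diagnos\w*|sick note|ICD-10|patient)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    masked_prompt: str      # text that may be sent to the model ("" if refused)
    categories: tuple       # what was found, in detection order


@dataclass(frozen=True)
class AuditEntry:
    ts: datetime
    user: str
    prompt_sha256: str      # hash only: the log must not become a second copy of the data
    categories: tuple
    allowed: bool


def screen_prompt(prompt: str) -> Decision:
    """Mask identifiers and refuse prompts that carry special-category indicators."""
    found = []
    masked = prompt
    for name, pattern in PATTERNS.items():
        if pattern.search(masked):
            found.append(name)
            masked = pattern.sub(f"[{name.upper()}]", masked)
    if SPECIAL_CATEGORY.search(prompt):
        found.append("art9")
        return Decision(False, "", tuple(found))
    return Decision(True, masked, tuple(found))


def log_prompt(log: list, user: str, prompt: str, decision: Decision, now: datetime) -> AuditEntry:
    """Append an audit entry that identifies the prompt without storing its text."""
    entry = AuditEntry(now, user, hashlib.sha256(prompt.encode("utf-8")).hexdigest(),
                       decision.categories, decision.allowed)
    log.append(entry)
    return entry


def purge(log: list, now: datetime, days: int = 30) -> list:
    """Storage limitation (Art. 5(1)(e) GDPR): keep only entries inside the retention window."""
    cutoff = now - timedelta(days=days)
    return [e for e in log if e.ts >= cutoff]


def demo() -> dict:
    """Run constructed sample prompts through the gateway and the retention sweep."""
    now = datetime(2026, 5, 31, 9, 0, tzinfo=timezone.utc)
    # Constructed sample input: (user, prompt, age of the log entry in days).
    samples = [
        ("lv", "Draft a reply to Anna Müller, anna.mueller@example.com, +49 30 1234567, "
               "about invoice DE89 3704 0044 0532 0130 00.", 0),
        ("hr", "Summarise this sick note: diagnosis ICD-10 F32.1 for employee 4711", 10),
        ("ops", "Give me five ideas for a team offsite", 45),
    ]
    log, decisions = [], []
    for user, prompt, age in samples:
        decision = screen_prompt(prompt)
        decisions.append(decision)
        log_prompt(log, user, prompt, decision, now - timedelta(days=age))
    return {"decisions": decisions, "log": log, "kept_after_purge": len(purge(log, now, 30))}


if __name__ == "__main__":
    for d in demo()["decisions"]:
        print("ALLOW" if d.allowed else "REFUSE", d.categories, d.masked_prompt)
```

The name "Anna Müller" survives the masking step, which is the point of the last comment in the lead-in: regex masking lowers the volume of personal data in prompts, but the input prohibitions in the policy and the training remain the primary control. The log stores a SHA-256 of the original prompt so that an incident can still be tied to a specific submission (the same text hashes to the same value) while the log itself stays out of Art. 9 territory.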

In the event of an incident, for example unauthorised input of sensitive data or a model error with adverse consequences, the notification path under Art. 33 GDPR takes effect. From the moment the controller becomes aware, 72 hours run until the notification to the supervisory authority; in parallel, a data subject notification under Art. 34 GDPR must be examined. CIVAC maps this path in the workspace with escalation levels, mandatory fields and templates. The clock starts on awareness. The result: when the auditor calls, the evidence is ready. In the NIS-2 context, the 24-hour early warning and 72-hour notification to the BSI are added, provided your company counts as an important or essential entity.

Costs, Effort and Role Model for Small and Medium-Sized Businesses

The full introduction of ChatGPT with all GDPR obligations typically costs, in the mid-market, between 30 and 80 working hours in the first year: processing-agreement review (4 to 8 hours), record of processing (6 to 10 hours), DPIA (12 to 30 hours), AI policy and works agreement (8 to 16 hours), training (4 to 8 hours per session), ongoing maintenance (10 to 20 hours per year). On top of this come license costs of roughly EUR 25 per user per month for ChatGPT Team; ChatGPT Enterprise is quoted individually.

Anyone who has no internal data protection officer, or lacks the capacity for such special topics, has two sensible routes: license the workspace for your internal officers, or have our officers appointed. CIVAC offers both models, compliance platform and officer-as-a-service. In the platform model, your own DPO works with the templates and processes. In the officer model, an external DPO appointed under Art. 37 GDPR takes over the role, with an appointment certificate, a fixed SLA of two business days and audit readiness. Both routes lead to the same audit readiness, but differ in effort and in the internal capacity they tie up.

From the Guide to Implementation: The Next Step

ChatGPT can be operated in compliance with the GDPR, but not on the side. The obligations can be derived cleanly from the GDPR, the EU AI Act, the BDSG, the OWiG and the BetrVG, and they can be documented in a structured workspace without the operational side sinking into Excel chaos. What is decisive is that the contractual situation, the DPIA, the policy, the training and the notification paths are consistent, and that every decision is documented. Audit-proof, documented, consistent with Art. 30 GDPR.

CIVAC accompanies you on both routes: as a compliance platform with a workspace and audit templates for your internal DPO, or as officer-as-a-service with an external data protection officer appointed under Art. 37 GDPR. Turn reading into a mandate. Write to info@civac.de or use the contact form, and we will examine, in a 30-minute initial conversation, which model suits your size, sector and risk situation. Afterwards, you will receive a concrete effort estimate and an implementation plan that starts within two business days.

FAQ

May we use ChatGPT Free or Plus in operations if no personal data is entered?

In theory yes, in practice no. As soon as employees insert email drafts, customer enquiries or CVs, personal data is affected, often unwittingly. Without a processing agreement under Art. 28 GDPR, a gap arises that is rated as a breach of duty in the supervisory inspection. Only ChatGPT Team or Enterprise with an active DPA is recommended.

Do we need a data protection impact assessment for every ChatGPT use case?

Not for every one, but for most typical ones. Where ChatGPT is used for evaluation, profiling, the analysis of employee data, or the processing of special categories under Art. 9 GDPR, a DPIA under Art. 35 GDPR is mandatory. For purely anonymous brainstorming without a personal-data link, it does not apply.

What does the EU AI Act concretely prescribe for our employee training?

Since February 2025, Art. 4 EU AI Act has required a sufficient level of AI literacy among staff. There is no prescribed number of hours, but you must document the learning content, frequency and attendees. Common practice is 60 to 90 minutes of initial training plus an annual refresher with proof in the personnel file.

Must the works council approve the use of ChatGPT?

Yes, as soon as the workforce uses the tool. AI systems count as a technical device within the meaning of § 87(1) no. 6 BetrVG, because they are suitable for monitoring behaviour or performance, and are therefore subject to co-determination. A works agreement with clear purposes, input prohibitions and analysis prohibitions creates legal certainty and considerably shortens later discussions.

How long must we retain the logs of ChatGPT use?

There is no rigid deadline. Common practice is 30 to 90 days for content logs under strict access restriction, followed by erasure under Art. 5(1)(e) GDPR. Administrative audit logs are often retained longer, for example 12 months, in order to be able to examine anomalies retrospectively.

Can an external DPO take over the ChatGPT introduction completely?

Yes. In the officer-as-a-service model, CIVAC takes over the DPO role under Art. 37 GDPR including the processing-agreement review, DPIA, policy and proof of training. Your team retains the technical steering, the external DPO brings templates, experience and an SLA. The appointment certificate is filed in the workspace and is auditable at any time.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.
