AI and GDPR: Can You Use AI Tools at Work Without Breaking the Law?

Practical AI compliance FAQ for European businesses


The short answer

Using AI tools at work in the EU is legal, but doing it compliantly depends almost entirely on what data you feed in and what contracts you have in place. GDPR does not ban AI; it governs the processing of personal data, and an AI tool is just another place that processing can happen. If you keep personal data out, or you use a properly contracted business tier with training disabled, you can use ChatGPT, Copilot, Gemini, and similar tools across a team without breaking the law. The risk lives in the careless middle ground — staff pasting customer data into personal consumer accounts.

Where the GDPR risk actually is

The moment you enter personal data — names, emails, customer records, employee details, anything identifying a living person — into an AI tool, you are processing personal data and GDPR applies in full. That means you need a lawful basis for the processing, the provider must act as your processor under a data processing agreement, the data must be secured and not used for purposes you have not authorised, and individuals retain rights over it. A free consumer account typically fails several of these tests at once: no DPA, inputs potentially used for training, and unclear retention. The same prompt entered into a contracted business tier with training off can be perfectly compliant.

Choosing a compliant configuration

Three settings turn most AI tools from risky to defensible. First, use a business or enterprise tier, not a personal account, because that is where providers offer the contracts and controls GDPR requires. Second, sign the provider’s data processing agreement and check where data is stored and processed, since transfers outside the EEA need their own safeguards. Third, disable training on your inputs — business tiers usually default to this, but confirm it. With those in place, define a clear internal policy on what categories of data staff may and may not enter, and prefer anonymised or synthetic data wherever the task allows it.

Practical rules for staff

Compliance fails in day-to-day habits, so give people simple rules. Never paste customer, patient, or employee personal data into a consumer AI account. Strip or pseudonymise identifiers before using AI to draft or summarise. Treat anything you would not email to an outside party as off-limits for an unapproved tool. Use only the tools and accounts the organisation has approved and contracted. And remember that AI output can be wrong or fabricated, so anything that affects a person — a decision, a communication, a record — needs human review before it is used. These rules are easy to follow and prevent the overwhelming majority of incidents.
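The "strip or pseudonymise identifiers" rule above, and the preference for anonymised data in the configuration section, can be enforced mechanically at the point where a prompt leaves the organisation rather than left to habit. The following is an added example and not code from the original page: a small Python gate that replaces known names, e-mail addresses and phone numbers with stable placeholder tokens, keeps the re-identification map locally, refuses to send if any identifier survives, and restores the real values in the model's reply. The regular expressions, the Pseudonymiser class and the sample customer text are constructed for illustration; it assumes the organisation supplies its own list of known names from an HR or CRM export.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns for two common identifier types. A real deployment
# would extend these (IBANs, national ID formats, postal addresses) to match
# the data categories its policy forbids sending to unapproved tools.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d \-]{7,}\d")


@dataclass
class Pseudonymiser:
    """Replaces identifiers with stable placeholder tokens for one session.

    The value-to-token mapping never leaves the organisation; only the
    pseudonymised text is sent to the AI tool.
    """
    known_names: list[str]                                   # assumed: from own HR/CRM export
    mapping: dict[str, str] = field(default_factory=dict)    # real value -> token
    _counts: dict[str, int] = field(default_factory=dict)    # per-kind counters

    def _token(self, kind: str, value: str) -> str:
        # The same value always maps to the same token, so the model sees a
        # consistent "person" across the prompt and the map stays reversible.
        if value not in self.mapping:
            n = self._counts.get(kind, 0) + 1
            self._counts[kind] = n
            self.mapping[value] = f"[{kind}_{n}]"
        return self.mapping[value]

    def pseudonymise(self, text: str) -> str:
        # Longest names first so "Anna Schmidt-Berg" is not cut to "Anna Schmidt".
        for name in sorted(self.known_names, key=len, reverse=True):
            pattern = re.compile(r"\b" + re.escape(name) + r"\b")
            text = pattern.sub(lambda m: self._token("PERSON", m.group(0)), text)
        # E-mails before phones, so digits inside an address are never
        # mistaken for a phone number.
        text = EMAIL_RE.sub(lambda m: self._token("EMAIL", m.group(0)), text)
        text = PHONE_RE.sub(lambda m: self._token("PHONE", m.group(0)), text)
        return text

    def reidentify(self, text: str) -> str:
        # Runs on the model's reply, inside the organisation, after human review.
        for value, token in self.mapping.items():
            text = text.replace(token, value)
        return text


def residual_identifiers(text: str) -> list[str]:
    """Gate check before sending: anything still matching blocks the prompt."""
    return EMAIL_RE.findall(text) + PHONE_RE.findall(text)


# Constructed sample prompt containing personal data a staff member might paste.
SAMPLE = (
    "Customer Anna Schmidt (anna.schmidt@example.com, +49 30 1234 5678) "
    "complained that Anna Schmidt's invoice was sent twice. Please draft a reply."
)


def demo() -> tuple[str, str]:
    """Pseudonymise, verify nothing leaked, then restore identifiers in a reply."""
    p = Pseudonymiser(known_names=["Anna Schmidt"])
    safe = p.pseudonymise(SAMPLE)
    if residual_identifiers(safe):
        raise ValueError("identifiers remain; refusing to send prompt")
    # Constructed stand-in for the model's answer, which only ever saw tokens.
    reply = ("Dear [PERSON_1], we apologise for the duplicate invoice; "
             "please confirm at [EMAIL_1].")
    return safe, p.reidentify(reply)


if __name__ == "__main__":
    outgoing, restored = demo()
    print("sent to tool:", outgoing)
    print("restored    :", restored)
```

The token map is the sensitive artefact here: it should be held in memory or in an internal store with the same protections as the source records, and never logged alongside the prompt. Pattern matching is a floor, not a guarantee; free-text fields can still carry identifying detail no regex catches, which is why the policy rule on what may be entered stays in force even with a gate in place.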

When you need more than a configuration

Some uses go beyond settings and require a deliberate compliance assessment. Automated decisions that significantly affect people — screening job applicants, credit or eligibility decisions — trigger specific GDPR rules on automated decision-making and usually a data protection impact assessment. Processing special-category data such as health, biometrics, or political views raises the bar further. High-volume or systematic monitoring may also require a DPIA. In these cases, document the purpose, lawful basis, risks, and safeguards before you deploy, and involve your data protection officer or legal advisor. For everyday drafting, summarising, and coding with non-personal data, a sensible configuration and a clear policy are enough.
