ChatGPT for businesses: privacy, GDPR and safe use

Can you use ChatGPT with customer data? Learn what GDPR obligations apply, how subscriptions differ, and which data should never go into ChatGPT.
You can use ChatGPT at work, but not with just any data. The free version sends your input to OpenAI by default for model training — including customer data and confidential information. For business use with personal data, GDPR obligations apply that most companies haven't yet put in place.
What 88% of employees don't know about ChatGPT and privacy
Employees use ChatGPT massively at work, but most don't know how the platform handles what they enter. Nearly nine out of ten employees don't know that with the free version, their input is used by default to further train the model.
That sounds abstract, but it has concrete consequences. An employee who summarizes a customer conversation in ChatGPT shares that customer's personal data with OpenAI. An HR employee who has a performance review rewritten sends sensitive personnel data to the cloud.
The core question is not whether ChatGPT is useful — it is. The question is: what rules do you set as an employer to ensure use remains GDPR-compliant?
Free vs Team vs Enterprise: how your data is handled per subscription
Not every ChatGPT subscription handles your data the same way.
Free and Plus
Your input is used by default for model training. You can manually turn this off via Settings → Data Management → Turn off Model Improvement, but this only applies to new conversations. What you've entered before is already processed.
ChatGPT Team (~€23 per user per month)
Your data is not used for training. As an administrator, you have control over the workspace, can create shared GPTs for your team, and get higher usage limits. This is the minimum level for business use where you work with customer data or personal information.
ChatGPT Enterprise
Extended security options: SSO, audit logs, AES-256 encryption and certification for SOC 2 Type 2 and ISO 27001. For companies with strict compliance requirements or sensitive sectors like healthcare, finance or legal, this is the right level.
The rule of thumb: working with business data? Use at least Team. Have compliance obligations? Choose Enterprise.
GDPR obligations: processor agreement, DPIA and registration requirement
If your employees use ChatGPT with personal data, you as a company are responsible for the correct processing of that data. That brings three direct obligations.
1. Processor Agreement (mandatory)
Under GDPR, you are required to enter into a processor agreement with OpenAI as the processor. Companies using ChatGPT Team or Enterprise can conclude this via the OpenAI customer portal. Without a processor agreement, you violate GDPR — regardless of whether anything goes wrong.
2. DPIA (Data Protection Impact Assessment)
For large-scale processing of personal data or the use of new technologies like AI, you are required to conduct a DPIA. A DPIA maps out the privacy risks of your AI use and shows that you manage those risks. The Dutch Data Protection Authority expects this for structured use of AI tools in business processes.
3. Processing Register
All processing of personal data must be recorded in your processing register. ChatGPT use where customer data is entered also counts there. A short description of what data is processed, about whom, for what purpose and for how long is sufficient.
Fines for violations can be high: up to €10 million or 2% of global annual turnover. In practice, several SMEs received fines between €10,000 and €50,000 in 2024 for similar violations.
Which data is allowed and which must never go into ChatGPT
A practical breakdown for your team:
Green: safe to enter
- Texts without names or contact information (general email templates, process descriptions)
- Publicly available information
- Internal communication without personal data
- Creative brainstorms and idea generation
Red: never enter — even in business accounts without DPIA
- Names, addresses, emails or phone numbers of customers or employees
- Medical or health data
- Customer financial data (account numbers, debts, loans)
- Confidential contracts or quotes with customer information
- HR data such as performance reviews, sick leave or salary information
Make this breakdown a simple one-pager and share it with your team. One clear list does more than an extensive privacy policy that nobody reads.
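As an added illustration (not part of the article), the Python below turns the red list above into a pre-submission check: it flags and masks email addresses, IBAN-style account numbers, phone numbers and HR or medical terms in a draft prompt before it is pasted into ChatGPT. The patterns, the sample text and the names `screen_prompt` and `is_green` are constructed for this example; plain names such as "Jan Jansen" are not caught by these heuristics and still need a human check.

```python
import re

# Constructed heuristics for the page's "red" categories. Order matters: IBANs are
# masked before the phone pattern runs so their digit runs are not also counted
# as phone numbers. These regexes are a first gate, not proof of absence of PII.
RED_PATTERNS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("iban", re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")),
    ("phone", re.compile(r"(?<!\w)\+?\d[\d \-()]{7,}\d(?!\w)")),
    ("hr_medical", re.compile(
        r"\b(?:salary|sick leave|performance review|diagnosis|patient)\b", re.I)),
]

# Constructed sample prompt an employee might be about to paste.
SAMPLE = ("Please summarize: customer Jan Jansen (jan@example.com, 06-12345678) "
          "asked about his loan; IBAN NL91ABNA0417164300. Also he is on sick leave.")


def screen_prompt(text):
    """Return (hits, redacted): hits maps a red category to the strings found,
    redacted is the text with each match replaced by a [CATEGORY] marker."""
    hits = {}
    redacted = text
    for name, pattern in RED_PATTERNS:
        found = pattern.findall(redacted)
        if found:
            hits[name] = found
            # Mask the match so later, looser patterns do not re-match it.
            redacted = pattern.sub(f"[{name.upper()}]", redacted)
    return hits, redacted


def is_green(text):
    """True when none of the red patterns fire (text may still need a human look)."""
    return not screen_prompt(text)[0]


if __name__ == "__main__":
    found, safe = screen_prompt(SAMPLE)
    for category, values in found.items():
        print(f"{category}: {values}")
    print("redacted:", safe)
```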
Safe alternatives for sensitive business data
Sometimes you want to work with sensitive data via AI. Then there are better options than the standard ChatGPT environment.
Microsoft Copilot (via Microsoft 365 Business)
If you already use Microsoft 365, Copilot is a logical choice. Data stays within your company's Microsoft tenant and falls under the existing processor agreement. Ideal for companies in professional services or healthcare that already work in the Microsoft ecosystem.
Azure OpenAI / private deployment
For companies that want maximum control, a private Azure OpenAI environment is possible. Your data is not shared with OpenAI and stays within the EU. This requires more technical setup, but offers the strongest compliance guarantees.
Local AI models
For very sensitive data, locally running models offer an option where no data leaves the organization. Less user-friendly, but maximum control for sectors with strict data rules.
Practical business rules you can implement tomorrow
You don't need to write a large policy to get started. Three concrete steps that have immediate effect:
1. Create a data classification list
One page with "green/red" data (see above). Share it via email or post it at the workstations of employees who use AI frequently.
2. Set up a minimal AI usage policy
Two rules are enough for most SMEs: only use business accounts for work-related AI tasks, and never enter customer or employee data without explicit manager approval.
3. Upgrade to ChatGPT Team
If your employees use ChatGPT regularly, switching to Team is the easiest way to mitigate the biggest risks. The cost (~€23/month per person) is small compared with the risk of a data breach or GDPR fine.
Frequently Asked Questions
Can I use ChatGPT at work with customer data?
Yes, but only if you have taken the right measures: a business subscription (Team or Enterprise), a processor agreement with OpenAI, and clear rules for employees about which data they may enter. Without these steps, you violate GDPR.
What are the GDPR risks of ChatGPT for businesses?
The biggest risks are: data shared without consent with OpenAI, lack of a processor agreement, and failure to conduct a DPIA for large-scale AI use. The Dutch Data Protection Authority actively monitors this and has already issued fines to Dutch companies.
Is ChatGPT Team GDPR-proof?
ChatGPT Team is a step in the right direction: data is not used for training and you can enter into a processor agreement. Whether it's fully GDPR-proof depends on what you enter and how you've regulated use internally. For sectors with strict compliance requirements (healthcare, finance), Enterprise or private deployment is recommended.
How expensive is switching to ChatGPT Team?
ChatGPT Team costs approximately €23 per user per month (annual subscription). For a team of ten employees, that's €230 per month. Compared to potential fines for GDPR violations (€10,000 to €10 million), this is a modest investment.
Which data should I absolutely never enter into ChatGPT?
Never enter: names, addresses or contact information of customers or employees, medical data, customer financial data, confidential contracts and HR information such as salaries or performance reviews. This applies to both the free version and business accounts without explicit data classification and DPIA.