Beyond Prompt AI Studio

Making sense of AI in your business

Privacy & AI: GDPR basics

Once an AI tool touches customer or employee data, privacy stops being a side issue and becomes a precondition for using it. These basics help you judge vendor claims and risks realistically – they don't replace legal advice for your specific case.

One example per building block – so it sticks

Try it yourself: the tier matters

Tier: Free tier | Business tier with opt-out

Scenario: you paste a draft contract with customer data into a chatbot.

Free tier: per the terms, often usable for model training – the data could remain in the system indefinitely.

Why AI use is almost always a GDPR topic

As soon as personal data – customer names, email addresses, employee data – goes into an AI tool, GDPR applies. That's true whether you're just testing a chatbot or running an automation in production.

The key building blocks

Data processing agreement (DPA)

If an AI vendor processes personal data on your behalf, you typically need a data processing agreement (Art. 28 GDPR). Without one, production use is legally risky – no matter how well the tool works.

Server location & third-country transfers

Many major AI vendors process data in the US. It's worth checking whether processing happens in the EU or whether data is transferred to a third country – and on what legal basis (e.g. the EU-US Data Privacy Framework) that transfer relies.

Training opt-out

Some vendors use your input by default to keep training their models – this can often be turned off in business or enterprise tiers. For confidential or personal data, that opt-out should be mandatory, not optional.

Data minimization as a baseline rule

The simplest safeguard remains: enter only as much personal or confidential data as is actually needed – anonymize or use placeholders wherever possible (see also the privacy risk covered in module 4).
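One way to put the placeholder rule into practice, as an added Python example that is not part of the original page or of Beyond Prompt's own tooling: email addresses, phone numbers and a caller-supplied list of known names are swapped for stable placeholders before the text goes to the AI tool, and the mapping stays on your side so the answer can be restored afterwards. The regex patterns, the name list and the sample contract text are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Structured identifiers are matched by pattern; names come from a list the
# caller already has (e.g. the parties in the CRM record the draft relates to).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s/()-]{7,}\d")  # broad on purpose; may also catch dates


def pseudonymize(text: str, known_names: List[str]) -> Tuple[str, Dict[str, str]]:
    """Replace emails, phone numbers and known names with placeholders.

    Returns the redacted text plus a mapping placeholder -> original value.
    Only the redacted text is sent to the AI tool; the mapping stays local.
    """
    mapping: Dict[str, str] = {}
    counters: Dict[str, int] = {}

    def placeholder(kind: str, value: str) -> str:
        # Reuse one placeholder per distinct value so the model still sees
        # that repeated mentions refer to the same party.
        for ph, orig in mapping.items():
            if orig == value and ph.startswith(f"[{kind}_"):
                return ph
        counters[kind] = counters.get(kind, 0) + 1
        ph = f"[{kind}_{counters[kind]}]"
        mapping[ph] = value
        return ph

    out = EMAIL_RE.sub(lambda m: placeholder("EMAIL", m.group(0)), text)
    out = PHONE_RE.sub(lambda m: placeholder("PHONE", m.group(0)), out)
    # Longest names first so a longer name is not split by a shorter prefix.
    for name in sorted(known_names, key=len, reverse=True):
        if name in out:
            out = out.replace(name, placeholder("NAME", name))
    return out, mapping


def rehydrate(text: str, mapping: Dict[str, str]) -> str:
    """Put the real values back into the model's answer, locally."""
    for ph, orig in mapping.items():
        text = text.replace(ph, orig)
    return text


# Constructed sample draft, not a real contract.
CONTRACT = (
    "Service agreement between Beispiel GmbH and Anna Müller "
    "(anna.mueller@example.com, +49 30 1234567). Invoices go to "
    "Anna Müller. Contact: Jonas Weber, jonas@example.org."
)

if __name__ == "__main__":
    redacted, mapping = pseudonymize(CONTRACT, ["Anna Müller", "Jonas Weber"])
    print(redacted)
```

Pattern matching only catches what it is told to look for: names not on the list, postal addresses or other free-text details still go through, so treat this as the baseline the page describes, not as a complete anonymizer.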

Why this matters for you as a decision-maker

These basics aren't a brake on AI adoption – they're the checklist to run through once before any production use. Beyond Prompt builds these questions into automations from the start, instead of letting them become a problem afterward.

Key takeaways

  • As soon as personal data goes into an AI tool, GDPR applies.
  • Data processing on your behalf typically requires a DPA (Art. 28 GDPR).
  • Check the vendor's server location and any third-country data transfer beforehand.
  • For confidential data, a training opt-out should be mandatory, not optional.
  • Data minimization – enter only what's needed, anonymize where possible – is the simplest safeguard.

Quick check: did it land?


What's typically required when an AI vendor processes personal data on your company's behalf?

Want to roll out AI in your business in a privacy-compliant way?