How AI Tool Usage Affects Your GDPR Compliance Obligations

AI and GDPR

AI is already at work inside your business. That ship has sailed. What many companies still haven’t caught up with is the AI and GDPR fallout. The moment employees start dropping prompts, customer notes, HR details, internal docs, or other personal data into third-party AI tools, data protection obligations stop being theoretical and start getting very real. It’s not about whether your business is “using AI.” It’s whether AI slipped into day-to-day work before your governance, legal review, and data handling rules were ready for it.

Things get messy when data moves through unapproved tools and sensitive information is shared with too few guardrails and too little thought about data handling. The European Data Protection Board has made clear that GDPR principles still apply to AI models.

That matters because many businesses are already using AI tools in ways that involve personal data, even if nobody has ever labeled those workflows as privacy-sensitive. For SMBs the real issue is that AI makes existing privacy problems easier to trigger, harder to spot, and much more likely to show up through ordinary employee behavior instead of formal system design.

Key Takeaways

  • GDPR applies to AI tools when they process personal data
  • Businesses outside the EU can still be in scope if they handle EU customer or employee data in covered circumstances
  • AI use can trigger obligations around lawful basis, transparency, data minimization, vendor review, and data subject rights
  • ChatGPT and similar tools are not all the same from a privacy standpoint. Product tier, settings, and contract terms matter
  • The EU AI Act adds another compliance layer for certain AI use cases, but it does not replace GDPR
  • The fix is not banning AI. It is getting control over how it is being used

What Is the Relationship Between AI and GDPR?

GDPR predates generative AI, but it still applies to it. Many companies treat AI as if it sits outside the old rules because the tools feel new, fast, and slightly magical. They do not. If personal data is being processed, GDPR is still in the room.

That includes more daily activity than many teams realize. Customer emails pasted into a chatbot. Employee notes summarized in an assistant. Support transcripts run through AI for analysis. Meeting recordings turned into searchable summaries. None of that feels especially dramatic in the moment, which is exactly why it becomes a governance problem so quickly.

Does GDPR apply to AI tools?

Yes. If an AI tool processes personal data, GDPR applies.

That answer is simpler than the surrounding conversation often makes it sound. The confusion tends to come from treating AI as a separate category of risk rather than a new way of processing familiar types of information. But from a compliance perspective, the key question is still the old one: are you handling personal data, and if so, under what conditions?

For businesses, that means AI use should be reviewed the same way any other data-processing activity would be reviewed, just with more attention to speed, visibility, vendor controls, and how easily employees can create risk without intending to.

Who does GDPR AI compliance apply to?

AI GDPR compliance applies to a lot more companies than people think. EDPB guidance on the territorial scope of the GDPR makes clear that businesses outside the EU can still fall within scope.

So if your company is based in the U.S. or elsewhere but handles EU customer data, EU employee data, or EU prospect data, GDPR may still apply to those workflows.

That point gets missed all the time. Teams hear “GDPR” and assume it is mostly somebody else’s problem. But if your staff uses AI tools in ways that involve personal data from people based in the EU, geographic distance does not automatically create legal distance. The law may still be relevant, even if your office is nowhere near Brussels.

How AI Tool Usage Affects Your GDPR Compliance Obligations

AI turns this from a policy discussion into an operational one. It changes where compliance obligations show up and who triggers them.

Lawful basis for processing personal data through AI

One of the first questions businesses tend to skip is the simplest one: why are we allowed to process this data through this tool in the first place?

If personal data is being entered into an AI system, the business should be able to explain the lawful basis for that processing and how it relates to the original purpose for collecting the data. That sounds obvious until you look at how AI actually gets used: a team collects customer information for one business purpose, then later pastes it into an AI assistant for summarization, drafting, analysis, or workflow acceleration.

This is one of the biggest compliance gaps in workplace AI adoption, because the tools make it easy to start doing something before anyone has asked whether they should.

Data processor agreements and AI tools

AI vendors are still vendors. That part should not get lost just because the interface looks conversational.

If a third-party provider is processing personal data on your behalf, businesses need to understand the contract terms, the processing relationship, the sub-processors involved, and where the data may be going. A lot of “we’re just testing it” AI usage starts in consumer-grade products and only later gets pulled into a more serious internal discussion. By then, the business may already have real data flowing through a tool nobody vetted properly.

Compliance debt builds through a hundred small assumptions that the tool is fine because it is popular, easy, or already in use.

Data minimization and AI tool usage

Employees want better outputs, so they share fuller documents, longer prompt histories, richer notes, and more identifying detail. General warnings are not enough. Staff need clear rules on when to anonymize, redact, summarize, or avoid entering data at all.

This is one of the clearest tensions between AI and GDPR in everyday practice. AI tools often perform better when users give them more context. GDPR, meanwhile, is not built on a “the more the merrier” philosophy, which creates a very practical problem inside real businesses.

This is where a practical internal AI policy does real work.

The right to erasure and AI data protection

AI also creates a more awkward version of an older data protection question: what happens when someone wants their data deleted?

In a traditional system, deletion may already be messy. In an AI-related workflow, it can get messier. Data may exist in prompts, logs, outputs, vendor systems, connected apps, or internal documentation derived from earlier inputs. So while the legal principle behind erasure is familiar, the practical reality becomes harder when the data has moved through more layers and touched more tools.

Before teams start pasting real information into external systems, somebody should know what happens to the input, how long it is retained, whether it is used for model improvement, and what deletion options actually exist in practice.

Employee Monitoring and AI Compliance Obligations

AI use also gets more sensitive when it starts touching workers directly.

Productivity scoring, communication analysis, behavior inference, performance trend detection, and people analytics can all sound efficient in a slide deck. They can also create serious transparency and proportionality questions when they involve employee data.

If AI is being used to monitor or assess employees, the review should be more deliberate, the documentation clearer, and the governance tighter, because AI makes intrusive monitoring easier to scale.

ChatGPT Data Protection: What Businesses Need to Know

ChatGPT is usually the first tool people ask about, and fairly enough. It is the most familiar name in the category and often the one employees use first. “Is ChatGPT compliant?” is usually the wrong question. The better question is whether the business is using the right version, under the right contract, with the right controls, for the right data.

OpenAI states that, by default, it does not use data from ChatGPT Business, ChatGPT Enterprise, or its API platform to train its models. That is an important distinction for businesses because it means account type and configuration matter. Not every employee using “ChatGPT” is necessarily using the same privacy setup.

Businesses still need to look at what data is being entered, whether a processor agreement is needed, what internal guidance exists, and whether the way employees are using the tool matches the organization’s assumptions about acceptable use.

In other words, the real risk is the gap between what leadership thinks is happening and what staff are actually doing.

GDPR AI Regulation — What the EU AI Act Adds

GDPR is not the only regulatory framework businesses should have on their radar anymore.

The EU’s official summary of the AI Act explains that the regulation adds a separate, risk-based layer of obligations for certain AI systems.

For SMBs, the important takeaway is understanding that privacy is no longer the only compliance conversation attached to AI.

The AI Act and GDPR are not interchangeable. GDPR focuses on personal data. The AI Act focuses on AI systems and their risk level. So if your business uses AI in areas like hiring, employee management, customer profiling, or decision support, the regulatory picture may be broader than a privacy review alone.

For SMBs, this means AI governance can no longer be treated like an optional add-on for “later.”

What Are My GDPR Obligations When Using AI Tools at Work?

At a practical level, most businesses should start with the basics:

  • Inventory of which AI tools are actually being used
  • Identify where personal data is entering those tools
  • Review whether the use is appropriate for that type of data
  • Check vendor terms and processing arrangements
  • Update privacy notices, policies, and internal guidance where needed
  • Train employees on acceptable use
  • Flag higher-risk AI use cases for more deliberate review

This is also where ownership matters. If nobody knows who owns AI governance internally, the policy usually ends up being nobody’s full job, and everybody’s vague concern.

How an IT Partner Can Support AI and GDPR Compliance

Most SMBs do not need a dramatic “ban AI” moment; they just need structure.

That usually means helping employees understand which tools are in use, where personal data is flowing, how vendors are being evaluated, and what guardrails employees actually need. That is where an IT partner can help, by making AI usable without letting convenience rewrite your data protection posture.
