How do you know if AI usage at your workplace complies with GDPR?

Learn how to audit AI usage at your workplace, block unauthorized models, and work GDPR-compliant with enterprise or local AI.

Jack van der Vall

Figure: Visualization of an AI audit dashboard with data flows and GDPR compliance checks.

Summary: Employees use AI at work, often without IT or management knowing what data is being sent where. This article helps technical directors inventory AI usage, understand GDPR risks, block unsafe models, and choose a responsible alternative: enterprise AI with contractual protection or local AI that never leaves your network.

Last updated: 6 April 2026 · By Jack van der Vall, AI Engineer

Related reading: see which business processes can be automated responsibly, how AI contract analysis reduces business risk, and our services for secure AI infrastructure.

What is shadow AI and why is it a problem?

Your employees are using AI. The question is not whether they do, but what data they enter and which provider ends up with it.

Research by Software AG shows that 50% of employees use AI systems that have not been approved by their employer. They type customer names into ChatGPT, paste contract fragments into translation systems, or have quotes summarized by free AI services.

This phenomenon is called shadow AI: the use of AI systems outside the visibility and control of the organization. For technical installation companies, the risk is particularly concrete. Quotes contain pricing information, customer addresses, and technical specifications. Contract documents contain liability clauses and personal data of clients. When this information ends up in an external AI model, you lose control over who has access to it.

Which AI models train on your input?

Not every AI model processes your data the same way. The difference lies in the distinction between consumer versions and business environments.

The table below summarizes how major AI providers handle input data:

| AI provider | Version | Trains on your data? | Data location | GDPR data processing agreement available? |
|---|---|---|---|---|
| OpenAI | Free (ChatGPT) | Yes by default, opt-out possible | US | No |
| OpenAI | Enterprise / API | No | US, EU option available | Yes |
| Google | Vertex AI | No | EU region configurable | Yes |
| Microsoft | Copilot (M365 tenant) | No, within your tenant | Per your M365 region | Yes |
| DeepSeek | All versions | Unclear; data goes to China | China | No |
| Local model | Ollama, vLLM | No, nothing leaves your network | Your own server | Not applicable |

The core message is clear: free AI services and models without a data processing agreement pose a GDPR risk when employees enter personal data or business information.

Google Cloud explicitly documents that customer data submitted to Vertex AI is not used to train or fine-tune Google's models without prior permission. Microsoft Copilot operates within your existing Microsoft 365 tenant and processes data under the same contractual agreements that already cover your email and files.

With providers like DeepSeek, the situation is fundamentally different. According to its own privacy policy, input data is stored on servers in China and falls under Chinese law, and no GDPR-compliant data processing agreement is offered. For a European company, entering personal data there is a transfer to a third country without an adequacy decision or other safeguard, and without the processor agreement that Article 28 GDPR requires: a direct compliance violation.

What does GDPR say about AI usage in the workplace?

GDPR is technology-neutral. The rules for processing personal data apply regardless of whether your data sits in a spreadsheet, an email, or an AI prompt. When an employee enters a customer name, address, or contract detail into an external AI system, that is a processing operation.

European regulators are actively enforcing. In December 2024, the Italian data protection authority (Garante) fined OpenAI €15 million, citing among other things inadequate transparency about how ChatGPT processes personal data. The European Data Protection Board (EDPB) has also set up a dedicated task force on AI enforcement.

For a technical SME, this means three concrete obligations:

  1. Processing register (Article 30 GDPR): You must document which AI systems process personal data, what data goes in, and where that data is stored.
  2. Data processing agreement (Article 28 GDPR): If you use an AI service that stores or processes personal data on your behalf, you need a processor agreement that meets GDPR requirements.
  3. Policy and instructions: Employees must know which AI systems they are allowed to use and which data they may not enter.

Without these three elements, you as data controller carry the enforcement risk.

How do you conduct an AI audit?

An AI audit does not need to be a months-long project. For a technical installation company with 10 to 50 employees, it is a structured inventory in four steps:

Step 1: Inventory which AI systems are in use

Map which AI services employees use. Think beyond ChatGPT. Browser extensions for translation, email assistants, and speech recognition also count. Ask each department which services they use daily.

Step 2: Classify the data flows

For each identified AI service, determine what data goes into it:

graph TD
    A[Employee uses AI system] --> B{What data goes in?}
    B -->|No personal data| C[Low risk]
    B -->|Customer data or contracts| D{Does provider have DPA?}
    D -->|Yes, GDPR-compliant| E[Permitted if registered]
    D -->|No| F[Block or replace]
    B -->|Business-critical information| G{Where is data stored?}
    G -->|EU or local| H[Assess per case]
    G -->|Outside EU, no adequacy decision| I[Block]

Accessible summary: A decision tree that classifies AI usage based on data type, availability of a data processing agreement, and storage location. Usage without personal data is low risk. Usage with customer data requires a GDPR-compliant data processing agreement. Storage outside the EU without an adequacy decision must be blocked.

Step 3: Establish an approved list

Define which AI systems employees may use and under what conditions. An effective AI policy for technical SMEs contains at minimum:

  • A list of approved AI systems with their classification
  • Rules about which data types may be entered in which system
  • An explicit block list for providers without a data processing agreement
  • Instructions for reporting newly discovered AI usage

Step 4: Implement technical controls

Policy without technical enforcement is a paper tiger. Effective controls include:

  • DNS blocking of the listed AI services on the company network (note that DNS-over-HTTPS in the browser and mobile hotspots bypass it, so pair it with the controls below)
  • Endpoint monitoring to flag unauthorized AI usage
  • Browser management to prevent unapproved extensions
  • Periodic re-audit (at minimum quarterly)
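As an added example (not code from the original article), the script below ties steps 2 to 4 together: it applies the decision tree from Step 2 to a small inventory of AI services, derives the approved list and the DNS block list from it, and then scans resolver query logs for workstations talking to unapproved services. The service names and attributes follow the table earlier in the article; the domain suffixes, hostnames, IP addresses and dnsmasq-style log lines are all constructed for the example and are not an official list.

```python
"""Shadow-AI audit helper (added example; inventory and log lines are constructed)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AIService:
    name: str
    domains: tuple        # DNS suffixes the service uses (assumed, illustrative only)
    has_dpa: bool         # GDPR Art. 28 processor agreement available?
    data_in_eu: bool      # data stays in the EU/EEA or on your own network?
    trains_on_input: bool


# Step 1 inventory, classified with the attributes from the article's table.
# Domain suffixes are assumptions for this example, not the providers' official lists.
INVENTORY = [
    AIService("ChatGPT (free)", ("chatgpt.com", "chat.openai.com"),
              has_dpa=False, data_in_eu=False, trains_on_input=True),
    AIService("Azure OpenAI", ("openai.azure.com",),
              has_dpa=True, data_in_eu=True, trains_on_input=False),
    AIService("DeepSeek", ("deepseek.com",),
              has_dpa=False, data_in_eu=False, trains_on_input=True),
    # Local model: no third-party processor, so a DPA is not applicable; treated as covered.
    AIService("Local Ollama", ("ollama.internal.example",),
              has_dpa=True, data_in_eu=True, trains_on_input=False),
]


def classify(service, data_type):
    """Step 2 decision tree. data_type is 'none', 'personal' or 'business'."""
    if data_type == "none":
        return "low risk"
    if data_type == "personal":
        return "permitted if registered" if service.has_dpa else "block or replace"
    if data_type == "business":
        return "assess per case" if service.data_in_eu else "block"
    raise ValueError(f"unknown data type: {data_type}")


def approved_for_personal_data():
    """Step 3: the approved list is whatever the tree permits for personal data."""
    return {s.name for s in INVENTORY if classify(s, "personal") == "permitted if registered"}


def blocklist():
    """Step 4: domain suffixes to feed into DNS blocking (everything not approved)."""
    approved = approved_for_personal_data()
    return sorted(d for s in INVENTORY if s.name not in approved for d in s.domains)


def _matches(qname, suffix):
    # Exact match or a proper subdomain; 'notchatgpt.com' must NOT match 'chatgpt.com'.
    qname = qname.rstrip(".").lower()
    return qname == suffix or qname.endswith("." + suffix)


def lookup(qname):
    """Map a queried name to the inventory entry it belongs to, or None."""
    for service in INVENTORY:
        if any(_matches(qname, d) for d in service.domains):
            return service
    return None


# dnsmasq-style query log format: "query[A] <name> from <client-ip>"
LOG_RE = re.compile(r"query\[[A-Z]+\] (?P<qname>\S+) from (?P<client>\S+)")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """
Apr  6 09:12:01 dnsmasq[1234]: query[A] chatgpt.com from 10.0.1.23
Apr  6 09:12:03 dnsmasq[1234]: query[AAAA] api.deepseek.com from 10.0.1.45
Apr  6 09:13:10 dnsmasq[1234]: query[A] myco.openai.azure.com from 10.0.1.23
Apr  6 09:14:00 dnsmasq[1234]: query[A] notchatgpt.com from 10.0.1.45
Apr  6 09:15:22 dnsmasq[1234]: query[A] ollama.internal.example from 10.0.1.60
""".strip().splitlines()


def scan_dns_log(lines, approved):
    """Return {client_ip: {service names}} for queries to services not on the approved list."""
    findings = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        service = lookup(m["qname"])
        if service is None or service.name in approved:
            continue
        findings.setdefault(m["client"], set()).add(service.name)
    return findings


if __name__ == "__main__":
    print("approved:", sorted(approved_for_personal_data()))
    print("DNS blocklist:", blocklist())
    for client, services in scan_dns_log(SAMPLE_LOG, approved_for_personal_data()).items():
        print(f"{client}: unapproved AI services {sorted(services)}")
```

The suffix match deliberately rejects look-alike names such as `notchatgpt.com`, a common source of false positives in naive substring filters. The scan only sees queries that reach your own resolver; a workstation using DNS-over-HTTPS or a phone hotspot never appears in this log, which is why the article pairs DNS blocking with endpoint and browser controls.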

Which AI infrastructure is GDPR-compliant for SMEs?

There are two routes to responsible AI usage. The choice depends on your data volume, budget, and technical complexity.

Route 1: Enterprise cloud with contractual protection

Major cloud platforms offer business AI services with contractual GDPR coverage: a data processing agreement and EU data residency options. Google Vertex AI and Microsoft Azure OpenAI Service are the most mature options for European SMEs.

The advantages are clear: no own hardware, scalable capacity, and a legally enforceable data processing agreement. Costs are usage-dependent, typically several hundred euros per month for an SME application.

Route 2: Local AI infrastructure

For companies with high confidentiality requirements or that structurally process large volumes of commercially sensitive data, local AI is a serious alternative. Modern open-source models run on standard server hardware.

What does local AI cost in 2026?

| Component | Specification | Estimated cost |
|---|---|---|
| Server with professional GPU | NVIDIA RTX 4090 or A4000, 64GB RAM | €5,000 – €8,000 |
| Compact workstation option | NVIDIA RTX 4060, 32GB RAM | €2,500 – €3,500 |
| Software | Ollama, vLLM (open source) | €0 |
| Energy consumption | 300–500W during active use | €50 – €100/month |
| Maintenance and updates | In-house or outsourced | Variable |

With an investment of €3,000 to €8,000, you run models suitable for document analysis, contract screening, and quote assistance. That investment is comparable to a standard workstation and significantly less than the potential cost of a GDPR fine.

The choice is not either/or. Many companies combine both routes: local AI for processing sensitive contracts and customer data, enterprise cloud for tasks that require scalable computing power.

Raw data available: AI Audit & Compliance Benchmark Data

Why low adoption increases risk, not reduces it

According to the CBS AI Monitor 2025, only 4.6% of companies in the Dutch construction sector use AI technology. In the broader SME segment (10-249 employees), the figure is 29.8%.

Those low adoption figures do not suggest AI is irrelevant. They mean most technical companies do not yet have a formal AI policy. It is precisely in this situation that shadow AI is most dangerous: employees experiment individually, without frameworks, without oversight, and without a data processing agreement.

The companies that conduct an audit now and establish a policy framework are not behind. They are ahead of the 95% that still have no answer to the question of who is training on their business data.


Frequently Asked Questions

That depends on the version and your GDPR policy. The free version of ChatGPT may use input for model training. The Enterprise version does not. Without a company-wide policy, you risk personal data or commercially sensitive information being processed by a third party without your knowledge.

Is local AI feasible for a company with 20 employees?

Yes, but it depends on the use case. For document processing and contract analysis, a server with a single professional GPU is sufficient. Hardware costs are between €3,000 and €8,000, comparable to a standard workstation. For complex applications, an enterprise cloud solution with contractual data protection is often more cost-effective.

What if an employee has been entering company data into a free AI service for months?

Map the scope and document which data types were entered and over what period. Check whether personal data was involved. If so, this may be a personal data breach that must be reported to the data protection authority within 72 hours (Article 33 GDPR), and affected individuals may need to be informed. Block the service immediately, use the provider's opt-out or deletion options where they exist, and offer employees an approved alternative.


Key Takeaways

  • Half of employees use AI without IT approval. In technical companies, this involves quotes, contracts, and customer data.
  • Free AI services and providers without a data processing agreement pose a direct GDPR risk.
  • An AI audit for SMEs consists of four steps: inventory, classify, authorize, and technically enforce.
  • Local AI infrastructure is feasible from €3,000 and keeps sensitive data within your own network.
  • Enterprise cloud solutions with contractual GDPR protection are suitable for scalable, less sensitive applications.

About the author

Jack van der Vall is an AI Engineer at Opusmatic, specializing in AI automation for technical installation companies and SMEs in Zuid-Holland. He helps companies audit their AI usage and implement secure, GDPR-compliant AI infrastructure that protects business data.

Opusmatic | LinkedIn | Contact