Bjorn, a planner at a care provider, pastes a referral letter into ChatGPT to turn it into a tidy summary. The name, date of birth, and diagnosis go along with it. Convenient, and done in two seconds. Under the GDPR, though, that is processing of special-category data, outside the organisation, with no one having reviewed it.
The GDPR was written before everyone had an AI assistant in the browser. That changes nothing about the rules: if you put personal data into an AI tool, that is processing, and all GDPR obligations apply. So the question is not whether the GDPR applies, but which measures you concretely have to take. Here is the practical list.
Measure 1: lawful basis and purpose limitation
Every processing operation on personal data needs a lawful basis, such as a legitimate interest, a contract, or consent. And the data may only be used for the purpose it was collected for. A customer address you hold for invoicing cannot simply go into an AI tool for a different purpose. So start with the question: why is this data in this prompt, and is that allowed?
Measure 2: data minimisation
Article 5 of the GDPR requires data minimisation: do not process more data than needed for the purpose. With AI this is the measure with the most impact, because the problem usually sits in the prompt itself. Rewriting a support reply works without a real name, account number, or IBAN. Sharpening an assessment works without the salary or medical context. Keep the task, drop the traceable data. See also what you can and cannot share with AI.
Measure 3: settling the processor role
Whoever decides why and how data is processed is the controller. An AI vendor that processes personal data on your behalf is a processor, and then a data processing agreement (Article 28 GDPR) is usually required. It sets out what the vendor may and may not do with the data.
Mind the difference between account types. Many free and personal AI accounts run under a consumer policy without a processing agreement, and may use your input to improve the model. For business use with personal data, a managed business environment with a processing agreement is the starting point.
Measure 4: international transfers
Many AI providers are based outside the EU, often in the US. Sending personal data outside the EU is only allowed with a valid transfer basis: an adequacy decision, standard contractual clauses (SCCs), or another lawful route. This is a reason to check, when choosing an AI tool, where the data is processed. More on this in data sovereignty and AI prompts.
Measure 5: appropriate security
Article 32 requires appropriate technical and organisational measures. With AI use, that includes approved tools and account tiers, agreements on what staff may share, and a way to prevent sensitive data from being sent by accident. So security here is not only about the vendor, but also about behaviour in the workplace.
Measure 6: a DPIA for high risk
For processing likely to result in a high risk to individuals, a Data Protection Impact Assessment is required. Think of large-scale processing of special-category data or systematic monitoring. For sensitive AI use a DPIA is often needed, and it is the moment you test whether the processing is proportionate.
Measure 7: data subject rights
People have the right of access, rectification, and erasure. That means you need to know which personal data is processed through AI tools and where it ends up. See also how to turn off training on your data and request deletion.
How BeeSensible supports these measures
Most GDPR measures come together in one moment: the prompt. That is where it is decided which personal data leaves the organisation. BeeSensible highlights sensitive data while someone types in browser-based AI tools, so it can be removed, replaced with a realistic alternative, or masked before the prompt is sent.
An example: an employee pastes a customer email with a name, an IBAN, and a phone number. The sensitive data gets a highlight. The employee replaces the name with "Customer A" and removes the IBAN. The task, drafting a polite reply, stays intact, but the traceable data does not leave the organisation. That supports data minimisation (measure 2), security (measure 5), and in practice purpose limitation too.
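To make the pre-send check in that example concrete, here is an added illustration (example code, not BeeSensible's own): a small browser-side scrubber that flags an IBAN, a phone number and a known customer name in a draft prompt and swaps them for placeholders before anything is sent. It assumes the list of known customer names is supplied by the caller; the sample email is constructed for the demonstration.

```javascript
// Added example, not BeeSensible's code: scrub a draft prompt before it leaves the browser.

// IBAN check per ISO 13616: move the first four characters to the end, map letters
// to 10..35 and verify that the resulting number mod 97 equals 1. Validating the
// checksum keeps random alphanumeric tokens (order ids, hashes) from being flagged.
function isValidIban(candidate) {
  const iban = candidate.replace(/\s+/g, "").toUpperCase();
  if (!/^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$/.test(iban)) return false;
  const rearranged = iban.slice(4) + iban.slice(0, 4);
  let remainder = 0;
  for (const ch of rearranged) {
    const value = ch >= "A" ? String(ch.charCodeAt(0) - 55) : ch; // A=10 ... Z=35
    for (const digit of value) remainder = (remainder * 10 + Number(digit)) % 97;
  }
  return remainder === 1;
}

// Detectors run in this order so the IBAN's digits are masked before the looser
// phone pattern sees them. `knownNames` stands in for a customer list the
// organisation already holds (assumption: supplied by the caller).
function scrubPrompt(text, knownNames = []) {
  const findings = [];
  let out = text;

  out = out.replace(/\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b/g, (m) => {
    if (!isValidIban(m)) return m; // checksum fails: not an IBAN, leave it alone
    findings.push({ type: "iban", value: m });
    return "[IBAN]";
  });

  // Phone-like: international prefix or leading 0, then 8+ digits with optional
  // separators; the lookbehind stops it firing inside longer alphanumeric tokens.
  out = out.replace(/(?<!\w)(?:\+\d{1,3}|0)[\s-]?\d(?:[\s-]?\d){7,}/g, (m) => {
    findings.push({ type: "phone", value: m });
    return "[PHONE]";
  });

  knownNames.forEach((name, i) => {
    const pattern = new RegExp(name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"), "g");
    out = out.replace(pattern, () => {
      findings.push({ type: "name", value: name });
      return `Customer ${String.fromCharCode(65 + i)}`; // "Customer A", "Customer B", ...
    });
  });

  return { text: out, findings };
}

// Constructed sample: the customer email from the article's example.
const SAMPLE_EMAIL =
  "Hi, this is Jan de Vries. Please refund to NL91ABNA0417164300 " +
  "or call me on +31 6 12345678. Thanks!";
const SAMPLE_RESULT = scrubPrompt(SAMPLE_EMAIL, ["Jan de Vries"]);
```

The `findings` list is what a highlight step would show the employee; the returned `text` is what would actually be sent.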
The infrastructure BeeSensible runs on is ISO 27001 certified; BeeSensible itself is not. BeeSensible does not replace your GDPR work, but it makes the most important measure concrete at the moment it counts.
Further reading: Compliance and AI and the AI Act alongside the GDPR.