Quick answer: The GDPR doesn't ban workplace AI, but it does require a lawful basis, data minimisation, and control over where personal data goes. Regulators put the responsibility on the employer, so the practical answer is to allow AI and keep personal data out of tools that shouldn't hold it.
When someone pastes personal data into an AI tool, the GDPR still applies. The law doesn't care whether the recipient is a colleague or a chatbot. That raises real questions about lawful basis, data minimisation, processor agreements, and where the data is actually stored.
Regulators have been clear about where the duty sits. The Dutch data protection authority points to the employer: it's the organisation's job to set clear rules for AI use and make sure people follow them, not the individual employee's. The EU AI Act adds another layer, phasing in from 2025, though for most teams the day-to-day risk is still ordinary personal data going into ordinary chatbots.
Banning AI tends to backfire into shadow use on personal devices. A more defensible position is the opposite: allow AI, write it down, and put a check in place so personal data doesn't cross the line in the first place.
These guides translate GDPR duties into a practical rollout: what belongs in policy, how to handle employee AI use, and the controls that keep you aligned with the rules without slowing people down.