Compliance

GDPR & ChatGPT: A Practical Checklist for EU Teams

A workable checklist for teams inside the EU using ChatGPT, Claude and Gemini day-to-day — DPIA triggers, DPA gaps, cross-border transfers and the redaction control that closes them.

PromptShielder Security Team· Applied cryptography & privacy engineering February 25, 2025 7 min read

Start with the legal question, not the tool

The instinct is to write a ChatGPT policy first. Skip that. The right sequence is: (1) what personal data does the tool process, (2) on what legal basis, (3) with what safeguards. If any of those are undefined, no acceptable-use policy will save you.

Checklist

  1. Article 30 record: add every LLM provider you tolerate as a processor. Personal accounts count.
  2. Legal basis per use case: consent for marketing copy about a named person; legitimate interests for internal drafting; contract necessity for a support summary.
  3. Signed DPA with each provider whose service processes EU personal data. Consumer ChatGPT does not qualify.
  4. Cross-border transfer mechanism: Standard Contractual Clauses or an adequacy decision. Model-training servers are usually in the US.
  5. Purpose limitation: the prompt cannot include personal data unrelated to the stated task.
  6. Data minimisation control: a redaction tool at the browser edge that strips PII before it leaves the user's device.
  7. DPIA when the processing is likely high risk — health, legal, HR, minors.
  8. Retention and deletion: how do you honour an Article 17 erasure request when the prompt lives in a US inference log?

The three failure modes we see in audits

First, teams sign a DPA covering the API tier but never restrict employees to it — everyone still uses the consumer app. Second, teams build a proxy that redacts server-side but exempt 'trusted' senior staff, who then paste the most sensitive material. Third, teams treat pseudonymisation as anonymisation — a token like [NAME_1] mapped locally to 'Anna Nagy' is still personal data under GDPR because the mapping exists.

Where PromptShielder fits

Client-side redaction closes the data-minimisation and purpose-limitation controls in one step. The mapping stays in the tab, dies on close, and never traverses the network — which means the risk profile of the redacted prompt is materially lower than the raw one even though both are technically 'personal data' until the mapping is discarded.

Frequently asked

Does GDPR ban ChatGPT?+

No. It requires accountability. Ban comes only when the accountability cannot be satisfied — which is common for consumer tiers, rare for enterprise tiers with a DPA.

Is the Italian DPA precedent still relevant?+

Yes. Garante's 2023 order remains the clearest EU regulator statement on transparency, lawful basis and age verification. Every subsequent European probe has followed its outline.

What is the fastest way to reduce Data Subject request risk?+

Redact before send. If the prompt never carried the subject's name, the retained conversation cannot be linked to them without extra work.

Sources
ComplianceGovernance
Try PromptShielder

Redact prompts before they leave your browser.

Free to try. Nothing is sent to a server. Ever.