Six questions a regulator, a DPO, or an enterprise customer will ask you about AI and customer data. Grounded in 2025-2026 enforcement, CNIL guidance, and the Court of Rome OpenAI annulment.
On 18 March 2026 the Court of Rome annulled the €15 million fine that the Italian Garante had imposed on OpenAI in December 2024 for training ChatGPT without a proper Article 6 lawful basis (Wilson Sonsini client alert; Reuters via Startup News). The court's full reasoning is not out yet. The Garante's decision is gone. And with it goes the only major Article 6 enforcement action against a generative AI provider in Europe.
If you are running a small company that uses AI tools with customer data, the honest read is: this changes very little for you. The annulment narrows the regulator's proven track record, not the underlying rules. Your DPO, your enterprise customers, your next auditor, and the CNIL's guidance from February 2025 are all asking the same six questions they were asking the day before the ruling. It makes sense to have the answers ready.
This piece walks the six questions, with the concrete 2025-2026 sources that ground each one.
Before anything else, you need a real picture of where personal data is flowing through AI systems in your product and your operations. Not a policy. A map.
Build a simple inventory row for every AI tool touching customer data. For each one, answer:
That last question is where most teams get surprised, so we will come back to it.
The inventory has to include the obvious tools — the OpenAI or Anthropic API your product calls, Azure OpenAI, Vertex AI, Bedrock — and the less obvious ones. The Chrome extension your sales team installed. The Notion AI toggle someone enabled on the company workspace. The Slack bot a developer built on a Friday. The transcription tool running on a senior manager's laptop. Most "shadow AI" risk discovered in the wild is not a rogue startup tool; it is one of the big consumer apps running with the wrong account.
The cheapest way to run this inventory is to ask every team lead for a five-minute list of "every AI tool my team uses, with or without approval." You will learn more in thirty minutes than from a quarter of endpoint scanning. It only works once — don't waste it by turning the output into a blame exercise.
Whatever the AI tool does, if it touches personal data, you need a legal basis under Article 6 for the processing. Pick one deliberately — do not default to "legitimate interest" because it is the least-friction box to tick.
The Italian Garante's original December 2024 decision against OpenAI found that OpenAI had no appropriate Article 6 basis for training on user data between the product launch in November 2022 and late March 2023 (Lewis Silkin analysis). The Court of Rome annulled the decision in March 2026 without publishing the reasoning. I am not sure what the court objected to — procedural overreach, factual error, or a substantive disagreement about Article 6 scope are all live possibilities until the reasoning is published. What I am sure of is that an AI provider cannot retroactively pick a legal basis for processing that has already happened, and neither can you.
Document your basis for each AI use case before the processing starts. Store it somewhere a DPO can find it without asking you.
If a third party processes personal data on your behalf, Article 28 requires a Data Processing Agreement between you and them. Every serious AI provider offers one. The trap is signing a DPA and then never reading it again as the sub-processor cascade underneath it changes.
Four things to check on the DPA itself.
The sub-processor list. The DPA should either list every sub-processor or commit the provider to notifying you before changes. Major providers update these quarterly or more often — Anthropic's October 2025 announcement of its expanded use of Google Cloud TPUs (Anthropic) is the kind of change that adds a new entity to the cascade and a new physical location for the data.
The data location and transfer mechanism. If you are subject to GDPR and data leaves the EEA, the DPA needs to reference a valid transfer mechanism — Standard Contractual Clauses at minimum, and a Data Privacy Framework listing for US providers where that applies. Check that the version of the SCCs referenced is the 2021 modules, not the legacy text.
The retention window. How long does the provider keep prompts, completions, and logs after processing? Caching for abuse monitoring is processing. A 30-day retention on prompts counts.
The breach notification window. GDPR gives you 72 hours from becoming aware of a breach to notify your supervisory authority. Your processor has to give you enough lead time to meet that clock, which means a commitment to notify you "without undue delay" is thinner than it sounds — push for 24-48 hours.
And then there is the sub-processor cascade itself — the chain of entities below your direct provider that your customer data also flows through. Most DPAs expose the first layer. Very few expose the second and third, which is where the actual forwarding happens. I wrote more about this in "When you call OpenAI, who actually processes your data?". The one-line summary: the entities on the sub-processor list change more often than almost any team watches for, and a DPA you last read six months ago may be referencing sub-processors that are no longer current.
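One way to watch the cascade described in the DPA checks above, as an added example that is not the article's own code: keep the sub-processor list you last reviewed as a snapshot, compare it against the provider's current list, and flag additions, removals, location moves, and non-EEA entities with no transfer mechanism named. Field names, region codes and all sample entries are constructed for illustration.

```python
"""Added example (not from the article): compare a sub-processor list as last
reviewed against the provider's current list and flag what needs a human look.
Field names, region codes and the sample entries are all constructed."""
from dataclasses import dataclass

NO_TRANSFER_NEEDED = {"EEA"}          # assumption: data staying in the EEA needs no Chapter V mechanism
VALID_TRANSFER = {"SCC-2021", "DPF"}  # 2021 SCC modules, or a Data Privacy Framework listing

@dataclass(frozen=True)
class SubProcessor:
    name: str
    location: str        # region where this entity processes the data
    purpose: str
    transfer: str = ""   # transfer mechanism the DPA names for this entity, if any

def _key(entry):
    return entry.name.strip().lower()

def review_changes(snapshot, current):
    """Return (finding, entity) pairs: additions, removals, moves, and non-EEA
    entities with no valid transfer mechanism named in the current list."""
    old = {_key(e): e for e in snapshot}
    new = {_key(e): e for e in current}
    findings = []
    for k, e in new.items():
        if k not in old:
            findings.append(("new_subprocessor", e.name))
        elif old[k].location != e.location:
            findings.append(("location_changed", e.name))
        if e.location not in NO_TRANSFER_NEEDED and e.transfer not in VALID_TRANSFER:
            findings.append(("missing_transfer_mechanism", e.name))
    for k, e in old.items():
        if k not in new:
            findings.append(("removed_subprocessor", e.name))
    return findings

# Constructed sample: the list you reviewed six months ago vs. the list published today.
SNAPSHOT = [
    SubProcessor("Example Cloud Host", "EEA", "inference hosting"),
    SubProcessor("Example Abuse Monitor", "US", "abuse monitoring", "DPF"),
]
CURRENT = [
    SubProcessor("Example Cloud Host", "US", "inference hosting", "SCC-2021"),
    SubProcessor("Example Abuse Monitor", "US", "abuse monitoring", "DPF"),
    SubProcessor("Example TPU Provider", "US", "model serving"),  # new entity, no mechanism named
]

def demo():
    return review_changes(SNAPSHOT, CURRENT)
```

Run `demo()` on a real pair of lists by replacing the constructed entries; each finding is a prompt to re-read the DPA clause it touches, not a verdict.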
This is the question that catches the most teams, and it is the one I think carries the highest leverage of the six.
OpenAI's API terms (as of the February 2026 sub-processor list update) state that API data is not used for training by default. ChatGPT's consumer terms say data may be used for training unless you opt out in settings. ChatGPT Team and Enterprise have API-equivalent no-training defaults.
Anthropic's Claude API does not use customer data for training by default, and Claude for Work has the same posture. Google's Gemini API distinguishes between the API tier and the consumer Gemini product, with different defaults on each side.
The pattern is consistent and load-bearing. Consumer-tier and API-tier products from the same provider usually have different data terms. The training opt-out you configured for your API key gives you zero protection if a support agent pastes a customer email into chatgpt.com on their personal browser.
Most of the "a team member leaked customer data to ChatGPT" stories I have read trace back to this exact confusion. The company signed up for the API, locked down training, and never checked that employees were actually using the API path instead of the consumer website. The fix is not technical — it is a written policy plus a team-wide ChatGPT Team or Enterprise subscription so the default path is the safe one. This is the single highest-leverage item on this entire list.
Check each tool individually. Read the actual terms page, not the marketing page. When a vendor tells you "we don't train on your data," ask which product tier that applies to and where it is written down.
Your privacy policy likely says nothing specific about AI. Articles 13 and 14 of the GDPR require you to tell data subjects how their data is processed, and the CNIL's February 2025 recommendations on Informing Data Subjects made it explicit that a generic line about "third-party tools" is not enough when AI is in the loop.
Add the following to your privacy policy, specifically for AI processing:
Article 22 is where most teams quietly make a mistake. The instinct is that "our AI just gives suggestions and a human clicks the button" takes you out of Article 22. The SCHUFA ruling from the CJEU (Case C-634/21, 7 December 2023) made that position far less safe. The Court held that a probability value produced by a credit scoring agency is itself an "automated individual decision" under Article 22 whenever a third party relies heavily on it to decide a contract (IAPP analysis). The human click-through does not necessarily save you. The question is how much weight the decision actually puts on the AI output.
I am not sure where the line falls between "an AI feature" and "an automated individual decision" for any given product. SCHUFA made it less abstract but did not give a bright-line test, and the Court of Rome just annulled the biggest generative-AI enforcement action in Europe without publishing its reasoning. The case law here is genuinely fuzzy. For now: if removing the AI from the loop would materially change the outcome for the affected person, assume Article 22 is in scope and plan your transparency and rights-of-objection mechanisms accordingly.
A Data Protection Impact Assessment under Article 35 is required when processing is likely to result in a high risk to the rights and freedoms of individuals. The EDPB's criteria kick in at two or more of: large-scale processing, novel technology, evaluation or scoring of individuals, automated decision-making with legal or significant effect, sensitive data categories, vulnerable data subjects, matching or combining datasets.
Most AI use cases involving customer data trip at least two of these. Novel technology is almost always one. Large-scale is often the other.
The CNIL's July 2025 practical guidance on AI and data protection recommended DPIAs specifically for any AI system that processes personal data at scale during development or deployment. That is not the same as a legal requirement, but it is the standard a French supervisory authority now expects.
A DPIA does not have to be a fifty-page document. A four-to-six page assessment that describes the processing, the necessity and proportionality argument, the identified risks to individuals, and the concrete mitigations is enough for a small-team product. The companion article "Do you need a DPIA for your AI feature?" walks the practical check in detail. What matters is that the document exists, is dated, is reviewed when the AI use case changes materially, and is something your DPO or an enterprise procurement team can read without twenty minutes of explanation from you.
Pick up the consumer-vs-API tier question first. Open your expense dashboard or SSO logs and find every person at your company who has logged into chatgpt.com, claude.ai, or gemini.google.com in the last month. If you do not have a team-wide paid subscription that gives them API-equivalent data protection by default, that is the most urgent item on your list — and it is probably the fastest to close.
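The SSO-log check above, as an added example that is not the article's own code: scan sign-in records for the three consumer-tier hosts the article names, keep only the last 30 days, and report users who are not on the team subscription. The log line format, the user list and the sample lines are all constructed; real SSO or proxy exports will need their own parser.

```python
"""Added example (not from the article): find users who signed in to
consumer-tier AI products in the last 30 days and are not covered by a
team subscription. Log format, users and sample lines are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Consumer-tier web apps named in the article; API endpoints are deliberately absent.
CONSUMER_TIER_HOSTS = {"chatgpt.com", "claude.ai", "gemini.google.com"}

# Assumed log shape: "<ISO-8601 timestamp> user=<email> host=<hostname> action=<verb>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) action=(?P<action>\S+)$")

def parse_line(line):
    """Return (timestamp, user, host, action) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["user"].lower(), m["host"].lower(), m["action"]

def find_uncovered_users(lines, covered_users, now, window_days=30):
    """Map user -> set of consumer-tier hosts used inside the window, for users
    who are not on the team subscription (and so have no no-training default)."""
    cutoff = now - timedelta(days=window_days)
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip, do not crash the scan
        ts, user, host, _ = rec
        if ts < cutoff or host not in CONSUMER_TIER_HOSTS or user in covered_users:
            continue
        hits.setdefault(user, set()).add(host)
    return hits

# Constructed sample input: one covered user, one stale sign-in, one API-path request.
SAMPLE_LOGS = [
    "2026-03-28T09:12:00Z user=alice@example.com host=chatgpt.com action=login",
    "2026-03-29T10:00:00Z user=bob@example.com host=claude.ai action=login",
    "2026-01-15T08:00:00Z user=carol@example.com host=gemini.google.com action=login",
    "2026-03-30T11:30:00Z user=dave@example.com host=api.openai.com action=request",
    "2026-03-31T14:05:00Z user=Alice@Example.com host=claude.ai action=login",
    "not a log line",
]
COVERED_USERS = {"bob@example.com"}        # assumed: accounts on the team/enterprise plan
NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)

def demo():
    return find_uncovered_users(SAMPLE_LOGS, COVERED_USERS, NOW)
```

The output is the list of people to move onto the team tier, not evidence that data left; what they pasted is a separate question.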
Everything else on this page — the inventory, the DPA review, the privacy policy update, the DPIA, the Article 22 read — matters, and a well-run small team can close each of them in a few days. But the tier question is the one where the delta between "addressed" and "ignored" is the difference between a slow compliance backlog and an actual data leak that ends up in a support ticket from a regulator.
The Court of Rome just annulled the biggest generative-AI enforcement action in Europe, and the underlying compliance questions did not move an inch. A regulator, a DPO, or an enterprise buyer will ask you the same six questions they were asking before the ruling. The single highest-leverage fix is boring: make sure the people at your company who use AI tools with customer data are using tiers where training is off by default, and write it down. Everything else follows from that.