GDPR · July 4, 2026 · 6 min read

Is It a GDPR Breach If Staff Put Customer Data into ChatGPT?

An employee pastes a customer email into a prompt to save time. Whether that is a reportable breach — and who answers for it — is decided by GDPR, not by the employee.

AIovert Security Team

GDPR & EU AI Act practitioners · Last updated July 4, 2026

The short answer

Entering a customer’s personal data into ChatGPT can be a GDPR breach if there is no lawful basis for that processing or no appropriate safeguards in place. Your organisation stays the data controller, so it is responsible for the transfer even though an employee performed it. Whether it is reportable depends on the risk to the individuals affected, assessed under GDPR Article 33.

The core problem is that pasting personal data into a consumer AI tool is a further processing operation and, often, a transfer to a third party (and potentially outside the EEA) without a lawful basis, transparency, or a data processing agreement.

Why the employer carries the risk

Under GDPR Article 4, the controller determines the purposes and means of processing. An employee acting in the course of their work does so on the organisation’s behalf, so the organisation — not the individual — answers for the processing. Regulators expect controllers to have technical and organisational measures that prevent foreseeable misuse.

When it becomes reportable

Article 33 requires notification to the supervisory authority within 72 hours where a personal data breach is likely to result in a risk to the rights and freedoms of individuals. A one-off paste of low-sensitivity data may not meet that bar; repeated exposure of special-category data (such as health information) is far more likely to. Document your assessment either way — the accountability principle expects it. See your GDPR Article 33 breach-notification obligations.

Reducing the risk

The practical defence is preventing the paste in the first place with a browser control that inspects prompts before submission, combined with an acceptable-use policy. Prevention is stronger than after-the-fact detection because it stops the data leaving the endpoint at all. See how to stop employees pasting confidential data into ChatGPT and how to make AI tools GDPR compliant for your company.
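The pre-submission check described above, as an added example that is not AIovert's code or any other product's: the detector patterns, the block-on-any-finding rule and the audit-record shape are assumptions made here, and the scanning logic is kept DOM-free so the same functions can be exercised outside a browser.

```javascript
// Illustrative detectors (assumed, not production rules). `special` marks
// indicators of GDPR Article 9 special-category data, which raises the
// Article 33 risk assessment if a paste does get through.
const DETECTORS = [
  { kind: 'email',  special: false, re: /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g },
  { kind: 'phone',  special: false, re: /\+?\d[\d ()./-]{7,}\d/g },
  { kind: 'health', special: true,  re: /\b(diagnos\w*|prescri\w*|patient)\b/gi },
];

// Scan a prompt. Matched values are masked so the findings can be logged
// without the audit log becoming a second copy of the personal data.
function inspectPrompt(text) {
  const findings = [];
  for (const { kind, special, re } of DETECTORS) {
    for (const m of text.matchAll(re)) {
      findings.push({ kind, special, masked: m[0].slice(0, 2) + '***' });
    }
  }
  return findings;
}

// Decision rule (assumed): block any prompt with a finding. The audit
// record holds metadata only: when, how long, which kinds, how many.
function decide(text) {
  const findings = inspectPrompt(text);
  return {
    allowed: findings.length === 0,
    special: findings.some((f) => f.special),
    audit: {
      at: new Date().toISOString(),
      promptLength: text.length,
      kinds: [...new Set(findings.map((f) => f.kind))].sort(),
      findings: findings.length,
    },
  };
}

// Browser hook for a form-based prompt box. Runs in the capture phase so it
// sees the submit before the page's own handlers and can stop the request
// leaving the endpoint. `auditSink` and `onBlock` are assumed callbacks.
// Sites that send prompts from a button click or keypress via fetch need
// those events hooked as well; this example covers the form-submit case.
function guardPromptForm(form, textarea, auditSink, onBlock) {
  form.addEventListener('submit', (ev) => {
    const verdict = decide(textarea.value);
    auditSink(verdict.audit);
    if (!verdict.allowed) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
      onBlock(verdict);
    }
  }, true);
}
```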

Frequently asked questions

Who is liable — the employee or the company?

The company, as data controller, is primarily accountable to the supervisory authority. Internal disciplinary matters are separate, but regulators pursue the controller organisation, not the individual employee, for compliance failures.

Do we have to report every paste of personal data to our DPA?

No. You must assess whether the incident is likely to result in a risk to individuals under Article 33. If it is, notify within 72 hours. If not, you should still record the incident and your reasoning as part of your accountability documentation.

Is anonymising the data before pasting enough?

If data is genuinely anonymised so that individuals can no longer be identified, GDPR no longer applies to it. But true anonymisation is difficult; pseudonymised data (where re-identification remains possible) is still personal data and still in scope.

Primary sources

Regulatory dates and requirements can change — verify against the official EU sources above before relying on them. This page is informational and not legal advice.

Stop customer data reaching ChatGPT.

AIovert blocks personal data at the browser input field and keeps an audit log — so a paste never becomes a breach you have to report. Deploys in 15 minutes.