"But if I upload my client data to ChatGPT, where does it end up?" It's perhaps the number one concern we hear when a company starts using AI seriously. It's a completely legitimate question, and the answer is less scary than feared — provided you understand a distinction that changes everything.

The distinction that changes everything: personal or business account

It's not the tool that makes the difference. It's the type of account you use it with. The exact same AI behaves in two opposite ways depending on whether you sign in with a personal/free account or with a business/enterprise account.

With personal and free accounts, in many cases your conversations are used to train the models (by default or depending on a setting). With business and enterprise accounts, the main providers contractually commit not to use your data to train the models. It's the difference between "your data feeds someone else's product" and "your data stays yours."

Provider — personal/free account · business/enterprise account

OpenAI (ChatGPT) — used for training (can be turned off) · NOT used (contractual commitment)

Anthropic (Claude) — used for training (can be turned off) · NOT used (contractual ban)

Microsoft (Copilot) — used for training, but NOT for EU users · NOT used (contractual commitment)

Google (Gemini) — depends on the "Activity" setting · NOT used (contractual commitment)

The practical conclusion is clear: using free ChatGPT, personal Claude, or consumer Gemini to work on client data means, at best, gifting that data to train someone else's model. For a company you need a business or enterprise account, with the right contract signed.

The number one risk isn't technological: it's "shadow AI"

The most widespread and least visible danger isn't a hacker attack. It's your colleague who, in good faith, pastes the client list or a draft contract into free ChatGPT with their personal account, to get help writing an email. In that gesture you're transferring personal data to an external party without legal basis, without a contract, often to servers outside the EU. It's a potential GDPR breach, and it happens every day in thousands of companies that "don't use AI." The first line of defense isn't software: it's a clear internal policy on which tools can be used and which data can be entered.

Where the data physically ends up (EU residency)

"Does it stay in Europe?" is the second question. It depends on the provider and the plan. Microsoft offers an "EU Data Boundary" and, from late 2025, processing in 15 countries including Italy — with a caveat: some Copilot features that use third-party models may leave the EU, and must be enabled consciously. Google Workspace allows you to select the "Europe" region for eligible plans. Claude offers European residency through cloud infrastructure (AWS, Google Cloud). OpenAI processes data mainly in the United States and, to date, isn't certified under the EU-US agreement (the Data Privacy Framework): for transfers, Standard Contractual Clauses are required, which are included in its enterprise contract.

A note that applies to all: the EU-US data transfer agreement is in force as of June 2026, but it's under appeal before the European Court of Justice. Law firms recommend not relying solely on that certification and keeping the Standard Contractual Clauses active as a safety net anyway.

GDPR in practice, without panic

Here is what it means in practice, without lawyer-speak. When your company uses an AI tool, you are the "controller" of the processing (you decide why and how to use it) and the vendor is the "processor" (they process the data on your behalf). This involves some concrete steps.

Sign the DPA. The Data Processing Agreement is mandatory when you share personal data with a vendor. All enterprise vendors provide one — but it must be requested, signed, and archived: it's not automatic.

Document the legal basis. Watch out for a common mistake: for employees, consent is usually not valid, because they aren't free to refuse. Another basis is needed, documented.

Consider the DPIA. For adopting AI tools across the entire workforce or on customers, an impact assessment is almost always mandatory. There's an updated European template to rely on.

Update the privacy notice. Employees and customers must be informed that their data may be processed through AI tools.

Enable EU residency. In the products that offer it (Copilot, Workspace) it must be selected by the administrator: it's not active by default.

The AI Act: something is already mandatory today

Many think of the European AI Act as something "that's coming." Partly it's already here. Since February 2025, the AI literacy obligation is in force: companies must ensure that those who use these tools have adequate skills — and it must be documented. Some practices are already banned, such as emotion recognition systems in the workplace. And from August 2, 2026, the transparency obligation kicks in: a chatbot facing the public must declare it's an AI. This isn't distant theory: it's a calendar that has already started.

Italy means business: the Data Protection Authority isn't joking

For those who think that in Italy these rules stay on paper, look at what happened. In 2023 the Data Protection Authority blocked ChatGPT, re-admitted only after OpenAI accepted a set of conditions; in 2024 it issued a €15 million fine (later annulled in March 2026 by the Rome Court over a jurisdictional issue, not on the merits). At the beginning of 2025 it definitively blocked DeepSeek over the processing of Italian users' data. And it fined the company behind the Replika chatbot €5 million — a fine actually paid. The lesson for a company is simple: the authority intervenes, and AI is in its sights.

A practical checklist for your company

Summarizing everything into an actionable list, here are the minimum steps to use AI compliantly.

  • Use only business/enterprise accounts for company activities; never personal accounts on client data.
  • Sign and archive the vendor's DPA; check their sub-processors.
  • Conduct the impact assessment (DPIA) for deployments on employees or customers.
  • Document the correct legal basis (for employees, not consent).
  • Update privacy notices to employees and customers.
  • Enable EU data residency where available and verify Standard Contractual Clauses.
  • Train people: from 2025 AI literacy is an obligation, not a nice-to-have.
  • Write an internal policy on AI use: allowed tools, allowed data, who does what.

In summary

"Where does my data end up?" almost always depends on a choice of yours: personal or business account. With the right tools, a signed contract, and a bit of care, AI can be used compliantly and without fear. The risk isn't the technology itself: it's using it blindly, with the wrong accounts and no policy. The good news is that putting things in order costs little — much less than a Data Protection Authority investigation.

Sources

Information updated as of June 2026. This article has informational and educational purposes and does not constitute legal advice: for your company's specific case, we recommend the opinion of a data protection professional.