IQONEX

Use ChatGPT GDPR-compliantly — architecture, pseudonymization, documentation.

What it really takes to use ChatGPT (or comparable LLMs) productively in regulated German businesses without crossing GDPR lines.

Short and honest

  • Standard ChatGPT plus personal data is hard to defend under Article 28 + Schrems II.
  • Azure OpenAI in an EU region with a Microsoft Germany DPA is the most defensible foundation.
  • Pseudonymization keeps personal references inside your domain — the model only sees tokens.
  • A DPIA per Article 35 plus TOMs per Article 32 closes the documentation loop.

GDPR risks of standard ChatGPT

Four problems show up consistently: (1) data transfer to the US without adequate Schrems II protection on standard plans; (2) inputs used for training; (3) no reliable deletion or subject-access path; (4) no DPA that meets Article 28.

Each one is a hurdle in regulated industries. Together they make the standard plan effectively unusable for client or patient data.

Azure OpenAI as the foundation

Azure OpenAI gives you the same models with a DPA from Microsoft Germany, EU data residency (Frankfurt or Sweden), Entra ID authentication and Azure Monitor logs. That changes Schrems II exposure, training reuse and DPA coverage in one move.

Pseudonymization done right

Pseudonymization replaces names, addresses, emails and file numbers with stable tokens before the model call. The model sees only structured pseudo-data. Re-identification happens locally, after the response.

  • Detect personal references via field marking, regex, or NER.
  • Replace with stable tokens (Name → Person_42) using a per-request mapping.
  • Re-identify after the response — server-side, in your domain.
  • Log the mapping with appropriate access protection so prompts stay reproducible.
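The flow above as a worked example in Python (added here, not IQONEX's own code): field marking plus regex detection, a per-request mapping that issues stable tokens, and local re-identification that leaves tokens it never issued untouched. The sample record, field names, token classes and regex patterns are constructed for illustration.

```python
import re

# Constructed sample input (not from the page): a ticket with field-marked
# personal data plus a free-text note that repeats the same values.
SAMPLE_RECORD = {
    "name": "Anna Beispiel",
    "email": "anna.beispiel@example.org",
    "note": "Anna Beispiel wrote from anna.beispiel@example.org about file AZ-2024-0815.",
}
MARKED_FIELDS = {"name": "Person", "email": "Email"}  # field marking: key -> token class
DETECTORS = {  # regex detection for values that appear unmarked in free text
    "Email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "FileNo": re.compile(r"\bAZ-\d{4}-\d{4}\b"),
}
TOKEN_RE = re.compile(r"\b(?:Person|Email|FileNo)_\d+\b")

class RequestMapping:
    """Per-request value<->token mapping. Stays server-side; the model never sees it."""
    def __init__(self):
        self.value_to_token, self.token_to_value, self.counters = {}, {}, {}

    def token_for(self, cls, value):
        # Stable within the request: the same value always yields the same token.
        if value not in self.value_to_token:
            self.counters[cls] = self.counters.get(cls, 0) + 1
            self.value_to_token[value] = f"{cls}_{self.counters[cls]}"
            self.token_to_value[self.value_to_token[value]] = value
        return self.value_to_token[value]

    def pseudonymize_text(self, text):
        # Known values first (longest first, so a full name beats a substring), then regex for the rest.
        for value in sorted(self.value_to_token, key=len, reverse=True):
            text = text.replace(value, self.value_to_token[value])
        for cls, pattern in DETECTORS.items():
            text = pattern.sub(lambda m, c=cls: self.token_for(c, m.group(0)), text)
        return text

    def reidentify(self, text):
        # Runs locally after the model response; tokens we never issued stay untouched.
        return TOKEN_RE.sub(lambda m: self.token_to_value.get(m.group(0), m.group(0)), text)

def pseudonymize_record(record, marked_fields):
    # Marked fields are replaced wholesale first, so the scanner knows their values.
    mapping, out = RequestMapping(), {}
    for key in record:
        if key in marked_fields:
            out[key] = mapping.token_for(marked_fields[key], record[key])
    for key in record:
        if key not in marked_fields:
            out[key] = mapping.pseudonymize_text(record[key])
    return out, mapping
```

Only `out` is sent to the model; `mapping` is kept (and logged with access protection) in your own domain and discarded or archived per your deletion concept.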

DPIA without theater

A data-protection impact assessment under Article 35 is the central document. It describes the processing, identifies risks, lists the measures and documents residual risk. We use the WP248 methodology extended with AI-specific aspects (training data, explainability, re-identification risk).

Audit-ready documentation

  1. Article 28 DPA with the provider (e.g. Microsoft Germany).
  2. Article 32 technical and organizational measures (TOMs).
  3. Article 35 DPIA, reviewed by your DPO.
  4. Subprocessor list, deletion concept, training records.

Ready for a call?

30 minutes, free, no strings attached. We listen to your case and tell you honestly whether and how we can help.

Frequently asked

What are the concrete GDPR risks with standard ChatGPT?

First: data transfer to the US without adequate protection per Schrems II (unless reviewed SCCs apply). Second: use of inputs for model training on the standard plan (not on ChatGPT Business/Enterprise or Azure OpenAI). Third: no reliable deletion or subject-access path. Fourth: no DPA that meets Article 28 GDPR.

Does pseudonymization really help?

A lot — when done properly. Direct personal references (name, address, email) are replaced by tokens before the model call. The model only sees structured pseudo-data. Re-identification happens locally, after the model response. Personal references never leave your area of responsibility.

Is a DPA with OpenAI enough?

OpenAI's standard DPA formally meets Article 28 — but the transfer to the US and the subprocessor chain are tricky. For regulated industries, Azure OpenAI with a DPA from Microsoft Germany is far more defensible: data residency, the subprocessor list and audit rights are better documented.

How do we certify our architecture as GDPR-compliant?

There's no 'GDPR-certified AI system' in a strict sense. What's defensible: a data-protection impact assessment (DPIA) per Article 35 reviewed by the DPO, plus TOMs per Article 32, plus a DPA with the provider. We deliver all three in audit-ready form.

Do we need to consult the supervisory authority up front?

Only if the DPIA shows a high risk you cannot mitigate. In most architectures we build, that's not the case. Some authorities (e.g. HmbBfDI in Germany) have published their own guidelines — we follow them and document accordingly.