☕ aban news
Updated: May 2026 · not legal advice

Using AI in a GDPR-compliant way — the practical guide

Data protection isn't a reason to avoid AI — it's a reason to think for a moment before the first click. Here's the check that takes five minutes and saves expensive mistakes. Practical, for solopreneurs, without the legal fog.

Most solopreneurs hesitate about AI not because of the technology, but because of four letters: GDPR. The worry is healthy — it just often blocks more than necessary. The point isn't "stay away", but "know what you're doing before client data goes into the tool".

The most common mistake isn't bad intent, it's convenience: quickly dropping a client call into a free transcription tool, pasting a whole email thread with real names because it's handy right now. That's exactly where the problems start that later cost money. This guide hands you a check you run once per tool — after that you know where you stand.

Ground rule: whatever has to be correct, you verify at the source — not with the AI and not in a blog post. This page gives orientation, but does not replace legal advice.

The 5-question data-protection check

Run these five questions once per tool. Answer them honestly and you avoid the expensive beginner mistakes.

1 Where are the servers?

Processing data in the EU is the simple path. With US providers you need a solid legal basis; many large tools now offer EU data residency or business plans with better guarantees. If the provider's page says nothing about it, that too is an answer.

2 Is there a data processing agreement (DPA)?

As soon as you process personal data, you need a DPA with the provider (Art. 28 GDPR). It records that the provider only processes the data on your instructions. Reputable providers offer it as a standard document. If you can't find one, no client data belongs there.

3 Are my inputs used for training?

On many free plans yes, on business plans often not — but only if you set it actively or choose the right plan. Check this setting once, deliberately, in your account settings instead of hoping.

4 What actually needs to go in? (data minimisation)

The best protective measure is leaving things out. "Client A, construction sector, job X" is plenty for a draft quote. You don't need names, addresses and contract numbers for that — so leave them out. Anonymising is almost always faster than the later conversation with the supervisory authority.
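Data minimisation in practice, as an added example that is not from the page or from any tool it names: a small Python pre-processor that swaps e-mail addresses, phone numbers and explicitly listed names or contract numbers for stable placeholders before the text goes to an AI tool, keeps the mapping only on your own machine, and puts the real values back into the answer afterwards. The regular expressions, the placeholder format and the sample text are my assumptions; names and contract numbers are taken from an explicit list on purpose, because a generic detector would miss too much to count as a privacy control.

```python
import re
from typing import Dict, List, Tuple

# Identifiers a regex can catch reliably (assumed patterns, not from the page).
# Names and contract numbers have no fixed shape, so they come from `known_terms`.
PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # 9+ digits with optional spaces, dashes or slashes, optional leading "+"
    "PHONE": re.compile(r"\+?(?:\d[ \-/]?){8,}\d"),
}


def pseudonymise(text: str, known_terms: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Replace personal identifiers with placeholders like [NAME_1].

    known_terms maps a literal string to a category label, e.g.
    {"Jane Smith": "NAME", "CN-2026-0042": "CONTRACT"}.
    Returns the cleaned text and a placeholder -> original mapping that
    stays local; only the cleaned text is meant to leave your machine.
    """
    mapping: Dict[str, str] = {}
    counters: Dict[str, int] = {}

    def placeholder(category: str, original: str) -> str:
        # Reuse the token if this exact value was seen before, so one client
        # stays one token and the model can still follow the thread.
        for token, value in mapping.items():
            if value == original:
                return token
        counters[category] = counters.get(category, 0) + 1
        token = f"[{category}_{counters[category]}]"
        mapping[token] = original
        return token

    # 1. Explicit terms first, longest first, so a longer name wins over a
    #    shorter one it contains.
    for term in sorted(known_terms, key=len, reverse=True):
        if term in text:
            text = text.replace(term, placeholder(known_terms[term], term))

    # 2. Pattern-detected identifiers (e-mail, phone).
    for category, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, c=category: placeholder(c, m.group(0)), text)

    return text, mapping


def reidentify(text: str, mapping: Dict[str, str]) -> str:
    """Put the real values back into a model answer that used the placeholders."""
    for token, original in mapping.items():
        text = text.replace(token, original)
    return text


def residual_hits(text: str) -> List[Tuple[str, str]]:
    """Final check before sending: anything the patterns still recognise."""
    return [(c, m.group(0)) for c, p in PATTERNS.items() for m in p.finditer(text)]


# Constructed sample input; the person, address and numbers are invented.
SAMPLE = (
    "Hi Jane Smith, re contract CN-2026-0042: please send the revised quote to "
    "jane.smith@example.com or call +49 30 1234567. Jane Smith prefers calls."
)
KNOWN = {"Jane Smith": "NAME", "CN-2026-0042": "CONTRACT"}

if __name__ == "__main__":
    cleaned, local_map = pseudonymise(SAMPLE, KNOWN)
    print("send this:", cleaned)
    print("keep this locally:", local_map)
    print("still detectable:", residual_hits(cleaned))
    # Pretend the model answered using the placeholders; restore locally.
    print("restored:", reidentify("Quote for [NAME_1], [CONTRACT_1] attached.", local_map))
```

The placeholder mapping is the sensitive part: it never goes to the provider and should be treated like the original data (deleted once the task is done). The `residual_hits` check is the "did I actually leave it out?" step from question 4, run against the text that is about to be pasted.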

5 Would I explain it to my client this way?

A simple test: if you could openly tell your client how you handle their case with AI, it's usually fine. If you'd have to hide it, something is off. Your gut is a surprisingly good first filter here.

Anonymise where you can. A DPA where needed. And when in doubt, do the part that really has to be right yourself.

Rules by tool type

Text models (ChatGPT, Claude & co.)

For text, summaries, rewrites. Choose a paid business plan, check EU data residency and a DPA, switch off training use. Real client names only when unavoidable — otherwise work anonymised.

Transcription (calls, voice notes)

Get the consent of everyone involved for client calls. Local processing (e.g. Whisper on your own machine) is more privacy-friendly than a web service, because the audio file never leaves your device.

Images & graphics

Here it's rarely about personal data, more about rights and trademarks: check usage rights and don't blindly use generated images as your own brand mark.

Automation (Make, n8n & co.)

As soon as workflows push client data between services, you need clarity on the DPA and server location for every service involved. Self-hosting (e.g. n8n) gives you the most control.

The three most common mistakes

  • Real data out of convenience: pasting whole email threads with names and addresses because it's faster right now. That's exactly the expensive reflex.
  • Free for sensitive: using the free tier for client data, even though there's no DPA and inputs go into training.
  • "It's just a test": data protection applies in tests too. A trial run with real personal data is not a harmless trial run.

In brief: DPA and the EU AI Act

Data processing agreement (DPA)

When a provider processes personal data on your behalf, you are the controller and they are the processor. The DPA under Art. 28 GDPR puts this relationship in writing. Without it, a key basis is missing — which is why "is there a DPA?" is question 2 above.

EU AI Act

The EU's AI Regulation (Regulation (EU) 2024/1689) adds risk classes and transparency duties for AI systems on top of the GDPR. For most solopreneurs that mainly means: where AI content is involved, labelling and transparency duties increasingly apply. The GDPR stays in force alongside it.

Frequently asked

Can I use ChatGPT or Claude for business?
Yes — if you have a legal basis and follow the provider's terms. For personal data you usually need a DPA and should choose EU data residency plus a business plan without training use.

Do I really need a DPA for AI tools?
As soon as personal data runs through the tool, yes. The DPA under Art. 28 GDPR is the written basis for it. Reputable providers offer it as a standard document.

Are my inputs used for training?
On many free plans yes, on business plans often not — but only if you set it actively or choose the right plan. Check the setting once, deliberately.

Is the free version GDPR-compliant?
Not automatically. Free tiers often offer no DPA and use inputs for training. Unsuitable for real client data — pick a business plan or anonymise first.

Do I have to tell clients that I use AI?
If you process clients' personal data with AI, the processors you use belong in your privacy notice. Self-test: could you openly explain it to your client?

Free eBook: “Anti-Hype”

The data-protection chapter as part of the whole: my free eBook shows you the 3-question filter, your minimal AI stack and the data-protection check in five minutes. No sign-up.

Read the eBook →

Every workday: AI without the bullshit, in 5 minutes

aban news brings you the AI developments that matter for your work, Mon–Fri — including the data-protection and tool topics that affect you as a solopreneur.

Get the 5-min AI briefing →

No spam. Unsubscribe in one click. GDPR-compliant.


Sources (official, free)

  • GDPR full text — EUR-Lex, Regulation (EU) 2016/679. Relevant e.g. Art. 6 (legal bases) and Art. 28 (processors).
  • EU AI Act — Regulation (EU) 2024/1689, also via EUR-Lex.
  • Your data protection authority — the national/state authority where you operate. First port of call for concrete questions.

Important note: this guide is practical orientation from experience, not legal advice. In an individual case it does not replace a review by a professional or guidance from your data protection authority. AI tools and their terms change fast — check the current status with the provider yourself. No affiliate links.