{"id":3401,"date":"2025-12-12T12:00:08","date_gmt":"2025-12-12T11:00:08","guid":{"rendered":"https:\/\/saskialund.de\/?p=3401"},"modified":"2026-03-15T18:26:24","modified_gmt":"2026-03-15T17:26:24","slug":"ai-data-protection-2025-how-to-use-llms-in-compliance-with-the-gdpr-and-get-shadow-ai-under-control-in-your-company","status":"publish","type":"post","link":"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/","title":{"rendered":"AI &amp; Data Protection 2025: How to use LLMs in compliance with GDPR \u2013 and get shadow AI under control in your company"},"content":{"rendered":"<p>There is a high probability that someone in your company has been using AI for some time now\u2014without any guidelines, approval, or data processing agreement (DPA).<\/p>\n\n\n\n<p>In marketing, texts are polished with ChatGPT; in sales, customer data ends up in prompts; in development, code is cross-checked using AI tools. Well-intentioned, but from the perspective of <strong>GDPR, EU AI Regulation, and corporate compliance<\/strong>, it's a ticking time bomb: shadow AI.<\/p>\n\n\n\n<p>At the same time, it would be absurd to forgo the productivity gains of modern <strong>Large Language Models (LLMs)<\/strong>. 
The trick is to bring <strong>AI and data protection<\/strong> together \u2013 with a clear framework that allows for innovation and limits risks.<\/p>\n\n\n\n<p>As a <strong>certified AI expert (MMAI\u00ae Business School certificate, Academy4AI) and future member of the German Federal AI Association<\/strong>, I support companies precisely at this intersection of technology, law, and governance\u2014and as a <strong>WooCommerce specialist &amp; WordPress developer for SMEs and industry<\/strong>, I am very familiar with the practical perspective from projects.<\/p>\n\n\n\n<p>This article is about:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>how GDPR and the <strong>EU AI Regulation (AI Act)<\/strong> interact,<\/li>\n\n\n\n<li>which risks are truly relevant when using ChatGPT, Claude, Gemini, and similar platforms,<\/li>\n\n\n\n<li>which <strong>practical rules for privacy-friendly AI use<\/strong> you should introduce,<\/li>\n\n\n\n<li>and why a platform like <strong>InnoGPT<\/strong> is an exciting option if you want to provide your teams with a <strong>GDPR-compliant AI environment<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p><em>In this article, I share my professional perspective as a certified AI expert. However, this article does not replace individual legal advice. 
If you require a binding assessment of data protection law, I recommend consulting a qualified lawyer or data protection officer.<\/em><\/p>\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of contents<\/p>\n<\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/#1_Der_verbindliche_Rechtsrahmen_2025_DSGVO_EU-KI-Verordnung_AI_Act\">1. 
The binding legal framework for 2025: GDPR + EU AI Regulation (AI Act)<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/#11_DSGVO_bleibt_die_Basis_fur_alle_personenbezogenen_Daten\">1.1 GDPR remains the basis for all personal data<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/#12_EU-KI-Verordnung_AI_Act_Risk-based_Governance-getrieben\">1.2 EU AI Regulation (AI Act): Risk-based &amp; governance-driven<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/#13_AI_Literacy_Governance-Pflichten_Warum_Unternehmen_seit_2025_nachweislich_KI-Kompetenz_brauchen\">1.3 AI literacy and governance obligations: Why companies need to demonstrate AI competence since 2025<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/#AI-Literacy-Pflicht_Art_4_AI_Act_%E2%80%93_seit_Februar_2025_anwendbar\">AI literacy requirement (Art. 
4 AI Act) \u2013 applicable since February 2025<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/#AI-Governance_%E2%80%93_seit_August_2025_fur_General-Purpose-KI_relevant\">AI governance \u2013 relevant for general-purpose AI since August 2025<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/#2_Was_Aufsichtsbehorden_zu_KI_LLMs_konkret_sagen\">2. What regulatory authorities specifically say about AI &amp; LLMs<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/#3_Typische_Risiken_Wie_Schatten-KI_im_Unternehmen_entsteht\">3. Typical risks: How shadow AI arises in companies<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/#4_10_Grundregeln_LLMs_datenschutzfreundlich_nutzen_Solo_im_Team\">4. 10 basic rules: Using LLMs in a privacy-friendly way (solo &amp; in a team)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/#5_Warum_Consumer-Accounts_kostenfreie_oder_Basis-Konten_von_ChatGPT_Co_fur_Unternehmen_heikel_sind\">5. 
Why consumer accounts (free or basic accounts) from ChatGPT &amp; Co. are tricky for companies<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/#6_Datenschutzkonforme_KI-Plattformen_%E2%80%93_InnoGPT_und_Langdock_im_Fokus\">6. Data protection-compliant AI platforms \u2013 Focus on InnoGPT and Langdock<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/#61_Was_zeichnet_InnoGPT_aus\">6.1 What sets InnoGPT apart?<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/#7_Praxisbeispiele_Wie_Mittelstand_Industrie_InnoGPT_nutzen_konnten\">7. Practical examples: How SMEs and industry could use InnoGPT<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/#8_Governance_KI-Strategie_Vom_Einzeltool_zur_Unternehmenslosung\">8. Governance &amp; AI strategy: From individual tools to enterprise solutions<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/#9_Checkliste_KI_im_Unternehmen_DSGVO-_AI-Act-ready_machen\">9. 
Checklist: Making AI in your company GDPR- and AI Act-ready<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/isla-stud.io\/en\/allgemein\/ki-datenschutz-2025-wie-sie-llms-dsgvo-konform-nutzen-und-schatten-ki-im-unternehmen-in-den-griff-bekommen\/#Quellen\">Sources<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"1_Der_verbindliche_Rechtsrahmen_2025_DSGVO_EU-KI-Verordnung_AI_Act\"><\/span>1. The binding legal framework for 2025: GDPR + EU AI Regulation (AI Act)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"11_DSGVO_bleibt_die_Basis_fur_alle_personenbezogenen_Daten\"><\/span>1.1 GDPR remains the basis for all personal data<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>As soon as you feed <strong>personal data<\/strong> into AI systems\u2014whether for training, responding to queries, or analysis\u2014the GDPR applies. Among other things, you must:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>have a <strong>legal basis<\/strong> under Article 6 of the GDPR,<\/li>\n\n\n\n<li>guarantee <strong>transparency<\/strong> to those affected,<\/li>\n\n\n\n<li>observe <strong>data minimization<\/strong>,<\/li>\n\n\n\n<li>implement technical and organizational measures (TOMs),<\/li>\n\n\n\n<li>and, if applicable, carry out <strong>data protection impact assessments (DPIA)<\/strong>. (<a href=\"https:\/\/live.handelsblatt.com\/ki-und-datenschutz-so-nutzen-sie-ki-systeme-dsgvo-konform\/\" target=\"_blank\" rel=\"noreferrer noopener\">Handelsblatt Live<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>The German Data Protection Conference (DSK) has published a detailed <strong>guidance document on AI and data protection<\/strong>. 
It makes it clear that whoever selects and uses AI applications is responsible for ensuring that this selection is made in compliance with data protection regulations\u2014including the choice of provider, data flows, and configuration. (<a href=\"https:\/\/www.datenschutzkonferenz-online.de\/media\/oh\/20240506_DSK_Orientierungshilfe_KI_und_Datenschutz.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Data Protection Conference<\/a>)<\/p>\n\n\n\n<p>The <strong>EDPB (European Data Protection Board)<\/strong>, with its <strong>ChatGPT Task Force<\/strong>, has also addressed specific questions regarding the legality of web scraping, transparency, and accuracy requirements for LLMs. (<a href=\"https:\/\/www.edpb.europa.eu\/our-work-tools\/our-documents\/other\/report-work-undertaken-chatgpt-taskforce_en\" target=\"_blank\" rel=\"noreferrer noopener\">EDPB<\/a>)<\/p>\n\n\n\n<p>In short: Even though AI is new \u2013 <strong>in terms of data protection law, it is not a legal vacuum<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"12_EU-KI-Verordnung_AI_Act_Risk-based_Governance-getrieben\"><\/span>1.2 EU AI Regulation (AI Act): Risk-based &amp; governance-driven<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>With the <strong>EU AI Regulation (Regulation (EU) 2024\/1689)<\/strong>, the EU adopted the world's first comprehensive legal framework for AI systems in 2024. The AI Act has been in force since <strong>August 1, 2024<\/strong> and establishes a risk-based approach: from minimal risk to limited risk to <strong>high-risk AI<\/strong> and prohibited practices. 
(<a href=\"https:\/\/eur-lex.europa.eu\/eli\/reg\/2024\/1689\/oj\/eng\" target=\"_blank\" rel=\"noreferrer noopener\">EUR-Lex<\/a>)<\/p>\n\n\n\n<p>Important points:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Some <strong>prohibitions on certain AI practices<\/strong> (e.g., certain forms of manipulative systems) and requirements for <strong>AI literacy<\/strong> have been in effect since <strong>February 2, 2025<\/strong>. (<a href=\"https:\/\/artificialintelligenceact.eu\/implementation-timeline\/\" target=\"_blank\" rel=\"noreferrer noopener\">EU Artificial Intelligence Act<\/a>)<\/li>\n\n\n\n<li>The majority of obligations \u2013 especially for <strong>high-risk AI<\/strong> \u2013 will take effect in stages by <strong>August 2, 2026<\/strong>, with further specifications and guidelines from the EU Commission and the new <strong>European AI Office<\/strong>. (<a href=\"https:\/\/ai-act-service-desk.ec.europa.eu\/en\/ai-act\/eu-ai-act-implementation-timeline\" target=\"_blank\" rel=\"noreferrer noopener\">AI Act Service Desk<\/a>)<\/li>\n\n\n\n<li>Among other things, the AI Act establishes requirements for <strong>risk management, data quality, logging, technical documentation, transparency, human oversight, and governance structures<\/strong>. (<a href=\"https:\/\/eur-lex.europa.eu\/EN\/legal-content\/summary\/rules-for-trustworthy-artificial-intelligence-in-the-eu.html\" target=\"_blank\" rel=\"noreferrer noopener\">EUR-Lex<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>The EU is currently discussing whether to <strong>delay certain obligations for high-risk AI until 2027<\/strong> to give companies more time to implement the changes. As of today (December 11, 2025), this is a political proposal that still has to go through the legislative process. 
(<a href=\"https:\/\/www.reuters.com\/sustainability\/boards-policy-regulation\/eu-delay-high-risk-ai-rules-until-2027-after-big-tech-pushback-2025-11-19\/\" target=\"_blank\" rel=\"noreferrer noopener\">Reuters<\/a>)<\/p>\n\n\n\n<p>Important for you:<br><strong>The GDPR remains fully applicable<\/strong>; the AI Act supplements it. In case of doubt, the following applies:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThe AI Act regulates <em>what<\/em> an AI system is permitted to do \u2013 the GDPR regulates <em>how<\/em> you are permitted to handle personal data.\u201d (<a href=\"https:\/\/live.handelsblatt.com\/ki-und-datenschutz-so-nutzen-sie-ki-systeme-dsgvo-konform\/\" target=\"_blank\" rel=\"noreferrer noopener\">Handelsblatt Live<\/a>)<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"13_AI_Literacy_Governance-Pflichten_Warum_Unternehmen_seit_2025_nachweislich_KI-Kompetenz_brauchen\"><\/span>1.3 AI literacy and governance obligations: Why companies need to demonstrate AI competence since 2025<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>For the first time, the EU AI Regulation provides a clear framework for the <strong>organizational responsibility of companies<\/strong> that use AI systems\u2014regardless of whether they develop their own models or use external tools.<\/p>\n\n\n\n<p>Two points have been particularly important since 2025:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"AI-Literacy-Pflicht_Art_4_AI_Act_%E2%80%93_seit_Februar_2025_anwendbar\"><\/span>AI literacy requirement (Art. 4 AI Act) \u2013 applicable since February 2025<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Companies that provide or use AI systems (\u201cproviders\u201d and, above all, \u201cdeployers\u201d) must ensure that their employees have a <strong>sufficient level of AI expertise<\/strong>. 
In practice, this means:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Employees must understand how AI works in principle, where the risks lie, and how to work with it safely.<\/li>\n\n\n\n<li>Companies must provide training, awareness measures, and internal guidelines.<\/li>\n\n\n\n<li>These measures must be documented in such a way that they can be verified within the framework of accountability.<\/li>\n<\/ul>\n\n\n\n<p>In other words:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Since February 2025, \u201cusing AI\u201d has been inextricably linked to \u201cdemonstrating AI competence.\u201d<\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"AI-Governance_%E2%80%93_seit_August_2025_fur_General-Purpose-KI_relevant\"><\/span>AI governance \u2013 relevant for general-purpose AI since August 2025<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>With the start of application of the regulations on General Purpose AI (GPAI) in August 2025, additional organizational requirements apply\u2014especially for providers, but indirectly also for companies that use such systems productively:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>structured documentation of the models used,<\/li>\n\n\n\n<li>monitoring and logging of usage,<\/li>\n\n\n\n<li>processes for incident management, risks, and complaints,<\/li>\n\n\n\n<li>clear roles and responsibilities in the use of AI.<\/li>\n<\/ul>\n\n\n\n<p>Even though the full set of obligations for high-risk AI will not take effect until 2026\/2027, one thing is clear:<br>Without an AI governance concept\u2014i.e., documented responsibilities, guidelines, processes, and training\u2014it will become increasingly difficult for companies to credibly demonstrate AI Act and GDPR compliance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"2_Was_Aufsichtsbehorden_zu_KI_LLMs_konkret_sagen\"><\/span>2. 
What regulatory authorities specifically say about AI &amp; LLMs<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>To make this more tangible, let's take a brief look at three key sources:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>DSK guidance document \u201cAI and data protection\u201d (2024)<\/strong> \u2013 provides companies and public authorities with criteria for selecting and using AI systems: purpose limitation, legal basis, data minimization, transparency, commissioned processing, technical and organizational measures. (<a href=\"https:\/\/www.datenschutzkonferenz-online.de\/media\/oh\/20240506_DSK_Orientierungshilfe_KI_und_Datenschutz.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Data Protection Conference<\/a>)<\/li>\n\n\n\n<li><strong>EDPB ChatGPT Task Force Report (May 2024)<\/strong> \u2013 highlights, among other things:\n<ul class=\"wp-block-list\">\n<li>how training involving web scraping of personal data should be assessed from a legal perspective,<\/li>\n\n\n\n<li>what transparency and information obligations exist towards users,<\/li>\n\n\n\n<li>what requirements are placed on the accuracy and fairness of LLM responses. (<a href=\"https:\/\/www.edpb.europa.eu\/our-work-tools\/our-documents\/other\/report-work-undertaken-chatgpt-taskforce_en\" target=\"_blank\" rel=\"noreferrer noopener\">EDPB<\/a>)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>National information sheets, e.g., HWR Berlin \/ Data Protection Officer<\/strong> \u2013 show very specifically what data is generated when generative AI is used and how this use can be made privacy-friendly (e.g., no direct identifiers, pseudonymization, no sensitive data in freely available tools). 
(<a href=\"https:\/\/datenschutz.hwr-berlin.de\/wp-content\/uploads\/2024\/04\/Merkblatt_ChatGPT_Datenschutz_0423.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Data protection HWR Berlin<\/a>)<\/li>\n<\/ol>\n\n\n\n<p>The message is similar everywhere:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Principle: Enter as little personal data as possible into AI systems.<\/strong><\/li>\n\n\n\n<li><strong>Companies need clear rules<\/strong> on which tools may be used and how.<\/li>\n\n\n\n<li><strong>\u201cJust trying it out quickly\u201d is not a legal basis.<\/strong><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"3_Typische_Risiken_Wie_Schatten-KI_im_Unternehmen_entsteht\"><\/span>3. Typical risks: How shadow AI arises in companies<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Some typical situations that I see time and time again:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Marketing loads customer data (e.g., CRM export) into some AI web app to \u201cquickly form segments.\u201d<\/li>\n\n\n\n<li>HR has ChatGPT evaluate employment contracts or job applications\u2014including complete personal data.<\/li>\n\n\n\n<li>Sales copies entire email histories containing personal information into LLMs in order to formulate \u201cbetter answers.\u201d<\/li>\n\n\n\n<li>Departments use free LLM tools without a corporate account, without a data processing agreement (DPA), and without knowing where data is processed.<\/li>\n<\/ul>\n\n\n\n<p>From a data protection perspective, this raises several issues:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>unresolved <strong>roles &amp; responsibilities<\/strong> (controller \/ processor),<\/li>\n\n\n\n<li>possible <strong>third-country transfers<\/strong> (e.g., USA),<\/li>\n\n\n\n<li>unclear <strong>storage and training use of data<\/strong>,<\/li>\n\n\n\n<li>missing or insufficient <strong>information for those affected<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p>It is precisely these cases that 
data protection supervisory authorities have been focusing on more closely in recent months\u2014even going so far as to impose short-term restrictions and conduct audits of individual providers. (<a href=\"https:\/\/streamlex.eu\/law-resources\/edpb-report-on-chatgpt\/\" target=\"_blank\" rel=\"noreferrer noopener\">StreamLex<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"4_10_Grundregeln_LLMs_datenschutzfreundlich_nutzen_Solo_im_Team\"><\/span>4. 10 basic rules: Using LLMs in a privacy-friendly way (solo &amp; in a team)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Whether you are a sole trader or a medium-sized IT company, the following rules are very helpful in practice for using <strong>LLMs in a GDPR-compliant<\/strong> way:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>No sensitive personal data in consumer accounts<\/strong><br>Health data, special categories according to Art. 9 GDPR, confidential employee information, internal contracts, etc. have no place in freely accessible AI front ends. (<a href=\"https:\/\/datenschutz.hwr-berlin.de\/wp-content\/uploads\/2024\/04\/Merkblatt_ChatGPT_Datenschutz_0423.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Data protection HWR Berlin<\/a>)<\/li>\n\n\n\n<li><strong>Pseudonymize or anonymize wherever possible<\/strong><br>Instead of \u201cJohn Doe, IBAN, Project XY for Customer Z,\u201d it is preferable to use \u201cCustomer A, Budget B, Project in the field of mechanical engineering, Export country D.\u201d<\/li>\n\n\n\n<li><strong>Clear tool strategy: separate private and professional use<\/strong><br>No \u201cI'll just use my private ChatGPT account.\u201d Define approved tools\u2014and if in doubt, block problematic domains on the company proxy. 
(<a href=\"https:\/\/www.ldi.nrw.de\/dsk-orientierungshilfe-ki-fuer-unternehmen-und-behoerden\" target=\"_blank\" rel=\"noreferrer noopener\">LDI NRW<\/a>)<\/li>\n\n\n\n<li><strong>Create a company-specific policy (\u201cAI Policy\u201d)<\/strong><br>Short, understandable, practical: Which tools are permitted? Which data can be included? Who is the contact person for questions? An AI policy is no longer a \u201cnice to have,\u201d but a central element of AI governance.<\/li>\n\n\n\n<li><strong>Clarify the legal basis<\/strong><br>Within the company, you will often rely on legitimate interests (Art. 6(1)(f) GDPR), contract fulfillment, or, where applicable, consent. It is important to maintain clear documentation in the <strong>record of processing activities<\/strong>. (<a href=\"https:\/\/www.datenschutzkonferenz-online.de\/media\/oh\/20240506_DSK_Orientierungshilfe_KI_und_Datenschutz.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Data Protection Conference<\/a>)<\/li>\n\n\n\n<li><strong>Check DPIA \u2013 especially for sensitive scenarios<\/strong><br>When AI systems significantly interfere with business processes or contain profiling elements, a <strong>data protection impact assessment<\/strong> is often mandatory. (<a href=\"https:\/\/www.datenschutzkonferenz-online.de\/media\/oh\/20240506_DSK_Orientierungshilfe_KI_und_Datenschutz.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Data Protection Conference<\/a>)<\/li>\n\n\n\n<li><strong>Log usage and make it traceable<\/strong><br>Who uses which system for what? Logging is not only an IT security issue, but also a governance issue\u2014and fits well with the documentation-oriented logic of the AI Act. 
(<a href=\"https:\/\/eur-lex.europa.eu\/EN\/legal-content\/summary\/rules-for-trustworthy-artificial-intelligence-in-the-eu.html\" target=\"_blank\" rel=\"noreferrer noopener\">EUR-Lex<\/a>)<\/li>\n\n\n\n<li><strong>Choose models and providers carefully<\/strong><br>Check: Hosting (EU\/EEA?), data processing agreement (DPA), storage and training policy, transparency, technical security features. Some providers now explicitly advertise \u201czero retention\u201d and \u201cno training on customer data.\u201d (<a href=\"https:\/\/www.ascomp.de\/blog\/2025\/10\/14\/ki-systeme-im-ueberblick-und-warum-innogpt-die-sichere-alternative-ist\/\" target=\"_blank\" rel=\"noreferrer noopener\">ASCOMP<\/a>)<\/li>\n\n\n\n<li><strong>Training employees \u2013 also a legal requirement since February 2025<\/strong><br>Short training sessions, live demos, small use case workshops \u2013 goal: understanding where opportunities lie and where red lines are drawn.<br>Since February 2025, the EU AI Regulation (EU AI Act) has explicitly required companies to ensure a sufficient level of AI literacy. Training, internal guidelines, and documented participation have thus become a mandatory part of AI compliance\u2014comparable to data protection or information security training.<\/li>\n\n\n\n<li><strong>Integrate AI and data protection with your existing web and SEO strategy<\/strong><br>Those who already work with <strong>technical SEO, performance, and structured data maintenance<\/strong> have a good basis for clean AI integrations. Are you familiar with my guide to <strong>technical SEO<\/strong> and my article on the <strong>key SEO trends for 2024<\/strong>? Visibility, trust, and legally compliant technologies are intertwined. 
(<a href=\"https:\/\/isla-stud.io\/en\/advisor\/technical-seo-guide-2024\/\" target=\"_blank\" rel=\"noreferrer noopener\">saskialund.de<\/a>)<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"5_Warum_Consumer-Accounts_kostenfreie_oder_Basis-Konten_von_ChatGPT_Co_fur_Unternehmen_heikel_sind\"><\/span>5. Why consumer accounts (free or basic accounts) from ChatGPT &amp; Co. are tricky for companies<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Even with improvements in data protection settings, the use of traditional consumer accounts remains problematic in many business contexts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>data flows to third countries<\/strong> and complex subprocessor chains,<\/li>\n\n\n\n<li>limited or absent <strong>data processing agreements<\/strong>,<\/li>\n\n\n\n<li>unclear transparency for those affected,<\/li>\n\n\n\n<li>partial use of inputs for <strong>model training<\/strong> (depending on provider\/plan), even though many providers now offer \u201copt-out\u201d or business options. (<a href=\"https:\/\/www.e-recht24.de\/ki\/13409-chatgpt-datenschutz.html\" target=\"_blank\" rel=\"noreferrer noopener\">eRecht24<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>That doesn't mean you can't use such tools at all, but:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>In a business context<\/strong>, they often require considerable coordination, contract review, and additional measures to ensure they are properly secured.<\/li>\n\n\n\n<li>Especially in a business context, it is therefore often worthwhile to take a step toward <strong>dedicated AI platforms<\/strong> that are explicitly designed for GDPR-compliant use.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"6_Datenschutzkonforme_KI-Plattformen_%E2%80%93_InnoGPT_und_Langdock_im_Fokus\"><\/span>6. 
Data protection-compliant AI platforms \u2013 Focus on InnoGPT and Langdock<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>There are now platforms that bundle various <strong>LLMs in an EU-hosted, GDPR-compliant environment<\/strong>. Two of these are <strong><a href=\"https:\/\/www.innogpt.de\/?via=islastudio\" target=\"_blank\" rel=\"noreferrer noopener\">InnoGPT<\/a><\/strong> and <a href=\"http:\/\/www.langdock.com\/?ref=saskia\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Langdock<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"61_Was_zeichnet_InnoGPT_aus\"><\/span>6.1 What sets InnoGPT apart?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Publicly available descriptions provide the following summary:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>InnoGPT bundles <strong>leading language models<\/strong> (e.g., GPT-4, GPT-5, Gemini, Claude, Mistral, etc.) in a platform aimed specifically at <strong>German and European companies<\/strong>. (<a href=\"https:\/\/www.sysbus.eu\/?p=30240\" target=\"_blank\" rel=\"noreferrer noopener\">sysbus.eu<\/a>)<\/li>\n\n\n\n<li>The platform focuses on <strong>hosting in Europe<\/strong> and advertises a <strong>contractually guaranteed \u201czero retention policy\u201d<\/strong>, i.e., customer input is not used to train AI models and is processed exclusively on European servers \u2013 meaning that the input does not end up with the original third-country provider. 
(<a href=\"https:\/\/www.ascomp.de\/blog\/2025\/10\/14\/ki-systeme-im-ueberblick-und-warum-innogpt-die-sichere-alternative-ist\/\" target=\"_blank\" rel=\"noreferrer noopener\">ASCOMP<\/a>)<\/li>\n\n\n\n<li>It addresses typical business requirements such as <strong>team functionalities, workflows, and integration into existing processes<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p>If you would like to take a closer look, please use the following link:<\/p>\n\n\n\n<p><a href=\"https:\/\/www.innogpt.de\/?via=islastudio\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Get to know InnoGPT<\/strong><\/a> (affiliate link)<\/p>\n\n\n\n<iframe loading=\"lazy\" class=\"lund_style\" width=\"1120\" height=\"630\" src=\"https:\/\/www.youtube-nocookie.com\/embed\/pnxF5Fsbog4?si=v7082d1qRsIQ_PtM\" title=\"YouTube video player\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n\n\n\n<div style=\"height:1.5em\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>For companies that want to <strong>replace shadow AI<\/strong> and at the same time provide their teams with modern tools, this approach is particularly exciting:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Your teams continue to work with powerful models\u2014but in a <strong>controlled, documentable, and GDPR-compliant environment<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n<div style=\"height:1em\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"7_Praxisbeispiele_Wie_Mittelstand_Industrie_InnoGPT_nutzen_konnten\"><\/span>7. 
Practical examples: How SMEs and industry could use InnoGPT<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Some scenarios I am familiar with from projects and discussions with customers:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Technical sales &amp; quotation preparation<\/strong>\n<ul class=\"wp-block-list\">\n<li>Technical texts, product descriptions, and offers are prepared using InnoGPT.<\/li>\n\n\n\n<li>Internally used documents can be integrated using retrieval techniques without the company losing control over the data. (<a href=\"https:\/\/arxiv.org\/abs\/2403.00039\" target=\"_blank\" rel=\"noreferrer noopener\">arXiv<\/a>)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Knowledge management &amp; documentation<\/strong>\n<ul class=\"wp-block-list\">\n<li>Internal guidelines, manuals, and SOPs are made available for Q&amp;A in a secure environment.<\/li>\n\n\n\n<li>Employees ask questions such as \u201cWhat test steps apply to product line X?\u201d InnoGPT provides answers based on internal documents without passing them on to external training systems. (<a href=\"https:\/\/arxiv.org\/abs\/2403.00039\" target=\"_blank\" rel=\"noreferrer noopener\">arXiv<\/a>)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Marketing &amp; content for B2B websites and shops<\/strong>\n<ul class=\"wp-block-list\">\n<li>Content drafts for <strong>WooCommerce stores, product pages, and blog articles<\/strong> are created and then reviewed by experts.<\/li>\n\n\n\n<li>Because content is stored and processed in Europe, this workflow can be integrated much more easily into an existing data protection and compliance strategy than the use of scattered consumer tools. (<a href=\"https:\/\/www.capterra.com.de\/software\/1078804\/innoGPT\" target=\"_blank\" rel=\"noreferrer noopener\">Capterra<\/a>)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"8_Governance_KI-Strategie_Vom_Einzeltool_zur_Unternehmenslosung\"><\/span>8. 
Governance &amp; AI strategy: From individual tools to enterprise solutions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>If you don't want to leave AI in your company to chance, you need more than just a tool:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Inventory<\/strong>\n<ul class=\"wp-block-list\">\n<li>Who is already using which AI tools and for what purposes?<\/li>\n\n\n\n<li>Which data flows where?<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Define target vision<\/strong>\n<ul class=\"wp-block-list\">\n<li>Which use cases should be officially supported (e.g., text, code, research, meeting notes)?<\/li>\n\n\n\n<li>How does AI fit into your existing <strong>digital &amp; SEO strategy<\/strong>?<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Consolidate the tool landscape<\/strong>\n<ul class=\"wp-block-list\">\n<li>Instead of five different AI services running in the background: <strong>a shared platform<\/strong>, e.g., InnoGPT, supplemented by clearly defined special tools.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Establish guidelines and processes<\/strong>\n<ul class=\"wp-block-list\">\n<li>AI policy, data processing agreements (AV contracts), directory of processing activities, training courses.<\/li>\n\n\n\n<li>AI policy, role model, escalation and approval processes.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Monitoring and continuous adjustment<\/strong>\n<ul class=\"wp-block-list\">\n<li>AI Act implementation, new guidelines from supervisory authorities, technical developments\u2014governance is not a one-time project, but an ongoing process. (<a href=\"https:\/\/www.akeuropa.eu\/sites\/default\/files\/2025-02\/KI%20Verordnung.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">AKEuropa<\/a>)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Why this is more than just \u201cbest practice\u201d:<\/strong><br>The AI Act requires \u2013 gradually over 2025\u20132027 \u2013 a documented governance system for companies that use AI. 
Without an internally anchored AI governance structure (guidelines, training, monitoring), it will be very difficult in the medium term to prove to supervisory authorities and business partners that AI is being used in a controlled, responsible, and compliant manner.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"572\" src=\"https:\/\/isla-stud.io\/wp-content\/uploads\/2025\/12\/ai_compliance_governance_EU-1024x572.jpg\" alt=\"Management and IT\/data protection officers sit together in front of a dashboard with AI and compliance elements.\" class=\"wp-image-3404\" srcset=\"https:\/\/isla-stud.io\/wp-content\/uploads\/2025\/12\/ai_compliance_governance_EU-980x547.jpg 980w, https:\/\/isla-stud.io\/wp-content\/uploads\/2025\/12\/ai_compliance_governance_EU-480x268.jpg 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1024px, 100vw\" data-no-translation=\"\" data-no-auto-translation=\"\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"9_Checkliste_KI_im_Unternehmen_DSGVO-_AI-Act-ready_machen\"><\/span>9. Checklist: Making AI in your company GDPR- and AI Act-ready<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>A brief <strong>checklist<\/strong> that you can start using today:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Take inventory<\/strong> \u2013 Where is AI already being used in the company (tools, data types, processes)?<\/li>\n\n\n\n<li><strong>Perform risk assessment<\/strong> \u2013 Which operations are non-critical, and which involve sensitive data or core processes?<\/li>\n\n\n\n<li><strong>Review legal bases and contracts<\/strong> \u2013 GDPR, data processing agreements (AV contracts), data flows, third-country transfers.<\/li>\n\n\n\n<li><strong>Define approved platform<\/strong> \u2013 e.g. 
<a href=\"https:\/\/www.innogpt.de\/?via=islastudio\" target=\"_blank\" rel=\"noreferrer noopener\">InnoGPT as a central, GDPR-compliant AI solution for teams<\/a><\/li>\n\n\n\n<li><strong>Adopt AI policy<\/strong> \u2013 understandable, practical, with examples and dos and don'ts.<\/li>\n\n\n\n<li><strong>Training &amp; Enablement<\/strong> \u2013 Empower employees to use AI in a targeted, responsible, and efficient manner \u2013 and document this training (AI literacy).<\/li>\n\n\n\n<li><strong>Documentation &amp; Monitoring<\/strong> \u2013 Take the logic of the AI Act and the GDPR seriously: document, evaluate, refine. (<a href=\"https:\/\/eur-lex.europa.eu\/EN\/legal-content\/summary\/rules-for-trustworthy-artificial-intelligence-in-the-eu.html\" target=\"_blank\" rel=\"noreferrer noopener\">EUR-Lex<\/a>)<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Quellen\"><\/span>Sources<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Data Protection Conference (DSK), Guidance on \u201cAI and Data Protection\u201d (as of May 6, 2024)<\/strong> \u2013 Criteria for selecting and using AI applications in companies and public authorities. (<a href=\"https:\/\/www.datenschutzkonferenz-online.de\/media\/oh\/20240506_DSK_Orientierungshilfe_KI_und_Datenschutz.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Datenschutzkonferenz<\/a>)<\/li>\n\n\n\n<li><strong>European Data Protection Board (EDPB), \u201cReport of the work undertaken by the ChatGPT Taskforce\u201d (May 24, 2024)<\/strong> \u2013 First coordinated European assessment of ChatGPT's data processing practices in light of the GDPR. 
(<a href=\"https:\/\/www.edpb.europa.eu\/our-work-tools\/our-documents\/other\/report-work-undertaken-chatgpt-taskforce_en\" target=\"_blank\" rel=\"noreferrer noopener\">EDPB<\/a>)<\/li>\n\n\n\n<li><strong>Information sheet \u201cUse of generative AI and data protection\u201d (University \/ Data Protection Officer, as of 04\/2024)<\/strong> \u2013 Practical guide to using generative AI, especially ChatGPT, from a data protection perspective. (<a href=\"https:\/\/datenschutz.hwr-berlin.de\/wp-content\/uploads\/2024\/04\/Merkblatt_ChatGPT_Datenschutz_0423.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Data protection HWR Berlin<\/a>)<\/li>\n\n\n\n<li><strong>eRecht24, \u201cIs ChatGPT usable in compliance with data protection regulations?\u201d (2025)<\/strong> \u2013 Classification for data protection-friendly use of ChatGPT, including information on training use and settings. (<a href=\"https:\/\/www.e-recht24.de\/ki\/13409-chatgpt-datenschutz.html\" target=\"_blank\" rel=\"noreferrer noopener\">eRecht24<\/a>)<\/li>\n\n\n\n<li><strong>Regulation (EU) 2024\/1689 \u2013 Artificial Intelligence Act (AI Act)<\/strong> \u2013 Official EU legal framework for AI, including a risk-based approach, governance obligations, and application timeline. (<a href=\"https:\/\/eur-lex.europa.eu\/eli\/reg\/2024\/1689\/oj\/eng?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">EUR-Lex<\/a>)<\/li>\n\n\n\n<li><strong>EU AI Act Service Desk &amp; FPF Timeline<\/strong> \u2013 Overview of the phased implementation of the AI Act until 2026\/2027. (<a href=\"https:\/\/ai-act-service-desk.ec.europa.eu\/en\/ai-act\/eu-ai-act-implementation-timeline?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AI Act Service Desk<\/a>)<\/li>\n\n\n\n<li><strong>Reuters &amp; Le Monde (2025), reports on proposals by the European Commission to extend the timeline for high-risk obligations under the AI Act<\/strong> \u2013 Indications of planned delays to certain regulations until 2027. 
(<a href=\"https:\/\/www.reuters.com\/sustainability\/boards-policy-regulation\/eu-delay-high-risk-ai-rules-until-2027-after-big-tech-pushback-2025-11-19\/?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Reuters<\/a>)<\/li>\n\n\n\n<li><strong>Handelsblatt Live, \u201cAI and data protection: How to use AI systems in compliance with the GDPR\u201d (2025)<\/strong> \u2013 Classification of the interaction between the GDPR, BDSG, and AI Act in a corporate context. (<a href=\"https:\/\/live.handelsblatt.com\/ki-und-datenschutz-so-nutzen-sie-ki-systeme-dsgvo-konform\/\" target=\"_blank\" rel=\"noreferrer noopener\">Handelsblatt Live<\/a>)<\/li>\n\n\n\n<li>ASCOMP, sysbus.eu, Capterra \u2013 Information about InnoGPT as a GDPR-compliant AI platform with EU hosting and a zero-retention approach. (ASCOMP, sysbus.eu, Capterra)<\/li>\n\n\n\n<li>arXiv \u2013 Technical articles on retrieval-based AI applications and knowledge management scenarios in a corporate context. (arXiv)<\/li>\n\n\n\n<li>AKEuropa \u2013 Analyses and background reports on the practical implementation of the AI Act in Europe. (AKEuropa)<\/li>\n<\/ol>\n\n\n\n<p><strong>Note:<\/strong> This article provides technical guidance on the use of AI systems in compliance with the GDPR and AI Act. It does not replace legal advice. 
For binding assessments, you should consult legal experts.<\/p>","protected":false},"excerpt":{"rendered":"<p>How to use AI &amp; LLMs such as ChatGPT in your company in compliance with the GDPR \u2013 with a view to the EU AI Regulation, shadow AI, and data protection-compliant platforms such as InnoGPT.<\/p>","protected":false},"author":1,"featured_media":3415,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[1,754,13,37],"tags":[],"dipi_cpt_category":[],"class_list":["post-3401","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-allgemein","category-ki-b2b","category-ratgeber","category-rechtliches"],"acf":[],"_links":{"self":[{"href":"https:\/\/isla-stud.io\/en\/wp-json\/wp\/v2\/posts\/3401","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/isla-stud.io\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/isla-stud.io\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/isla-stud.io\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/isla-stud.io\/en\/wp-json\/wp\/v2\/comments?post=3401"}],"version-history":[{"count":5,"href":"https:\/\/isla-stud.io\/en\/wp-json\/wp\/v2\/posts\/3401\/revisions"}],"predecessor-version":[{"id":3421,"href":"https:\/\/isla-stud.io\/en\/wp-json\/wp\/v2\/posts\/3401\/revisions\/3421"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/isla-stud.io\/en\/wp-json\/wp\/v2\/media\/3415"}],"wp:attachment":[{"href":"https:\/\/isla-stud.io\/en\/wp-json\/wp\/v2\/media?parent=3401"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/isla-stud.io\/en\/wp-json\/wp\/v2\/categories?post=3401"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/isla-stud.io\/en\/wp-json\/wp\/v2\/tags?post=3401"},{"taxonomy":"dip
i_cpt_category","embeddable":true,"href":"https:\/\/isla-stud.io\/en\/wp-json\/wp\/v2\/dipi_cpt_category?post=3401"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}