Why ChatGPT Is Not GDPR-Compliant, and What That Means for Executives

Training data, prompt flows, the CLOUD Act, and rights that can't be served: a plain-language walk through the mechanics underneath the headline.

ChatGPT and GDPR compliance

The question comes back around the boardroom table every few months. Someone read an article. Someone heard the Italian regulator made noise again. Legal sent a cautious email. And the answer that gets passed back up the chain is usually some version of:

We bought the enterprise plan, we have a DPA, we’re fine.

You are probably not fine. And the reason is not that OpenAI has been sloppy about compliance paperwork. The reason is that ChatGPT, as a product and as a system, runs into GDPR at a level no procurement checklist can close. Executives who treat it as a box-ticking exercise are carrying risks they have never actually priced.

This is for the people who keep hearing the headline and want to understand the mechanics underneath it.

What GDPR actually asks of an AI system

GDPR does not care whether something is called AI. It cares about personal data, and it asks roughly four things of anyone processing it.

Is there a lawful basis under Article 6: consent, contract, legitimate interest, or one of the other listed grounds. Without one, the processing is unlawful. Is the processing transparent: have the data subjects been told what is happening to their data and why, as Articles 13 and 14 require. Can data subjects actually exercise their rights when they ask: access, rectification, erasure, objection. And can the controller demonstrate accountability, as Article 5(2) requires, rather than just assert it.

These are the yardsticks. Now hold ChatGPT up to them.

The training data problem

ChatGPT was trained on enormous quantities of text scraped from the open web. Inside that text sat the personal data of millions of people in the EU. Names. Biographies. Opinions written when the author was twenty and would now prefer to forget. Court records, forum posts, alt text describing photographs of identifiable people. None of those people consented. None were informed. Most have no idea their data is now sitting inside the statistical weights of a model that hundreds of millions of people use every week.

GDPR has no category for “we already trained on it, so the question is closed.” The lawful basis question still applies. So does transparency. So does the right of erasure. This is the heart of the Italian Garante’s objection, and why other European regulators have been circling the same issue: there is no clean answer to any of these questions once the data has been absorbed into a model.

OpenAI has put forward legitimate interest as the basis. Whether that survives a balancing test, weighed against the rights of people who never had a chance to object, is an open question European regulators are clearly not satisfied with. Several have already said so.

What happens when an employee opens the chat window

Set training aside for a moment. The second problem starts the instant an employee pastes something into the prompt box.

A sales manager at a Dutch insurer drops a customer email into ChatGPT to draft a faster reply. The email contains a name, an address, a policy number, a complaint about a recent claim. The moment it leaves the laptop, personal data has been transferred to a processor. Now the questions pile up. Was there a lawful basis for that specific transfer. Was the customer told her complaint would be handled by a US-based AI provider. Does the controller-processor agreement actually cover what just happened. Where did the data physically end up. Who at OpenAI, or which sub-processor, can technically reach it. How long is it kept. Can it be deleted on request, and if so, from where exactly.

Most organisations cannot answer these questions for a single prompt, let alone for the thousands their employees send every week. The enterprise plan helps with some of them. It does not turn the underlying flow into something a DPO can defend in front of a regulator without a lot of squinting.

The transfer problem nobody wants to reopen

Then there is where the data actually goes, and who can legally reach it once it gets there. Schrems II is not old news. It is the live reality that any transfer of EU personal data to the United States has to clear a bar most US providers find awkward. The EU-US Data Privacy Framework patched part of the wound, but the patch is politically exposed and already being challenged in court.

And the patch does not touch the part that matters most for a tool like ChatGPT: the US CLOUD Act. The CLOUD Act lets US authorities compel a US-headquartered company to hand over data in its possession, custody, or control, regardless of where the servers happen to live. OpenAI is a US company. So is Microsoft, which hosts much of the underlying infrastructure.

“Hosted in Europe” tells you where the machines are. It does not tell you which legal system the parent answers to when a court order shows up, and it cannot, because that answer is the same either way.

For a European controller, this is the part with real legal weight. Every contractual clause can be signed, every technical control can be in place, and the provider's US parent can still receive a CLOUD Act order next Tuesday for data held by its European subsidiary. The European customer may never be told it happened, because non-disclosure orders are part of the regime. GDPR does not permit that kind of disclosure: Article 48 says a third-country court order is not, on its own, a lawful ground for a transfer unless it rests on an international agreement such as a mutual legal assistance treaty. The CLOUD Act does not ask GDPR's permission. The controller is the one standing in the middle of that gap.

This is why “sovereign” in sovereign AI is not marketing language. It means the legal entity, the infrastructure, and the chain of control all sit under European law, with no US parent in the structure who can be served an order somewhere else.

When data subject rights meet a probabilistic system

This is the part most executives have never had explained to them, and it is where the deepest non-compliance lives.

GDPR gives every data subject the right to know what personal data an organisation holds about them, to correct it if it is wrong, and in many cases to have it deleted. These rights were written for a world of databases. Rows, fields, records. You query the database, you find the entry, you change it or delete it, you confirm it is gone.

A large language model does not work like that. There are no rows. The “knowledge” the model has about a person is not stored anywhere you can point at. It is spread across billions of numerical weights that shifted, slightly, during training, in response to text that mentioned them. You cannot open the model and find the Jan de Vries record. You can prompt the model and see what it says about Jan de Vries, and the answer may be accurate, partly wrong, entirely fabricated, or different the next time you ask. None of that is fixable with a database update.

So when Jan exercises his Article 15 right of access and asks what personal data the system holds about him, there is no honest answer to give. When he exercises his Article 16 right of rectification because the model keeps telling people he was convicted of a crime he was not, there is no mechanism to reach in and correct the weights. When he exercises his Article 17 right of erasure, the only practical option is a filter sitting on top of the model that suppresses the output. Retraining from scratch without his data is the only thing that actually removes it, and nobody does that for one request; the "machine unlearning" techniques meant to approximate it are still research work whose effect cannot be verified from outside the model. A filter is not deletion, and a regulator will eventually notice it is not deletion.

This is not a quirk that will be patched in the next release. It is the heart of why a model trained on personal data sits awkwardly inside a regulation built around the right to control your own information.

A scenario worth sitting with

Picture a mid-sized Dutch financial services firm. Around 400 employees. They rolled out ChatGPT Enterprise eighteen months ago. Legal signed off on the DPA, IT enabled SSO, the comms team sent a cheerful email about productivity, and nobody made a fuss because the procurement story was clean.

Then a customer files a complaint with the Autoriteit Persoonsgegevens. She had asked the firm, under Article 15, what personal data it held about her. The firm sent her the usual export from its CRM. What she actually wanted to know, and what she put in her complaint, was whether her data had been processed by ChatGPT. She had reason to believe it had, because a service email she received used phrasing that did not sound like the firm’s house style.

The AP opens an inquiry and starts asking questions. Which employees used ChatGPT to handle customer correspondence. What personal data appeared in those prompts. On what lawful basis. Was the customer informed. Where was the processing carried out. Which sub-processors had access. Can the firm produce a list of every prompt containing this customer’s data over the past two years. Can the firm confirm none of it ended up in model improvement. Can the firm demonstrate, not assert, that the data has been deleted from every system it touched.

The firm cannot answer most of it. Not because anyone acted in bad faith, but because the tool was never built to produce that kind of audit trail and the workflows around it were never designed with these obligations in mind.

The inquiry escalates. Processing is suspended pending review. The firm now has to tell its largest corporate clients, who have their own DPAs flowing obligations downstream, that a regulator is investigating its handling of personal data. Two of those clients pause renewals while their own legal teams take a look.

Nothing in that story requires bad intent. It requires only that the regulator ask the obvious questions and the answers be the honest ones.

What executives are actually carrying

Fines are the headline risk and the least interesting one. Yes, GDPR allows penalties of up to 20 million euros or 4 percent of global annual turnover, whichever is higher. Those are real. But the practical risks are quieter and arrive faster.

A regulator can order processing to stop. Overnight. If your customer service, your contract drafting, your internal knowledge search all depend on a tool that has just been suspended, the continuity problem hits before the fine does. There is the contractual exposure too: every serious B2B customer now has data processing terms that flow obligations back to their suppliers, and “our AI vendor got suspended” is not a defence those customers will accept gracefully. And then the reputational tail, which lingers longer than either, because “investigated by the regulator over its AI use” is the kind of headline that follows a brand around for years.

The deepest risk is the one that does not show up on a risk register. It is the risk of having built workflows on a system a regulator can switch off, and finding out on the day they do.

What defensible actually looks like

You can use generative AI inside a European organisation in a way that survives scrutiny. It just looks different from “we bought ChatGPT Enterprise.”

The lawful basis is established up front, in writing, before the first prompt. The infrastructure keeps data inside the EU all the way down the sub-processor chain, not just at the front door. The provider sits under European law, with no parent company elsewhere who can be compelled to hand the data over. The contractual commitment that client data will not train or improve the underlying model is verifiable, not just promised. The audit trail is something a DPO can actually hand to a regulator. The controller-processor relationship is structured so that when the awkward questions come, there are answers ready.

None of this is exotic. It is what GDPR has asked for since 2018. The only thing that has changed is that generative AI has made it much harder to fake.

What to take back to the table

The question is not whether ChatGPT is banned in Europe. It is not, and it probably will not be. The question is whether your organisation, on the day a regulator asks how it has been using it, will have answers worth defending. Most organisations using the standard product today would not. They inherited a tool built for a different regulatory climate and wrapped it in paperwork that does not reach the underlying problem.

That is the gap worth closing. Not because the headlines say so, but because the mechanics do.

About GLBNXT

GLBNXT builds sovereign AI infrastructure for European organisations operating under GDPR. EU-hosted, no US parent in the chain, no training on client data, designed for the audit questions before they get asked.

This website and its contents are the exclusive property of GLBNXT. No part of this site, including text, images, or software, may be copied, reproduced, or distributed without prior written consent from GLBNXT B.V. located at Druivenstraat 5-7, 4816 KB Breda, The Netherlands, registered with the Dutch Chamber of Commerce (KvK) under number 95536779. VAT identification number (VAT ID) NL867171716B01. All rights reserved.