Comparing AI Tools: ChatGPT, Copilot & Gemini Under GDPR Scrutiny

- GDPR compliance depends on the correct configuration of AI tools.
- Data minimization and transparency are key data protection obligations.
- Admins can control access and storage for all tools.
- A Data Protection Impact Assessment (DPIA) is usually mandatory for AI tools.
- Non-European tools like DeepSeek pose high data protection risks.
Data Minimization as a Fundamental Principle
Data Minimization is among the most important principles of the GDPR (Art. 5). Only the processing of personal data strictly necessary for the processing purpose is permitted. AI tools often require large amounts of data for their function. Companies face the challenge of limiting the processing of personal data when using AI to a reasonable extent.
- ChatGPT (especially in the Enterprise or API version) allows business customers to specifically restrict web access. The use of user input for training purposes can be contractually excluded. However, a complete deactivation of "Abuse Monitoring" is generally not possible, as OpenAI – like all providers – remains legally obligated to detect abuse.
- Microsoft Copilot accesses Microsoft 365 data, but admins can granularly control data access via the Admin Center. Microsoft extensively documents this in the Compliance Center and Data Processing Agreement. The separation of business and training data is standard, and training data is not derived from customer data.
- Google Gemini in Google Workspace is directly linked to several Google services – from Gmail to Docs. According to the Data Protection Terms and Admin Guide, access control is managed via admin policies. However, it must be actively adjusted to ensure data protection-friendly settings; otherwise, the default configuration is usually very broad.
Practical example: When using AI for contract drafting, companies should restrict access to sensitive HR data or emails. This is the only way to truly implement data minimization in practice.
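One concrete way to implement the access restriction described above for Microsoft 365 Copilot is Restricted SharePoint Search, which turns Copilot's organisation-wide SharePoint lookup into an allow-list of sites. The script below is an added example and not code from the original article or from Microsoft; it assumes the SharePoint Online Management Shell is installed, that the account is a SharePoint Administrator, and it uses placeholder tenant and site URLs. The exact argument form of `-SitesList` should be checked against the documentation of your module version.

```powershell
# Added example (not from the original article): keep an HR site and other sensitive
# libraries out of Copilot answers by switching SharePoint search to allow-list mode.
# Assumes Microsoft.Online.SharePoint.PowerShell is installed; tenant and site URLs
# are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# Enable Restricted SharePoint Search: Copilot and organisation-wide search only return
# content from sites on the allow-list (content a user owns or recently worked with
# remains discoverable to that user).
Set-SPOTenantRestrictedSearchMode -Mode Enabled

# Only the sites needed for contract drafting go on the list; the HR and Finance sites
# are deliberately absent. Microsoft caps the list at a small number of sites.
$allowed = @(
    "https://contoso.sharepoint.com/sites/LegalTemplates",   # placeholder
    "https://contoso.sharepoint.com/sites/ContractLibrary"   # placeholder
)
# Assumption: the cmdlet accepts a comma-separated list of site URLs; verify the
# parameter form against your module's documentation.
Add-SPOTenantRestrictedSearchAllowedList -SitesList ($allowed -join ",")

# Read back the resulting state and keep the output with the DPIA as evidence.
Get-SPOTenantRestrictedSearchMode
Get-SPOTenantRestrictedSearchAllowedList
```

Restricted SharePoint Search narrows what Copilot can reach through search; it does not repair over-broad site permissions, so users who already have direct access to an HR document can still ask Copilot about it. Fixing the underlying sharing settings (and applying sensitivity labels) remains necessary for genuine data minimization.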
Transparency in AI Data Processing
Transparency obliges providers and users to disclose how personal data is processed.
- ChatGPT provides information on data processing procedures in its Trust Portal. In the Enterprise version, companies can configure storage duration and deletion routines. By default, conversations are stored for a limited period. The exact duration and deletion options depend on the chosen product variant and contractual agreements.
- Microsoft Copilot stands out with clear documentation and a Data Processing Addendum (DPA), which details the terms of data processing.
- Google Gemini offers data protection information, which varies in transparency depending on the version. In the Workspace version, the Google Controller-Data Protection Terms apply.
Beware of the Black Box: Despite improved documentation, the automated decision-making logic of many AI tools remains difficult for users to comprehend – it is crucial to regularly review data flows.
Current legal dispute regarding data storage at OpenAI:
In the ongoing legal dispute between OpenAI and the New York Times, the NYT has demanded that OpenAI preserve indefinitely all user data, API logs, and outputs that could relate to NYT content. OpenAI is contesting the resulting court order, arguing that such comprehensive and indefinite retention is technically disproportionate, creates massive data protection risks for all users, and contradicts its own privacy-by-design philosophy. OpenAI emphasizes that chat histories are generally not retained unless users actively consent, and that for enterprise customers with Zero Data Retention (ZDR) no data is stored in the first place. The case demonstrates that external legal requirements can also shape data protection practice, and that providers like OpenAI actively advocate for the protection of user data.
Controllability of AI Tools
GDPR and best practices require that AI-supported decisions always remain controllable by humans.
- ChatGPT Enterprise offers admin functions to manage conversations and set security levels. However, full insight into all user data is not provided for data protection reasons; instead, functions are available to implement deletions and access restrictions.
- Microsoft Copilot integrates with Microsoft 365 rights management and offers extensive control and tracking options.
- Google Gemini allows admins to granularly control app access and permissions – with complexity increasing as functionality expands.
Tip: Company policies should stipulate that critical AI decisions require human review (so-called human-in-the-loop).
GDPR Risk Assessment
According to Art. 35 GDPR, a Data Protection Impact Assessment (DPIA) is mandatory whenever processing is likely to result in a high risk to the rights and freedoms of data subjects, which is almost always the case with modern AI tools. Typical risks include discriminatory effects due to algorithmic bias, data leaks due to misconfiguration, misuse of data, and opaque decision-making.
- ChatGPT: Risks arise particularly from the processing of personal data on servers outside the EU. The risk can be reduced through appropriate contractual agreements (e.g., standard contractual clauses, Data Processing Addendum) and technical measures. However, full GDPR compliance is only guaranteed with consistent implementation of all protective measures.
- Microsoft Copilot: Thanks to the EU-US Data Privacy Framework and well-established Microsoft security architectures, good conditions exist – provided that data access is restrictively configured.
- Google Gemini: Extensive integration and long storage times for prompts (up to 18 months) increase the risks, especially for companies with sensitive data.
Recommendation: Conduct a separate DPIA for each tool and document all identified risks and the protective measures implemented.
Accountability as a Central GDPR Obligation
Accountability under Art. 5 Para. 2 GDPR requires demonstrating data protection – from configuration to daily use.
- ChatGPT: In the Enterprise version, usage data is kept separate from training data, provided this has been contractually agreed. EU data residency can also be selected so that processing takes place exclusively within the EU. Admins can delete conversations and adjust certain settings, but control over all data flows must still be verified technically and organizationally.
- Microsoft Copilot provides tools such as Microsoft Purview to secure audit and compliance evidence.
- Google Gemini offers auditable logs – these vary depending on the chosen product version.
Practical Tip: Control mechanisms should be continuously reviewed and documented through audits.
Tools in Detail: A GDPR Comparison
Case Study: Microsoft Copilot Data Leak Bug (January 2026) – Warning Sign for Systemic Risks
In January 2026, a serious security incident involving Microsoft Copilot came to light, highlighting the limitations of purely contractual compliance commitments: A bug in the Data Loss Prevention (DLP) configuration led to confidential emails from protected mailboxes ending up in publicly accessible Copilot responses.
What happened?
- DLP Misconfiguration: A faulty implementation of DLP rules allowed Copilot to access email folders that should have been protected by compliance policies
- Affected Data: Sensitive information from mailboxes (potentially personal data, trade secrets)
- Reporting & Response: The bug was reported via the Microsoft Security Response Channel (CW1226324); Microsoft confirmed the issue, but the exact rollout schedule for the fix remained unclear
- Source: First reported by Bleeping Computer and Golem.de
Compliance Implications
This incident demonstrates:
✅ Contractual commitments are necessary, but not sufficient: Even with an existing DPA and EU data processing, technical errors can lead to data breaches
✅ DPIA must reflect technical risks: A one-time Data Protection Impact Assessment is not enough – continuous updates for software changes are mandatory (Art. 35 GDPR)
✅ DLP configuration is critical: Correctly setting Data Loss Prevention rules requires technical expertise and regular audits
✅ AI governance required: Such incidents highlight the need for structured AI governance processes, as required by the AI Act for high-risk AI systems
Recommendations for action
For companies using or planning to use Microsoft Copilot:
- Update DPIA: Technical security vulnerabilities like DLP bugs must be included in the risk assessment
- Review DLP rules: Regular audits of the configuration (especially for sensitive data such as HR, Finance, Legal)
- Incident response plan: Clear processes for handling AI-related data breaches (Art. 33/34 GDPR)
- Admin training: IT and compliance teams must understand AI-specific security risks
- Establish governance: Implementation of a structured AI governance framework (see AI Act Art. 9, 17)
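The "review DLP rules" recommendation above can be made a recurring, scripted check rather than a manual click-through. The script below is an added example, not code from the original article or from Microsoft: it connects to Security & Compliance PowerShell and flags the conditions that typically turn a DLP setup into a paper tiger, namely policies left in test mode, policies with no mailbox scope (the data class involved in the incident described above), policies without rules, and rules that are disabled or only notify without blocking. It assumes the ExchangeOnlineManagement module is installed and the account holds a Purview compliance role; the property names used (Mode, ExchangeLocation, Disabled, BlockAccess) follow the output of Get-DlpCompliancePolicy and Get-DlpComplianceRule and should be verified against your module version.

```powershell
# Added example (not from the original article): audit Purview DLP policies and rules
# and write the findings to a dated CSV as accountability evidence.
# Assumes: ExchangeOnlineManagement module installed, Purview compliance role held.
# Cmdlets used: Connect-IPPSSession, Get-DlpCompliancePolicy, Get-DlpComplianceRule.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Policy, [string]$Rule, [string]$Issue) {
    $findings.Add([pscustomobject]@{ Policy = $Policy; Rule = $Rule; Issue = $Issue })
}

foreach ($p in Get-DlpCompliancePolicy) {
    # Mode is one of Enable, TestWithNotifications, TestWithoutNotifications, Disable.
    # Anything other than Enable reports matches but does not enforce them.
    if ($p.Mode -ne 'Enable') {
        Add-Finding $p.Name '-' "policy mode is '$($p.Mode)', not enforcing"
    }

    # The incident concerned mailbox content: a policy that never looks at Exchange
    # cannot protect it, however strict its rules are.
    if (-not $p.ExchangeLocation) {
        Add-Finding $p.Name '-' 'no Exchange (mailbox) location in scope'
    }

    $rules = @(Get-DlpComplianceRule -Policy $p.Name)
    if ($rules.Count -eq 0) {
        Add-Finding $p.Name '-' 'policy has no rules'
    }

    foreach ($r in $rules) {
        if ($r.Disabled) {
            Add-Finding $p.Name $r.Name 'rule is disabled'
        }
        elseif (-not $r.BlockAccess) {
            # Notify-only or audit-only rules leave the content reachable.
            Add-Finding $p.Name $r.Name 'rule does not block access (audit/notify only)'
        }
    }
}

# Show the findings and keep a dated copy for the DPIA file (Art. 5(2) GDPR).
$findings | Format-Table -AutoSize
$findings | Export-Csv -Path ("dlp-audit-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation
```

Run this from a scheduled job and diff consecutive CSVs: a policy that silently drops from Enable to a test mode, or a rule that becomes disabled between runs, is exactly the kind of configuration drift that the DPIA update in the recommendations is meant to capture. Note that Copilot-specific DLP (the policy location for Microsoft 365 Copilot, which excludes content by sensitivity label) is a separate scope and is not covered by these checks.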
Conclusion: The Copilot bug is not an isolated incident but a warning sign – contractual compliance must be supplemented by technical governance and continuous risk monitoring.
DeepSeek: A negative example of AI tools under the GDPR
DeepSeek is an AI language model from China that is considered a prime example of tools problematic under data protection law:
- The tool stores numerous user data, including IP addresses, all keyboard inputs, and uploaded documents – without transparency regarding storage locations and data flows.
- According to the provider, Chinese authorities can access stored user data; there is no adequacy decision between the EU and China.
- DeepSeek does not provide data processing agreements (DPAs) and is unwilling to sign them – a serious violation of Art. 28 and 32 GDPR.
- Information obligations, purpose limitation, and data security are not met, and massive data leaks have also been documented.
- Companies face drastic risks when using it – from fines and data/reputation loss to loss of control over sensitive information.
Conclusion: The use of DeepSeek is currently not recommended from a GDPR perspective.
Companies should exclusively rely on transparent, certified AI solutions that comply with clear data protection requirements.
What are the best practices for GDPR-compliant use of AI tools?
- Develop clear data protection policies and usage rules for AI tools.
- Train your employees on AI and data protection.
- Conduct regular audits and risk reviews.
- Always conclude data processing agreements with providers and verify their compliance.
Conclusion: Configure AI tools correctly for compliance
The comparison shows: even powerful AI tools like ChatGPT, Copilot, and Gemini are only GDPR-compliant if they are configured and controlled correctly. Special caution is advised for non-European tools (like DeepSeek), where central GDPR principles can be violated. The use of such AI tools without IT approval is referred to as Shadow AI.
Recommendation for companies: Carefully review tools, consistently focus on data minimization, transparency, control mechanisms, and regular risk analyses. Only then can you use AI innovatively – and still in compliance with data protection.
Sources: Golem, OpenAI Trust Portal, Harwardreview, OpenAI Response, OpenAI Enterprise Privacy, Google Support, Microsoft Copilot Privacy, Recommendation of the LfD Lower Saxony on the Use of DeepSeek