The problem: using ChatGPT at work is a risk #
Every day, millions of employees use ChatGPT to write emails, summarise documents, and generate reports. It seems harmless. But according to a 2025 report, 77% of employees paste company data into AI services like ChatGPT – and 82% do so with personal accounts, completely outside corporate control.
This phenomenon is called shadow AI: the unauthorised use of artificial intelligence tools in the workplace. And the damage can be enormous.
The Samsung case: source code leaked into ChatGPT #
In 2023, three Samsung engineers pasted into ChatGPT:
- Proprietary source code for semiconductors while searching for a bug
- Confidential code to troubleshoot equipment issues
- An entire recording of an internal meeting to generate minutes
The result: Samsung banned all generative AI tools on corporate devices and networks. They are not alone: JP Morgan, Goldman Sachs, Apple, Deutsche Bank, and Bank of America have done the same.
GDPR and ChatGPT: what your business risks #
The 15 million euro fine in Italy #
In December 2024, the Italian Data Protection Authority imposed a 15 million euro fine on OpenAI – the first significant penalty worldwide against a generative AI company. The violations cited:
- No legal basis for processing personal data used to train ChatGPT
- Failure to notify the data breach of March 2023
- Inadequate privacy notice: only in English and too vague
- No age verification to prevent access by minors
What happens when an employee pastes data into ChatGPT #
Under the GDPR, the company remains liable – even if the employee acted without authorisation. Pasting personal data (of customers, employees, patients) into ChatGPT without a legal basis constitutes a GDPR violation by the data controller.
The possible consequences:
- Mandatory notification to the supervisory authority within 72 hours (Art. 33 GDPR)
- Fines up to 20 million euros or 4% of global annual turnover
- Incalculable reputational damage
The problem of data transfers to the US #
ChatGPT processes data on US-based infrastructure. The EU-US Data Privacy Framework was confirmed in 2025, but Max Schrems’ organisation NOYB has already announced a challenge before the Court of Justice of the EU. If the framework is struck down – as happened with the Privacy Shield in 2020 – every transfer of personal data to OpenAI could become potentially illegal.
AI Act: new obligations for European SMEs #
The EU Artificial Intelligence Regulation (AI Act, Reg. EU 2024/1689) entered into force on 1 August 2024 with a phased rollout:
| Date | What changes |
|---|---|
| February 2025 | Banned AI practices prohibited + AI literacy obligation for all |
| August 2025 | Obligations for general-purpose AI models (GPAI) |
| August 2026 | Full obligations for high-risk AI systems, transparency, human oversight |
The AI literacy obligation is already in force #
Since 2 February 2025, every company that uses AI tools must ensure its staff has a “sufficient level of AI literacy”. This applies to everyone – from a 5-person SME to a multinational corporation.
The risk is not the tool, but how you use it #
The same ChatGPT can be:
- Minimal risk: for drafting emails or brainstorming
- High risk: for screening job candidates, assessing creditworthiness, or making decisions that affect people
If you use AI for decisions that impact individuals, heavy obligations kick in: impact assessments, human oversight, and registration in the EU database.
AI Act penalties #
| Violation | Maximum penalty |
|---|---|
| Prohibited practices | 35 million euros or 7% of turnover |
| High-risk systems | 15 million euros or 3% of turnover |
| False information to authorities | 7.5 million euros or 1% of turnover |
For SMEs, the penalty is always calculated on the lower amount between the fixed figure and the turnover percentage. But even the lower figure can be significant.
The solution: private AI #
Private AI solves the problem at its root: your data never leaves the corporate perimeter.
Instead of sending data to American servers, a private AI system runs on controlled infrastructure – European, on-premise, or in your certified provider’s data centre. Large language models (LLMs) run locally, documents stay where they are, and no data ends up training third-party models.
What changes with private AI #
| ChatGPT (cloud) | Private AI | |
|---|---|---|
| Where data goes | US servers (OpenAI) | Controlled infrastructure |
| Trained on your data | Possible (free tier) | Never |
| GDPR compliance | Complex, risky | Native |
| AI Act compliance | User’s responsibility | Built into the design |
| Extra-EU transfer | Yes | No |
| Access control | Limited | Full |
| Audit trail | Partial | Full |
How PRISMA works: HTX’s private AI stack #
At HTX, we built PRISMA – a private AI platform designed for businesses that handle sensitive data.
Where PRISMA operates #
PRISMA can operate within the Data Centre of BIC Incubatori FVG, the certified incubator of the Friuli Venezia Giulia Region. Dedicated infrastructure, redundant connectivity, physical and logical security. For workloads requiring additional computing power, we rely on TriesteValley HPC, the high-performance computing cluster equipped with NVIDIA GPUs.
What PRISMA does #
- Enterprise AI chat: an AI assistant that answers solely based on your internal documents (RAG – Retrieval Augmented Generation)
- Text-to-SQL (MANTA): ask your databases questions in natural language and get precise answers without writing code
- AI classification (KOI): models trained on your data to classify, categorise, and decide – with full transparency and human oversight
- No data leaves: everything stays on European infrastructure, under your control
Why Trieste #
HTX operates in the scientific hub of Trieste – the European city with the highest density of researchers per capita (37 per 1,000 workers). In April 2025, the AGORAI Innovation Hub was launched here, a partnership between Generali and Google Cloud for AI. Our ecosystem includes SISSA, ICTP, the University of Trieste, Fincantieri, and illycaffe'.
What to do now: 5 steps for your business #
- Audit the AI tools your employees are using – including unauthorised ones
- Classify each use by risk level according to the AI Act (minimal, limited, high)
- Start AI literacy training – it has been mandatory since February 2025
- Write a corporate AI policy that defines what is and is not allowed
- Evaluate a private AI solution that keeps your data under your control
Want to learn more? #
If you want to understand how private AI can work for your business – without GDPR risks, without extra-EU transfers, without shadow AI – get in touch. We will respond within 24 hours.
This article was written by the team at HTX – Human Technology eXcellence. We design private artificial intelligence systems for healthcare and industry, from our data centre in Trieste.
Related Articles #
- AI Act Single Information Platform | AI Act Service Desk - AI
- EU-funded TildeOpen LLM delivers European AI breakthrough for multilingual innovation | Shaping Europe’s digital future - AI, Foundation Model, LLM
- GitHub - yichuan-w/LEANN: RAG on Everything with LEANN. Enjoy 97% storage savings while running a fast, accurate, and 100% private RAG application on your personal device. - Python, Open Source