Shadow AI: Why Employees Using Free ChatGPT Is a GDPR Nightmare
Disclosure: This article contains affiliate links. We may earn a commission at no extra cost to you.
December 30, 2025: The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) issues a stark warning. They've received dozens of data breach reports related to AI chatbot usage in 2024 and 2025—and the numbers are rising.
The culprit? Shadow AI: employees using free versions of ChatGPT, Claude, and Gemini to "help with their work"—without their employer's knowledge, without proper data processing agreements, and without understanding the privacy implications.
This isn't a hypothetical risk. Just weeks ago, the city of Eindhoven discovered that employees had uploaded 2,368 files containing personal data to public AI tools in just 30 days. Youth welfare documents. CVs of job applicants. Internal case files about vulnerable citizens. All sent to servers owned by OpenAI and Anthropic.
The Reality: If a Dutch city government under enhanced privacy supervision can accidentally leak citizens' data to AI companies, imagine what's happening at organizations with less oversight. Shadow AI is everywhere—and most organizations don't even know it.
What is Shadow AI?
Shadow AI refers to the unauthorized use of AI tools by employees without their organization's knowledge or approval. It's the AI equivalent of "shadow IT"—when employees use personal apps or cloud services for work without going through official channels.
Here's a typical scenario:
- Your company provides Microsoft 365 with Copilot (a secured, enterprise AI tool)
- But Copilot requires training, and the free ChatGPT is just... there
- An employee pastes a client email into ChatGPT to "help draft a response"
- That email—with names, addresses, maybe even sensitive business details—is now on OpenAI's servers
- The organization has no idea this happened
Multiply this by hundreds or thousands of employees, and you have a massive, invisible data leak.
Why Shadow AI Is Different from Regular Shadow IT
Traditional shadow IT (like using Dropbox instead of company SharePoint) is a security concern. But Shadow AI is a legal timebomb:
| Aspect | Traditional Shadow IT | Shadow AI |
|---|---|---|
| Data exposure | Files stored on unauthorized services | Data actively processed and potentially used for AI training |
| Legal liability | Potential security breach | GDPR violation (no data processing agreement) |
| Data retention | Can be deleted from service | May be permanently embedded in AI models |
| Detection | Visible in network traffic | Looks like normal web browsing |
| Recovery | Delete files, migrate data | Cannot "untrain" an AI model |
The Numbers: AP's Warning
The Autoriteit Persoonsgegevens (AP), the Netherlands' privacy watchdog, revealed alarming statistics:
- Dozens of data breach reports related to AI chatbots in 2024 and 2025
- More reports in 2025 than in 2024 (the trend is accelerating)
- Most breaches occur when employees independently experiment with free AI tools
- Organizations often don't know the breach happened until much later
Privacy lawyer Stephan Mulders, specialized in technology law, confirms the pattern:
"Organizations can't constantly monitor their employees. When people start experimenting with AI bots on their own initiative, data breaches happen faster. And it's not just personal data—confidential business information, trade secrets, and market-sensitive details can all end up in these chatbots."
Key insight: The AP only sees reported breaches. Many organizations don't even realize they have a Shadow AI problem. The actual number of incidents is likely far higher.
Case Study: Eindhoven
The Eindhoven incident perfectly illustrates the Shadow AI problem. On December 18, 2025, the city government disclosed that employees had been uploading sensitive files to public AI chatbots.
What was leaked:
- Youth welfare (Jeugdwet) documents about children and families
- CVs of job applicants with personal contact details
- Internal reflection reports about vulnerable citizens
- Photos attached to case files
How it was discovered:
A 30-day sample analysis (September 23 - October 23, 2025) caught the uploads. But because logs only go back 30 days, the full scope is unknown. Files uploaded earlier? Gone. Untracked. Possibly already used to train AI models.
The response:
The city blocked public AI websites and switched employees to a secured Microsoft Copilot environment. They also asked OpenAI to delete the data—but if it's already been used for training, it's too late.
Read our full analysis: Dutch City Uploads Thousands of Personal Files to ChatGPT
The Legal Problem: GDPR and AI Act
Shadow AI isn't just a security issue—it's a legal violation under both GDPR and the new EU AI Act.
GDPR Violations
Under GDPR, processing personal data requires:
- A legal basis (consent, contract, legitimate interest, etc.)
- A data processing agreement when using third-party processors
- Transparency about how data is used
- Data minimization (only process what's necessary)
When an employee pastes personal data into free ChatGPT:
- No data processing agreement with OpenAI
- No consent from the data subjects
- No transparency (citizens don't know their data went to AI)
- Potential data transfer outside EU (OpenAI is US-based)
Fines can reach €20 million or 4% of global annual turnover—whichever is higher.
AI Act Requirements
The EU AI Act (Verordening Kunstmatige Intelligentie), which came into force in 2024, adds new obligations:
New Requirement: Organizations must provide AI literacy training to employees. Staff must understand the risks of AI tools and how to use them responsibly. This isn't optional—it's legally mandated.
According to Mulders: "The AI Act is still young legislation, and not yet fully in force. With GDPR (introduced in 2018), we saw it took time for organizations to adapt. The same will happen here."
How Organizations Can Prevent Shadow AI
The AP and privacy experts recommend a multi-layered approach:
1. Block Public AI Websites
The most direct solution: prevent employees from accessing free AI tools on the corporate network.
- Block chat.openai.com, claude.ai, gemini.google.com
- Block related domains and API endpoints
- Monitor for circumvention attempts (VPNs, mobile hotspots)
Caveat: This alone isn't enough. Employees can still use personal devices or mobile networks.
2. Provide Secure Alternatives
If you block free AI, you must provide enterprise alternatives:
| Tool | Data Processing Agreement | Training Opt-Out | EU Data Residency |
|---|---|---|---|
| Microsoft Copilot (Enterprise) | Yes | Yes | Available |
| ChatGPT Enterprise | Yes | Yes | Limited |
| Claude for Enterprise | Yes | Yes | Limited |
| Free ChatGPT | No | No (default) | No |
3. Mandatory AI Training (AI Literacy)
Under the AI Act, organizations must train employees on:
- What AI tools can and cannot do
- Privacy risks of sharing data with AI
- Which tools are approved vs. prohibited
- How to recognize sensitive data
- Reporting procedures for accidental data sharing
4. Clear Policies and Guidelines
Create explicit policies about AI usage:
- Approved tools: List exactly which AI tools employees may use
- Prohibited actions: Never upload personal data, confidential documents, or code
- Consequences: What happens if policies are violated
- Reporting: How to report accidental data sharing
The Dutch bar association (Orde van Advocaten) recently published AI guidelines for lawyers. More industry-specific guidance is expected to follow.
5. Technical Controls
Implement technical measures to detect and prevent Shadow AI:
- DLP (Data Loss Prevention): Scan outgoing traffic for sensitive data patterns
- CASB (Cloud Access Security Broker): Monitor cloud service usage
- Endpoint monitoring: Detect AI tool installations on company devices
- Network analysis: Identify traffic to AI services
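As an added example of the network-analysis control above (this is not code from the article, the AP or Eindhoven), the Python script below scans a proxy log for requests to the three public AI domains listed in step 1 and flags large POSTs as suspected document uploads. The log format, usernames, hosts and byte counts are constructed for the example.

```python
"""Scan a proxy log for traffic to public AI chatbots (added example, not from the article)."""
import re
from collections import defaultdict

# The three sites the article lists for blocking; extend with related domains and API hosts.
PUBLIC_AI_DOMAINS = {"chat.openai.com", "claude.ai", "gemini.google.com"}

# Constructed log format for this example: time, user, method, URL, status, request bytes.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/\s]+)\S* "
    r"(?P<status>\d{3}) (?P<req_bytes>\d+)$"
)

# Constructed sample lines; users, hosts, paths and sizes are invented for illustration.
SAMPLE_LOG = """\
2025-10-01T09:12:03Z jdoe GET https://intranet.example.local/home 200 412
2025-10-01T09:14:51Z jdoe POST https://chat.openai.com/chat 200 18211
2025-10-01T09:15:10Z asmit POST https://claude.ai/chat 200 5120
2025-10-01T10:02:44Z bvries GET https://gemini.google.com/app 200 310
2025-10-01T10:05:00Z cjans POST https://copilot.example-tenant.local/chat 200 9000
"""

def is_public_ai(host: str) -> bool:
    """True when host is one of the listed domains or a subdomain of one (api.claude.ai counts)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PUBLIC_AI_DOMAINS)

def find_shadow_ai(log_text: str, upload_threshold: int = 4096) -> dict:
    """Per user: requests to public AI hosts, and POSTs large enough to be a pasted document or file."""
    findings = defaultdict(lambda: {"requests": 0, "suspected_uploads": 0, "hosts": set()})
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not is_public_ai(m["host"]):
            continue  # malformed line, or traffic to an approved/unrelated host (e.g. the Copilot tenant)
        f = findings[m["user"]]
        f["requests"] += 1
        f["hosts"].add(m["host"].lower())
        if m["method"] == "POST" and int(m["req_bytes"]) >= upload_threshold:
            f["suspected_uploads"] += 1
    return dict(findings)

if __name__ == "__main__":
    for user, f in find_shadow_ai(SAMPLE_LOG).items():
        print(f"{user}: {f['requests']} request(s) to {sorted(f['hosts'])}, "
              f"{f['suspected_uploads']} suspected upload(s)")
```

Because this traffic "looks like normal web browsing", the hostname is the only reliable signal here; the byte threshold separates a short question from a pasted case file, and the 30-day retention problem from the Eindhoven case applies to these logs too.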
What Employees Should Know
If you're an employee, protect yourself and your organization:
Before Using Any AI Tool, Ask:
- Is this tool approved? Check with IT or your manager
- Does this contain personal data? Names, addresses, IDs, health info = NO
- Is this confidential? Client data, trade secrets, internal communications = NO
- Would I be comfortable if this leaked? If not, don't paste it
Safe Alternatives
- Use approved enterprise tools provided by your employer
- Anonymize data first: Replace names with "Person A", companies with "Company X"
- Use general scenarios: "How should I handle a client complaint?" not "Client John Smith complained about..."
- Local AI models: Run AI on your own computer (no data leaves your device)
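The "anonymize data first" advice above, as an added example that is not part of the original article: a small Python helper that maps the names you supply to stable placeholders ("Person A", "Company X"), redacts e-mail addresses and Dutch BSN numbers it detects, and reports anything that still looks like an identifier before the text is pasted anywhere. The sample client text, e-mail address and BSN are constructed.

```python
"""Pseudonymise text before it goes to an external AI tool (added example, not from the article)."""
import re

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Dutch citizen service number (BSN): nine digits that pass the "elfproef" weighted check below.
BSN_RE = re.compile(r"\b\d{9}\b")

def is_valid_bsn(digits: str) -> bool:
    """Weighted sum (weights 9..2, and -1 for the last digit) must be divisible by 11."""
    weights = (9, 8, 7, 6, 5, 4, 3, 2, -1)
    return (len(digits) == 9 and digits.isdigit()
            and sum(int(d) * w for d, w in zip(digits, weights)) % 11 == 0)

class Pseudonymiser:
    """Maps every alias of a person or company to one stable placeholder ("Person A", "Company X")."""

    def __init__(self, people, companies):
        self.mapping = {}
        for i, aliases in enumerate(people):
            for alias in aliases:
                self.mapping[alias] = f"Person {chr(ord('A') + i)}"
        for i, aliases in enumerate(companies):
            for alias in aliases:
                self.mapping[alias] = f"Company {chr(ord('X') + i)}"

    def apply(self, text: str) -> str:
        text = EMAIL_RE.sub("[email]", text)
        text = BSN_RE.sub(lambda m: "[BSN]" if is_valid_bsn(m.group()) else m.group(), text)
        # Longest alias first, so "Jan de Vries" is handled before the bare "Jan".
        for alias in sorted(self.mapping, key=len, reverse=True):
            text = re.sub(r"\b" + re.escape(alias) + r"\b", self.mapping[alias], text)
        return text

def residual_identifiers(text: str) -> list:
    """Identifiers still present after pseudonymisation; a non-empty list means: do not paste."""
    return EMAIL_RE.findall(text) + [b for b in BSN_RE.findall(text) if is_valid_bsn(b)]

# Constructed input: the person, company, e-mail address and BSN are invented for this example.
SAMPLE = ("Client Jan de Vries (jan@example.com, BSN 111222333) of Acme BV complained "
          "about the invoice; Jan wants a refund.")

if __name__ == "__main__":
    p = Pseudonymiser(people=[["Jan de Vries", "Jan"]], companies=[["Acme BV"]])
    safe = p.apply(SAMPLE)
    print(safe)
    print("residual identifiers:", residual_identifiers(safe))
```

It only replaces names you list, so a clean result is necessary but not sufficient: anything the helper does not know about (an address, a case number, a diagnosis) stays in the text, which is why the "Would I be comfortable if this leaked?" question still has to be asked.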
Remember: Just because something is convenient doesn't make it legal. Using free ChatGPT for work might seem harmless, but you could be creating a GDPR violation that exposes your employer to millions in fines—and yourself to disciplinary action.
Protecting Your Personal Data
As an individual, your data might already be in AI training sets without your knowledge. Here's how to minimize your exposure:
1. Use a VPN
Hide your IP address and location from AI services. Even if an organization leaks your data to AI tools, your location stays private.
Recommended: NordVPN encrypts your connection and masks your real IP address. Verify it's working at myip.foo.
2. Exercise Your GDPR Rights
- Right to access: Ask organizations what data they hold about you
- Right to erasure: Request deletion of your data
- Right to object: Refuse AI-based processing of your data
- File complaints: Report violations to the Autoriteit Persoonsgegevens
3. Be Mindful of What You Share
Assume any organization you interact with might use AI tools. Provide only the minimum information necessary.
Learn more: What ChatGPT Knows About You
Frequently Asked Questions
Is using free ChatGPT at work illegal?
It depends on what data you share. Using it for general questions is fine. But if you paste personal data, confidential information, or client details, you're likely violating GDPR. Your employer could face fines, and you could face disciplinary action.
Can my employer see if I use ChatGPT?
On a corporate network, yes—IT can see traffic to AI websites. On your personal device with mobile data, probably not. But if a data breach is discovered later, logs and investigations can reveal who was responsible.
What if I accidentally shared sensitive data with AI?
Report it immediately to your IT department or data protection officer. Early reporting can help contain the damage and demonstrates good faith. Trying to hide it only makes things worse if discovered later.
How do I know if my data was leaked to AI?
You often won't know. Unlike traditional data breaches, there's no notification when your data is used for AI training. This is part of why Shadow AI is so dangerous—victims may never be informed.
What's the difference between free ChatGPT and ChatGPT Enterprise?
Enterprise versions come with data processing agreements, don't use your data for training, offer audit logs, and provide compliance features. Free versions have none of these protections.
Conclusion
Shadow AI is the invisible data breach happening in organizations everywhere. Employees trying to work more efficiently are accidentally feeding sensitive data to AI companies—without consent, without contracts, and without understanding the legal consequences.
Key takeaways:
- The Dutch privacy authority has received dozens of AI-related data breach reports—and the trend is accelerating
- Shadow AI creates GDPR violations that can result in massive fines
- The AI Act mandates AI literacy training for employees
- Organizations must block public AI tools and provide secure alternatives
- Once data is used for AI training, it cannot be "untrained"
The Eindhoven incident is just the tip of the iceberg. As AI tools become more accessible, Shadow AI will only grow—unless organizations take proactive steps to control it.
For organizations: Block public AI, provide enterprise alternatives, train your employees, and create clear policies. The cost of prevention is far less than the cost of a GDPR fine.
For individuals: Be cautious about what you share, use a VPN to protect your identity, and exercise your GDPR rights. Your data deserves better than ending up in an AI training set without your knowledge.
Protect Your Privacy:
- Check what you're exposing at myip.foo
- Hide your IP with NordVPN
- Read: What ChatGPT Knows About You
- Case study: Eindhoven AI Data Breach
Shadow AI is a GDPR nightmare. Don't let your organization become the next cautionary tale.
Sources: Autoriteit Persoonsgegevens (Dutch DPA), Het Financieele Dagblad, Municipality of Eindhoven public disclosure, EU AI Act (Regulation 2024/1689).