AI & Data Protection: A Pragmatic Overview

Note: This information is general in nature and does not constitute legal advice. For binding assessments, please involve your data protection officer and, where appropriate, legal counsel.

AI is More Than "Chat"

Today, AI is used not only for chatbots but also to automate recurring tasks – e.g. in analysis, specification, code and testing.

This is exactly where we come in: we use our AI agents in tools and projects to reduce throughput times and safeguard quality.

What Happens to Your Data with Cloud AI?

When you send text, code or document excerpts to a cloud AI service, inputs (prompts) and outputs are processed on the provider’s infrastructure. Two questions are crucial:

  1. Are contents stored – and for how long?
  2. Are contents used for training/improvement?

Typical Retention (Highly Simplified)

Important: it’s not the model (e.g. “Sonnet/Opus”) that is decisive, but the usage model (consumer vs. business/API) and the settings.

What Is Realistically Possible in the “Worst Case”?

Typical risk sources in practice are:

  • Too much / overly sensitive data entered (personal data, trade secrets, full documents).
  • Exceptions on the provider side (e.g. support/security review/abuse detection; longer retention in policy or security cases).
  • Legal requests (disclosure may be required depending on jurisdiction/obligations).
  • Security incidents (residual risk as with any cloud service).

The main lever is therefore almost always: what do we enter – and in which setup?

Practical Guardrails (Do/Don’t)

These guardrails are often more helpful in practice than blanket bans.

Do

  • Use excerpts instead of full documents where possible.
  • Pseudonymize (remove names/IDs; use “Supplier A”, “Customer B”).
  • Define clear data classes: what may go into AI, what may not?
  • For sensitive use cases, prefer business/API setups and configure retention/logging consciously.

Don’t

  • Upload raw personal data “just in case”.
  • Enter trade secrets into consumer chats without necessity.
  • Roll out AI “wildly” in the organization without policies, roles/permissions and release processes.

Alternatives: Local Hosting / Private Cloud / Hybrid

If cloud AI conflicts with internal policies, there are options:

  • On-premises (local hosting): processing within your own infrastructure.
  • Private cloud / VPC: isolated environment with controllable data flows.
  • Hybrid: sensitive preprocessing internally (masking/pseudonymization), cloud only for non-critical parts.
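The "Pseudonymize" guardrail and the hybrid option above, sketched as an added example (not talsen team's code): text is masked internally before it goes to a cloud AI service, and the answer is re-identified locally. The entity list, the ID format and all names in the code are constructed assumptions.

```python
import re
import string

# Constructed sample master data (assumption): kind -> real names to hide.
ENTITIES = {"Supplier": ["Nordwerk GmbH", "Alpen Logistik AG"],
            "Customer": ["Helios Retail Ltd"]}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ID_RE = re.compile(r"\b(?:CUST|SUP|INV)-\d{4,}\b")  # hypothetical ID format

class Pseudonymizer:
    """Swaps names, e-mail addresses and IDs for stable placeholders; the mapping stays local."""

    def __init__(self, entities):
        self.entities = entities
        self.forward, self.reverse, self.counters = {}, {}, {}

    def _placeholder(self, kind, value):
        key = value.lower()
        if key not in self.forward:
            n = self.counters[kind] = self.counters.get(kind, 0) + 1
            if kind in self.entities:   # "Supplier A" style label
                label = f"{kind} {string.ascii_uppercase[n - 1] if n <= 26 else n}"
            else:                       # "[EMAIL_1]" / "[ID_1]" style label
                label = f"[{kind}_{n}]"
            self.forward[key], self.reverse[label] = label, value
        return self.forward[key]

    def mask(self, text):
        # Pattern-based values first, so a name inside an address is not half-replaced.
        text = EMAIL_RE.sub(lambda m: self._placeholder("EMAIL", m.group()), text)
        text = ID_RE.sub(lambda m: self._placeholder("ID", m.group()), text)
        for kind, names in self.entities.items():
            for name in names:
                text = re.sub(rf"\b{re.escape(name)}\b",
                              lambda m, k=kind, v=name: self._placeholder(k, v),
                              text, flags=re.IGNORECASE)
        return text

    def leaks(self, masked):
        """Outbound gate: known real values still present in the masked text."""
        known = [n for names in self.entities.values() for n in names]
        known += list(self.reverse.values())
        return sorted({v for v in known if v.lower() in masked.lower()})

    def unmask(self, text):
        # Whole-token match, so "Supplier A" does not fire inside "Supplier Agreement".
        for label, real in self.reverse.items():
            text = re.sub(rf"(?<!\w){re.escape(label)}(?!\w)", lambda m, r=real: r, text)
        return text
```

Send the text onward only when leaks() returns an empty list. A fixed entity list does not catch names it has never seen, so the data classes defined under "Do" still decide what may be entered at all.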

We provide such setups on request – aligned with your required protection level and operational reality.

EU AI Act: Context for Operational Use

The EU AI Act has been in force since 1 August 2024 and will apply in stages over time.

In day-to-day operations, the following points are particularly relevant for many organizations:

Important: whether a specific use case is classified as high-risk depends on the context of use and should be assessed carefully where in doubt.

How We at talsen team Support You

Data protection and compliance should not block AI – they should make it controllable. That’s why we combine technology with clear operational rules:

  1. AI Automation in Projects and Products

    We support digital initiatives from clear, testable specifications through to reliable implementation, using AI agents in a targeted way to automate and accelerate analysis, specification, code and tests.

  2. Operating Model Aligned with Your Policies

    Depending on protection needs: business/API setup, hybrid architecture or, on request, local hosting / private cloud (VPC) / on-premises.

  3. Data Protection & Legal Framework as an Integral Part

    We bring together data protection, security and liability aspects and define practical criteria (data classes, do/don’t, approvals, logging/retention, roles & permissions) – including an EU AI Act perspective tailored to your operational use.

  4. Implementation & Scaling

    In addition, we offer cost-effective nearshoring and non-AI development of custom solutions – from prototype to production integration.

Frequently Asked Questions