ChatGPT at Work: The Mittelstand Guide to What’s Allowed, What’s Forbidden, and What to Train

Two things are true in most Mittelstand companies today. First, your employees are already using ChatGPT - on their own phones, on their own accounts, for your work. Second, almost nobody has a clear policy on what they can paste into it, what they cannot, and what happens if someone leaks a customer contract into a consumer chat window.

The answer is not a ban. Bitkom 2025 found 66 percent of German employees already use AI at work, and most usage is private and invisible to employers¹. Banning ChatGPT pushes the behaviour underground. The answer is also not unchecked freedom - IBM 2024 reports that shadow AI adds USD 670,000 to the average cost of a data breach².

What you need is a one-page policy, a sanctioned tool, and a 60-day rollout your works council can sign. This guide gives you all three - built for Mittelstand reality, not Silicon Valley abstraction.

The Shadow AI Reality

Most Mittelstand leaders underestimate how far ChatGPT use has spread inside their own walls. The data from 2025 is unambiguous - people are using it everywhere, usually without you knowing.

• 66 percent of German employees use AI at work - up from 49 percent the year before, according to Bitkom 2025¹. The overwhelming majority use consumer tools, not enterprise tools.
• Shadow AI is the default state - BCG 2025 reports that 75 percent of managers use AI regularly but only 51 percent of frontline workers do. That gap is almost entirely private-account ChatGPT¹².
• The financial exposure is real - IBM 2024 found shadow AI adds an average USD 670,000 to the cost of a breach². That is a single incident, before reputational damage.
• The Samsung lesson - in 2023, Samsung engineers pasted proprietary source code into ChatGPT. Samsung banned it company-wide within weeks⁸. It became the canonical example of why banning after a leak is expensive.
• The coaching signal - 37 percent of employees say they worry AI will erode their skills¹³. That worry pushes them toward private use, where they feel less observed.

What’s Allowed: Green-Light Use Cases

A useful policy is specific about what people can actually do, not a wall of legal caveats. These five categories cover roughly 80 percent of day-to-day use for most Mittelstand employees.

1. Drafting and editing internal content - memos, emails to colleagues, internal policies, meeting notes, project briefs. Low risk, high productivity. Encourage it.
2. Summarising public documents - analyst reports, research papers, news, competitor public filings. Paste the document, get a structured summary. No confidential data involved.
3. Explaining and learning - “explain this legal clause”, “what does this error message mean”, “walk me through this industry term”. The model as a patient tutor is one of its highest-value uses.
4. Generating first drafts - code prototypes, SQL queries, marketing copy, translations, structured lists, interview questions. Always reviewed by a human before use.
5. Brainstorming and structuring ideas - meeting agendas, project plans, pro and con lists, SWOT analyses, creative options. The model is a thought partner, not a decision maker.

What’s Forbidden: The Red Lines

Red lines matter more than green lights. A policy that is vague about what is forbidden creates the exact grey zone where leaks happen. State the red lines in plain language, with concrete examples.

DSGVO and EU AI Act Compliance

Most Mittelstand companies overestimate the legal complexity of using ChatGPT in a compliant way. The core requirements are surprisingly concrete - and the EU AI Act layers on top rather than replacing DSGVO.

The DSGVO essentials

• Lawful basis - identify the legal basis for any personal data you process. For internal productivity use, typically Art. 6 (1)(f) legitimate interest is the right basis, documented in a balancing test.
• Data processing agreement - you must have a signed DPA with OpenAI, Microsoft, Anthropic, or Google. All three major vendors provide one for enterprise tiers⁶¹⁵¹⁶.
• Purpose limitation - document what the tool is for. “General productivity assistance for drafting and summarisation” is a legitimate, documentable purpose.
• Data minimisation - employees only paste what is needed. The policy enforces this, training reinforces it.
• DPIA when required - for high-risk processing (Art. 35 DSGVO), run a data protection impact assessment. Routine drafting rarely triggers it; HR screening or customer profiling usually does.
• Records of processing - add AI tool usage to your Art. 30 records. Simple entry, high compliance value.

The EU AI Act layer

• Most ChatGPT use is minimal or limited risk - productivity use falls into the lightest obligation tier. Transparency where output faces customers (Art. 50)⁵, no conformity assessment required.
• Article 4 literacy training - mandatory from 2 August 2026 for employees who interact with AI systems³. Covers prompting basics, risks, and boundaries.
• High-risk zones to watch - AI in hiring, evaluation, credit scoring, or access to essential services is high-risk. Using ChatGPT to screen CVs is likely high-risk under Annex III and requires additional controls.
• Penalties for violations - up to EUR 15 million or 3 percent of global revenue for high-risk non-compliance; SMEs get proportionate caps⁴.

The 1-Page ChatGPT Policy Template

The best policies fit on one page. Employees actually read them. Works councils actually approve them. Lawyers actually update them. Use this template as a starting point and tune the specifics to your company.

1. Purpose - This policy defines how employees of [Company] may use ChatGPT and similar AI assistants in day-to-day work.
2. Sanctioned tools - ChatGPT Enterprise / Microsoft Copilot / Claude for Work. Use of consumer accounts (ChatGPT Free, Plus) for company data is not permitted.
3. Green-light use cases - internal drafting, summaries of public documents, explanations, first-draft generation (with human review), brainstorming.
4. Red lines (never paste) - customer data, source code with business logic, non-public financials, personal data of employees, security-sensitive content, regulated legal advice.
5. Review duty - any AI output used in a decision, sent externally, or affecting a contract must be reviewed by a human competent in that domain.
6. Disclosure - disclose AI assistance when the output goes to a customer, regulator, or public audience, or when it materially shapes a decision.
7. Incidents - if data was pasted into a non-sanctioned tool, report to the Datenschutzbeauftragter within 24 hours. Treated as a process failure on first instance.
8. Training - mandatory 2-hour onboarding plus annual 1-hour refresh. Required under EU AI Act Art. 4 from August 2026.
9. Review cadence - this policy is reviewed quarterly in 2026, then twice a year from 2027.
10. Contact - questions go to [Datenschutzbeauftragter] or [AI Lead].

Works Council and Training

The works council conversation is where most Mittelstand AI rollouts slow down. The fix is not legal firepower - it is early, respectful engagement.

Works council alignment in 30 days

1. Week 1 - informal conversation - brief the works council chair before drafting anything. Intent, timeline, which tool, who benefits. No legal documents yet.
2. Week 2 - draft works council agreement - cover scope, monitoring boundaries, employee protections, training, and data handling. Section 87 BetrVG gives them co-determination rights on monitoring tech¹⁴.
3. Week 3 - joint review - sit with works council, data protection officer, and HR. Adjust. Mittelstand councils are usually constructive when the tool genuinely helps and protections are clear.
4. Week 4 - sign and announce - joint announcement from management and works council. Single voice, same message. Builds trust.

Training that actually sticks

• Format - 2-hour hands-on onboarding per employee, not a one-hour webinar. Employees use the tool with real (sanitised) examples during training.
• Content - prompting basics (30 min), red lines with real cases (30 min), verification habits (30 min), practical exercises (30 min).
• Role-specific modules - HR, finance, sales, engineering each get a 30-minute add-on with use cases relevant to their work.
• Record keeping - attendance logged per employee for EU AI Act Art. 4 compliance³.
• Refresh cadence - 1-hour refresher annually. EY reports employees with 81+ hours annual AI training deliver 14 hours per week in productivity gains¹³.

ChatGPT Free vs Team vs Enterprise

Most employees know ChatGPT Free. Few leaders know the difference between Team and Enterprise. Here is what actually matters for a Mittelstand deployment.

Picking the right tier

• Under 50 employees - Team is usually enough. SSO via Google, admin basics, no training on data. Lowest friction to start.
• 50-200 employees - Team still works, but evaluate Microsoft 365 Copilot if you are already Microsoft-heavy. Often cleaner integration and identity than standalone ChatGPT Team.
• 200+ employees - Enterprise makes sense. Full SAML SSO, EU residency, audit logs, procurement-grade SLA. Budget EUR 40-60 per user per month depending on scope.
• Regulated industries - healthcare, financial services, defence - Enterprise with EU residency is almost always the right call regardless of size.
• Hybrid reality - most Mittelstand companies end up running Copilot (daily productivity) plus Claude or ChatGPT Enterprise (heavier tasks) plus one or two custom agents. That hybrid is fine and often the most cost-effective stack.

Rollout in 60 Days

A 60-day rollout gets you from “we have a shadow AI problem” to “we have a sanctioned tool, a policy, and trained employees”. The discipline matters more than the speed.

Days 1-14: Foundations

1. Map current shadow use - brief, anonymous survey. How many use AI at work? Which tools? For what? The results drive the next 6 weeks.
2. Select the sanctioned tool - Team for small, Enterprise for large, Copilot if you are Microsoft-heavy. Get the DPA draft from the vendor.
3. Draft the policy - use the one-page template. Tune to your company. Legal review in parallel.
4. Inform works council - informal conversation in week 2. Avoid surprises in week 4.

Days 15-30: Legal and governance

5. Sign DPA - with chosen vendor. Add SCC if needed. Store in the central contracts repository.
6. Art. 30 entry - add AI tool to records of processing. Ten minutes of work, high compliance value.
7. Balancing test - document the Art. 6(1)(f) assessment. Template exists in your data protection documentation.
8. Works council agreement - signed by end of week 4. If it drags, pause the rollout rather than ship half-aligned.

Days 31-45: Pilot

9. Pilot cohort - 20-30 users across marketing, operations, and engineering. Provision the sanctioned tier. Train them first.
10. Training delivery - 2-hour hands-on session per cohort. Collect feedback on what confuses people.
11. Fix the policy edges - the pilot always surfaces gaps. Update the policy in week 5 based on real questions.
12. Measure adoption - weekly usage, top use cases, incidents. Share within the pilot group.

Days 46-60: Company-wide launch

13. Full provisioning - accounts for all eligible employees. Old shadow accounts retired where possible.
14. Training for the rest - cohort-based, 2 hours each. Record attendance for Art. 4 compliance.
15. Joint announcement - CEO and works council lead. Single message. Calm tone. Policy attached.
16. Observe and adjust - daily admin console review for week 1, weekly thereafter. First policy refresh at day 90.

How Superkind Fits

Superkind helps Mittelstand companies run this rollout in 60 days, then builds the custom agents that go beyond generic ChatGPT use. ChatGPT policy is the starting line, not the finish line.

• Policy workshop - we adapt the template to your reality, sit with your DPO, and draft the works council agreement in week 2.
• Tool selection - honest recommendation on Team, Enterprise, Copilot, or a hybrid. No reseller incentives pushing a specific tier.
• Training delivered - hands-on, role-specific, recorded for Art. 4 compliance. Onboarding and annual refreshers.
• Works council engagement - we join the session, explain the architecture, answer technical questions. Mittelstand councils respond well to clear technical explanations.
• Beyond ChatGPT - once generic chat is handled, we build custom agents that solve workflows ChatGPT cannot: SAP automation, DATEV integration, sector-specific processes.
• Process-first mindset - we map your workflows before touching a vendor. The policy reflects what you actually do, not a template from a different industry.
• Ongoing partnership - policy refreshes, training refreshes, incident reviews. AI is not a one-time rollout.
• Compliance built in - DSGVO, EU AI Act Article 4, works council, audit trail. All of it part of delivery.

Frequently Asked Questions

Related Articles

• Shadow AI in the Mittelstand: The Governance Playbook
• EU AI Act 2026: What the Mittelstand Must Know
• Which LLM Should the Mittelstand Choose?
• AI Agents vs Microsoft Copilot
• Sovereign AI for the Mittelstand
• The 12-Month AI Strategy Roadmap

Henri Jung

Co-founder of Superkind, where he helps SMEs and enterprises deploy custom AI agents that actually fit how their teams work. Henri is passionate about closing the gap between what AI can do and the value it creates in real companies. He believes the Mittelstand has everything it needs to lead in AI - it just needs the right approach.