AI use cases in business

What is allowed with AI and what needs formal controls: AI Act + GDPR

A practical decision matrix for organizations: 20 business scenarios, risk status, and required actions under the AI Act and GDPR.

Allowed

Management: AI summaries of contracts and board resolutions

Status: Allowed

Scenario

AI prepares document summaries for management, but does not make decisions on behalf of the company.

What must be in place

AI literacy training, human validation of outputs, and secure prompting policy.

Practical notes

Keep a strict human-in-the-loop rule and avoid sending highly sensitive data to public models.

Generating draft sales emails

Status: Allowed

Scenario

AI assists with B2B/B2C outreach drafts while final wording is approved by a salesperson.

What must be in place

Editorial standards, hallucination checks, and clear accountability for final content.

Practical notes

Do not send AI-generated messages automatically without review and fact-checking.

Translating internal company documents

Status: Allowed

Scenario

AI translates internal policies, procedures, and communications across working languages.

What must be in place

Human quality review, legal-context review for regulated texts, and version control.

Practical notes

For legal or contractual texts, always add a specialist review before publication.

Drafting procedures and FAQ content

Status: Allowed

Scenario

AI accelerates first drafts of operational procedures and support knowledge-base content.

What must be in place

Process owner approval, compliance check, and change traceability.

Practical notes

Treat AI output as draft material, not as automatically binding policy.

Trend analysis on aggregated data

Status: Allowed

Scenario

AI analyzes aggregated KPIs (sales, support load, operations) without identifying individuals.

What must be in place

Anonymization/pseudonymization, access controls, and documented data lineage.

Practical notes

Ensure aggregates cannot be easily re-identified back to specific persons.

Conditionally allowed (formal controls required)

Management: AI-assisted contract risk analysis with personal data

Status: Conditionally allowed

Scenario

AI reviews clauses on liability, data transfers, and privacy obligations in contracts.

What must be in place

DPIA where needed, NDA and processor safeguards, records of processing, legal sign-off.

Practical notes

Never base a final contract signature decision solely on AI recommendations.

AI customer-support chatbot

Status: Conditionally allowed

Scenario

A chatbot handles standard customer questions and escalates sensitive cases to human staff.

What must be in place

Clear notice that users are interacting with AI, human escalation path, logging and QA.

Practical notes

The AI notice should be visible at interaction start, not hidden in legal pages.

Meeting transcription and summaries

Status: Conditionally allowed

Scenario

AI generates meeting notes and action items from recorded calls.

What must be in place

Valid legal basis for recording, participant notice, retention limits, restricted access.

Practical notes

Communicate purpose and retention period before recording starts.

Marketing personalization and profiling

Status: Conditionally allowed

Scenario

AI segments audiences and tailors campaign content based on user behavior.

What must be in place

Legal basis assessment, transparent notice, and objection/opt-out mechanism.

Practical notes

Avoid sensitive attributes and manipulative design patterns.

AI for anomaly/fraud detection

Status: Conditionally allowed

Scenario

AI flags suspicious patterns while a human analyst makes the final blocking decision.

What must be in place

Human oversight, documented criteria, appeal procedure, and decision audit trail.

Practical notes

High-impact alerts should always be manually reviewed before final action.

Initial support-ticket classification

Status: Conditionally allowed

Scenario

AI classifies ticket priority and routing to improve response times.

What must be in place

SLA rules, team-lead oversight, false-classification monitoring and correction loop.

Practical notes

Do not convert ticket classification directly into disciplinary decisions about employees.

AI-assisted B2B lead scoring

Status: Conditionally allowed

Scenario

AI scores lead potential from company-level and website interaction signals.

What must be in place

Transparent scoring criteria, sales-owner oversight, periodic bias validation.

Practical notes

Use scoring for prioritization support, not as the only go/no-go criterion.

High-risk (AI Act Annex III)

Recruitment: automated CV filtering

Status: High-risk

Scenario

AI rejects or prioritizes candidates based on CV content and application metadata.

What must be in place

High-risk classification handling, risk management, technical documentation, data governance.

Practical notes

Deploying this without high-risk controls creates major regulatory exposure.

Recruitment: candidate ranking and hiring recommendation

Status: High-risk

Scenario

AI ranks candidates and recommends hiring outcomes to hiring managers.

What must be in place

Human oversight, anti-discrimination testing, metrics documentation, candidate-facing transparency.

Practical notes

Candidates must have a meaningful way to contest outcomes.

HR: employee assessment for promotion or termination

Status: High-risk

Scenario

AI evaluates employee signals to support high-impact HR decisions.

What must be in place

Proportionality assessment, human review, anti-bias governance, training-data audits.

Practical notes

This area has elevated litigation and supervisory risk; procedural safeguards are critical.

Finance: credit scoring of a natural person

Status: High-risk

Scenario

AI predicts creditworthiness and recommends loan approval or rejection.

What must be in place

Full high-risk controls, model drift monitoring, explainability, and appeal channel.

Practical notes

You need strong evidence that decisions are fair and non-discriminatory.

Education: AI for exam grading and admissions support

Status: High-risk

Scenario

AI supports grading or admissions decisions in education/training contexts.

What must be in place

High-risk obligations, expert human oversight, appeal rights, fairness and quality tests.

Practical notes

AI output should not be the sole basis for final educational decisions.

Prohibited practices (AI Act Art. 5)

Social scoring based on behavior or traits

Status: Prohibited

Scenario

AI assigns a person-level reputation score used to limit access to services.

What must be in place

No compliant implementation path in this form.

Practical notes

This is generally banned and exposes organizations to the highest penalty tier.

Emotion recognition in workplace or education settings

Status: Prohibited

Scenario

AI infers emotions of workers/students from voice or image for monitoring/performance use.

What must be in place

Generally prohibited, with narrow statutory exceptions (for example, medical or safety use).

Practical notes

Even when an exception applies, labor and data-protection law must be assessed separately.

Untargeted face scraping for recognition databases

Status: Prohibited

Scenario

Mass collection of facial images from internet/CCTV for biometric identification training.

What must be in place

No compliant implementation path in the EU.

Practical notes

This is explicitly listed as prohibited and subject to top-tier penalties.

Want to structure AI compliance across your organization?

Start with a use-case map and implement decision rules across business, legal, and IT teams.