Checklist Ferrero Benelux

Security, GDPR & Responsible Use Checklist

Using AI at work comes with responsibilities. This checklist gives you the golden rules for working with Microsoft Copilot in line with GDPR, the EU AI Act, and Ferrero's data protection standards. Print it, keep it on your desk, and tick the boxes before each use.

The 5 golden rules

1. Never paste confidential Ferrero data into public AI tools

Recipes, formulas, unreleased financials, pricing, customer data, trade secrets, M&A or strategy documents must never leave Ferrero's secure perimeter. Free, consumer AI tools (public ChatGPT, Gemini, etc.) may store and reuse what you type.

What to do: Use Microsoft 365 Copilot for anything work-related. Your prompts and Ferrero files stay inside Ferrero's Microsoft 365 tenant and are not used to train the underlying models.

2. Know which tool you are in

Not all "Copilot" surfaces are equal. Microsoft 365 Copilot (signed in with your Ferrero account) gives enterprise data protection. Microsoft 365 Copilot Chat on the web is grounded on the public web; it still carries enterprise data protection, but treat it as web-facing for anything you upload that is not one of your work files.

What to do: Check you are signed in with your Ferrero work account and that the enterprise/protected indicator is shown before working with anything sensitive.

3. Protect personal data — GDPR applies

Names, emails, phone numbers, addresses, ID numbers, health, performance reviews or any data that identifies a person are covered by GDPR. You are accountable for how that data is used.

What to do: Only feed personal data into Microsoft 365 Copilot, never public tools. Minimise: share only what's needed. Anonymise or pseudonymise when you can ("Employee A", "[email]"). Never use AI to make an automated decision about a person on its own.

4. Always verify the output

AI can sound confident and still be wrong — it can invent figures, quotes, references and "facts" (hallucinations). It does not know Ferrero's reality unless the right file is in front of it.

What to do: Re-read every output. Check critical facts, numbers and names against the source. Open the citations Copilot provides. Never forward or publish an AI draft you haven't validated.

5. You own the output, not the AI

The AI signs nothing. Your name is on the deliverable. An unverified AI error is your error.

What to do: Treat AI as a first draft, not a final answer. Be transparent about AI assistance when it matters, and keep human judgement on every decision.

GDPR & the EU Data Boundary — the basics

Why Microsoft 365 Copilot is different. It runs inside Ferrero's Microsoft 365 tenant and as an EU Data Boundary service, so EU/EFTA customer data is processed and stored within the EU. It respects your existing permissions: Copilot can only surface content you already have access to — it never grants you new access.

What this means for you: your prompts and the Ferrero files you work on are not used to train the public models, and stay within the enterprise boundary. Public consumer tools give you none of these guarantees.

Sensitivity labels & Purview — what to watch

Sensitivity labels do the heavy lifting. When a document carries a label (e.g. Confidential, Highly Confidential), its protection follows it. Microsoft 365 Copilot honours those labels, and content it generates from a labelled file inherits the label's protection.

What I can / cannot do

✓ I CAN

  • Draft emails, notes and decks in Microsoft 365 Copilot
  • Summarise my own Teams meetings, chats and documents
  • Analyse data inside Excel with Copilot
  • Brainstorm, structure ideas, reframe a message
  • Summarise public, non-confidential information
  • Translate non-confidential content
  • Use Copilot on files I already have access to
  • Open citations to check where an answer comes from

✗ I CANNOT

  • Paste Ferrero secrets into public/free AI tools
  • Feed personal data (names, contacts) into public tools
  • Strip or downgrade a sensitivity label to bypass a block
  • Let AI make an automated decision about a person
  • Forward or publish an output without verifying it
  • Assume an answer is correct because it sounds confident
  • Use AI images without checking usage rights
  • Ignore Ferrero's AI and data protection policy

EU AI Act — what to remember

Ferrero is a "deployer" of AI. That brings transparency duties and a need for AI literacy — which is exactly why you're here. The headline risk tiers:

Shadow AI. When people use random public AI tools without a framework, the company is exposed to data leaks, undetected errors and legal risk. The goal isn't to ban AI — it's to use the approved, governed tool (Microsoft 365 Copilot) and do it well.

maars tip: when in doubt about a file or a use case, ask your manager or Ferrero IT/security before you paste. A 30-second question beats a data incident.

Express checklist — before every AI use

  1. Could this contain confidential Ferrero data? ☐
  2. Could this contain personal data (GDPR)? ☐
  3. Am I in Microsoft 365 Copilot with my Ferrero account (not a public tool)? ☐
  4. Are the sensitivity labels still in place (not stripped)? ☐
  5. Have I verified the output against the source before sending? ☐
  6. Am I ready to take responsibility for this content? ☐

If any answer is "no" → STOP. Adjust before you continue.