They have IT policies to make sure it largely does not apply. Even in our policy officially any personal use is forbidden. Funnily there is also agreement with our employee board, that any personal use will not be sanctioned. So guess what happens. This done to circumvent not only GPR but also TTDSG in germany (which is harsher on 'spying' as it applies to telecoms. For any 'officially' gathered personal information though typical very specific agreements with our employee board exist though (reporting of illness, etc). Wonder how such information which is also sensitive in a workplace is handled. Also I see those systems used in hospitals etc, if other peoples data is pumped through this systems GDPR definitively applies and auditors may find it (I only know such auditing in finance though). In the future NIS2 will also apply so exactly the people that use such systems will be put under additional scrutiny. Hope this triggers also some auditing of the systems used and not just the use of more of such systems.
