Last updated: May 25, 2026
Is AI safe for business data? GDPR privacy explained
You want to use ChatGPT or Claude to draft quotes or answer customer questions, but you're unsure: is this allowed under GDPR (known as AVG in the Netherlands), and what if confidential business data ends up in the model? This article explains the risks, what the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) expects, and how you can deploy AI safely without endangering your customers or your business. For the bigger picture, start with our guide to AI for businesses. We'll cover data protection impact assessment (DPIA) requirements, when you need a data processing agreement (verwerkersovereenkomst), and how to handle personal data without breaking privacy rules. A 2025 Talentech survey found that 63% of HR professionals cite data security as their biggest concern when implementing AI, so you're not alone in asking these questions.

| Criterion | ChatGPT (OpenAI) | Claude (Anthropic) | Google Gemini |
|---|---|---|---|
| EU servers available | Yes (Business plan) | Yes (API) | Yes (Workspace) |
| Data processing agreement | Yes (Business/Enterprise) | Yes (API customers) | Yes (Workspace) |
| Trains on your input | No (opt-out available) | No (API), unclear (web) | No (Workspace), yes (free) |
| Best for Dutch SMEs | Customer support, drafting | Long documents, research | Google Workspace users |
What GDPR (AVG) requires when you use AI
GDPR demands that you know which personal data you process, why you're processing it, and how long you keep it. AI tools like ChatGPT or Claude often process text containing names, email addresses, or other personal information. Four principles apply to every Dutch SME:
- Data minimisation: only send what's strictly necessary for the task.
- Legal basis: either explicit consent from the data subject, or legitimate interest (you must document why the processing is necessary and proportionate).
- Transparency: inform customers when their data flows through an AI system.
- Security: protect data in transit and at rest, and log who accessed what.
When you use an external AI service (ChatGPT, Claude, any SaaS tool), you're the data controller and the AI vendor is your processor. Under GDPR Article 28, you must sign a data processing agreement (verwerkersovereenkomst) that spells out what the vendor may and may not do with your data. Without that contract, you're non-compliant the moment personal data leaves your network.
Data minimisation: send only what's truly needed
Before you paste a customer email into ChatGPT, ask: does the AI need the customer's full name and address to draft a reply, or can I anonymise those fields first? In practice, every piece of data that can be traced back to an individual counts as personal data under GDPR, even if you think it's "just metadata."
Legal basis: consent or legitimate interest
You can't process personal data without a legal basis. For most business automation, legitimate interest is the practical route: you document that the processing (for example, using AI support tickets) serves a real business need, is proportionate, and doesn't override the customer's rights. Consent is harder to manage because it must be freely given, specific, and revocable at any time.
Data processing agreement: when required and what it must contain
Any time an external service processes personal data on your behalf, GDPR Article 28 requires a written agreement. That agreement must state the subject matter, duration, nature and purpose of processing, the type of personal data, and the categories of data subjects. It must also bind the processor to your instructions, require them to delete or return data at the end of the contract, and allow you to audit their security measures. OpenAI, Anthropic, and Google all offer standard data processing agreements for business customers, but you have to actively sign up for the right plan. The free tier of most AI tools explicitly excludes these protections.
What this means for you: don't use the free consumer version of any AI tool for business data that contains customer names, email addresses, or order details. Upgrade to a business plan that includes EU data residency and a signed processing agreement, or work with an automation partner who handles that contract layer for you.
How ChatGPT, Claude, and other AI tools handle your data

Not every AI tool works the same way. ChatGPT (OpenAI) offers a Business subscription with EU servers and a data processing agreement, but the free version may train on your input unless you opt out. Claude (Anthropic) promises not to train on API data, but the web version has different terms. Google Gemini and Perplexity have their own rules. The table above compares the four most popular tools on GDPR criteria: where the data lives, whether the vendor trains on it, and whether you can sign a processing agreement.
For Dutch SMEs running AFAS, Exact Online, or Moneybird, the practical question is: can I connect my accounting or CRM system to an AI without violating GDPR? The answer depends on three factors:
- Data residency: does the AI vendor store and process data on EU servers, or does it leave the EU?
- Training policy: does the vendor use your prompts and outputs to improve its model?
- Contract: can you sign a data processing agreement that meets Article 28 requirements?
In our business automation work, we see that most GDPR violations happen not because the AI itself is unsafe, but because the integration layer (Zapier, Make, n8n) sends data to the wrong endpoint or the wrong plan tier. A workflow that pulls customer records from AFAS and sends them to the ChatGPT free API has no processing agreement and no EU residency guarantee, so it's non-compliant by default.
What this means for you: audit every step in your automation chain. If customer data flows through five tools (CRM → n8n → OpenAI → email → Slack), you need a processing agreement with each one, and you need to document the data flow in your processing register.
Running into this at your own business? We'll spend 30 minutes with you for free, no sales pitch. Book a free intro call
The three biggest GDPR risks of AI for SMEs (and how to avoid them)
A 2025 Talentech survey found that 63% of HR professionals name data security as their top concern when implementing AI. For Dutch SMEs, three concrete risks stand out.
Risk 1: confidential data in a public AI chat
An employee pastes a customer's quote request, including name, email, and project details, into the free ChatGPT web interface. That data now lives on OpenAI's servers, potentially outside the EU, with no processing agreement and no guarantee it won't be used for training. Under GDPR, you're liable for that breach even if the employee acted without permission. The fix: internal policy that forbids pasting customer data into public AI tools, plus a business-tier subscription with EU residency for any AI work that touches personal data.
Risk 2: re-identification of anonymised data
You anonymise a dataset by removing names and email addresses, then feed it to an AI for analysis. The European Data Protection Board warns that modern AI models can sometimes re-identify individuals by combining metadata (timestamps, location, purchase patterns). If re-identification is reasonably possible, GDPR still applies. The fix: use pseudonymisation (replace identifiers with tokens you control) instead of simple deletion, and run a data protection impact assessment (DPIA) before processing large volumes of sensitive data.
Risk 3: no right to erasure from a trained model
GDPR Article 17 gives individuals the right to have their personal data deleted. But if your data was used to train an AI model, removing it from the model is technically very hard. The Belgian DPA notes that language models like GPT scrape vast amounts of text without consent, and once that data is baked into the model weights, you can't simply "unlearn" a single person's information. The fix: never use a vendor that trains on your data unless you have explicit consent from every data subject, or use API-only services that contractually exclude training.
What this means for you: the safest path is to use AI tools in API mode with a signed processing agreement, keep training opt-outs active, and document every data flow in your processing register so you can respond to erasure requests.
Why most AI automations fail on GDPR compliance (and how we do it differently)

At SW Automation, we see Dutch SMEs build a Zapier or Make scenario that pulls customer names or quote data and sends it to ChatGPT, with no processing agreement or audit log. The problem is rarely the AI itself; it's almost always the missing processing register, unclear legal basis, or the fact that nobody knows exactly which data flows through the chain. When we deliver AI agent projects for Dutch SMBs, we make GDPR compliance part of the build from day one:
- Processing agreements with every link: n8n (self-hosted or cloud), OpenAI (Business API), your CRM (AFAS, Pipedrive, HubSpot), and any other service that touches personal data.
- EU data residency: we configure workflows to use EU endpoints where available, and we document when data leaves the EU (for example, if you choose a US-based tool that offers Standard Contractual Clauses).
- Audit logging: every workflow logs which records it processed, when, and what it did with them, so you can answer a data subject access request or prove compliance to the Dutch DPA.
Concrete example: a Dutch consultancy wanted an AI agent to draft project quotes based on client briefs stored in AFAS. We built the workflow in n8n (self-hosted on an EU server), connected it to the AFAS REST API with a signed processing agreement, and routed prompts to OpenAI's EU endpoint under their Business plan. The client owns the code, the data never leaves EU jurisdiction, and the audit log shows exactly which customer records were read and when. That's GDPR-compliant AI automation.
What this means for you: don't bolt GDPR compliance onto an existing workflow after the fact. Design it in from the start, or work with a partner who knows how to structure the contracts and the infrastructure correctly.
Step-by-step: deploy AI safely without a privacy officer or lawyer
Most Dutch SMEs don't have a Data Protection Officer and don't want to spend months on legal analysis. This four-week plan takes you from zero to GDPR-compliant AI:
- Week 1: Inventory. List the processes you want to automate and the personal data involved. For example: "Draft quote emails (customer name, email, project description)" or "Summarise support tickets (customer email, issue description)." Write down where that data lives today (CRM, email, spreadsheet) and who has access.
- Week 2: Choose tools and contracts. Pick an AI tool with EU servers and sign a data processing agreement. OpenAI Business, Claude API (Anthropic), or Google Workspace with Gemini all qualify. If you're using an automation platform (n8n, Make, Zapier), check whether it offers EU hosting and a processing agreement. If not, consider self-hosting n8n on a Dutch or EU server.
- Week 3: Internal policy. Write down what employees may and may not put into the AI. Example rule: "Customer names and emails are allowed in the Business ChatGPT account, but never in the free web version. Financial data (bank accounts, tax IDs) is never allowed in any AI tool." Assign one person to audit compliance monthly.
- Week 4: Documentation and DPIA. Add the new AI processing to your processing register (verplicht under GDPR Article 30). If you process special-category data (health, biometric, criminal records) or make automated decisions that significantly affect individuals, you must complete a data protection impact assessment (DPIA) before you go live. The Dutch DPA offers a DPIA template on their website.
Checklist to tick off:
- Processing register updated with AI tool name, purpose, data categories, retention period, and legal basis.
- Data processing agreement signed with AI vendor (and any middleware like n8n cloud or Zapier).
- Internal policy document: who may use AI, for what, and with which data.
- DPIA completed if required (large-scale processing of special categories or automated decision-making).
- Audit log or workflow documentation so you can trace which records were processed.
What this means for you: GDPR compliance is not a one-time legal checkbox. It's an operational habit. Start small, document as you go, and expand once you're confident the first workflow is clean.
AI is safe for your business data when you know which tool you're using, sign a processing agreement, and set internal rules about what may and may not go into the system. Begin with one process, check the GDPR requirements, and build from there. The risk isn't AI itself, it's using AI without understanding where your data goes and who controls it. Take the four-week plan above, adapt it to your business, and you'll have a compliant foundation that scales as you automate more.
For a related angle, see our post on What is AI? Practical explanation for entrepreneurs.
Frequently asked questions
Can I use ChatGPT for customer emails without asking the customer's permission?
Yes, if you have a legitimate interest (for example, improving response speed) and you use a business-tier ChatGPT plan with a signed processing agreement and EU data residency. You must inform customers in your privacy policy that their emails may be processed by AI, and you must offer them a way to object. Explicit consent is not required for every email, but you do need a documented legal basis under GDPR Article 6.
What is a data processing agreement and when do I need one?
A data processing agreement (verwerkersovereenkomst) is a contract required by GDPR Article 28 whenever an external service processes personal data on your behalf. It must specify what data the vendor may process, for what purpose, how long they keep it, and what security measures they apply. You need one for every AI tool, CRM, email service, or automation platform that touches customer names, emails, or other personal data. Without it, you're non-compliant the moment data leaves your network.
Do I have to notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) when I start using AI?
No, there's no general notification requirement just for using AI. You do have to update your internal processing register (Article 30) to document the new AI processing activity. You must notify the DPA only if you suffer a data breach that poses a risk to individuals' rights and freedoms, and you must do so within 72 hours of becoming aware of the breach. If you process special-category data (health, biometric, criminal records) or make automated decisions with significant effects, you must complete a data protection impact assessment (DPIA) before you go live, but you don't have to submit it unless the DPA asks.
What are special-category personal data and why can't I put them in an AI?
Special-category data (Article 9 GDPR) includes health information, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, and data about sex life or sexual orientation. Processing these categories is prohibited unless you have explicit consent or another specific legal basis (for example, employment law or public health). You can use AI with special-category data if you meet those conditions, but you must complete a DPIA first and apply extra security measures like encryption and access controls.
Can I get a data breach if I use AI, and do I have to report it?
Yes. If an employee pastes confidential customer data into a public AI chat or if your AI vendor suffers a security incident, that's a personal data breach under GDPR. You must report it to the Dutch DPA within 72 hours if it's likely to result in a risk to individuals' rights and freedoms (for example, if customer email addresses and order details were exposed). You must also notify affected individuals directly if the risk is high. The best defence is prevention: use business-tier AI plans with signed processing agreements, restrict which employees can access AI tools, and log every workflow so you can trace what happened if something goes wrong.
Are there Dutch or European AI tools that are safer than ChatGPT?
Safety depends more on the contract and configuration than the vendor's nationality. OpenAI (US-based) offers EU data residency and a GDPR-compliant processing agreement on its Business and Enterprise plans. Anthropic (Claude, also US-based) does the same for API customers. European alternatives like Aleph Alpha (Germany) or Mistral (France) offer similar guarantees and may appeal if you prefer to keep data within the EU for policy reasons, but the legal requirements are the same: you need a signed processing agreement, EU data residency, and a documented legal basis regardless of where the vendor is headquartered.
Sources
- EDPB — Report of the ChatGPT taskforce
- AI in HR groeit snel, maar is jouw HR-data wel veilig?
- 5 Vuistregels om de toepasbaarheid van de GDPR op AI trainingsdata te herkennen
- Advies van het EDPB over AI-modellen: GDPR-principes ondersteunen verantwoorde AI
- Gegevensbeschermingsautoriteit België — Informatiebrochure AI en AVG
Curious what AI can do for your business?
We listen, think along, and quickly deliver something that works. No obligations, no pressure.