AI and GDPR: What can SMEs do with customer data and AI?

May you use customer information for AI tools? Read the GDPR rules for SMEs, what a processor agreement is and how to get started safely.
As an entrepreneur, you want to deploy AI to make your business smarter, but as soon as you use customer data, GDPR rules apply. May you enter customer data into ChatGPT? Train an AI on your order history? This article gives clear answers for SMEs.
AI and GDPR: why this is relevant now
More and more SME businesses are deploying AI. A chatbot that answers customer questions, software that automatically sorts emails, a tool that analyzes customer profiles — it's becoming daily practice. But as soon as you enter customer data into those tools, you're engaged in data processing under GDPR.
GDPR (General Data Protection Regulation) is the European privacy law. It applies to every business processing personal data of people in the EU. And 'personal data' is broader than you think: a name, email address, phone number or customer ID already falls under it.
What makes this even more urgent: with the introduction of the EU AI Act in 2026, rules are being tightened further. Companies must be transparent about how AI is deployed, especially if AI decisions directly affect customers. Waiting is no longer an option.
Which customer data can you use for AI?
GDPR does not prohibit using customer data for AI — but it does set conditions. You need a valid processing basis. The three most relevant for SMEs:
1. Customer consent
Your customer explicitly consents to the use of their data. Note: pre-ticked boxes don't count. Consent must be freely given, specific and unambiguous. For AI applications this is the most difficult basis, because customers must understand what they are consenting to.
2. Performance of a contract
You use the data to deliver a service the customer has requested. A transport company using AI to calculate the optimal delivery route based on customer addresses may use those addresses — it's part of the agreed service.
3. Legitimate interest
You have a legitimate business interest in processing, and that interest outweighs the customer's privacy interest. This is the most commonly used basis for analytics and marketing applications, but also the most risky. Always document why this interest is justified.
What is absolutely forbidden?
Special categories of personal data — health data, religious beliefs, race, political views — are generally prohibited from processing, even for AI. A healthcare practice wanting to train an AI on patient files, or an employer using AI to predict sick leave based on medical background: not allowed without explicit consent and additional safeguards.
Processor agreement with AI services
Do you use an external AI tool such as ChatGPT (OpenAI), Claude (Anthropic) or Azure AI (Microsoft)? Then you send customer data to a third party's servers. That party becomes a processor under GDPR, and you remain the controller. That means: responsibility stays with you.
You are required to enter into a processor agreement (DPA, Data Processing Agreement) with every AI vendor that processes customer data for you. It must record:
- which personal data are processed
- what the data are used for (also: will they be used for model training?)
- how long data are retained
- what security measures are in place
- whether data are stored outside the EU, and on what basis
How do the major AI providers handle this?
- OpenAI (ChatGPT): Via the business API, OpenAI signs a DPA with you and your data are not used for model training. Via the free or consumer version of ChatGPT, that protection does not apply. Never enter customer data via a consumer interface.
- Anthropic (Claude): Offers a DPA via the API. You can set it so data are not used for training. Check your account settings.
- Microsoft Azure AI: Has extensive GDPR compliance, including the option of EU data storage. Considered the most enterprise-suitable choice for SMEs with strict privacy requirements.
Practical rule of thumb: always use a business subscription or business API — never a free consumer version for customer-sensitive data.
Practical GDPR checklist for SMEs
Thinking of starting with AI and customer data? Go through these points:
- Processing basis documented: on what GDPR basis are you processing the data?
- Processor agreement: have you signed a DPA with your AI vendor?
- Privacy statement updated: does your privacy statement mention that you use AI?
- Data minimization: are you using only the data that are really necessary?
- Retention policy: do you know how long data are kept and can you have them deleted?
- Employees informed: do your employees know which customer data they may and may not enter into AI tools?
- Processing register: have you recorded the AI application in your processing register?
Do you have more than 250 employees, or process large amounts of sensitive data? Then you are required to appoint a Data Protection Officer (DPO).
What to do if you're unsure
Can you use that specific customer data for that specific AI project? Unsure? Follow these steps:
Step 1: Minimize the data
The less personal data, the less risk. Anonymize or pseudonymize where possible. If a customer ID is enough, don't use name and email.
Step 2: Check your DPA
Does your AI vendor have a valid processor agreement? If not, stop immediately or switch to a vendor that does. Without a DPA, you're in violation.
Step 3: Consult the AP
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP; autoriteitpersoonsgegevens.nl) has free guidance on AI and privacy. For specific situations, you can also request an advance consultation.
Step 4: Consider a DPIA
A Data Protection Impact Assessment (DPIA) is mandatory if you create large-scale customer profiles or process sensitive data. But even if unsure, a DPIA is useful — it forces you to document the risks and safeguards.
Step 5: Get advice
A GDPR advisor or lawyer with AI knowledge costs a few hours — and that's cheaper than a fine from the AP. The AP can impose fines up to 4% of global annual turnover.
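The data minimization of Step 1 (and the checklist item above) can be enforced in code before anything leaves your systems. The example below is an added illustration, not part of the original article or any vendor's SDK: it keeps only the fields a task needs (here an assumed delivery-route use case), replaces the real customer ID with a keyed pseudonym so the vendor cannot link records back to your CRM, and refuses to send a payload that still contains an email address or phone number. The field list, regexes and secret are assumptions for the example.

```python
import hashlib
import hmac
import re

# Assumed local secret used only to derive stable pseudonyms; never share it with the AI vendor.
PSEUDONYM_KEY = b"replace-with-a-locally-stored-secret"

# Fields the AI task actually needs (constructed example: delivery-route planning).
ALLOWED_FIELDS = {"customer_id", "postcode", "city", "order_weight_kg"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d -]{7,}\d")

def pseudonymize(customer_id: str) -> str:
    """Keyed hash of the customer ID: stable across requests, not reversible by the vendor."""
    return hmac.new(PSEUDONYM_KEY, customer_id.encode(), hashlib.sha256).hexdigest()[:16]

def minimize(record: dict) -> dict:
    """Drop every field the task does not need and swap the customer ID for a pseudonym."""
    out = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    if "customer_id" in out:
        out["customer_id"] = pseudonymize(str(out["customer_id"]))
    return out

def leaks_contact_data(payload: dict) -> bool:
    """Last-line check before sending: flag payloads that still carry an email or phone number.
    The pseudonymized customer_id is excluded because hex digits could look like a phone number."""
    text = " ".join(str(v) for k, v in payload.items() if k != "customer_id")
    return bool(EMAIL_RE.search(text) or PHONE_RE.search(text))

def prepare_for_ai(record: dict) -> dict:
    """Return the minimized payload that may be sent to the AI vendor, or raise if contact data remains."""
    payload = minimize(record)
    if leaks_contact_data(payload):
        raise ValueError("payload still contains contact data; refusing to send")
    return payload

if __name__ == "__main__":
    # Constructed sample CRM record; not real customer data.
    crm_record = {
        "customer_id": "C-10442",
        "name": "Jan Jansen",
        "email": "jan@example.org",
        "phone": "+31 6 12345678",
        "postcode": "1012AB",
        "city": "Amsterdam",
        "order_weight_kg": 12.5,
    }
    print(prepare_for_ai(crm_record))
```

If the AI task later needs to map results back to a customer, keep the pseudonym-to-ID mapping (or the key) on your own side only; that is what keeps the vendor-side data pseudonymous rather than identifiable.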
Frequently Asked Questions
Can I use customer data to train an AI?
Yes, but only with a valid GDPR basis (consent, a contract or legitimate interest) and a processor agreement with the AI vendor. Special categories such as health data receive extra protection and require explicit consent.
Do I have to tell my customers that I use AI?
Yes. Your privacy statement must mention that you use AI when processing customer data. If AI decisions have legal consequences for customers — such as credit scoring or pricing — they also have the right to human review.
Is ChatGPT GDPR-compliant?
Via the business API (with DPA) it can be. Via the free or consumer version, it is not. Never enter customer data via a consumer interface without an active DPA.
What exactly is a processor agreement?
A contract with your AI vendor that specifies how they may use your customer data, how they protect it and how long they keep it. Without this agreement, you violate GDPR, even if the vendor is otherwise GDPR-compliant.
How do I know if my AI vendor stores data outside the EU?
Check the DPA or privacy statement of your vendor. Microsoft Azure offers EU data storage by default. OpenAI and Anthropic process data primarily in the US, but offer EU data locations for business customers. Always verify this before you start.