GDPR considerations when using AI in a business context

 

Under the GDPR, software must be designed with data protection in mind. This requirement, “data protection by default”, is set out in Article 25 and aims to ensure that personal data is protected whenever digital tools are used.

AI platforms typically function by collecting extensive amounts of data, which they use to continuously improve their models. Consequently, these platforms often seek to use all user inputs as part of their training processes.

When using AI platforms developed outside the EU, it is particularly important to verify that they comply with GDPR principles before deploying them within the EU. Some platforms, especially free versions, require users to manually opt out of having their inputs used for training. This practice is generally inconsistent with the GDPR requirement of data protection by default. Opting out helps ensure that the information entered is not automatically used in model training.

Businesses should therefore carefully assess whether their use of AI complies with GDPR when processing information that may include personal data.

Always remember: if a service is free, you are paying with something else. Do not let that “something else” be the personal data of your customers or employees.

 

This article does not constitute and cannot replace legal advice. Raadgiver.dk ApS assumes no liability for any damage or loss, directly or indirectly, attributable to the use of the information provided in the article.

Published April 2026

Commercial legal adviser Alexander Høy of Raadgiver.dk
