
May I train an AI chatbot on customer data?

Strict requirements: basis, purpose limitation, anonymisation, DPIA, AI Act compliance. Major 2025-2026 AP enforcement priority.

Last reviewed: 25 May 2026
See also our article customer data AI training.

Core: chatbot training with customer data = separate processing + GDPR + AI Act + sector requirements.

Requirements:

  (1) Specific new consent for the AI purpose, not via general terms.
  (2) DPIA required (Art. 35, high risk).
  (3) Anonymisation or synthetic data: training a model on real customer conversations without pseudonymisation is unsuitable.
  (4) AI Act: customer-facing chatbots fall under "limited risk" (transparency duty: "You're talking to an AI") or "high-risk" if they decide on access to services/credit/benefits.
  (5) Retention + erasability: an Art. 17 erasure request must remove the data from the training set. This is technically hard, and nearly impossible in deep learning.

Recommended approach:

  (a) Use synthetic data or anonymised transcripts.
  (b) Ask for explicit opt-in: "may your conversation be used anonymously to improve our AI?".
  (c) External LLM (OpenAI, Anthropic, Google): check whether your API account has "data used for training" set to OFF (often off by default for business plans).

Recent AP enforcement: 2024-2025 investigation at multiple NL businesses training chatbots on customer service conversations without a legal basis. Fines of €100k-€500k foreseen.
