May I use customer data for AI training?
Governed by GDPR and the AI Act. Requires specific consent for the AI purpose, a DPIA and anonymisation. A hot 2025-2026 priority for the NL AP; NL businesses have already been fined for unlawful AI training.
Using customer data for AI training is a separate processing operation that needs its own legal basis. Purpose limitation (Art. 5(1)(b)): data collected for your sales purpose may NOT be used for AI training without further steps.

Requirements:
(1) Specific new consent for AI training. A generic "we may analyse your data" clause in the terms is NOT sufficient.
(2) A DPIA is required (Art. 35, high risk). An AI system that processes personal data is high risk by default.
(3) Anonymisation or pseudonymisation. Training a model on real data without anonymisation is unsuitable.
(4) AI Act requirements (from 2 Aug 2026 for high-risk systems): risk management, transparency, human oversight.
(5) Retention control: data that has been used must be removable from the model (Art. 17). This is technically hard, nearly impossible in deep neural networks.

What is NOT allowed: using client photos for an image-generation model, client emails for LLM fine-tuning without consent, or sensitive data (Art. 9: medical, biometric) for profile analysis.

Recent precedent: the NOYB complaint against Meta about EU users' data for Llama training (2024), and the EDPB ChatGPT Task Force report. The NL AP has designated AI training as an enforcement priority since 2024.

Alternatives: fully anonymous synthetic data, federated learning (the model goes to the data instead of vice versa), differential privacy techniques.