An AI tool used my data without consent — what now?
GDPR Art. 15 + Art. 17 + AI Act on training data. Request access, demand erasure, complain to AP. Major enforcement theme 2025-2026.
AI tools (ChatGPT, Claude, Gemini, Stable Diffusion, Midjourney) train on massive datasets — often without per-individual consent. Two problem types: (1) Training data: your photos, posts, emails may have been used to train the model. (2) Output: AI generates content about you — often with errors (hallucinations), or deepfakes. Routes: For training data: GDPR Art. 15 access request to AI provider ("what data about me is in training set?"). OpenAI, Google, Meta have mandatory response procedure since 2024. Italian, French, German rulings 2023-2024 = providers forced into access. For incorrect output: GDPR Art. 16 rectification + Art. 17 erasure. On refusal: AP complaint + AI Act Art. 86 explanation duty (high-risk system). Deepfakes with your image: Sr Art. 139h expanded in 2024 to AI-generated. Police report + erasure request + platform takedown. NOYB (Schrems' NGO) has filed hundreds of AI complaints 2024-2025 — use their precedent. EU AI Act: high-risk AI must facilitate your rights — otherwise fine up to €35m / 7%.
Step by step
Access request to AI provider
OpenAI: privacy@openai.com. Google: privacy portal. Ask: training data + output records. letter generator.
On incorrect output: rectification/erasure
GDPR Art. 16 + 17. letter generator.
On deepfake: police + takedown
Sr Art. 139h (incl AI-generated). Helpwanted.nl for platform takedown.
AP complaint on refusal
AI cases are AP priority 2025-2026. letter generator.
Ready to act?
We'll draft the right letter for you
Personalised PDF · Send-ready · One-off €9,99
- ⚡ PDF in your inbox in 60 seconds
- 📄 BTW-compliant invoice included
- ↩️ 30-day fix-it guarantee
Sources
🔎 Common search variants
Recognise your own search? Our answer above covers these too.
- “chatgpt my data gdpr”
- “ai training data erasure”
- “deepfake netherlands”
- “ai act access”