GDPR customer support

GDPR-compliant customer support, the practical version.

GDPR (AVG in Dutch) is not a privacy-policy box you tick. It is a set of operational decisions that show up in your support tooling whether you noticed or not. Where is the data, who else can see it, how long do you keep it, what happens when a customer asks you to delete it. The answers should be obvious. With many tools, they are not.

  • Art. 28: required DPA, included free
  • EU: storage location, no transfers
  • 1-click: export and deletion
  • Public: sub-processor list
TL;DR

GDPR-compliant customer support means data inside the EU, a signed Verwerkersovereenkomst (DPA) with your tool vendor, an openly listed sub-processor chain, personal-data redaction before AI calls, clear retention windows, and one-click export and deletion for your customers' rights requests.

  • Data inside the EU, not just "available in an EU region". Check the sub-processor chain too.
  • DPA (Verwerkersovereenkomst) signed before you process any customer message. Article 28 is not optional.
  • Personal data redacted before any AI call leaves the platform. Emails, phone, IBAN, card numbers.
  • One-click data export and deletion for your customers' rights requests. Make compliance a button.

What GDPR actually requires from a support tool

Three articles do most of the work. Article 6 says you need a lawful basis (usually performance of contract for support replies). Article 28 says any third party you let process the data needs a signed Verwerkersovereenkomst (DPA). Articles 15-22 say your customers can ask to access, correct, port, and delete their personal data. A compliant support tool makes all three trivial: the lawful basis is obvious, the DPA is included by default, and rights requests are one click. Anything harder than that means you are paying compliance overhead.

Where compliance breaks in practice

Three common failures. One, the tool stores data in the EU but ships analytics, audit logs, or AI inference through US infrastructure, so the data trail still leaves the EU. Two, the DPA is hidden behind enterprise sales or charged for, which means smaller teams operate without one. Three, the sub-processor list is private or out of date, so you cannot tell your customers who is touching their data. A truly GDPR-compliant tool closes all three loops on day one.

PII redaction, the underrated control

When an AI agent answers a customer message, the original message often contains personal data: an email address in the signature, a phone number for a callback, an IBAN for a refund request. Sending that raw to a model provider is unnecessary and risky. Keloa redacts emails, phone numbers, IBANs and card numbers in the message before any model call. The model sees "my [IBAN] is on file", not the actual account number. The original stays in your EU-hosted audit log. It is a small thing that prevents a lot of headaches.
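The redaction step described above, as an added example that is not Keloa's code: a small redactor that replaces emails, phone numbers, IBANs and card numbers with placeholders before a model call, and keeps the originals for the audit log. Names, regexes and the sample message are my own assumptions; IBAN matches are gated by the ISO 13616 mod-97 check and card numbers by Luhn, so look-alike strings such as order numbers or dates are left alone.

```python
import re

# Patterns for the four data classes the page lists. IBAN and card matches are
# gated by a checksum and phone matches by digit count, to limit false hits.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d ().-]{7,}\d(?!\w)")

def iban_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check: rotate first four chars to the end, A-Z -> 10-35."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1

def luhn_valid(candidate: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(candidate) if c.isdigit()):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(message: str) -> tuple[str, list[tuple[str, str]]]:
    """Return (text the model may see, findings kept for the EU-hosted audit log).
    Order matters: IBANs and cards are removed before the looser phone pattern."""
    findings: list[tuple[str, str]] = []
    rules = [
        ("EMAIL", EMAIL_RE, lambda m: True),
        ("IBAN", IBAN_RE, lambda m: iban_valid(m.group())),
        ("CARD", CARD_RE, lambda m: luhn_valid(m.group())),
        ("PHONE", PHONE_RE, lambda m: 9 <= sum(c.isdigit() for c in m.group()) <= 15),
    ]
    for kind, pattern, accept in rules:
        def sub(m, kind=kind, accept=accept):
            if not accept(m):
                return m.group()  # looks like the pattern but fails validation
            findings.append((kind, m.group()))
            return f"[{kind}]"
        message = pattern.sub(sub, message)
    return message, findings

# Constructed sample message; the IBAN and card number are published test values.
SAMPLE = ("Hi, please refund to NL91 ABNA 0417 1643 00 and confirm to "
          "jan@example.com or call +31 6 12345678. Card 4111 1111 1111 1111 "
          "was charged twice.")
```

Calling `redact(SAMPLE)` yields the model-safe text with `[IBAN]`, `[EMAIL]`, `[PHONE]` and `[CARD]` placeholders plus the list of originals to write to the audit log.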

Retention and the right to be forgotten

GDPR does not pick a retention period for you; it only says you need one and must be able to justify it. For support conversations, two years is a defensible default (it covers most legal limitation periods in the EU), though some industries demand shorter. Keloa lets you set retention per workspace and applies the policy automatically, including to backups. The right to be forgotten is honored as a hard delete from active stores, fully propagated to backups within the standard backup retention window.

How Keloa makes GDPR support boring

GDPR compliance should be a non-event. Keloa is built that way. Data stored in Amsterdam, disaster recovery in Dublin, a signed Verwerkersovereenkomst (DPA) on every plan including the free Starter, a public sub-processor list, personal data redacted before any AI call, one-click data export and deletion, configurable retention windows. None of this costs extra. None of this requires a procurement call. The hard part of AVG customer support is making sure your own content (return windows, policies, FAQs) is accurate. The tool should not be the hard part.

Frequently asked

Frequently asked questions about GDPR customer support.

What does GDPR require from a customer support tool?

A lawful basis for processing, a signed Verwerkersovereenkomst (DPA) under Article 28, a documented sub-processor chain, the ability to honor data-subject rights (access, correction, deletion, portability), and reasonable retention policies. Most of those are operational, not technical, and a good tool makes them defaults you do not have to think about. If a vendor cannot show you all of those without a sales call, that is a signal.

What is the difference between GDPR and AVG?

There is no practical difference. GDPR is the English acronym (General Data Protection Regulation). AVG is the Dutch acronym (Algemene Verordening Gegevensbescherming). Same law, same articles, same obligations. Dutch organizations use AVG in everyday language and GDPR in international contexts. The regulation applies identically.

Do I need a separate DPA with my AI customer support vendor?

Yes. If the vendor processes your customers' personal data on your behalf (which any support tool does), Article 28 GDPR requires a Verwerkersovereenkomst (DPA) before they touch the data. Keloa includes a signed DPA on every plan including the free Starter. You download it from your workspace settings and sign electronically. The standard text covers most teams without negotiation.

Can I use an AI agent on customer data under GDPR?

Yes, with the right setup. You need a lawful basis (typically performance of contract or legitimate interest for support replies), transparency in your privacy policy (tell customers AI may be used to answer), and appropriate safeguards (data minimization, redaction of personal data before model calls, retention limits). Keloa is configured this way by default, so the only paperwork most teams add is a short clause in their privacy policy.

How do I honor a customer's request to delete their data?

In Keloa, find the customer in your contacts, click delete, confirm. The conversation history, the contact record, and any related audit-log entries are removed from active storage and propagated to backups within the standard retention window. You can also export the customer's data first if they requested portability. Both actions are one click and do not require a support ticket to our team.

What if my support tool is based in the US?

It can still be GDPR-compliant if it has standard contractual clauses in place and stores data in the EU, but you are taking on more risk. US-based vendors are subject to US law including the CLOUD Act, which can compel data disclosure regardless of storage location. For European businesses handling personal data of European customers, an EU-headquartered vendor with EU infrastructure removes that risk entirely. The tradeoff is usually worth it.

GDPR-compliant customer support, included.

Free Starter, signed DPA, EU hosting, public sub-processor list. Built so the compliance work is already done. Try it in ten minutes.