GDPR stands for General Data Protection Regulation. It is the EU regulation that sets out how organisations may collect, store, and process the personal data of people in the EU. It has applied since May 2018 and is enforced by national data protection authorities, with fines that can reach four percent of global annual revenue.
The Dutch translation of GDPR is AVG (Algemene Verordening Gegevensbescherming). GDPR and AVG are the same law, with the same rules and the same fines; only the name differs by language.
What GDPR actually requires
The full text is dense. The practical principles are clear. Personal data must be collected for a specific purpose, limited to the minimum needed for that purpose, kept only as long as needed, and protected appropriately. People have the right to know what is held about them, to correct it, to receive a copy, and in many cases to demand its deletion.
If you process data on behalf of someone else (you are a "processor", they are the "controller"), you must do so under a contract called a Data Processing Agreement, follow the controller's instructions, and disclose any sub-processors you use.
Why GDPR matters for AI customer support
Customer support conversations are full of personal data. Names, email addresses, order details, sometimes payment information, sometimes sensitive complaints. Any vendor processing those conversations on your behalf is a processor under GDPR. They must offer a DPA, name their sub-processors, and protect the data with adequate technical and organisational measures.
AI complicates this. Some AI providers train models on the data customers send them. That is a problem for GDPR because personal data ends up in a training corpus, possibly with no way to delete it later. Many vendors have updated their terms to exclude training on customer data, but the burden is on you to read the contract.
Data residency and transfers
If personal data leaves the EU, the controller must ensure adequate protection at the destination. After the Schrems II ruling, transferring to the United States requires additional safeguards or, easier, hosting in the EU to begin with.
This is why EU buyers ask "where is the data hosted" and "do you train on it". A vendor with EU hosting and a no-training policy answers GDPR by construction, instead of by paperwork.
In Keloa
In Keloa, data stays in the EU, we do not train on your conversations, and the DPA, sub-processor list, and data residency statement are all public. See security for the full posture.