Dutch Privacy Regulator Draws GDPR Guardrails for Generative AI
Key Takeaways
- Two-Part GDPR Framework: The Dutch Data Protection Authority has issued legal guidance for generative AI developers and a practical checklist for organizations adopting the technology.
- Training Data Under Scrutiny: The guidance addresses legal bases, data-subject safeguards, indirect collection and the use of personal data in model training.
- Privacy Before Deployment: Organizations are expected to determine their GDPR obligations and necessary safeguards while generative AI projects are still being designed.
- Personal Data Should Not Be the Default: The AP advises organizations to first investigate whether generative AI can be used without processing personal information.
Deep Dive
The Dutch Data Protection Authority has published two documents on Monday. One provides GDPR guidance for developers of generative AI models. The other offers a practical checklist for organizations that want to purchase, implement and use the technology.
The publications move the AP’s earlier vision for responsible generative AI into the less forgiving territory of actual deployment. Principles are comparatively easy. Training data, legal bases and technical safeguards are where the trouble usually begins.
The guidance is intended for companies and other organizations that develop generative AI models or bear responsibility for their deployment. It provides the AP’s initial interpretation of how the General Data Protection Regulation applies to that work, addressing when personal data may be processed, which legal bases may be available and what safeguards are needed to protect the people whose information enters the system.
It also reaches into the machinery behind the model. The document considers how data is managed, cleaned, enriched and stored, along with the collection of personal information from sources other than the individuals concerned. The use of personal data to train AI models receives particular attention.
These are not marginal questions. A generative AI system may be acquired as a productivity tool, but its privacy implications depend on the information used to build it, refine it and operate it. Organizations processing personal data while developing or using such systems remain subject to the GDPR, regardless of how novel the technology may appear.
“Generative AI offers ample opportunities to increase productivity and accelerate innovation,” AP board member Katja Mur said. “For example, in healthcare, where new medicines could potentially be developed faster. But the same acceleration also applies to the scale and severity of the risks. Innovation is welcome, but it must be equipped with sturdy guardrails.”
The AP developed the guidance after consulting companies, scientists, civil society organizations and other experts. The regulator said the document reflects the current state of the art and is intended to remain aligned with the technological and societal developments surrounding generative AI.
Before the First Prompt
The companion checklist is aimed at the people who must decide what responsible deployment looks like inside an organization: privacy professionals, project managers and others accountable for a generative AI project. It walks them through three deceptively simple questions. Does the organization want to use generative AI? Can it? Is it allowed to?
The checklist then helps users identify the GDPR obligations that apply and the technical and organizational measures needed to address them. Its purpose is not merely to test a system at the end of procurement. The AP wants privacy considered while the project is still taking shape, when changing the design remains possible and the cost of doing so has not yet become an argument against it.
The regulator’s preferred starting point is avoidance. Organizations should first determine whether they can achieve their objective without processing personal data. If that is not possible, they must establish what processing is necessary and build the corresponding privacy protections into the project from the outset.
That sequencing places responsibility before adoption. The fact that a generative AI product can perform a task does not establish that an organization has a lawful basis for supplying it with personal information, or that every piece of data the system can ingest should be made available to it.
The AP is not presenting the guidance as the final word. It describes the document as an initial interpretation of the GDPR, grounded in the technology as it currently exists. Generative AI will continue to change, and the legal questions will change with it.
For developers and adopters, however, the immediate expectation is plain enough. They must understand what information their systems use, why they are entitled to use it and how the rights of the people behind that information will be protected. “The model needed the data” is not, by itself, an answer.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

