Tags: gdpr, ai, belgium, data-protection

GDPR and AI: what Belgian companies must check before feeding any tool personal data

Stéphane Willems · 6 min read

There's a conversation I have over and over with Belgian companies. It goes: "We started using an AI tool and it's brilliant — it processes our customer emails / screens our CVs / summarises our support tickets." And then I ask one question that changes the mood: "What personal data are you putting into it, and where does that data go?"

Usually, nobody knows.

This is the gap that matters. The EU AI Act gets all the headlines, but for most Belgian businesses the more immediate legal exposure isn't the AI Act at all — it's the GDPR, which has had teeth since 2018 and applies the moment your AI touches a single piece of personal data. And the Belgian Data Protection Authority made its position explicit: in December 2024 the GBA/APD published formal guidance on AI systems and the GDPR. They are watching this space.

I'm an engineer, not a lawyer — this isn't legal advice. But here's the practical version I give to the businesses I work with.


The core problem: AI tools are data processors you didn't vet

When you adopt a SaaS AI tool, you're usually sending data to a third party's servers. Under the GDPR, if that data includes personal data — names, emails, anything that identifies or could identify a person — you are the controller, the vendor is your processor, and that relationship comes with legal obligations attached.

The questions you're supposed to be able to answer:

  • What's the legal basis? You need a lawful reason to process personal data (consent, contract, legitimate interest…). "It made the work faster" is not a legal basis.
  • Where does the data go? If the AI vendor processes data outside the EEA, the GDPR's transfer rules (Chapter V) apply and you need a valid transfer mechanism: an adequacy decision (for US vendors, certification under the EU-US Data Privacy Framework) or standard contractual clauses. Many popular tools route data to the US.
  • Is it used to train the model? Some consumer AI tools use your inputs to improve their models. If you've pasted a customer's personal data in, you may have shared it in a way you can't take back.
  • Do you have a data processing agreement (DPA) with the vendor? For a processor relationship, Article 28 of the GDPR requires a contract with specific mandatory terms, and a reputable vendor will have a standard one ready.

Most Belgian SMEs using AI tools can't answer these for the tools their teams adopted informally. That's the real risk — not the official, vetted system, but the dozen unofficial ones.


The four things that actually get companies in trouble

In my experience, the exposure clusters around four mistakes.

1. Staff pasting personal data into public AI tools

Someone drops a customer list, a CV, or a contract into a free public chatbot to "clean it up." That data has now left your control and may be retained or used for training. This is the single most common one, and the cheapest to fix: a clear policy and a fifteen-minute briefing.

2. AI making decisions about people without oversight

The GDPR has specific rules (Article 22) about decisions made solely by automated means that significantly affect someone — think automated rejection of a job application or a loan. If an AI is making those calls with no meaningful human review, you have a problem that's both a GDPR issue and, often, an AI Act high-risk issue at the same time: recruitment and creditworthiness assessment are both listed in Annex III of the AI Act.

3. No transparency to the people affected

If you're using AI to process customer or employee data, those people generally have a right to know. "We process your data using automated tools including AI" is the kind of line that needs to be in your privacy notice — and often isn't. Where Article 22 decisions are involved, Articles 13 and 14 go further: you have to tell people that such decision-making exists and give meaningful information about the logic involved and its consequences for them.

4. Special-category data, handled carelessly

Health data, biometric data, data revealing ethnicity or beliefs — these are the special categories of Article 9, and processing them needs one of the Article 9 exceptions on top of an ordinary legal basis. An AI tool that touches any of it raises the stakes considerably. Recruitment AI is a frequent offender here, because CVs and interviews can surface special-category data without anyone intending it.


What the Belgian DPA's guidance signals

The December 2024 guidance from the GBA/APD doesn't invent new rules — it clarifies how the existing GDPR principles apply to AI. The signal underneath it is what matters: the regulator considers AI-and-personal-data a priority, and "we didn't realise the rules applied to AI" will not be a defence.

It also reinforces something I tell every client: the AI Act and the GDPR are two separate rulebooks pointing at the same systems. A recruitment AI can be high-risk under the AI Act and a significant automated decision under the GDPR. You don't get to pick one. You have to satisfy both.


The practical checklist

You don't need a legal department to get the basics right. You need to do this honestly:

  1. List every AI tool that touches personal data. Official and unofficial. Customer data, employee data, anything identifying a person. The unofficial ones show up in your web proxy or DNS logs, in browser extensions, and in the third-party apps staff have connected to your Microsoft 365 or Google Workspace tenant, so look there rather than relying on a survey.

  2. For each one, answer: where does the data go, and is it used for training? Read the vendor's terms. For business-grade tools you can usually turn off training-on-your-data and get an EU data residency option — but only if you check. Two caveats: the training default that is "off" on the business or API plan is often "on" for the free consumer plan your staff actually signed up with, and "EU hosting" says nothing about where the vendor's sub-processors and support staff sit, so read the sub-processor list as well.

  3. Get a data processing agreement in place with vendors who process personal data for you. Reputable tools offer one.

  4. Write the rule everyone needs: never paste personal or confidential data into a public/free AI tool. Use the approved, configured tools only. This one line prevents most incidents.

  5. Add AI to your privacy notice and make sure any AI that makes significant decisions about people has genuine human oversight, not a rubber-stamp.

  6. For anything involving special-category data or automated decisions about people, get proper advice. This is where the consequences are real.

Steps 1, 2, 4 and 5 you can do this month. They prevent the large majority of problems.
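Step 4 is a policy, but it can be backed by a technical control: a check that runs on text before it leaves for an AI API and flags the personal data people most often paste. The Python below is an added example, not code from this article or from WDC. It recognises e-mail addresses, Belgian national register numbers (validated with their real mod-97 control digits, including the "2" prefix used for people born from 2000 on) and Belgian IBANs (ISO mod-97 check), and redacts or blocks them. The regexes, function names and the sample prompt are constructed for this example; it is a pre-filter, not a complete DLP system, and a bare name or a free-text medical note would pass it untouched.

```python
"""Pre-send check for personal data headed to an AI tool.

Added example, not from the original article. Flags e-mail addresses,
Belgian national register numbers (rijksregisternummer) and Belgian IBANs
in a block of text so an internal proxy or plugin can redact or block it
before the text reaches a third-party model. Patterns, function names and
the sample text are constructed for illustration.
"""
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# National register number: YY.MM.DD-XXX.CC, separators optional.
RRN_RE = re.compile(
    r"\b(\d{2})[.\s]?(\d{2})[.\s]?(\d{2})[-\s]?(\d{3})[.\s]?(\d{2})\b"
)

# Belgian IBAN: "BE" + 2 check digits + 12 digits, optionally in groups of 4.
IBAN_RE = re.compile(r"\bBE\d{2}(?:\s?\d{4}){3}\b")


def valid_rrn(yy: str, mm: str, dd: str, seq: str, cc: str) -> bool:
    """Check the two control digits of a national register number.

    Control = 97 - (first nine digits mod 97). For people born in or after
    2000 the nine digits are prefixed with '2' before the division, so both
    variants are tried. Only the checksum is verified; date plausibility is
    deliberately not checked (BIS numbers shift the month field).
    """
    body = yy + mm + dd + seq
    for prefix in ("", "2"):
        if 97 - int(prefix + body) % 97 == int(cc):
            return True
    return False


def valid_iban(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters by their values (A=10 ... Z=35); the number mod 97 is 1."""
    compact = re.sub(r"\s", "", iban).upper()
    rearranged = compact[4:] + compact[:4]
    as_digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(as_digits) % 97 == 1


def find_personal_data(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) pairs, in the order email, RRN, IBAN.

    The checksums cut down false positives: an eleven-digit order reference
    is only reported if its control digits actually hold.
    """
    hits = []
    for m in EMAIL_RE.finditer(text):
        hits.append(("email", m.group(0)))
    for m in RRN_RE.finditer(text):
        if valid_rrn(*m.groups()):
            hits.append(("national_register_number", m.group(0)))
    for m in IBAN_RE.finditer(text):
        if valid_iban(m.group(0)):
            hits.append(("iban", m.group(0)))
    return hits


def redact(text: str) -> str:
    """Replace every detected item with a typed placeholder."""
    out = text
    for kind, value in find_personal_data(text):
        out = out.replace(value, f"[{kind.upper()}]")
    return out


def gate(text: str, allow_redacted: bool = True) -> tuple[bool, str]:
    """Decide whether text may leave: returns (ok, text_to_send).

    With allow_redacted=True the redacted text is released; with False any
    hit blocks the request outright, the right default for a public or
    consumer-grade tool with no DPA in place.
    """
    hits = find_personal_data(text)
    if not hits:
        return True, text
    if allow_redacted:
        return True, redact(text)
    return False, ""


# Constructed sample prompt: fictitious person, example.be domain, and the
# published IBAN test value BE68 5390 0754 7034.
SAMPLE = (
    "Hi, can you tidy this up?\n"
    "Applicant: Jan Peeters, jan.peeters@example.be, RRN 85.07.30-033.28\n"
    "Refund to BE68 5390 0754 7034. Order ref 12.34.56-789.00 (not an RRN).\n"
)

if __name__ == "__main__":
    for kind, value in find_personal_data(SAMPLE):
        print(f"{kind}: {value}")
    ok, outgoing = gate(SAMPLE, allow_redacted=False)
    print("blocked" if not ok else outgoing)
```

Run against the sample, the e-mail address, the national register number and the IBAN are flagged, the order reference that happens to look like a national register number is not (its control digits fail), and the applicant's name sails through, which is exactly why this kind of filter supports the one-line policy rather than replacing it.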


The honest bottom line

AI doesn't change GDPR — it just makes it incredibly easy to break, fast, at scale, by well-meaning staff who don't realise that pasting a spreadsheet into a chatbot is a data transfer with legal weight.

You don't need to ban AI. The companies that handle this well aren't the ones with the strictest rules — they're the ones who picked properly configured tools, wrote one clear policy, and made sure their team understood why. That's a few hours of work, and it's the difference between AI being an asset and AI being a liability sitting quietly in your inbox.


I write a short, practical newsletter on this exact intersection — GDPR, the EU AI Act, and senior engineering for Belgian businesses, in plain language. If that's useful, subscribe below.

And if you want someone to actually map which of your tools touch personal data and where it goes, that's part of what WDC's AI Readiness Audit covers — an honest, written review, no fear-selling.
