
AVG and AI Act disclosures: 11 things the AP checks first

The Autoriteit Persoonsgegevens does not open a chat-agent investigation by reading your privacy policy. It opens the chat. Here is what it checks, in order.

Jacob Molkenboer · Founder · A Brand New Company · 10 Jun 2026 · 8 min

The letter arrives on a Tuesday. Two pages, Helvetica, Autoriteit Persoonsgegevens letterhead. "We received a complaint about an automated response from your customer support system." The founder of a thirty-person Dutch SaaS reads it twice, then opens the chat agent they shipped four months ago and starts a session. The AP, in their browser, has already done the same.

This is how an AVG investigation into a customer-facing chat agent actually begins. Not with the privacy policy. With the product. The privacy policy gets read on day three, after the investigator has formed a view. By then, the order in which they checked things is the order that matters to you.

What follows is the field-tested ranking. Eleven obligations, sequenced the way the AP and (from August 2026) the AI Office tend to walk the surface of a customer-facing agent that makes automated decisions. The decisions in question are the ordinary ones: approving a refund, rejecting a discount code, routing a ticket, scoring a lead, choosing which document to send. A B2B SaaS under twenty million in revenue is the case I keep in mind.

1. The "you are talking to an AI" disclosure at session start

Article 50 of the EU AI Act, which applies from 2 August 2026, requires that any natural person interacting with an AI system is informed of that fact, unless it is obvious. "Obvious" is doing more work than it can carry. A chat widget in the corner of a SaaS dashboard with a friendly first name is not obvious. The AP opens here because it takes ten seconds to test. Either the first turn says so, or it does not.

The good version is one sentence in the first bot message, before the user has typed anything. The bad version is a tooltip on a question-mark icon next to the avatar.

2. A working human-handover route

Article 22(3) AVG gives a data subject the right to obtain human intervention on a decision based solely on automated processing. The EDPB Article 22 guidance is clear that the intervention has to be meaningful, not theatrical. The AP tests this by typing "I want to speak to a person". If the agent answers "I can help you with that" and continues, the obligation is not met. Routing the message to a closed Slack channel nobody reads also does not count.

The handover must be reachable in one or two turns, must take the user out of the automated path, and must not require the user to know the magic phrase.

3. Article 13/14 notice coverage of the AI step

By the time the investigator reads your privacy policy, they already know what the agent does. They are looking for matching language. The policy must name the AI processing, identify it as automated decision-making where applicable, and explain the purposes and the consequences. Generic "we may use third-party tools" copy fails.

A practical pattern: a short, named section in the privacy policy ("Our AI assistant"), linked from the first message the chat widget posts.

4. Meaningful information about the logic

Articles 13(2)(f), 14(2)(g) and 15(1)(h) require meaningful information about the logic of automated decision-making, plus its significance and envisaged consequences. This is the obligation the industry has misread most. "Meaningful" does not mean "the system uses a large language model". It means the user can understand, at the level of a non-engineer, what factors drove the decision.

For a refund-approval agent, that means naming the categories the model uses: order age, product category, purchase-value bracket, prior refund history. Not the weights. The categories. If you swap the underlying model and the categories shift, the notice has to shift too. Hidden model changes are a real risk on managed APIs, and the user has a right to know when the thing deciding their refund stopped being the same thing.

5. A current DPIA

Article 35 AVG requires a Data Protection Impact Assessment for high-risk processing, which the AP has consistently interpreted to include automated decisions affecting a customer's access to a service. Their algorithm and AI guidance is the document to read first.

The DPIA does not need to be a forty-page master's thesis. It needs to be on file, dated, signed off, and to address necessity, proportionality, risks to data subjects, mitigations, residual risk. If the agent's behaviour materially changed (a model swap, a new tool the agent can call, a new data source it can read), the DPIA needs a revision date.

6. The LLM provider as named sub-processor

If your agent runs on Anthropic, OpenAI, Google, Mistral or anyone else, that provider is a sub-processor under Article 28. The AP checks that you have a signed DPA with them and that the provider is listed by name on your sub-processor page. "Various AI services" does not pass.

Bedrock, Vertex and Azure OpenAI add a layer. The cloud provider is the direct sub-processor and the model provider sits behind them, which needs to be reflected accurately. Worth re-checking after any platform-side policy change, because what gets shared with whom upstream is not always stable.

7. A lawful cross-border transfer mechanism

If inference happens outside the EEA, the AP wants to see your Article 46 mechanism. For most teams that means Standard Contractual Clauses with the provider, plus a Transfer Impact Assessment that addresses US government access. The EU-US Data Privacy Framework helps but is not unconditional and the Schrems II shadow has not fully lifted. Hosting in the provider's EU region is the cleanest fix when available, and most major providers now offer it.

8. ROPA entries for the AI processing

Article 30 ROPAs that predate the AI launch and were never updated are the most common finding in any AP file I have seen. The ROPA must include the AI processing as a distinct entry with its own purpose, legal basis, recipients, retention, and transfers. The AP asks for the ROPA early, because comparing it against the live product surfaces every other gap on this list.

Warning

The single most common finding is not a missing policy. It is a stale ROPA. The product changed, the document did not, and the gap between them tells the investigator the entire story.

9. A real opt-out from training-data use

Most major LLM APIs do not train on enterprise inputs by default, but users have a right under Article 21 to object to processing, and the AI Act reinforces the expectation that consumers know what their conversation is and is not used for. The AP looks for a clear statement of training-data status at the chat surface, not buried in a sub-page that nobody opens.

10. Cookie and tracking consent for the widget

The chat widget often loads from a third-party domain, drops cookies, and starts a session id before the user has typed anything. Under the Telecommunicatiewet, the Dutch implementation of ePrivacy, that requires prior consent for anything beyond strictly necessary cookies. The AP and the ACM both look at this and the ACM has been more aggressive about it through 2025-2026 than the AP itself.

11. Incident logging for AI-specific failures

Most SaaS chat agents are not high-risk AI systems under Annex III of the AI Act, so the formal AI Act incident-reporting obligation does not bite. Article 32 AVG still applies. A hallucinated refund denial that cites a non-existent policy clause is a data-accuracy incident under Article 5(1)(d). The AP increasingly asks: do you have a log, can you produce it, did the user receive a correction?

The civil-liability frontier is moving alongside the regulatory one. European courts are starting to settle who owns a statement an AI system makes about a customer. If your agent invents a fact about a person's account, the question of liability is being decided in active litigation, not in a future white paper. The cheapest defence is a log that shows you noticed and corrected.

A five-minute audit you can run today

Open your own chat agent in a private window. Type "I want to speak to a human". Then type "what are you". Then ask it to make a decision a user might want reversed: "cancel my subscription", "refund my last invoice". Read the privacy policy in another tab while you do this. The gap between what the agent does and what the policy says is the gap an investigator will document.

When we built the support agent for one of our SaaS clients, the obligation that bit hardest was number four, the meaningful-information one. The honest version of "what factors drove this decision" was hard to write without leaking the system prompt, and the lawyerly version was hard to write without being useless. We ended up shipping a short user-facing decision card that names the categories and links to a longer note for anyone who wants the detail. If you are designing similar surfaces, our AI agents work starts with exactly this question.

Key takeaway

The AP audits a chat agent in the order a user meets it: disclosure first, human handover second, written policy third. Build for that order.

FAQ

Does the EU AI Act apply to a small Dutch SaaS chat agent?

Yes. Article 50 transparency duties apply to any provider or deployer of an AI system that interacts with natural persons, regardless of company size, from 2 August 2026.

Is a customer-support chat agent a high-risk AI system?

Usually no. Most support agents fall outside Annex III. They still trigger AVG obligations, including Article 22 if they make solely automated decisions with significant effects.

Do we need a DPIA if our agent only answers questions?

If it can also decide things (approve, reject, route, score) that affect a user's access to a service, the AP expects a DPIA. Pure Q&A without decisioning is a weaker case.

Can we list the LLM provider as 'various AI tools' on our sub-processor page?

No. Article 28 requires the sub-processor to be identifiable. Name the provider, the service, and the region. Update the page when you change provider.

What is the first thing to fix if our budget for compliance is tiny?

Add the AI disclosure to the first bot message and make sure 'speak to a human' actually works in one or two turns. These are the two checks the AP runs first and they cost an afternoon.
