lights-out.ai logo

GDPR, customer data and AI agents: the questions e-commerce leaders must ask

Bookshelf with legal references and data protection

AI in e-commerce is quickly becoming a data protection issue. It starts innocently enough. An agent summarises customer support cases. An internal tool analyses orders. But the moment personal data is processed, responsibilities, instructions, security and sub-processors must be clearly defined. This is not legal formalism. It is operational hygiene.

Why data protection is an operational question

E-commerce companies handle customer data, order history, addresses, payment-related information, support cases, returns and sometimes sensitive commercial patterns. When AI systems gain access to that data, the company needs to know where the data is processed, who can see it, what the model is allowed to do and what happens when the contract ends.

Eight questions to ask before AI goes live

1. Who is the data controller and who is the processor? If a supplier processes personal data on your behalf, a data processing agreement is normally required. The agreement should describe the subject matter, duration, nature, purpose, types of data and categories of data subjects.

2. Which sub-processors are used? Cloud providers, model providers, logging, support and infrastructure may all be sub-processors. They must be known, approved and bound by equivalent protections.

3. Is data processed only according to documented instructions? An AI supplier should not use customer data for its own purposes, training or product development unless this is explicitly agreed and lawful. Instructions must be documented.

4. Where is data stored and processed? EU/EEA, third-country transfers, model APIs and support access must be clear. "We use AI" is not an answer.

5. What is logged? Too little logging makes the system impossible to audit. Too much logging can create new data protection risks. Balance is needed: traceability without unnecessary data duplication.

6. Who does the agent act on behalf of? An agent that only suggests text has one risk profile. An agent that writes back to customer, order or finance systems has a completely different one. Permissions must be restricted.

7. How are incidents handled? Who alerts whom? How quickly? What counts as a personal data breach? What logs exist? Who assists with investigation?

8. What happens at termination? Personal data should be deleted or returned according to the agreement, unless law requires continued storage.

Regulatory context and AI Act

This aligns with what both IMY and the EDPB highlight regarding data processing agreements: instructions, confidentiality, security, sub-processors, assistance, audits and deletion or return at contract end.

The AI Act also means more organisations need to think structurally about transparency, human oversight and risk classification. Not all e-commerce workflows are high-risk, but the discipline is useful regardless.

The point

AI projects should not be stopped by data protection. But they should not be smuggled in alongside it either.

Built correctly, AI can make e-commerce work faster, safer and more traceable than today's manual exports and informal routines. But only if platform, contracts and operating model hold together from the start.

That is why SafeZone and GuardRails exist in lights-out.ai. Not to make AI slow. But to make it possible to use AI where it actually matters.