In August 2024, the Autoriteit Persoonsgegevens — the Dutch Data Protection Authority, known as the Dutch AP — handed Uber a €290 million fine for transferring European driver data to servers in the United States without a valid legal mechanism. The data involved was not particularly exotic: location history, identity documents, pay records, driving records, tax files. The kind of data any employer holds about its workforce. The violation was that it crossed the Atlantic without the paperwork to make it legal.
Most Dutch sales leaders read that headline and moved on. Ride-hailing, right? Not their problem. But the Dutch AP's 2025 enforcement priorities tell a very different story — one in which the category of software your revenue team uses every day is explicitly named as a target. If your commercial team uses a call intelligence tool, a conversation recorder, or an AI sales assistant built and hosted in the United States, this article is for you.
What the Uber fine actually means for B2B software
The Uber ruling is not primarily a story about employment law or gig-economy ethics. It is a story about data transfer architecture. Uber's violation was structural: the company routed European employee data — collected in the Netherlands and France — to US-based infrastructure that lacked a lawful transfer agreement for a period spanning more than two years after the Schrems II ruling invalidated the EU-US Privacy Shield in July 2020.
The Dutch AP reached this case because Dutch and French drivers filed complaints. In 2023 alone, the AP handled over 21,400 complaints — a volume that ranks it among the busiest supervisory authorities in Europe. That workload is not shrinking. The authority has expanded its enforcement capacity and published increasingly specific priority lists. The complaint pipeline is open to employees, customers, and competitors alike.
Now consider what a modern AI sales tool does. It joins your sales calls. It records and transcribes conversations in which real people — your reps, your prospects, your customers — are identified by name, voice, title, and company. It stores timestamped call data, deal stage information, objection logs, and coaching scores. In the context of EU data protection law, virtually every output of a conversation intelligence platform constitutes personal data about identifiable individuals.
When that data is processed on servers in the United States — which it is, for the majority of market-leading sales intelligence tools — you face the same structural question that cost Uber €290 million: what is the lawful basis for that transfer, and can it withstand scrutiny if the Dutch AP comes knocking?
The Dutch AP's 2025 enforcement hit list — and why your sales stack is on it
The Autoriteit Persoonsgegevens publishes annual enforcement priorities, and the 2025 edition is unusually specific. The authority has identified several categories of technology for active investigation, and the overlap with modern revenue tooling is not accidental.
The AP's stated priorities for 2025 include remote-work productivity tools that use productivity logs, screen capture, keystroke tracking, and location data. They include AI systems that make automated or semi-automated decisions about individuals. They include cross-border data transfers to the United States, Asia, and other countries that lack an adequacy decision from the European Commission. And they include the use of commercial data enrichment services — the data broker layer that feeds many CRM and sales intelligence platforms.
An AI meeting assistant that records calls, transcribes speech, scores rep performance, and logs data to a US-hosted CRM touches every one of these categories. The productivity log dimension is particularly significant: when an AI tool scores a sales rep's talk-to-listen ratio, flags objection-handling gaps, and feeds that score to a manager dashboard, it is generating a performance assessment of an employee from automated monitoring. That is exactly what the AP has said it will examine.
The Netherlands is not operating in isolation. The Dutch AP is a member of the European Data Protection Board and coordinates its enforcement with other national authorities. A finding by the AP that a particular data transfer architecture is unlawful creates precedent and momentum for similar actions in Germany, France, and across the EU. Dutch enforcement actions have a history of propagating across the bloc.
Sales intelligence tools under the microscope: Gong, Chorus, and the transfer problem
The dominant conversation intelligence platforms in the European B2B market — Gong, Chorus (now part of ZoomInfo), Clari, and their peers — were built in the United States for US sales teams. Their data architecture reflects that origin. Gong stores all customer data in the United States, regardless of where the customer is headquartered or where the calls take place.
Gong is not operating without a legal transfer mechanism. The company holds EU-US Data Privacy Framework (DPF) certification, which the European Commission adopted in July 2023 as the successor to the invalidated Privacy Shield. It also maintains Standard Contractual Clauses (SCCs) for EEA-to-US transfers. On paper, those instruments provide a lawful basis for the data flow.
The problem is that neither instrument is stable. The DPF is under active legal challenge before the Court of Justice of the European Union. A complaint filed by privacy advocacy group noyb — the same organisation that drove the Schrems I and Schrems II rulings — reached a significant procedural milestone in March 2026 when the CJEU agreed to hear the appeal. If the DPF is invalidated — as both its predecessors were — every European company relying on DPF certification as its transfer mechanism will need an immediate alternative.
The SCC backstop is not airtight either. SCCs require companies to conduct a Transfer Impact Assessment (TIA) — a documented analysis of whether the legal environment in the destination country adequately protects the transferred data. The Dutch AP and other supervisory authorities have been clear that a TIA must be a genuine assessment, not a checkbox exercise. For transfers to the United States, the TIA must grapple seriously with the US CLOUD Act.
A Transfer Impact Assessment is a documented analysis required before personal data is transferred from the EEA to a country without an adequacy decision. The TIA must assess the legal framework in the destination country, specifically whether public authorities there can access the transferred data in ways that would undermine the protections afforded by the SCCs or other transfer mechanism. For transfers to the United States, the TIA must address the reach of the US CLOUD Act, FISA Section 702, and Executive Order 12333. A TIA that concludes US transfers are safe without engaging with these instruments is unlikely to satisfy the Dutch AP.
The CLOUD Act double exposure: why EU data centers are not enough
A common response from US software vendors to European compliance concerns is to offer EU data residency: your data stays on servers physically located in Ireland, the Netherlands, or Germany. This is a meaningful improvement over pure US hosting, and it removes some jurisdictional risk. But it does not resolve the CLOUD Act problem, and EU sales teams need to understand why.
The Clarifying Lawful Overseas Use of Data Act, signed into US law in 2018, allows US law enforcement and intelligence agencies to compel US-incorporated companies to produce data held anywhere in the world — including on servers located in EU member states. The obligation runs with the corporate structure, not with the geography of the server rack. A US company operating an EU data center remains a US company for CLOUD Act purposes.
This means that when you route call recordings, deal intelligence, and rep performance data through a US-headquartered SaaS vendor — even one with EU data centers — that data is accessible to US government agencies under CLOUD Act orders, without your knowledge and without notification to EU supervisory authorities. The Dutch AP and the European Data Protection Board have flagged this as a systemic risk that cannot be fully mitigated by SCCs or DPF certification alone.
A 2024 analysis of AI agent implementations in European companies found that 73% had GDPR vulnerabilities traceable to cross-border data transfer architecture — primarily the CLOUD Act exposure embedded in US-provider contracts that companies had not adequately assessed. The Uber fine made that abstract risk concrete. The Dutch AP is now equipped, motivated, and funded to pursue it.
The range of actual GDPR fines for AI tools and chatbots in 2024 ran from €35,000 to €1.5 million for individual violations — well below Uber's €290 million ceiling, but substantial enough to materially damage a mid-market company's finances and, more significantly, its ability to operate certain tools while under investigation. The AP can also issue temporary processing bans while investigations are underway, which means the business disruption risk exceeds the fine risk.
What Dutch companies must do right now
The starting point is an honest audit. Most Dutch sales organisations do not have a complete picture of where their commercial data is processed, by which vendors, under what transfer mechanisms, and with what sub-processors downstream. That gap is the first thing the AP will probe in any investigation.
Walk your sales stack systematically. For every tool that touches personal data — call recording platforms, CRM, email sequencers, deal intelligence tools, AI meeting assistants — answer four questions: Where is the data stored? What is the legal transfer mechanism? Is there a signed Data Processing Agreement in place? Who are the sub-processors, and where do they operate?
For US-hosted vendors, the next step is a Transfer Impact Assessment. This is not a vendor-supplied document — it is your organisation's analysis of the legal environment in the destination country, the nature of the data being transferred, and the realistic risk of government access. The Dutch AP has published guidance on what constitutes a credible TIA. If your vendor has provided a template, treat it as a starting point, not a conclusion.
The Dutch government's own approach to AI governance provides a useful benchmark for the level of rigor expected. The Ministry of Finance launched an algorithmic control research framework in July 2023 covering governance, privacy, data and model risk, and information security. The Dutch government maintains a public algorithm register cataloguing over 700 algorithms used by government bodies. The implicit message is that the same standard of transparency and documented accountability the government applies to its own systems is the standard it will expect from private organisations subject to the AP's oversight.
The 2018 childcare benefits scandal — in which a discriminatory government algorithm falsely accused thousands of Dutch parents of fraud — created lasting political pressure for rigorous AI oversight. That pressure has institutional form now. The AP is funded, staffed, and politically supported to enforce it.
The path to compliance: a practical checklist
Compliance with the Dutch AP's enforcement priorities is achievable. It requires documentation, contractual discipline, and — in some cases — architectural change. Work through the following steps systematically.
- Map your data flows. Identify every tool in your sales and RevOps stack that processes personal data. Include CRM, call recording, email tools, sales engagement platforms, and any AI assistant with access to customer data. Document where each tool stores data and the name of its data processor entity.
- Audit transfer mechanisms. For each US-hosted tool, confirm whether the vendor relies on DPF certification, SCCs, or both. Download the current DPA and check whether it explicitly addresses the CLOUD Act. Note that DPF certification alone is insufficient given the pending CJEU appeal filed in March 2026.
- Conduct Transfer Impact Assessments. For high-risk transfers — particularly call recording and real-time call analysis, where the data is sensitive and the volume is high — complete a documented TIA. Engage your legal counsel or a GDPR specialist. File the TIA with your Record of Processing Activities.
- Establish a documented legal basis. For each processing activity, document your legal basis under Article 6 GDPR. For internal coaching use of call recordings, legitimate interest is the most common basis, but it requires a Legitimate Interest Assessment. Consent is cleaner but harder to operationalise at scale.
- Review sub-processor chains. Every SaaS vendor uses third-party infrastructure — transcription APIs, cloud storage, AI inference providers. GDPR requires you to know who these sub-processors are and where they operate. Ask your vendors for their current sub-processor list. Some use transcription or AI providers that introduce their own US transfer exposure.
- Evaluate EU-sovereign alternatives. For processing activities where the transfer risk is unacceptable — typically those involving employee performance data or sensitive customer conversations — consider switching to vendors with no US parent company, no CLOUD Act exposure, and data processing entirely within the EU. Dutch providers such as GLBNXT (ISO 27001 certified, NIS2-compliant) and Leaf Cloud (ISO 27001, SOC 2 Type II, pursuing HAVEN+ certification) offer sovereign cloud infrastructure. For AI sales tooling, Numi is built specifically for this environment.
- Update your privacy notices. If you collect call recordings from prospects or customers, your privacy notice must describe the processing, the legal basis, the retention period, and the transfer mechanism. Many EU companies are running outdated notices that predate both the DPF and the current generation of AI tools.
- Set a review cadence. The regulatory environment is moving fast. DPF certification status, CJEU case timelines, and Dutch AP enforcement priorities all change on a twelve-month cycle. Schedule a compliance review of your sales data architecture at least annually, and assign ownership to a named person in your organisation.
The costs of getting this wrong are no longer hypothetical. The Dutch AP has demonstrated with the Uber ruling that it will pursue large fines for systemic transfer violations. It has signalled through its 2025 priorities that AI tools — including the kind of revenue intelligence software most Dutch B2B companies now use — are explicitly in scope. The window for proactive remediation is open. It will not stay open indefinitely.
Revenue teams that get ahead of this are not just avoiding risk. They are building a durable competitive position. Increasingly, enterprise buyers in the Netherlands and the broader EU are asking vendors to demonstrate that their data practices are compliant before signing. Being able to say that your sales intelligence infrastructure runs entirely on EU-sovereign infrastructure, with no CLOUD Act exposure and a documented TIA on file, is a commercial differentiator — not just a legal nicety.
For a broader look at how EU sales teams can build a modern, compliant revenue intelligence stack, see our overview of how Numi is built for EU teams.