EU AI Act & GDPR Legal Advisory for Companies in Germany
Who helps with EU AI Act compliance in Germany?
Compound Law is an EU AI Act law firm based in Germany advising companies and startups across the DACH region on AI Act obligations, GDPR compliance, AI vendor due diligence, and high-risk AI system conformity. We provide readiness assessments, contract review, and ongoing legal counsel tailored to your sector.
- Compound Law advises companies in Germany on EU AI Act compliance, GDPR obligations, and AI regulatory requirements.
- Services include AI Act readiness assessments, high-risk system classification, DPA review, and works council advice (BetrVG §87).
- We work with startups, pharma companies, fintechs, healthcare providers, and telecoms across Germany and the DACH region.
Compound Law advises companies in Germany and the DACH region on EU AI Act compliance, GDPR obligations, and AI vendor due diligence. Whether you are deploying AI tools internally, building AI-powered products, or preparing for regulatory scrutiny, our team provides the legal clarity you need — from first assessment through to ongoing counsel.
This is a page about our legal services, not a compliance guide. If you want a general introduction to the EU AI Act, see our AI Act by industry overview. For GDPR documentation requirements, see our guide on data processing agreements under Article 28.
What We Help With
EU AI Act Readiness Assessments
The EU AI Act imposes obligations based on the risk class of an AI system — not on whether a company is a developer or a user. Many businesses that purchased AI tools off the shelf still carry obligations as deployers under the Act, particularly if those systems fall within the high-risk categories of Annex III.
A readiness assessment with Compound Law covers:
- Inventory and classification: mapping every AI system in use or in development against the EU AI Act risk taxonomy — prohibited practices, high-risk systems, limited-risk systems, and minimal-risk tools
- Obligation gap analysis: identifying which conformity requirements apply and where your documentation, governance, and technical measures fall short
- Registration obligations: for high-risk AI systems, assessing whether registration in the EU AI database is required and preparing the relevant documentation
- Action plan: a prioritized, written legal opinion with timelines and ownership
The assessment output is a document you can present to your board, your DPO, or a supervisory authority if questions arise.
GDPR and AI Vendor DPA Review
Deploying an AI tool almost always involves transferring personal data to an external processor. Under Article 28 GDPR, a valid data processing agreement (DPA) is legally required before any such transfer. We review AI vendor DPAs for:
- Adequacy of the data minimization and purpose limitation clauses
- Standard Contractual Clauses (SCCs) for international data transfers
- Sub-processor lists and consent mechanisms
- Vendor data retention and deletion commitments
- AI-specific risks: model training on input data, opt-out mechanisms, and residual data exposure
We also draft and negotiate DPAs where the vendor’s standard contract is insufficient for your risk profile.
High-Risk AI System Classification and Conformity Preparation
If your company develops or deploys a high-risk AI system as defined in Annex III of the EU AI Act — in areas such as employment screening, credit scoring, medical devices, biometric identification, or critical infrastructure — you face a structured set of technical and legal obligations:
- Technical documentation (Article 11)
- Conformity assessment (Article 43)
- CE marking (where applicable)
- Registration in the EU AI database (Article 49)
- Post-market monitoring and incident reporting
Compound Law works alongside your technical team to align documentation requirements with your actual system architecture, and we advise on the conformity assessment pathway that fits your product.
Works Council and Employment Law for AI Tools (BetrVG)
Under §87(1) No. 6 of the Betriebsverfassungsgesetz (BetrVG), works councils in Germany hold co-determination rights over any technical system capable of monitoring employee behavior or performance. Many AI tools — from productivity tracking software to AI-assisted email management — trigger this obligation.
We advise employers on:
- Whether a specific AI tool or internal deployment triggers BetrVG §87 co-determination rights
- Negotiating Betriebsvereinbarungen (works agreements) that govern the use of AI tools
- Structuring AI deployments to reduce friction with works councils
- Employee monitoring compliance under the GDPR and the EU AI Act
This is an area many compliance programs overlook until the works council raises a formal objection — at which point the deployment is already running.
Who We Work With
Compound Law advises companies at different stages and in multiple sectors across Germany and the DACH region:
Startups and scale-ups building AI-powered products need early-stage legal architecture that scales. We help founders understand their obligations before a product launch, not after a regulatory inquiry.
Pharmaceutical and life sciences companies deploying AI in clinical research, diagnostic support, or drug discovery face the intersection of the EU AI Act and the Medical Device Regulation. Our pharmaceuticals AI Act guide explains the sector-specific framework.
Financial services and fintech companies using AI in credit scoring, loan approval, fraud detection, or portfolio management are among the most exposed to high-risk AI classification. See our insurance sector overview for sector context.
Healthcare providers and health tech companies face overlapping obligations under the EU AI Act, GDPR, and relevant sectoral regulation.
Professional services, legal firms, and consultancies deploying AI in document analysis, research, or client-facing tools have data protection and confidentiality obligations that require careful structuring.
Telecoms and infrastructure companies operating AI systems in critical infrastructure sectors may face additional obligations under the EU AI Act’s category definitions.
How Compound Law Approaches AI Compliance
We treat AI compliance as a structured legal project, not a checkbox exercise. Our engagement process follows three phases:
Phase 1 — Scoping and assessment (2–4 weeks): We map your AI footprint, classify each system under applicable regulation, and identify the gap between your current state and your obligations. This produces a written legal assessment with a prioritized action plan.
Phase 2 — Documentation and implementation (4–12 weeks, depending on scope): We draft or review the legal documents your deployment requires: DPAs, technical documentation, Betriebsvereinbarungen, data protection impact assessments (DPIAs), and internal governance policies. Where vendor contracts require renegotiation, we lead that process.
Phase 3 — Ongoing advisory (retainer): Regulation evolves. Delegated acts, supervisory guidance, and enforcement decisions continuously refine what compliance actually requires. Our retainer clients receive proactive updates and on-demand advice as the regulatory landscape develops.
We also offer self-contained fixed-fee engagements for companies that need a specific deliverable — an AI Act readiness assessment, a single DPA review, or a works council consultation — without committing to ongoing advisory.
Explore our full range of legal tools and guides to understand what compliance documentation your AI deployment requires before our first conversation.
Frequently Asked Questions
Does my company need a lawyer for EU AI Act compliance?
Not every company needs ongoing legal counsel, but any business deploying AI systems that may qualify as high-risk under Annex III of the EU AI Act — in HR, credit, healthcare, biometric identification, or critical infrastructure — faces mandatory conformity obligations that require legal and technical expertise to navigate correctly. Companies that rely solely on vendor assurances or generic compliance templates run significant enforcement risk.
What does an EU AI Act readiness assessment include?
An EU AI Act readiness assessment covers four areas: inventory of AI systems in use or under development, classification of each system against the EU AI Act risk tiers (prohibited, high-risk, limited risk, minimal risk), gap analysis against the applicable obligations (technical documentation, conformity assessment, registration in the EU AI database), and a prioritized action plan. The output is a written legal opinion with clear next steps.
How long does it take to become EU AI Act compliant?
Timeline depends on your AI footprint. A startup deploying a single limited-risk AI tool may achieve compliance-ready status within four to eight weeks. An enterprise with multiple high-risk AI systems across departments typically requires three to six months for full documentation, internal governance, and conformity preparation. Compound Law provides a realistic timeline assessment in the first engagement.
Do you offer fixed-fee AI compliance packages?
Yes. Compound Law offers fixed-fee packages for defined scopes including initial AI Act readiness assessments, DPA review for a specific AI vendor, and BetrVG works council consultation packages. Ongoing advisory retainers are billed on a monthly basis. Contact us for a scoping call and a tailored fee proposal.
This page describes Compound Law’s legal services. It does not constitute legal advice. Every company’s AI Act obligations depend on the specific systems deployed, the data processed, and the sector of operation. For advice specific to your situation, speak with a qualified legal professional.
Ready to assess your AI compliance position? Contact Compound Law for a scoping call. We advise companies across Germany, Austria, and Switzerland on EU AI Act readiness, GDPR compliance, and AI vendor due diligence.