
AI for Law Firms in Germany: Tools, Compliance, and BRAO

Short answer

German law firms can use AI tools for legal research, contract review, document drafting, and client intake — provided they address professional secrecy under BRAO, GDPR compliance, and appropriate human oversight. The question is not whether AI is permissible, but how to deploy it defensibly.

  • BRAO Section 43a (confidentiality) and Section 43e (external service providers) are the primary professional law constraints.
  • Every AI tool processing client data requires a DPA, cross-border transfer assessment, and sub-processor review.
  • AI tools are legally usable for many law firm workflows — but require a documented operating model and human review.

AI for law firms in Germany is a practical and legally viable option — but not without constraints. German lawyers, managing partners, and law firm technology teams need to navigate professional secrecy obligations under the BRAO, GDPR data protection rules, and the professional responsibility to supervise AI-generated work. This guide covers what German law firms are actually using AI for, what the rules say, and how to deploy AI tools in a way that is defensible under German and EU law.

How German Law Firms Are Using AI

AI adoption in German law firms has accelerated since 2023. The practical use cases cluster around several core workflows:

  • Legal research and case analysis — summarising case law, searching precedents, extracting relevant holdings from long judgments
  • Contract review and drafting — identifying unusual clauses, generating first drafts of standard commercial agreements, redlining and comparison
  • Client intake and document triage — routing documents, extracting key facts from client-provided files, intake questionnaires
  • Internal knowledge management — searching internal document archives, precedent banks, and matter files
  • Billing and time entry support — generating narrative descriptions from time logs and file notes

Most German law firms that have moved beyond experimentation use AI in a tiered model: general, non-client-specific tasks in one tier, and carefully scoped client-matter tasks in another. The more sensitive the matter, the more restricted the AI access.

What German Professional Rules Say About AI — BRAO and BORA

The Bundesrechtsanwaltsordnung (BRAO) is the primary professional conduct framework for German lawyers. It does not prohibit AI use, but it creates obligations that directly affect how AI may be used in legal practice.

Section 43a BRAO — Confidentiality

The core confidentiality obligation covers all information entrusted to the lawyer in the course of professional activity. When an AI tool is an external service, any transfer of confidential client data to that tool must be consistent with this obligation. The Bundesrechtsanwaltskammer (BRAK) confirmed in its December 2024 AI guidance that professional secrecy analysis is required before deploying AI tools that process matter-related information.

Section 43e BRAO — Outsourcing to External Service Providers

Where a lawyer engages an external provider to process confidential information, Section 43e requires a written contract that:

  • commits the provider to confidentiality
  • limits processing to the agreed purpose
  • includes deletion or return of data after the engagement
  • ensures the provider’s employees are bound by equivalent secrecy obligations

For practical purposes, this means an AI vendor agreement for a law firm must go further than a standard GDPR DPA. The Section 43e content is an additional layer on top of data protection law.

Berufsordnung für Rechtsanwälte (BORA)

The BORA imposes further conduct obligations including competence requirements. A lawyer who uses AI-generated legal analysis without review risks violating their duty of diligent professional conduct. Delegating judgment to an AI system does not transfer liability.

GDPR and DSGVO for Law Firms Using AI

Alongside professional conduct rules, German law firms face GDPR obligations any time client data — which almost always includes personal data — is processed by an AI tool.

DPA Requirements

If an AI provider processes personal data on behalf of the law firm, the firm is typically the data controller and the provider the processor. This requires a data processing agreement (DPA) or Auftragsverarbeitungsvertrag (AVV) under Article 28 GDPR.

The DPA must address:

  • subject matter and duration of processing
  • nature and purpose of processing
  • type of personal data and categories of data subjects
  • obligations and rights of the controller
  • sub-processor chains and approval mechanisms
  • deletion or return of data on termination

Most enterprise AI vendors (OpenAI, Anthropic, Microsoft, Google) provide DPA templates. However, signing a DPA is not the same as having a compliant processing arrangement. Firms must verify the actual data flows match what the DPA describes.

Cross-Border Transfers

Many AI providers process data outside the EEA, or use sub-processors located outside the EEA. This triggers Chapter V GDPR requirements for international transfers. The primary legal mechanisms are Standard Contractual Clauses (SCCs) and adequacy decisions. Firms should ask each AI vendor:

  • Where are prompts, files, and outputs processed or stored?
  • Which sub-processors are involved, and where are they located?
  • Is EU/EEA data residency available, and at what level (infrastructure vs. logical)?
  • Does the vendor use data for model training, and how is this controlled?

Data Protection Impact Assessments

Where AI processing creates a high risk to individuals — for example, large-scale processing of sensitive personal data, systematic profiling, or automated outputs that affect individual rights — an Article 35 GDPR DPIA may be required. Law firm AI deployments involving client health data, criminal records, or employee personal data in volume warrant careful analysis.

Best AI Tools for German Law Firms

German law firms are using AI tools across several categories. Each category has different compliance implications.

  • Perplexity Enterprise — web-based research with cited sources; enterprise version offers data protection controls and DPA. Suitable for open legal research, not for loading confidential matter documents.
  • Lexis+AI, Westlaw AI — established legal database providers with AI search layers; contractual frameworks designed for professional use

AI for Contract Review and Drafting

  • Claude Enterprise (Anthropic) — strong analytical and drafting capabilities; enterprise DPA available, EU data residency options. Suitable for contract analysis when configured correctly. See the Claude Enterprise legal guide for procurement details.
  • GPT-4 via OpenAI API — widely used for document drafting; requires careful configuration for law firm use. See the AI APIs for law firms guide for the full analysis.

Law firms building internal tools or custom workflows increasingly turn to AI APIs rather than off-the-shelf tools. This provides more control over data handling, prompt engineering, and integration with existing matter management systems.

The AI APIs for German law firms compliance guide covers the provider comparison in detail.

The EU AI Act classifies most legal research and drafting tools as minimal or limited risk AI systems. However, AI systems used to assist in judicial or quasi-judicial decisions, or systems that evaluate individuals’ legal situations in ways that significantly affect their rights, may attract higher-risk classification. Law firms using AI for legal services should check whether their specific use case crosses into the AI Act's high-risk tier.

What to Check Before Adopting an AI Tool

Before rolling out any AI tool in a German law firm, work through this compliance checklist:

  1. Data classification — define which matter data may and may not be processed by the tool
  2. DPA / AVV — obtain and review the vendor’s data processing agreement
  3. Section 43e BRAO contract review — verify the contract includes confidentiality, purpose limitation, and deletion commitments
  4. EU data residency — confirm where data is processed and stored, including sub-processors
  5. Training data opt-out — verify whether the vendor uses inputs for model training and how to disable it
  6. Sub-processor list — obtain a current list of sub-processors and assess EEA exposure
  7. DPIA screening — assess whether the use case triggers an Article 35 GDPR obligation
  8. Internal usage policy — document permitted use cases, prompt guidelines, and human review requirements
  9. Access controls — restrict AI tool access to fee earners with a need to use it for the specific matter type
  10. Competence and supervision — ensure lawyers using AI tools review outputs before relying on them professionally

How Compound Law Helps Law Firms with AI

Compound Law advises German law firms and legal departments on the legal and compliance framework for AI adoption. Our work includes:

  • DPA and AVV review for AI tool procurement
  • Section 43e BRAO compliance analysis for AI vendor relationships
  • GDPR DPIA support for law firm AI deployments
  • AI Act classification for legal technology use cases
  • Internal AI policy drafting for law firms deploying LLMs in practice

If your firm is evaluating AI tools or building an internal compliance framework for AI in legal practice, get in touch with Compound Law.


Frequently Asked Questions

Can German lawyers use ChatGPT or Claude for client work?

Yes, in principle — but not without safeguards. Consumer versions of ChatGPT or Claude are not suitable for confidential client data. Enterprise or API versions with DPAs, EU data residency configurations, and training opt-outs are the appropriate path. Even then, lawyers remain professionally responsible for all outputs.

What does BRAO say about using AI in legal practice?

BRAO does not prohibit AI use in German legal practice. Section 43a requires protection of confidential information. Section 43e governs outsourcing arrangements with external providers who access confidential data, requiring a specific written contract. The BRAK December 2024 guidance confirmed that these obligations apply to AI tool adoption.

Do German law firms need an AVV (DPA) with their AI providers?

Yes, where personal data is processed. An AVV under Article 28 GDPR is required. But a DPA alone is not sufficient — law firms also need the Section 43e BRAO contract layer, cross-border transfer safeguards, and a verified sub-processor chain.

Is there a GDPR-compliant AI tool for legal research?

Several enterprise-grade tools can be configured to meet GDPR requirements. Perplexity Enterprise, Claude Enterprise, and Azure OpenAI with European data residency are among those commonly assessed by German law firms. Compliance depends on the specific configuration and use case, not just the vendor’s general terms.

What are the risks of AI use in Kanzleien under German law?

The primary risks are: professional liability for unchecked AI errors; confidentiality breaches under Section 43a BRAO; GDPR violations if client personal data crosses borders without adequate safeguards; and potential scrutiny from the Rechtsanwaltskammer if AI-assisted work is identified and not properly supervised. A documented operating model is the best protection against all four.


Frequently asked questions

Can German lawyers use ChatGPT or Claude for client work?

In principle yes, but only with strict safeguards. Confidential client data should not be entered into consumer AI tools. Enterprise APIs with DPAs, EU data residency, and opt-out from training provide a defensible path.

What does BRAO say about using AI in legal practice?

BRAO does not prohibit AI but imposes obligations. Section 43a requires confidentiality protection. Section 43e governs contracts with external service providers who access confidential information. The BRAK issued guidance in December 2024 clarifying these obligations.

Do German law firms need an AVV (DPA) with their AI providers?

Yes, if personal data is processed. A DPA is necessary but not sufficient — firms also need cross-border transfer safeguards, sub-processor review, and data deletion terms.

Is there a GDPR-compliant AI tool for legal research?

Several tools offer compliant configurations. Perplexity Enterprise, Claude Enterprise, and Azure OpenAI with European data residency are commonly considered. Compliance depends on how the tool is configured, not just the vendor's general offering.

What are the risks of AI use in Kanzleien under German law?

Professional liability for AI-generated errors, confidentiality breaches under BRAO, GDPR violations if client data leaves the EEA without safeguards, and regulatory scrutiny from bar associations reviewing AI-assisted legal work.
