AI APIs for Law Firms in Germany — BRAO Compliance, GDPR & Professional.
Can lawyers in Germany use AI APIs like Claude or ChatGPT?
Yes — German lawyers can use AI APIs, but only with specific safeguards. BRAO §43a requires absolute professional confidentiality over client data. GDPR Art. 28 mandates a Data Processing Agreement (DPA/AVV). Cross-border transfers to US-based providers must be covered by SCCs.
- BRAO §43a: Client data may only be shared with vendors who are contractually bound to confidentiality.
- GDPR Art. 28: A Data Processing Agreement (DPA/AVV) is mandatory before processing any client data with an AI tool.
- BRAK guidelines recommend against entering real client data into public AI systems without adequate contractual safeguards.
Lawyers in Germany can use AI APIs such as Claude or ChatGPT in their practice — but only with specific safeguards in place. The key legal frameworks are BRAO §43a (professional duty of confidentiality), GDPR Art. 28 (Data Processing Agreement required), and the professional guidance issued by the BRAK (Bundesrechtsanwaltskammer — German Federal Bar Association). This guide explains what is permitted, what the risks are, and how to introduce AI tools into a German law firm compliantly.
This article is general information and does not constitute legal advice for individual cases. For a detailed GDPR assessment of Claude specifically, see our guide on Claude Enterprise GDPR compliance.
Quick answer
Yes, lawyers in Germany can use AI APIs — with these prerequisites:
- DPA under GDPR Art. 28 with the AI vendor (free-tier accounts do not include a DPA)
- Confidentiality commitment from the vendor covering client data under BRAO §43a
- No model training on client submissions
- SCCs or EU hosting for any cross-border data transfers outside the EEA
Can Lawyers Use AI APIs? The Short Answer
Yes, German lawyers can use AI tools such as Claude, ChatGPT, or similar systems. There is no blanket prohibition. What matters is how the tool is used and what data is processed.
Three legal frameworks define the boundaries:
- BRAO §43a — The professional duty of confidentiality is absolute and permanent. Client data may only be shared with third parties who are contractually bound to secrecy.
- GDPR Art. 28 — Whenever personal data (client information, opposing party details, witness statements) enters an AI system, a Data Processing Agreement (DPA) — called Auftragsverarbeitungsvertrag (AVV) in German — is required.
- BRAK professional guidance — The Bundesrechtsanwaltskammer recommends caution when entering client-specific content into AI systems and requires lawyers to maintain professional responsibility for all AI-generated output.
The practical dividing line is not the tool itself, but the workflow: using AI for internal research without client data is far less sensitive than entering contract documents, court pleadings, or client correspondence.
Legal Framework: BRAO §43a, Professional Secrecy & AI
BRAO §43a is the cornerstone of German professional legal rules. Section 2 imposes an unconditional and permanent duty of confidentiality over everything a lawyer learns in the course of professional activity — without exception.
This obligation extends to assistants and service providers. When client data is transmitted to an AI vendor, the law firm must ensure:
- The vendor is contractually bound to confidentiality (typically through a DPA and confidentiality clauses).
- The vendor does not train on client data — no model optimization using submitted content.
- Access to data is technically restricted and minimized to what is necessary.
- Clear rules govern which categories of data staff are permitted to enter into AI systems.
A practical consequence: most free-tier AI services (ChatGPT Free, Claude Free, Gemini Free) do not meet these requirements. Only commercial Enterprise or API plans that include a DPA are appropriate for client-facing workflows.
Professional Privilege and Cloud Services
The professional duty of confidentiality (anwaltliche Verschwiegenheitspflicht) under German law is not merely a data protection obligation — it is an independent professional duty that applies even when GDPR requirements are formally met. A DPA alone does not automatically preserve professional privilege. Additional contractual confidentiality commitments from the vendor are required.
For law firms, this means zero-data-retention options and explicit contractual commitments against model training are not optional — they are professionally required for any client-facing AI workflow.
Data Protection: DPA, Cross-Border Transfers & EU Hosting
Data Processing Agreement under GDPR Art. 28
Once a lawyer enters client data into an AI system, the vendor becomes a data processor under GDPR Art. 28. A Data Processing Agreement (DPA/AVV) is then mandatory — without exception.
The key elements a DPA must cover for law firm use:
| DPA Requirement | Why It Matters for Law Firms |
|---|---|
| Subject matter and duration | AI workflows with client data must be specifically described |
| Binding instructions | The vendor may only process data on the firm’s instructions |
| Confidentiality obligations | Vendor staff must be bound to secrecy — directly relevant to BRAO |
| Technical and organizational measures | Art. 32 GDPR security standard |
| Sub-processors | Where is client data actually processed and forwarded? |
| Deletion and return | What happens to client data after the contract ends? |
| Audit rights | Can the firm conduct checks or request compliance evidence? |
Cross-Border Transfers and EU Hosting
Most major AI vendors (Anthropic, OpenAI) process data primarily in the United States. For transfers to third countries under GDPR Chapter V, Standard Contractual Clauses (SCCs) under Art. 46(2)(c) are the standard transfer mechanism. All major enterprise-tier vendors provide SCCs as part of their commercial terms.
Law firms that require EU-only hosting — for example, due to client requirements or internal policy — should evaluate these deployment options:
| Deployment path | Data location | EU-only possible? |
|---|---|---|
| Claude.ai / Anthropic API direct | US (default) | No dedicated EU offering |
| Claude via AWS Bedrock | Configurable | Yes — Frankfurt (eu-central-1), Ireland |
| ChatGPT Enterprise direct | US (default) | Limited — Azure EU available |
| Claude/GPT via Azure OpenAI Service | Configurable | Yes — EU regions available |
| On-premise open-source models | Own infrastructure | Yes — full control |
For firms with strict data residency requirements — for example in M&A, banking, or insolvency work — AWS Bedrock EU configurations or on-premise deployments are the most defensible options.
For a detailed guide to the Claude DPA, see our guide on Claude Enterprise GDPR compliance.
Which AI Tools Are Suitable for Law Firms?
Not every AI tool meets the minimum requirements for law firm use. The key criteria are: Does the vendor provide a DPA? Do they commit to confidentiality? Is there no model training on client data?
| AI Tool | DPA/AVV available | No training (commercial) | SCCs / EU option | Suitable for law firms? |
|---|---|---|---|---|
| Claude Enterprise / API | Yes (Commercial Terms) | Yes | Yes / EU via Bedrock | Yes |
| ChatGPT Enterprise | Yes | Yes | Yes / Azure EU | Yes |
| Microsoft Copilot (M365) | Yes | Yes | EU Data Boundary (exceptions apply) | Conditional |
| Gemini for Google Workspace | Yes | Yes | EU available | Conditional |
| Claude Free / ChatGPT Free | No | No | No | No |
| Local open-source models | Not required | Structurally yes | Own infrastructure | Yes — requires IT resources |
Note: This comparison shows whether fundamental requirements can be met. Whether a specific tool is compliant for your firm depends on the actual workflow, the type of client data involved, and your firm’s internal compliance requirements.
BRAK Guidance and Current Legal Commentary
The BRAK (Bundesrechtsanwaltskammer) — Germany’s Federal Bar Association — has issued professional guidance on AI tools in legal practice. Key points:
- Professional responsibility cannot be delegated to AI. Every AI-generated document — whether a draft pleading, contract clause, or research memo — must be independently reviewed and authorized by the responsible lawyer.
- No unprotected client data in public AI systems. The BRAK explicitly recommends against entering real, unencrypted client data into publicly accessible AI platforms.
- Careful vendor selection. Lawyers must verify that the vendor provides a valid DPA and confidentiality commitments before deployment.
- Ongoing review obligation. AI technology and vendor terms change rapidly — law firms must regularly update their AI governance framework.
Neither case law nor disciplinary practice in Germany establishes a blanket prohibition on AI use. Current legal commentary emphasizes that AI use is permissible but requires heightened professional care — particularly around the duty of confidentiality and the secure communication obligations tied to the beA (besonderes elektronisches Anwaltspostfach).
Relationship to BRAO §43e (Office Management Duties)
BRAO §43e requires lawyers to manage their law firm in a way that ensures confidentiality and compliance with professional rules. This framework applies directly to AI tools: the firm is responsible for ensuring its entire technical infrastructure — including external service providers like AI vendors — meets professional conduct standards.
Practical Compliance Checklist: Introducing AI in a German Law Firm
Before any AI tool is used in production in a law firm, verify these seven points:
- Check the tier and DPA. Only commercial plans (API, Enterprise, Team) include a DPA. Free-tier accounts are not suitable for client data.
- Obtain confidentiality commitments. Confirm the vendor does not train on client data and that contractual confidentiality obligations exist beyond the standard DPA terms.
- Document cross-border transfers. Record which countries outside the EEA receive data and document the transfer mechanism (SCCs) in your Records of Processing Activities (RPA/VVT).
- Clarify EU hosting requirements. If client mandates or firm policy require EU-only hosting, evaluate deployment options via AWS Bedrock or Azure OpenAI Service.
- Define firm-wide usage rules in writing. Set out which categories of data staff may enter into AI systems. Maintain clear “no-go” categories (e.g., unredacted banking data, health data, highly sensitive M&A materials).
- Update your RPA and assess DPIA need. Add the AI tool to your Records of Processing Activities. For high-volume or high-risk processing, a Data Protection Impact Assessment (DPIA) under GDPR Art. 35 may be required.
- Schedule regular reviews. AI vendors update terms and infrastructure frequently. Set an annual review of your AI governance and document the rationale for your tool choices.
This structured review matters more than which AI tool is most popular. The decision ultimately depends on your firm’s specific workflows and the nature of the client data involved — not the vendor name alone.
Compound Law advises law firms, in-house legal teams, and professional associations in Germany on AI tool compliance, GDPR, DPA review, and professional conduct rules. If you want to introduce AI tools in your law firm compliantly, contact us.
FAQ
Can lawyers in Germany use ChatGPT?
Yes, under conditions. German lawyers may use ChatGPT Enterprise if a GDPR-compliant DPA is in place, no client data is used for model training, and the professional confidentiality obligations under BRAO §43a are met through contractual and technical measures. The free-tier ChatGPT account does not include a DPA and is not suitable for client data.
Which AI tools are BRAO-compliant?
AI tools are considered professionally usable under BRAO when they include a valid DPA, commit to not training on client data, and provide SCCs or EU hosting options. Suitable options include Claude Enterprise/API (Anthropic), ChatGPT Enterprise (OpenAI), and on-premise deployments of open-source models.
Do I need a DPA to use AI tools as a lawyer in Germany?
Yes. Whenever client data or other personal data is entered into an AI system, a Data Processing Agreement (DPA/AVV) under GDPR Art. 28 is mandatory. Free-tier accounts do not include a DPA. Only paid API or Enterprise plans from major vendors provide a DPA.
What does the BRAK say about AI tools for lawyers?
The BRAK has published professional guidance on AI tools in legal practice. Core points: do not enter real client data into public AI systems without contractual safeguards, carefully review vendor DPAs, and maintain professional accountability for all AI-generated output. AI use is permissible but requires a structured compliance approach.
Is professional secrecy protected by a DPA alone?
No. A DPA satisfies the GDPR requirement for data processing but does not alone preserve the professional duty of confidentiality under BRAO §43a. Additional contractual confidentiality commitments, no model training on client submissions, and appropriate technical safeguards (such as zero-data-retention options) are also required.