Claude GDPR: Which Claude Plans Work for Germany in 2026

Is Claude GDPR compliant?

Yes, Claude can be used in a GDPR-compliant way in Germany, but only on the right contract stack. The decisive questions are which Claude plan you use, whether Article 28 GDPR is covered by a DPA, how transfers are structured, and what internal controls you document before rollout.

  • Claude Free, Pro, and Max are consumer plans. Privacy controls there do not replace a business DPA under Article 28 GDPR.
  • Claude Team, Enterprise, and the Anthropic API are commercial products with a DPA incorporated into Anthropic's Commercial Terms.
  • A DPA is necessary but not sufficient. German companies still need a legal basis, transfer review, TOMs, and often a DPIA.

Claude GDPR compliance for Germany is possible, but only if you use Claude on the right plan and under the right documents. For most businesses, the decisive split is not “Claude is private” versus “Claude is not private”; it is consumer terms versus commercial terms, plus the legal basis, transfer path, retention setup, and governance you document before rollout.

This page is general information, not legal advice for a specific deployment. If you need the contract deep dive, start with our Claude DPA and Anthropic DPA pages. If your question is operational rather than purely contractual, our guides on Claude Enterprise, Claude Team GDPR, and Claude EU hosting give the deployment context around the same legal issues.

Is Claude GDPR compliant for companies in Germany?

Yes, but only conditionally. Claude can be deployed in a GDPR-compliant way for companies in Germany when the workflow sits on a commercial plan, the Article 28 GDPR processor relationship is documented, the transfer setup is reviewed, and the company has internal rules for what may and may not be entered into the system.

The shortest accurate answer is this:

  • Claude Free, Pro, and Max are consumer products. Their privacy controls do not make them suitable for business personal-data workflows.
  • Claude Team, Claude Enterprise, and the Anthropic API are commercial products. Anthropic says the DPA with SCCs is incorporated into its Commercial Terms for those products.
  • A DPA is not the whole analysis. German companies still need a legal basis under Article 6 GDPR, transfer review under Chapter V GDPR, and technical and organizational measures under Article 32 GDPR.
  • High-risk use cases trigger extra work. Employee data, special-category data, regulated professional secrecy, and automated decision support often require a DPIA and additional governance.

That distinction matters because many “Claude privacy” pages discuss chat deletion, model-improvement settings, or consumer privacy notices. Those points may help an individual user, but they do not answer the business question that German legal, privacy, and procurement teams actually have to sign off on.

Which Claude plans are acceptable under GDPR and which are not?

The plan tier is the first legal filter. Before discussing safeguards, ask which contract applies.

Plan | Contract posture | DPA status | Suitable for business personal data? | Main reason
Claude Free | Consumer | No business DPA | No | Consumer terms only
Claude Pro | Consumer | No business DPA | No | Consumer terms only
Claude Max | Consumer | No business DPA | No | Consumer terms only
Claude Team | Commercial | DPA in Commercial Terms | Usually yes, subject to review | Processor setup available
Claude Enterprise | Commercial | DPA in Commercial Terms | Usually yes, subject to review | Added governance controls
Anthropic API | Commercial | DPA in Commercial Terms | Usually yes, subject to review | Commercial processor setup
AWS Bedrock / Vertex AI routes | Third-party commercial | Review platform contract | Sometimes | Provider contract stack changes

Claude Free, Pro, and Max

For Claude GDPR questions, the core point is simple: consumer-plan privacy settings are not a substitute for commercial procurement documents. Anthropic’s current support materials separate commercial products from consumer products and explicitly place Free, Pro, and Max on the consumer side.

That matters for at least four reasons:

  1. No Article 28 processor contract. A business using Claude for customer, employee, or applicant data usually needs a DPA.
  2. Consumer retention logic is different from enterprise procurement logic. Deleting chats or disabling model improvement is helpful, but it is not the same as a negotiated controller-processor framework.
  3. Governance is weaker. Business auditability, workspace controls, and procurement review usually require commercial tooling.
  4. Internal policy cannot override the external contract. A company policy saying “do not use sensitive data” does not cure a missing Article 28 framework.

For that reason, Claude Pro is not the right answer for business personal-data workflows in Germany, even when the user-facing privacy story looks better than on some competing consumer tools. If you need a more detailed explanation, see our Claude Pro privacy page.

Claude Team

Claude Team is the lowest tier that should even enter a serious GDPR review for business use. Anthropic currently treats Team as a commercial product, and its DPA is incorporated into the Commercial Terms for commercial products.

That does not mean Team is automatically approved. It means the minimum contractual building block exists. From there, legal and privacy teams still need to ask:

  • What data categories will users input?
  • Is the workflow internal drafting, customer support, HR evaluation, or something else?
  • Do we need a DPIA?
  • Are our works council and information-security teams affected?
  • Are default retention and export controls acceptable for the use case?

For smaller organizations, Team can be enough where the use case is relatively low-risk, internal, and well-governed. Our more specific Claude Team GDPR guide focuses on that path.

Claude Enterprise

Claude Enterprise improves the compliance position mainly through governance, not by changing the GDPR articles themselves. Anthropic’s current Enterprise materials highlight audit logs, SCIM, custom data retention controls, and compliance APIs. Those features matter because they make internal control, evidence gathering, and policy enforcement easier.

Enterprise is usually the stronger option when:

  • many users need access across departments,
  • the company must evidence usage and admin actions,
  • procurement requires clearer retention or administrative controls,
  • privacy and security teams want centralized settings and spend controls,
  • Claude Code or other developer-facing workflows need organization-level governance.

Current Anthropic help materials also show that Enterprise now exists in self-serve and sales-assisted forms, with minimum seat thresholds and usage billed separately at API rates. That is commercially relevant because legal review often starts when a tool becomes an organization-wide spend line rather than an individual reimbursement item.

Anthropic API and third-party deployment routes

The Anthropic API is usually the cleanest route for structured business workflows because it lets the company control the application layer, logs, prompts, and filters more tightly than a general chat interface. It is also where Anthropic’s current documentation is most explicit about Zero Data Retention (ZDR) and data-handling scope.

However, using the API does not automatically mean EU-only processing. Anthropic’s current commercial privacy materials say data is stored in the US by default. Its first-party API now supports inference geography controls, but current documentation still says workspace storage is in the US. So the legal answer is more nuanced than older “no residency options” summaries and also more nuanced than simple “EU data residency available” marketing shorthand.

If the company uses Claude through AWS Bedrock or Google Vertex AI, the contract and deployment analysis changes. In those cases, the platform provider’s terms, regional settings, and logging stack become part of the legal assessment. That is why business buyers should treat “Claude DPA” and “Claude on Bedrock” as related but distinct procurement questions.

The biggest mistake in Claude GDPR reviews is over-weighting the privacy policy. Privacy notices matter, but they are not the core business compliance documents.

DPA / Article 28 GDPR

For commercial products, Anthropic says its DPA with SCCs is automatically incorporated into the Commercial Terms. That is the legal starting point for controller-processor analysis.

In practice, the DPA review should confirm:

  • the product and workflow are actually on the commercial stack,
  • the processing description matches the real use case,
  • subprocessors and change mechanisms are documented,
  • deletion and return language fits internal requirements,
  • audit-support language is sufficient for procurement,
  • the company understands whether Anthropic acts only as processor in the workflow at issue.

For a clause-by-clause discussion, see our Claude DPA and Anthropic DPA pages.

SCCs and transfer mechanism

SCCs are still not the same thing as “problem solved.” German companies should document:

  • where data is stored at rest,
  • where inference may run,
  • whether support or safety review access can occur outside the EEA,
  • which subprocessors receive the data,
  • whether supplementary internal measures are required.

The current Anthropic materials are especially important here because they show a mixed picture:

  • commercial traffic may be routed across multiple geographies by default,
  • the first-party API now offers inference geography controls,
  • data is still described as stored in the US by default,
  • partner platforms have their own region and retention rules.

That makes it risky to answer “Does Claude have EU data residency?” with a blanket yes or no.

Subprocessors, retention, and training position

A serious Claude GDPR review should also separate three distinct topics that are often collapsed together:

  1. Subprocessors: review where they operate and what functions they perform.
  2. Retention: standard product retention, custom enterprise retention, and ZDR are different things.
  3. Model training: Anthropic says it does not use data shared under commercial products to train models unless the customer joins the Development Partner Program.

That training statement is commercially important, but it is still only one piece of the GDPR puzzle. A tool can avoid model training and still create unresolved issues around legal basis, retention, or employee-data governance.

When does a Claude workflow trigger extra German-law risk?

Some Claude workflows are manageable with a standard procurement review. Others move into a much stricter risk category.

Employee data and works council issues

If Claude is used with employee data, especially for evaluation, productivity analysis, hiring support, disciplinary context, or monitoring-adjacent workflows, German employment-law issues arise alongside GDPR issues.

The main pressure points are:

  • works council co-determination under Section 87(1) no. 6 BetrVG,
  • the need for a clear and documented use policy,
  • restrictions on entering performance or HR-sensitive material,
  • a likely DPIA in higher-risk deployments.

Even where the pure privacy analysis is arguable, a rollout can still fail internally if the labor-law side is ignored.

Special-category data and DPIA triggers

A DPIA under Article 35 GDPR is commonly required where Claude is used for:

  • special-category data under Article 9 GDPR,
  • systematic profiling or scoring,
  • automated decisions with significant effects,
  • large-scale sensitive communications,
  • systematic monitoring of individuals.

That includes many practical enterprise scenarios: HR screening, health-related operations, compliance monitoring, and customer-risk triage. The fact that the tool is “assistive” rather than fully automated does not remove the need to assess risk properly.

Law-firm secrecy and regulated-sector use

For law firms and other regulated businesses, GDPR is only part of the picture. The harder question is often whether the workflow also touches:

  • legal professional privilege or confidentiality duties,
  • trade secrets,
  • sector-specific retention rules,
  • regulated advice or regulated decision preparation,
  • supervisory expectations on documentation and review.

That is why we treat Claude GDPR as a procurement-and-governance question, not merely a website privacy question.

Practical rollout checklist for German companies

Before approving Claude for a workflow involving personal data, work through this checklist:

  1. Identify the exact product path. Confirm whether users are on Free, Pro, Max, Team, Enterprise, the first-party API, or a third-party deployment route.
  2. Exclude consumer plans for business personal data. If the workflow depends on a consumer account, stop there and redesign the setup.
  3. Document the legal basis under Article 6 GDPR. Usually this is legitimate interests or contract performance, but it must be documented, not assumed.
  4. Review the DPA and transfer setup. Check Article 28 coverage, SCC incorporation, subprocessors, and current storage/routing reality.
  5. Define input rules and technical controls. Specify what data users may not enter, who can access the tool, and how logs or exports are managed.
  6. Assess retention. Distinguish standard retention, custom retention, and ZDR-eligible workflows.
  7. Run a DPIA where required. Do not wait until after rollout if the workflow touches employee data, profiling, or special-category data.
  8. Involve the right internal functions. Legal, privacy, security, IT, procurement, and where applicable the works council.
  9. Record the decision. Keep a written approval trail showing the approved use case, restrictions, owner, and review date.

Why the privacy-policy answer is not enough

The search intent behind Claude GDPR is usually not “Can I delete a chat?” It is “Can my company in Germany approve this tool for real work with personal data?”

That question cannot be answered from a privacy notice alone because a defensible business answer depends on:

  • the contract stack,
  • the processor role,
  • international transfers,
  • retention and logging,
  • internal restrictions,
  • high-risk use cases,
  • evidence for auditors, procurement, or works councils.

That is the gap these pages need to close. A privacy-friendly interface may still be the wrong legal setup. A strong DPA may still be insufficient for a high-risk workflow. And a helpful consumer control may still be irrelevant to a commercial rollout decision.

Compound Law advises companies, startups, and legal teams in Germany on AI procurement, GDPR, employment law, commercial contracts, and AI governance. If you want a deployment-specific review of Claude, Anthropic terms, or a planned internal AI policy, contact us.

FAQ

Is Claude GDPR compliant?

Claude can be used in a GDPR-compliant way, but only after a workflow-specific review. The decisive issues are plan tier, DPA coverage, legal basis, transfer setup, retention, and internal governance.

Which Claude plan is acceptable for business personal data?

Claude Team, Claude Enterprise, and the first-party Anthropic API are the relevant commercial starting points. Free, Pro, and Max are consumer plans and are not the right contract basis for business personal-data processing.

Do I need a DPA for Claude?

Yes in most business workflows where Anthropic processes personal data on the company’s behalf. The DPA is the minimum contractual layer under Article 28 GDPR, but it is not the full compliance analysis.

Is Claude Pro allowed for business data?

Not for personal-data workflows that require a processor agreement. Claude Pro is a consumer product. Consumer privacy controls do not create the business DPA required by Article 28 GDPR.

Does the Claude DPA also cover the API?

Yes for the first-party Anthropic API. Anthropic says its DPA with SCCs is incorporated into the Commercial Terms for commercial products. If the deployment runs through AWS Bedrock, Vertex AI, or another provider, review that provider’s contract stack separately.

Does Claude offer EU data residency?

Only in a limited and qualified sense. Anthropic’s current API materials show inference-geography controls, but its commercial privacy materials still describe data as stored in the US by default. If you need strict EU-only storage or region-bound logging, assess the deployment architecture in detail rather than relying on generic marketing language.

When is a DPIA required for Claude?

Usually when the workflow involves employee monitoring, profiling, large-scale special-category data, or automated decisions with significant effects. German supervisory guidance and the actual processing design both matter.

Does Claude use commercial customer data for model training?

Anthropic says it does not use data shared under commercial products to train models unless the customer opts into the Development Partner Program. That is helpful, but it does not by itself resolve the wider GDPR assessment.
