Claude Team GDPR: DPA and Data Protection for Businesses
Short answer
Claude Team includes a DPA and meets the minimum requirements for GDPR-compliant business use. Limitations apply: no EU data residency, no zero data retention, no advanced security controls. Whether Claude Team is sufficient depends on the data categories and compliance requirements of the specific use case.
- Claude Team includes a DPA — Free and Pro tiers do not. At minimum, Team is required for business use involving personal data.
- EU data residency and zero data retention are not available on Claude Team — this limits suitability for sensitive data workflows.
- Article 9 GDPR special-category data, strict confidentiality requirements, or audit log obligations require Claude Enterprise or individual legal review.
Claude Team includes a Data Processing Agreement (DPA) and meets the minimum requirements for GDPR-compliant business use — unlike the consumer plans Free and Pro. The critical limitations are EU data residency, zero data retention, and advanced security controls, which are only available from Claude Enterprise onwards. Whether the Team plan is sufficient for your organisation depends on which data you process and which compliance requirements apply.
This page provides general legal information and is not legal advice for a specific situation. For a broader overview of Claude under German data protection law, see our pages on the Claude DPA and Claude GDPR compliance.
What Is Claude Team?
Claude Team is Anthropic’s commercial group plan for a minimum of five users. It is aimed at agencies, small and medium-sized businesses, and teams that want to use AI-assisted work in a managed corporate environment — without the complexity of an Enterprise implementation.
Key features of Claude Team:
- Minimum users: 5
- Conversations: not used for model training
- DPA: automatically incorporated into the Commercial Terms
- Administration: central team dashboard for user management
- Model access: access to Anthropic’s most capable Claude models
Claude Team differs from Claude Pro (personal single-user plan, no DPA) and from Claude Enterprise (extended business plan with SSO, audit logs, zero data retention, and configurable data location).
Does Claude Team Include a DPA?
Yes. Anthropic provides a Data Processing Agreement (DPA) under Article 28 GDPR for all commercial products — Team, Enterprise, and API. The DPA is incorporated into the Anthropic Commercial Terms and applies from 1 January 2026 onwards. No separate signature or negotiation is required for standard deployments.
Important: Free and Pro plans do not include a DPA. Organisations processing personal data on these plans operate without a contractual basis for data processing — this is not defensible under data protection law.
You access the DPA electronically through the Anthropic customer portal at console.anthropic.com. It is not available as a standalone PDF download. For detailed information on the DPA’s content and how to review it, see our page on the Claude DPA.
The DPA covers the mandatory content required under Article 28 GDPR:
- Subject matter, duration, and purpose of processing
- Anthropic’s obligation to act on instructions
- Confidentiality obligations
- Technical and organisational measures under Article 32 GDPR
- Subprocessor arrangements
- Support with data subject rights
- Deletion and return at end of contract
- Standard Contractual Clauses (SCCs) for third-country transfers
Is Claude Team GDPR Compliant?
Claude Team can be used in a GDPR-compliant way — but with limitations that are relevant for a portion of business scenarios. The following table compares the plans:
| Feature | Claude Free / Pro | Claude Team | Claude Enterprise |
|---|---|---|---|
| DPA available | No | Yes | Yes |
| EU data residency | No | No | Configurable (via Bedrock / Vertex) |
| Zero data retention | No | No | Configurable |
| SSO / SCIM | No | No | Yes |
| Audit logs | No | No | Yes |
| Training opt-out | No | Yes | Yes |
| Minimum users | — | 5 | Individual |
The key takeaway: Claude Team meets the minimum bar for GDPR-compliant business use (DPA, training opt-out) but provides no extended security controls. Organisations that need to contractually guarantee EU data localisation, or that require zero data retention for sensitive projects, will reach the limits of Claude Team.
What Data Can You Use With Claude Team?
The suitability of Claude Team depends heavily on the categories of data being processed.
Suitable — generally low risk:
- Internal documents with no or minimal personal data
- Productivity tasks (drafting, summarising, translating)
- Internal analysis and research without customer data
- General knowledge management and onboarding materials
Use with caution — individual review recommended:
- General customer communications with limited personal data
- Employee data for non-evaluative, administrative purposes
- Contract drafts without particularly confidential content
Not recommended — Claude Enterprise or individual review required:
- Special categories under Article 9 GDPR (health, biometrics, trade union membership, criminal records)
- Strictly confidential business documents (M&A, term sheets, board materials)
- Financial, banking, or patient data
- Workflows where EU-exclusive processing must be contractually guaranteed
- HR decisions with a surveillance or profiling effect
The line is not always clear. When in doubt: the more sensitive the data, the stronger the case for Claude Enterprise or an individually assessed legal review.
When Is Claude Team Not Enough?
The following table helps you decide when Claude Team is sufficient and when Claude Enterprise is the better choice:
| Requirement | Claude Team sufficient? | Recommendation |
|---|---|---|
| DPA under Article 28 GDPR | Yes | Team sufficient |
| Training opt-out | Yes | Team sufficient |
| EU data residency contractually required | No | Enterprise + AWS Bedrock EU |
| Zero data retention for sensitive projects | No | Enterprise (configurable) |
| Audit logs for compliance evidence | No | Enterprise |
| SSO / SCIM provisioning | No | Enterprise |
| Article 9 data or M&A documents | No | Enterprise + individual review |
| Internal, non-sensitive workflows | Yes | Team sufficient |
For a full comparison of data protection features across both plans, see our page on Claude Enterprise. For information on EU data residency and the available deployment options, see our page on Claude EU hosting.
Claude Team GDPR Compliance Checklist
Before an organisation-wide rollout of Claude Team, the following seven steps should be completed:
-
Review and document the DPA. Retrieve the current version of the Anthropic Commercial Terms via console.anthropic.com and keep a record of the retrieval internally.
-
Check subprocessors. Request the current subprocessor list from Anthropic and compare it against your internal vendor register. In particular, check whether subprocessors outside the EEA are involved.
-
Verify SCCs for third-country transfers. Anthropic does not process data exclusively within the EEA. SCCs are incorporated into the Commercial Terms — ensure this transfer mechanism is documented in your records of processing activities.
-
Update your records of processing activities. Add Claude Team as a new processor with purpose, data categories, data subject groups, transfer mechanism, and retention periods.
-
Conduct a DPIA threshold assessment. A Data Protection Impact Assessment under Article 35 GDPR is typically triggered by systematic, large-scale automated processing involving profiling. Assess whether your planned Claude deployment reaches this threshold.
-
Establish an internal usage policy. Define internally which data categories may and may not be entered into Claude Team. Train staff accordingly.
-
Communicate prohibited data categories. Ensure that Article 9 data, trade secrets, and highly confidential documents are not processed in Claude Team unless a formal clearance process is in place.
When You Need More Than General Guidance
The information in this guide covers the typical standard case. A more in-depth legal review is generally required when:
- Regulated industry: your organisation operates in finance, healthcare, or insurance, where sector-specific requirements go beyond the GDPR.
- Large-scale processing: Claude Team is used for extensive customer communications, HR evaluations, or profiling.
- Special data categories: personal data under Article 9 GDPR is involved.
- Strict data localisation: contractual or regulatory requirements demand EU-exclusive processing.
- Works council: your company has a works council (Betriebsrat) with co-determination rights under § 87(1)(6) BetrVG when introducing technical monitoring or analysis systems.
In these situations, Anthropic’s DPA alone does not resolve the compliance question. What matters is whether the specific workflow is sustainable under the GDPR, contract law, and internal governance rules.
Compound Law advises businesses, founders, and in-house teams in Germany on GDPR, AI procurement, and commercial contracts. If you want to review Claude Team or another AI deployment before rollout, contact us.
This guide provides general legal information and does not replace individual legal advice. Specific data protection reviews — in particular DPIA decisions and contract analyses — require advice tailored to your use case.
Does Claude Team Include a DPA?
Yes. Anthropic provides a Data Processing Agreement (DPA) under Article 28 GDPR for commercial products — Team, Enterprise, and API. Free and Pro plans do not include a DPA and are not suitable for processing personal data in a business context.
Is Claude Team GDPR Compliant?
Claude Team can be used in a GDPR-compliant way for standard business workflows. However, EU data residency and zero data retention are not available on this plan. Whether it is sufficient depends on the data categories processed and the organisation’s specific compliance requirements.
What Is the Difference Between Claude Team and Claude Enterprise for Data Protection?
Claude Enterprise adds zero data retention, SSO, audit logs, and configurable data location via AWS Bedrock or Vertex AI. Claude Team includes a DPA and training opt-out, but none of the extended security or residency controls available at the Enterprise tier.
Can I Use Claude Team for Customer Data?
With limitations. Internal documents with minimal personal data are often low risk. Sensitive customer data, Article 9 GDPR special-category data, or workflows with strict confidentiality requirements require individual review — and Claude Enterprise may be more appropriate.
Where Can I Find the DPA for Claude Team?
The DPA is embedded in the Anthropic Commercial Terms and accessed electronically via the Anthropic customer portal (console.anthropic.com). It is not available as a standalone PDF download.
