Is DeepSeek GDPR Compliant? What German Companies Need to Know
Is DeepSeek GDPR compliant for German companies?
No. German companies cannot lawfully use DeepSeek's cloud service under GDPR: there is no DPA, there are no SCCs for China transfers, and there is no adequate EU representative. Self-hosted DeepSeek models (V3, R1) on EU infrastructure are a lawful alternative.
- DeepSeek offers no DPA/AVV — making enterprise procurement impossible under GDPR Article 28.
- Data is stored on servers in China, a country without an EU adequacy decision, with no SCCs in place.
- Seven German state DPAs opened formal investigations in February 2025; Berlin DPA sent DSA Article 16 notices in June 2025.
- Self-hosting DeepSeek's open-weight models on EU infrastructure is GDPR-compliant with proper documentation.
DeepSeek’s cloud service cannot be used lawfully by German companies for the processing of personal data. There is no Data Processing Agreement, no Standard Contractual Clauses covering transfers to China, and German supervisory authorities have opened formal investigations. Self-hosted DeepSeek models deployed on EU infrastructure are a different and potentially lawful path. This guide explains both the legal gaps and the compliance options. For a full overview of AI tools assessed for the German market, see our AI tools directory.
Is DeepSeek GDPR Compliant?
No — for the cloud service. DeepSeek AI (Hangzhou DeepSeek Artificial Intelligence Co., Ltd.) operates from China and stores user data on Chinese servers. China does not have an EU adequacy decision under Article 45 GDPR, meaning no automatic recognition that Chinese data protection standards are equivalent to the EU’s.
For a data transfer to China to be lawful under GDPR, a company must have in place one of the Article 46 safeguards — most commonly Standard Contractual Clauses (SCCs). DeepSeek does not offer SCCs. DeepSeek also does not provide a Data Processing Agreement (DPA), which Article 28 GDPR requires whenever a controller engages a processor. Without a DPA, any use of DeepSeek for personal data is unlawful under EU law regardless of where you are based.
The short answer for German legal and compliance teams: DeepSeek cloud is off-limits for personal data until these gaps are resolved.
Why DeepSeek’s Cloud Service Fails German Data Protection Law
No Standard Contractual Clauses for China Data Transfers
Under Article 46 GDPR, transfers of personal data to a third country without an adequacy decision require appropriate safeguards. The most common mechanism used by US cloud providers in Germany is the European Commission’s Standard Contractual Clauses (SCCs), updated in June 2021.
DeepSeek does not offer SCCs. Data entered into DeepSeek’s cloud service — including prompts, uploaded documents, and any personal data in those inputs — is transferred to and processed in China without a valid legal transfer mechanism. This is a direct GDPR violation for any German company that processes personal data (employee data, customer data, any identifiable information) through the service.
No DPA/AVV Available for Enterprise Procurement
Article 28 GDPR requires a written Data Processing Agreement between the controller (your organisation) and the processor (DeepSeek) whenever a processor handles personal data on your behalf. This is non-negotiable — without a DPA in place, the entire processing relationship is unlawful.
DeepSeek does not offer a DPA or AVV (Auftragsverarbeitungsvertrag) for enterprise customers. This single fact makes DeepSeek cloud unusable for German business procurement under current law. For comparison, see how a GDPR-compliant DPA should be structured when assessing any AI vendor.
No EU Representative Under Article 27 GDPR
Article 27 GDPR requires companies established outside the EU that offer services to EU residents to designate a representative in the EU. This representative serves as the point of contact for data subjects and supervisory authorities.
DeepSeek partially addressed this in its January 2026 privacy policy update by designating a privacy team contact for a “European Region.” However, German supervisory authorities have publicly stated this does not satisfy Article 27 in substance — the designated contact lacks the formal representative mandate and enforcement reach required by the regulation.
Regulatory Actions in Germany: Berlin DPA, DSK, and App Store Notices
German data protection authorities have taken some of the most aggressive action globally against DeepSeek. The timeline of regulatory events:
| Date | Event |
|---|---|
| February 2025 | Seven German state DPAs open formal investigations into DeepSeek. Lead authorities: Hessen (HBDI), Baden-Württemberg (LfDI BW), Berlin (BlnBDI), Rheinland-Pfalz |
| February 2025 | LfD Niedersachsen issues formal recommendation advising against use of DeepSeek cloud for personal data processing |
| June 27, 2025 | Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI) sends DSA Article 16 notices to Apple and Google requesting removal of the DeepSeek app from German stores |
| January 2026 | DeepSeek updates its privacy policy, creating a “European Region” designation and adding a privacy contact |
| Q1 2026 | German DPAs collectively assess the January 2026 update as insufficient; investigations continue |
The DSA Article 16 notices sent by the BlnBDI to Apple and Google are particularly significant: they represent the first time a German DPA used the Digital Services Act’s content removal mechanism against an AI tool. The Berlin DPA’s position is that making DeepSeek available on app stores in Germany facilitates GDPR violations at scale.
The Datenschutzkonferenz (DSK) — the joint body of all German federal and state data protection authorities — has signalled continued attention to the DeepSeek matter throughout 2025 and 2026.
DeepSeek’s January 2026 Privacy Policy Update — Is It Enough?
In January 2026, DeepSeek published a revised privacy policy that introduced a “European Region” concept and named a privacy contact for European users. This update addressed superficial criticism about the absence of any EU-facing documentation. However, it fell short of resolving the core GDPR problems:
- No DPA introduced. The update did not produce an Article 28-compliant processor agreement. German enterprise procurement still has no contractual basis.
- SCCs still absent. The update did not add Standard Contractual Clauses. Third-country transfers to China remain without a valid Article 46 mechanism.
- Article 27 representative not formally designated. German DPAs have stated that naming a “privacy contact” in a policy document is not equivalent to the formal representative designation Article 27 requires.
- Data storage location unchanged. Primary data storage remains on servers in China.
German supervisory authorities have publicly characterised the January 2026 update as insufficient. Investigations remain open.
Self-Hosting DeepSeek: A Lawful Alternative
Self-hosted DeepSeek models present a fundamentally different legal situation. DeepSeek released its V3 and R1 models as open-weight models, meaning the model weights are publicly available for download and local deployment. When you run DeepSeek on your own EU-based infrastructure:
- No data leaves your environment. Prompts, inputs, and outputs are processed entirely on infrastructure you control.
- No transfer to China. The Article 46 SCC problem does not arise.
- DPA with your infrastructure provider only. You need a DPA with your EU cloud or on-premise infrastructure provider, not with DeepSeek AI.
- No contact with DeepSeek AI services. You are using the model weights, not DeepSeek’s API or servers.
This is the same compliance pathway used for open-weight Llama models: the key is that data stays within your controlled, EU-hosted environment. Companies pursuing this path should:
- Deploy on certified EU cloud infrastructure (e.g., a German colocation facility or EU-region cloud with an Article 28 DPA in place)
- Document the deployment in your Records of Processing Activities (ROPA) under Article 30 GDPR
- Conduct a Data Protection Impact Assessment (DPIA) if the deployment involves systematic processing of sensitive data
- Implement access controls and logging consistent with your information security policy
GDPR Risk Assessment for Enterprise Use Cases
Different use cases carry different risk profiles for organisations that have used or are considering DeepSeek:
| Use Case | Personal Data Involved? | GDPR Risk (Cloud) |
|---|---|---|
| Internal drafting (no personal data) | No | Lower — but transfer risk remains |
| Customer support or comms | Yes | Critical — no DPA, no SCC |
| HR and employee data | Yes | Critical — pay special attention to §26 BDSG |
| Legal document review | Likely yes | Critical — confidentiality + GDPR |
| Code generation (no personal data) | No | Lower — but evaluate IP risk separately |
| Research with anonymised data | Potentially | Medium — depends on anonymisation quality |
For any use involving personal data, the absence of a DPA is a hard stop. Even for use cases without personal data, the lack of SCCs means that any inadvertent personal data inclusion creates immediate exposure.
If your organisation has already been using DeepSeek cloud, consider:
- Documenting the scope of any personal data processed
- Assessing notification obligations under Article 33 GDPR if there is reason to believe personal data was transferred without adequate safeguards
- Transitioning to a compliant alternative — see below
Practical Compliance Checklist for German Companies
For organisations evaluating or currently using DeepSeek:
- Stop using DeepSeek cloud for personal data immediately — no DPA and no SCCs means ongoing non-compliance
- Audit which workflows used DeepSeek — identify what data was processed and by which employees
- Assess Article 33 exposure — determine whether the absence of adequate safeguards constitutes a reportable breach
- Evaluate self-hosted DeepSeek — if DeepSeek’s capabilities are needed, assess EU-hosted self-deployment
- Consider compliant alternatives — Claude Enterprise offers EU data residency, a GDPR-compliant DPA, and SCCs for German enterprise use
- Update internal AI usage policies — explicitly address which tools are approved for personal data processing
- Document the decision — record the risk assessment and the transition decision in your ROPA
Compliant Alternatives for German Companies
If your organisation needs an AI assistant or large language model for tasks that involve personal data, several options offer proper GDPR documentation:
- Claude Enterprise — Anthropic DPA with SCCs, EU data processing options, no training on customer data
- Self-hosted DeepSeek V3/R1 — deploy open-weight models on your own EU infrastructure
- Self-hosted Llama — Meta’s open-weight models, same self-hosting compliance path
When evaluating any AI vendor, a GDPR Data Processing Agreement is the minimum threshold. No DPA means no lawful processing of personal data, regardless of the tool’s capabilities.
The information on this page is general legal information, not legal advice. The regulatory situation around DeepSeek continues to evolve. For advice specific to your organisation’s use case and risk profile, contact Compound Law.
Frequently Asked Questions
Is DeepSeek GDPR compliant?
No. DeepSeek’s cloud service cannot be used in a GDPR-compliant manner by German companies for personal data. There is no DPA, no SCCs for China transfers, and German supervisory authorities have opened formal investigations. Self-hosted DeepSeek models on EU infrastructure can be compliant.
Is DeepSeek banned in Germany?
DeepSeek is not formally banned, but the Berlin DPA sent DSA Article 16 notices to Apple and Google on June 27, 2025, requesting removal of the app from German stores. Seven German state DPAs have opened formal investigations. Use of DeepSeek cloud for personal data processing carries high regulatory risk.
Can I use DeepSeek self-hosted?
Yes. DeepSeek V3 and R1 are open-weight models available for self-deployment on EU infrastructure. When hosted on your own servers within the EU, data does not transfer to China, resolving the primary GDPR compliance issues. Proper documentation (ROPA entry, infrastructure DPA, DPIA where required) is still needed.
Does DeepSeek have a DPA or AVV?
No. As of April 2026, DeepSeek does not offer a Data Processing Agreement for enterprise customers. This makes any processing of personal data through DeepSeek cloud unlawful under Article 28 GDPR.
What did German DPAs say about DeepSeek?
Seven German state DPAs opened formal investigations in February 2025. The LfD Niedersachsen issued a recommendation against use for personal data. The Berliner Beauftragte für Datenschutz und Informationsfreiheit sent DSA Article 16 notices to Apple and Google in June 2025. German DPAs assessed DeepSeek’s January 2026 privacy policy update as insufficient.