Notion DPA and GDPR: Can German Companies Use Notion Compliantly?

Short answer

Yes, Notion can be used GDPR-compliantly in Germany — provided you execute Notion's Data Processing Agreement (DPA), understand that Notion stores all data in the US with no EU region option, and apply specific controls for Notion AI, which uses OpenAI as a sub-processor.

  • Execute Notion's DPA before rollout — it covers GDPR Art. 28, SCCs, and sub-processors.
  • Note that Notion has no EU data region — US-based AWS storage with SCCs is the transfer basis.
  • Notion AI adds complexity: OpenAI is a sub-processor, requiring a separate AI addendum review.

Yes, Notion can be used GDPR-compliantly by German companies — provided you execute Notion’s Data Processing Agreement (DPA), understand that all data is stored in the US with no EU region available, and apply specific controls when using Notion AI, which routes content through OpenAI as a sub-processor. For most German businesses, the compliance question is not whether Notion is “GDPR-compliant” in the abstract, but whether your specific rollout — including workspace data categories, transfer documentation, and AI feature governance — is defensible under German data protection law.

This guide covers what legal, privacy, and IT teams need to check before deploying Notion and Notion AI in a German company context. For broader context on data processing agreements under GDPR Art. 28, see our dedicated guide.

Does Notion Have a Data Processing Agreement (DPA)?

Yes. Notion offers a Data Processing Agreement that covers GDPR Article 28 requirements, Standard Contractual Clauses (SCCs) for EU-to-US data transfers, sub-processor disclosures, and deletion and return commitments. Enterprise customers can negotiate the DPA directly with Notion.

Key things legal teams should verify when reviewing Notion’s DPA:

  • Correct contracting entity: Confirm the Notion entity and verify the DPA version that applies to your subscription tier.
  • Sub-processor list: Notion discloses its infrastructure and AI-feature sub-processors. Review the current list and the process for sub-processor updates.
  • Notion AI addendum: Notion AI has separate data processing terms beyond the main DPA. If your company uses Notion AI features, you must review and accept this AI-specific addendum — it is not covered by the standard DPA.
  • SCC module and annex: Notion relies on Module Two (controller-to-processor) SCCs for EU–US transfers. Confirm that the relevant Annex II (technical and organisational measures) reflects your actual implementation.
  • Deletion and return timelines: Verify the retention period after contract termination and how data deletion is documented.

The DPA is the contractual foundation. But it does not automatically resolve whether your specific workspace, user permissions, and AI use cases fit within a defensible GDPR setup — that is a separate governance question.

EU Data Hosting and Data Residency

Notion does not offer an EU data region. As of early 2026, all Notion data — including workspace content, AI-generated outputs, and usage data — is stored in the United States on Amazon Web Services (AWS) infrastructure.

This is a material fact for German companies:

  • No EU residency option. Unlike Microsoft 365 or Google Workspace, Notion currently cannot keep data within the EU. Every company using Notion is necessarily relying on a third-country transfer basis.
  • SCCs are the applicable transfer mechanism. Notion uses Standard Contractual Clauses (EU Commission Decision 2021/914) as the legal basis for EU-to-US data transfers. German companies should confirm the applicable SCC module and assess whether a Transfer Impact Assessment (TIA) is advisable for sensitive data categories.
  • German supervisory authority position: The German Data Protection Conference (DSK) and the Federal Commissioner for Data Protection and Freedom of Information (BfDI) have consistently scrutinized US cloud services. The EU–US Data Privacy Framework (effective July 2023) provides an additional transfer basis if Notion is certified — but companies should verify Notion’s current DPF certification status independently and not rely on certification assumptions from prior procurement cycles.
  • Sector-regulated companies: Businesses subject to stricter data residency rules — for example, health data processors under § 22 BDSG, or regulated financial services firms — should separately assess whether US-based storage is compatible with sector-specific requirements, independent of GDPR.

For most German companies, US-based storage via SCCs is a workable arrangement. It is, however, a fact that must be explicitly documented in records of processing activities (ROPA) and cannot be treated as a default assumption.

Notion AI — Additional GDPR Considerations

Notion AI — the AI-powered writing, search, and summarization features built into Notion workspaces — adds a distinct layer of GDPR complexity beyond the base Notion product.

OpenAI is a sub-processor for Notion AI. When employees invoke Notion AI functions — drafting, search, Q&A, summaries — content may be routed through OpenAI under Notion’s sub-processor arrangement. This has several practical implications:

  1. Separate data terms apply. The standard Notion DPA does not fully govern Notion AI processing. Review and accept the Notion AI data addendum specifically. The sub-processor chain (Notion → OpenAI) and the specific data processing activities covered must be understood before enabling AI features.
  2. Training data policy — a stated commitment, not a legal guarantee. Notion’s documentation states that customer workspace data is not used to train AI models. This is a helpful procurement point. It should be verified at contract time and on renewal, not treated as a permanent given.
  3. DPIA trigger under GDPR Art. 35. If your Notion AI rollout involves systematic processing of employee data, large-scale processing of personal data, or categories creating a high privacy risk, a Data Protection Impact Assessment (DPIA) may be required under GDPR Art. 35. This is particularly relevant for use cases involving HR files, customer data, or confidential legal documents.
  4. Workspace-level AI controls. Enterprise Notion plans allow AI features to be enabled or disabled at the workspace or team level. Before rollout, confirm granular control availability and document which teams have Notion AI features enabled.

The risk with Notion AI for German companies is less about the AI feature itself and more about the breadth of personal data that AI search and summarization can reach across a permissive workspace. Restricting Notion AI to content areas with low personal data exposure is usually the most defensible first configuration.

For comparison with how similar tools handle these questions, see the guides for Slack AI, Microsoft Teams Copilot, and HubSpot Breeze AI.

BetrVG and Works Council Requirements

In Germany, deploying workplace tools that affect how employee work is monitored, organized, or evaluated triggers co-determination rights under the Betriebsverfassungsgesetz (BetrVG).

§ 87(1) no. 6 BetrVG gives works councils the right to co-determine the use of technical equipment that enables monitoring of employee behavior or performance. This provision applies broadly. Tool introductions are regularly subject to works council consultation or agreement even when the primary purpose is productivity rather than monitoring.

For Notion specifically, works council assessment should address:

  • Workspace activity data: Notion can generate activity metadata — who viewed, edited, or created pages. If managers or HR can access this data, co-determination concerns arise.
  • Notion AI interaction patterns: AI feature usage logs, if accessible at an administrative level, can create indirect visibility into employee work habits and content choices.
  • Work organisation changes: Introducing Notion AI as a core knowledge management or planning tool changes work organisation — a classic co-determination trigger under § 87(1) no. 6 BetrVG.

Practical recommendation: Engage the works council early, before company-wide rollout. The earlier co-determination is addressed, the less likely it is to delay deployment. If a Betriebsvereinbarung (works agreement) is required, it should specify: permissible use cases, which analytics are visible to management, retention periods for activity data, and prohibited prompt content categories.

For additional context on how German employment law intersects with AI tools, see our AI employee monitoring compliance guide.

Legal Basis Under GDPR Art. 6

Before deploying Notion and Notion AI, your company must identify the legal basis for processing under GDPR Art. 6 for each data category that may enter the workspace.

| Processing activity | Data involved | Likely legal basis |
|---|---|---|
| Internal documentation and project collaboration | General business data, minimal personal data | Art. 6(1)(f) legitimate interests |
| Employee workspace and knowledge management | Employee names, roles, work product | Art. 6(1)(b) employment contract or Art. 6(1)(f) |
| Customer data in workspace (accounts, support) | Customer names, contacts, business data | Art. 6(1)(b) contract with customer, or Art. 6(1)(f) |
| HR data (onboarding, evaluations, absences) | Employee personal data | Art. 6(1)(b) + § 26 BDSG (employee data) |
| Special category data (health, union membership) | Sensitive data under GDPR Art. 9 | Art. 9(2) exception required — explicit consent or statutory basis |

Data minimisation obligations: Even where a legal basis exists, GDPR Art. 5(1)(c) requires that personal data be adequate, relevant, and limited to what is necessary. Companies should not allow HR files, medical records, or detailed customer PII into a broad Notion workspace simply because a DPA has been executed. The legal basis and the data minimisation assessment must be conducted together.

For German companies, § 26 BDSG governs the processing of employee data. The threshold for what constitutes legitimate processing of employee data is generally stricter under German employment law than a GDPR Art. 6(1)(f) analysis alone would suggest. Compound Law’s expertise overview explains how these intersecting frameworks are reviewed in practice.

Risk Levels by Use Case

| Use case | Typical data | Risk level | Review needed |
|---|---|---|---|
| Drafting internal meeting notes | General business information | Low | Standard DPA and policy review |
| Summarising product documentation | Internal technical material | Low | Access-control check and user guidance |
| Searching a general company wiki | Mixed internal knowledge, possible personal data | Medium | Permission review and data-minimisation rules |
| Sales or customer-success workspace | Customer names, account context, support details | Medium to high | Contract review, data category review, transfer check |
| HR onboarding and people-operations support | Employee data, evaluations | High | Narrow permissions, HR review, works council and DPIA assessment |
| Contract review or legal investigations | Confidential legal data, dispute material | High | Case-by-case legal approval; generally not suited for broad rollout |

Practical Compliance Checklist Before Rollout

Before enabling Notion — and especially Notion AI — company-wide, work through these steps across legal, privacy, IT, and operations:

  1. Execute the Notion DPA and confirm the correct entity, sub-processor list, and SCC module.
  2. Review and accept the Notion AI addendum — this is separate from the main DPA.
  3. Document the transfer basis (SCCs) in your ROPA; assess whether a Transfer Impact Assessment is appropriate.
  4. Map workspace data categories — identify which personal data (employee, customer, HR, special category) is already in or will enter the workspace.
  5. Establish data minimisation rules — define what personal data may and may not be entered into Notion.
  6. Review access permissions — restrict guest access, external sharing, and cross-team content visibility.
  7. Assess whether a DPIA is required under GDPR Art. 35 for Notion AI applied to sensitive data.
  8. Engage the works council early; prepare a Betriebsvereinbarung if co-determination applies.
  9. Define approved, restricted, and prohibited AI use cases across teams.
  10. Train employees on what may never enter Notion AI prompts — HR files, customer PII, litigation documents.

How Compound Law Helps

Compound Law supports German and DACH companies with Notion DPA and AI addendum review, Transfer Impact Assessments, DPIA analysis for Notion AI use cases, Betriebsvereinbarung drafting for works council engagement, and practical rollout documentation for legal, privacy, and operations teams.

Typical engagements include:

  • Notion DPA and AI addendum review,
  • GDPR transfer documentation and TIA,
  • DPIA for Notion AI high-risk processing scenarios,
  • Works council strategy and Betriebsvereinbarung drafting,
  • Internal AI governance policies and use-case matrices,
  • Rollout guidance for legal, privacy, and operations stakeholders.

Specific situations require individual legal advice. This guide structures the review but does not substitute for a fact-specific assessment of your workspace, contracts, and actual data flows.

Frequently Asked Questions

Is Notion GDPR compliant for German companies?

Yes, Notion can be used in a GDPR-compliant way in Germany. Compliance depends on executing the Notion DPA, documenting the US-based data storage via SCCs, reviewing Notion AI’s OpenAI sub-processor relationship, and applying appropriate workspace governance for personal data categories.

Does Notion offer a Data Processing Agreement (DPA)?

Yes. Notion provides a Data Processing Agreement covering GDPR Art. 28, standard contractual clauses for EU–US transfers, and sub-processor disclosures. A separate AI-specific data addendum applies if Notion AI features are used and must be reviewed independently.

Does Notion store data in the EU?

No. As of early 2026, Notion has no EU data region. All workspace data is stored in the United States on AWS infrastructure. EU and German companies use Standard Contractual Clauses (SCCs) as the legal basis for the EU-to-US data transfer.

Can I use Notion AI if I have GDPR obligations?

Yes, but with additional care. Notion AI uses OpenAI as a sub-processor. You must review the Notion AI data addendum, assess whether a DPIA is required for your intended use cases, and consider restricting AI features for workspaces containing employee, customer, or confidential legal data.

What do I need to check before deploying Notion company-wide in Germany?

Execute the DPA and AI addendum, map workspace data categories, document the SCCs for the US transfer basis, assess DPIA requirements, engage the works council early, define approved and prohibited AI use cases, and train employees on what may not enter Notion AI prompts.

Do I need works council approval to deploy Notion in Germany?

Not automatically, but an early co-determination assessment is strongly recommended. Under § 87(1) no. 6 BetrVG, works councils have co-determination rights for technical tools that can record or evaluate employee behavior or performance. Notion’s activity metadata and Notion AI interaction logs can create monitoring-adjacent scenarios that should be addressed before company-wide deployment.


What is the legal basis for using Notion under GDPR Art. 6?

For general business collaboration, Art. 6(1)(f) legitimate interests typically applies. For employee data, Art. 6(1)(b) combined with § 26 BDSG governs. Customer data in workspaces requires its own legal basis analysis depending on the data categories involved.