GDPR-compliant AI for German companies: a practical checklist
Alex Grygoriev
May 22, 2026 · 5 min read
The first conversation with a German company is rarely about model quality. It is about Auftragsverarbeitung, data residency and what happens to a customer record the moment it touches a model. Get those answers wrong and the project never starts — no matter how good the AI is.
Decide what never leaves your control
Classify data before it ever reaches an LLM. Some fields should be redacted or pseudonymised before a prompt is even built; some workloads belong on models you host yourself. The default question for every field is simple: does this actually need to leave the building?
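One way to make that question mechanical, as an added example that is not code from the original post: every field of a record gets a policy (keep, pseudonymise, drop) before a prompt is built, direct identifiers become keyed tokens whose reverse mapping stays on our side, and kept free text is still scrubbed for identifiers that recur in it. The field names, policy table, regular expressions and sample record are all constructed for illustration; the HMAC key would come from a secrets store in a real deployment.

```python
"""Classify and minimise a customer record before it becomes an LLM prompt.

Added example, not code from the original post. The field names, the policy
table, the regexes and the sample record are constructed for illustration;
in a real deployment the HMAC key comes from a secrets store, not the source.
"""
import hashlib
import hmac
import re

# Hypothetical per-field policy, deny by default (unknown fields are dropped):
#   keep         - business data the model genuinely needs; free text is still scrubbed
#   pseudonymise - replaced by a keyed token; the reverse mapping never leaves our side
#   drop         - never sent, not even as a token
FIELD_POLICY = {
    "ticket_id": "keep",
    "subject": "keep",
    "body": "keep",
    "customer_name": "pseudonymise",
    "email": "pseudonymise",
    "iban": "drop",
    "date_of_birth": "drop",
}

# Structured identifiers that tend to hide inside free-text fields.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}\s?[A-Z0-9]{1,4}\b")
PHONE_RE = re.compile(r"(?:\+|00)\d{1,3}[\s/-]?\d{2,4}[\s/-]?\d{3,}")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


class Pseudonymiser:
    """Keyed, deterministic tokens: the same value always yields the same token
    under one key, so the model can still tell two people apart, while the
    token -> value table stays on our side for re-identifying the answer."""

    def __init__(self, key: bytes):
        self._key = key
        self._reverse = {}  # token -> original value; never sent anywhere

    def token(self, value: str) -> str:
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:12]
        tok = f"<PSEUDO_{digest}>"
        self._reverse[tok] = value
        return tok

    def reidentify(self, text: str) -> str:
        """Put real values back into a model response before it is used internally."""
        for tok, original in self._reverse.items():
            text = text.replace(tok, original)
        return text


def scrub_free_text(text: str, pseud: Pseudonymiser, known: dict) -> str:
    """Scrub a kept free-text field. Order matters: the IBAN pattern runs before
    the phone pattern, which would otherwise eat part of an IBAN's digit groups."""
    text = IBAN_RE.sub("<IBAN_REMOVED>", text)
    text = PHONE_RE.sub("<PHONE_REMOVED>", text)
    text = EMAIL_RE.sub(lambda m: pseud.token(m.group()), text)
    # Values already pseudonymised as fields (e.g. the customer's name) are
    # replaced wherever they recur in free text; longest first to avoid partial hits.
    for raw, tok in sorted(known.items(), key=lambda kv: -len(kv[0])):
        text = text.replace(raw, tok)
    return text


def minimise(record: dict, pseud: Pseudonymiser) -> dict:
    """Return the subset of `record` that is allowed to reach the model."""
    out, known = {}, {}
    for field, value in record.items():
        action = FIELD_POLICY.get(field, "drop")
        if action == "pseudonymise":
            tok = pseud.token(str(value))
            out[field], known[str(value)] = tok, tok
        elif action == "keep":
            out[field] = str(value)
    for field in out:
        if FIELD_POLICY[field] == "keep":
            out[field] = scrub_free_text(out[field], pseud, known)
    return out


def build_prompt(record: dict, pseud: Pseudonymiser) -> str:
    safe = minimise(record, pseud)
    return "Summarise this support ticket:\n" + "\n".join(f"{k}: {v}" for k, v in safe.items())


# Constructed sample record, not real customer data.
SAMPLE = {
    "ticket_id": "T-1042",
    "subject": "Refund not received",
    "body": ("Hi, I am Erika Mustermann (erika@example.org); please refund to "
             "DE89 3704 0044 0532 0130 00 or call +49 89 1234567."),
    "customer_name": "Erika Mustermann",
    "email": "erika@example.org",
    "iban": "DE89370400440532013000",
    "date_of_birth": "1980-01-01",
    "internal_notes": "VIP customer",  # not in the policy, so it never leaves
}

if __name__ == "__main__":
    p = Pseudonymiser(key=b"demo-key-from-secrets-store")
    print(build_prompt(SAMPLE, p))
```

The policy is deny-by-default on purpose: a field that nobody classified is dropped rather than sent. Regex scrubbing only catches structured identifiers; a name that appears in free text is caught here only because it also arrived as a pseudonymised field, so workloads where free text carries identifiers of other people still belong on a self-hosted model.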
Cookieless by default
On the front end I ship analytics that work without cookies (self-hosted Matomo with disableCookies) and load third-party embeds — calendars, maps — only after the visitor clicks (the two-click, click-to-load pattern). No consent wall is needed because nothing tracks until the visitor asks for it.
Consent where it actually matters
A required, explicit consent checkbox gates every form submission and links to a Datenschutzerklärung that describes the real processing — not boilerplate copied from another site. Consent should be specific, informed and provable.
Build the paper trail in
- A real Impressum and Datenschutzerklärung that match what the system actually does.
- Auftragsverarbeitungsverträge with every sub-processor you rely on.
- Data export and deletion as features, not favours.
- Logs that let you answer "what did the AI do with this record?".
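The provable consent from the previous section and the last three items of this list fit together in one small back end, shown here as an added example that is not code from the original post: a consent receipt records which version of the notice the person saw, every model call is refused until that receipt exists, the processing log is hash-chained so gaps or edits are detectable, and export and deletion are ordinary functions. The log carries field names, model and sub-processor, never field values, so it can survive a deletion as a tombstone. The record shape, the notice version tag, the sub-processor names and the fake model function are all constructed for illustration.

```python
"""Consent receipts, a hash-chained processing log, export and deletion.

Added example, not code from the original post. The record shape, the notice
version tag, the sub-processor names and the fake model are constructed.
"""
import hashlib
import json
import time

# Hypothetical identity of the published Datenschutzerklärung: the receipt
# records which version the person saw, so consent stays provable after edits.
NOTICE_VERSION = "2026-05-01"
NOTICE_SHA256 = hashlib.sha256(b"<published notice text goes here>").hexdigest()  # constructed

GENESIS = "0" * 64


def _digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class ProcessingLog:
    """Append-only and hash-chained: each entry commits to the previous hash, so an
    edited or removed entry makes verify() fail. Entries hold field *names*, the
    model and the sub-processor, never field values."""

    def __init__(self):
        self.entries = []

    def append(self, subject_id: str, action: str, **detail) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": time.time(), "subject": subject_id, "action": action,
                "detail": detail, "prev": prev}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def history(self, subject_id: str) -> list:
        """Answers 'what did the AI do with this record?'."""
        return [e for e in self.entries if e["subject"] == subject_id]


class Processor:
    """Toy back end that only calls a model once consent for the purpose is on record."""

    def __init__(self):
        self.records = {}   # subject_id -> personal data (the only place values live)
        self.consents = {}  # subject_id -> consent receipt
        self.log = ProcessingLog()

    def record_consent(self, subject_id: str, purpose: str) -> dict:
        receipt = {"subject": subject_id, "purpose": purpose, "at": time.time(),
                   "notice_version": NOTICE_VERSION, "notice_sha256": NOTICE_SHA256}
        self.consents[subject_id] = receipt
        self.log.append(subject_id, "consent", purpose=purpose, notice_version=NOTICE_VERSION)
        return receipt

    def run_model(self, subject_id, fields, model_fn, model_name, sub_processor, purpose):
        consent = self.consents.get(subject_id)
        if consent is None or consent["purpose"] != purpose:
            self.log.append(subject_id, "refused", purpose=purpose, reason="no consent on record")
            raise PermissionError(f"no consent for {purpose!r} on record for {subject_id}")
        payload = {f: self.records[subject_id][f] for f in fields}  # exactly what leaves
        response = model_fn(payload)
        entry_hash = self.log.append(subject_id, "model_call", fields=sorted(payload),
                                     model=model_name, sub_processor=sub_processor,
                                     purpose=purpose)
        return response, entry_hash

    def export(self, subject_id: str) -> dict:
        """Data-portability bundle: the data, the consent and the processing history."""
        return {"data": self.records.get(subject_id),
                "consent": self.consents.get(subject_id),
                "processing": self.log.history(subject_id)}

    def delete(self, subject_id: str) -> str:
        self.records.pop(subject_id, None)
        self.consents.pop(subject_id, None)
        # The log keeps a tombstone: it carries no personal data, only the fact.
        return self.log.append(subject_id, "deleted")


if __name__ == "__main__":
    proc = Processor()
    proc.records["C-7"] = {"name": "Erika Mustermann", "email": "erika@example.org"}  # constructed
    proc.record_consent("C-7", "ticket_summary")
    fake_model = lambda payload: f"summary over {sorted(payload)}"  # stands in for the real call
    print(proc.run_model("C-7", ["name"], fake_model, "model-x", "vendor-a", "ticket_summary"))
    print(json.dumps(proc.export("C-7"), indent=2))
    proc.delete("C-7")
    print("chain intact:", proc.log.verify())
```

The subject identifier in the log should itself be an internal key rather than a name or e-mail address, otherwise the tombstone re-introduces personal data after deletion. Keeping the log append-only is what turns "what did the AI do with this record?" from a reconstruction exercise into a lookup.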
Privacy is a design input, not an afterthought
Retro-fitting compliance onto a system that already ships data everywhere is painful and expensive. Designing for it from the first sketch costs almost nothing — and it is the difference between a German company signing and walking away.
“For a German client, "where does the data go?" is not a legal footnote. It is the first question — and the right answer wins the deal.”

Alex Grygoriev
Senior AI Automation Engineer · München
I build agentic AI that actually runs in production — solo, end to end. Two MCP servers, 27 agents and 32 microservices behind one AI-run company.