DeepSeek GDPR compliance analysis for German companies
tools

Is DeepSeek GDPR Compliant? What German Companies Need to Know

Is DeepSeek compliant for German business use?

Usually no for the hosted service, but self-hosted deployments can work. As of 29 June 2026, DeepSeek's published policy still points to personal-data processing and storage in China, and German regulators still treat the service as high-risk. EU-hosted open-weight deployments are a separate compliance scenario.

  • Hosted DeepSeek is not a safe default for personal-data use by German companies.
  • DeepSeek's public policy still points to PRC storage and model-improvement processing.
  • Berlin's DPA said on June 23, 2026 that Apple and Google rejected its takedown request and that further DSA steps may follow.
  • Self-hosted DeepSeek on EU infrastructure can be documented as a separate, lower-risk setup.

Hosted DeepSeek is not the safe default for German companies processing personal data, but self-hosted DeepSeek can be a different legal answer. As of June 29, 2026, DeepSeek’s published privacy policy still says it directly collects, processes, and stores personal data in the People’s Republic of China, while German regulators continue to challenge those transfers. If you need DeepSeek-class performance, the practical split is: avoid the hosted service for personal-data workflows, or use the open-weight models on controlled EU infrastructure with proper contracts and documentation.

Hosted DeepSeek vs Self-Hosted DeepSeek: The Short Answer

For most German businesses, the right first answer is simple:

  • Hosted DeepSeek cloud: not a safe default for workflows involving personal data
  • Sandboxed no-personal-data experimentation: possible only with strict internal controls
  • Self-hosted DeepSeek models in the EU: potentially workable with proper procurement and governance

That split matters because the legal risk attaches to the service model, not just the model name. A Chinese-operated hosted chatbot and an open-weight model deployed inside your own EU environment are not the same compliance scenario.

Why Hosted DeepSeek Still Creates GDPR Risk in June 2026

DeepSeek’s own policy still points to PRC storage

DeepSeek’s current published privacy policy says that personal data may be stored outside the user’s country and that, to provide the service, DeepSeek directly collects, processes, and stores personal data in the People’s Republic of China. The same policy also says DeepSeek uses personal data to train and improve its technology.

For German organisations, that creates an immediate vendor-risk problem:

  • prompts and uploads can contain personal data or confidential business information
  • service logs and device data are also in scope
  • third-country transfer analysis is unavoidable from the start

This is why DeepSeek cloud cannot be treated like a low-friction productivity tool for HR, legal, support, or sales workflows.

Public procurement documentation remains weak for German buyers

German companies normally need a clean procurement file before approving any AI vendor for personal-data use. In practice that means checking:

  1. a usable DPA/AVV under Article 28 GDPR
  2. the transfer mechanism and supporting documentation
  3. security and retention commitments
  4. the provider’s role in model training and telemetry

As of June 29, 2026, we did not find a public enterprise DPA/AVV package or a public SCC package suitable for routine German procurement of DeepSeek’s hosted service. That does not prove no such paper exists in every private deal, but it does mean the hosted product is not procurement-ready in the way German legal and privacy teams usually require.

If you need a benchmark for what a compliant vendor file should look like, compare it with our guides on GDPR AI procurement, the AI vendor assessment checklist, and a proper data processing agreement.

German regulators are still escalating, not cooling off

The German regulatory signal is still negative:

  • On June 27, 2025, the Berlin Commissioner for Data Protection and Freedom of Information notified Apple and Google that the DeepSeek app should be treated as illegal content in Germany because of unlawful data transfers to China.
  • The LfD Niedersachsen warned that, based on current knowledge, DeepSeek does not satisfy key requirements of the GDPR and the EU AI Act.
  • In its 2025 annual report published on June 23, 2026, the Berlin DPA said Apple and Google had rejected its request to block the app and that it intends to pursue further steps under Articles 20 and 21 DSA.

That is the freshest official 2026 signal on the German enforcement path: the matter is still live.

What Changed Since Earlier DeepSeek Analyses

An older version of this page treated the lack of an EU representative as one of the headline defects. That point now needs a narrower statement.

DeepSeek’s current privacy policy names Prighter Group as privacy representative and point of contact for the EU and UK. That helps with contactability, but it does not solve the two issues that matter most for German companies:

  • the hosted service still routes personal data into a high-risk transfer scenario
  • the hosted product still lacks the procurement clarity that German privacy and legal teams usually need

In other words: the representative point improved, but the hosted-service risk case did not disappear.

Decision Framework for German Companies

Use this practical split when deciding whether DeepSeek belongs anywhere in your organisation:

ScenarioRecommended postureWhy
Employees using hosted DeepSeek for HR, customer, legal, or internal documents with personal dataProhibitHighest GDPR and confidentiality risk
Limited experimentation with synthetic or fully anonymised dataSandbox onlyStill needs policy controls, access limits, and logging
Self-hosted DeepSeek on your own EU infrastructureAssess and documentDifferent legal posture because the hosted DeepSeek service is not involved
DeepSeek weights served by an EU providerRun full vendor review on that providerThe provider, not DeepSeek cloud, becomes the primary procurement target

For many German companies, the best policy is:

  1. ban hosted DeepSeek for personal-data workflows
  2. allow only controlled testing with non-personal data
  3. approve self-hosted or EU-hosted alternatives only after vendor review

If you are formalising that process, our guide to AI vendor due diligence in Germany and EU AI Act procurement requirements is the next step.

When Self-Hosted DeepSeek Can Be the Better Answer

DeepSeek’s open-weight models can be legally easier to use than DeepSeek cloud because you can separate the model weights from the hosted service.

That setup is more defensible when:

  • prompts stay inside your own EU environment
  • your infrastructure provider signs the necessary DPA/AVV
  • you document the processing in your ROPA
  • you run a DPIA where the use case requires it
  • access, logging, and retention are aligned with internal policy

This is broadly the same pathway discussed for self-hosted Llama. If you want a more procurement-ready commercial option instead, compare Claude Enterprise GDPR positioning and related DPA material before making a buying decision.

Practical Checklist

  • Block hosted DeepSeek for workflows involving personal data
  • Review whether any teams already used DeepSeek with customer, employee, or contract data
  • Decide whether limited sandbox use without personal data is acceptable
  • If DeepSeek capability is needed, assess self-hosted or EU-hosted deployment instead
  • Record the decision in your AI governance and vendor review process
  • Update internal training so employees understand that “open-weight” and “hosted cloud” are different risk categories

This page provides general legal information, not legal advice. Specific procurement, transfer, and AI-governance decisions should be reviewed against your actual data flows and deployment model. For situation-specific support, contact Compound Law.

Frequently Asked Questions

Is DeepSeek GDPR compliant?

For the hosted DeepSeek service, usually no for German companies processing personal data. For self-hosted deployments on controlled EU infrastructure, compliance can be possible with the right contracts, governance, and documentation.

Is DeepSeek banned in Germany?

No formal statutory ban exists. But on June 27, 2025, the Berlin DPA asked Apple and Google to block the app in Germany, and in its June 23, 2026 annual report it said both platforms rejected that request and further DSA steps may follow.

Can I self-host DeepSeek in the EU?

Yes. If you run DeepSeek’s open-weight models on your own EU infrastructure or through a properly contracted EU provider, the legal analysis is different from using DeepSeek’s hosted cloud service.

Does DeepSeek offer a DPA or AVV?

We did not find a public enterprise DPA or AVV package for German procurement as of June 29, 2026. That makes vendor due diligence and lawful personal-data use materially harder for the hosted service.

Does DeepSeek send prompts or telemetry to China?

DeepSeek’s published privacy policy says it directly collects, processes, and stores personal data in the People’s Republic of China, including user inputs and service data. That is a core transfer-risk issue for German companies.

What if I use DeepSeek through an EU host?

Then assess the EU host as the relevant vendor. If prompts stay within the EU-hosted environment and do not go back to DeepSeek-operated services, the compliance analysis is closer to other self-hosted open-weight models.

Related Tool Guides

Claude ZDR zero data retention guide for Anthropic API and Claude Code enterprise use
tools

Claude ZDR: Zero Data Retention for Enterprise and Claude Code

Claude ZDR is available only on qualified Anthropic API and Claude Code enterprise paths. Learn scope, exclusions, retention exceptions, and procurement steps.

DeepL DPA and GDPR approval guide for companies in Germany
tools

DeepL DPA and GDPR in Germany: Approval Guide for Buyers

DeepL can usually be approved in Germany only on paid business plans with a signed DPA, feature review, and confidentiality checks. DeepL Free is not approved.

Cursor DPA and GDPR review for teams in Germany
tools

Cursor DPA 2026: Where to Find It and What It Covers

The Cursor DPA is public at cursor.com/terms/dpa, but German teams still need the right paid plan, Privacy Mode, and transfer review before using personal data.

Zapier GDPR 2026 Germany — DPA, Article 28, SCCs and EU data transfers for German companies
tools

Is Zapier GDPR Compliant? Germany Guide 2026

Is Zapier GDPR compliant for German companies? DPA, SCCs, EU data residency, and when Zapier is too risky for personal data workflows.

Claude Code GDPR compliance — DPA, data retention and EU hosting guide
tools

Claude Code Data Privacy: GDPR, DPA & No Training Policy

Claude Code's data privacy policy: no training on your code by default, GDPR DPA included via Anthropic API, zero data retention for Enterprise.

HubSpot privacy and GDPR compliance for German businesses
tools

HubSpot Privacy in Germany: GDPR, DPA, and Works Council Risks

HubSpot privacy and GDPR compliance in Germany require a DPA, transfer review, EU data hosting assessment, and works council analysis.

Tool Library

Browse More AI Tools by Topic

Compare more tools, privacy issues, and deployment scenarios in the full AI tool library.

View all AI tools

Frequently asked questions

For the hosted DeepSeek service, usually no for German companies processing personal data. For self-hosted deployments on controlled EU infrastructure, compliance can be possible with the right contracts, governance, and documentation.

No formal statutory ban exists. But on June 27, 2025, the Berlin DPA asked Apple and Google to block the app in Germany, and in its June 23, 2026 annual report it said both platforms rejected that request and further DSA steps may follow.

Yes. If you run DeepSeek's open-weight models on your own EU infrastructure or through a properly contracted EU provider, the legal analysis is different from using DeepSeek's hosted cloud service.

We did not find a public enterprise DPA or AVV package for German procurement as of June 29, 2026. That makes vendor due diligence and lawful personal-data use materially harder for the hosted service.

DeepSeek's published privacy policy says it directly collects, processes, and stores personal data in the People's Republic of China, including user inputs and service data. That is a core transfer-risk issue for German companies.

Then assess the EU host as the relevant vendor. If prompts stay within the EU-hosted environment and do not go back to DeepSeek-operated services, the compliance analysis is closer to other self-hosted open-weight models.

Book Free Call