Is DeepSeek GDPR Compliant? What German Companies Need to Know
Is DeepSeek compliant for German business use?
Usually no for the hosted service, but self-hosted deployments can work. As of 29 June 2026, DeepSeek's published policy still points to personal-data processing and storage in China, and German regulators still treat the service as high-risk. EU-hosted open-weight deployments are a separate compliance scenario.
- Hosted DeepSeek is not a safe default for personal-data use by German companies.
- DeepSeek's public policy still points to PRC storage and model-improvement processing.
- Berlin's DPA said on June 23, 2026 that Apple and Google rejected its takedown request and that further DSA steps may follow.
- Self-hosted DeepSeek on EU infrastructure can be documented as a separate, lower-risk setup.
Hosted DeepSeek is not the safe default for German companies processing personal data, but self-hosted DeepSeek can be a different legal answer. As of June 29, 2026, DeepSeek’s published privacy policy still says it directly collects, processes, and stores personal data in the People’s Republic of China, while German regulators continue to challenge those transfers. If you need DeepSeek-class performance, the practical split is: avoid the hosted service for personal-data workflows, or use the open-weight models on controlled EU infrastructure with proper contracts and documentation.
Hosted DeepSeek vs Self-Hosted DeepSeek: The Short Answer
For most German businesses, the right first answer is simple:
- Hosted DeepSeek cloud: not a safe default for workflows involving personal data
- Sandboxed no-personal-data experimentation: possible only with strict internal controls
- Self-hosted DeepSeek models in the EU: potentially workable with proper procurement and governance
That split matters because the legal risk attaches to the service model, not just the model name. A Chinese-operated hosted chatbot and an open-weight model deployed inside your own EU environment are not the same compliance scenario.
Why Hosted DeepSeek Still Creates GDPR Risk in June 2026
DeepSeek’s own policy still points to PRC storage
DeepSeek’s current published privacy policy says that personal data may be stored outside the user’s country and that, to provide the service, DeepSeek directly collects, processes, and stores personal data in the People’s Republic of China. The same policy also says DeepSeek uses personal data to train and improve its technology.
For German organisations, that creates an immediate vendor-risk problem:
- prompts and uploads can contain personal data or confidential business information
- service logs and device data are also in scope
- third-country transfer analysis is unavoidable from the start
This is why DeepSeek cloud cannot be treated like a low-friction productivity tool for HR, legal, support, or sales workflows.
Public procurement documentation remains weak for German buyers
German companies normally need a clean procurement file before approving any AI vendor for personal-data use. In practice that means checking:
- a usable DPA/AVV under Article 28 GDPR
- the transfer mechanism and supporting documentation
- security and retention commitments
- the provider’s role in model training and telemetry
As of June 29, 2026, we did not find a public enterprise DPA/AVV package or a public SCC package suitable for routine German procurement of DeepSeek’s hosted service. That does not prove no such paper exists in every private deal, but it does mean the hosted product is not procurement-ready in the way German legal and privacy teams usually require.
If you need a benchmark for what a compliant vendor file should look like, compare it with our guides on GDPR AI procurement, the AI vendor assessment checklist, and a proper data processing agreement.
German regulators are still escalating, not cooling off
The German regulatory signal is still negative:
- On June 27, 2025, the Berlin Commissioner for Data Protection and Freedom of Information notified Apple and Google that the DeepSeek app should be treated as illegal content in Germany because of unlawful data transfers to China.
- The LfD Niedersachsen warned that, based on current knowledge, DeepSeek does not satisfy key requirements of the GDPR and the EU AI Act.
- In its 2025 annual report published on June 23, 2026, the Berlin DPA said Apple and Google had rejected its request to block the app and that it intends to pursue further steps under Articles 20 and 21 DSA.
That is the freshest official 2026 signal on the German enforcement path: the matter is still live.
What Changed Since Earlier DeepSeek Analyses
An older version of this page treated the lack of an EU representative as one of the headline defects. That point now needs a narrower statement.
DeepSeek’s current privacy policy names Prighter Group as privacy representative and point of contact for the EU and UK. That helps with contactability, but it does not solve the two issues that matter most for German companies:
- the hosted service still routes personal data into a high-risk transfer scenario
- the hosted product still lacks the procurement clarity that German privacy and legal teams usually need
In other words: the representative point improved, but the hosted-service risk case did not disappear.
Decision Framework for German Companies
Use this practical split when deciding whether DeepSeek belongs anywhere in your organisation:
| Scenario | Recommended posture | Why |
|---|---|---|
| Employees using hosted DeepSeek for HR, customer, legal, or internal documents with personal data | Prohibit | Highest GDPR and confidentiality risk |
| Limited experimentation with synthetic or fully anonymised data | Sandbox only | Still needs policy controls, access limits, and logging |
| Self-hosted DeepSeek on your own EU infrastructure | Assess and document | Different legal posture because the hosted DeepSeek service is not involved |
| DeepSeek weights served by an EU provider | Run full vendor review on that provider | The provider, not DeepSeek cloud, becomes the primary procurement target |
For many German companies, the best policy is:
- ban hosted DeepSeek for personal-data workflows
- allow only controlled testing with non-personal data
- approve self-hosted or EU-hosted alternatives only after vendor review
If you are formalising that process, our guide to AI vendor due diligence in Germany and EU AI Act procurement requirements is the next step.
When Self-Hosted DeepSeek Can Be the Better Answer
DeepSeek’s open-weight models can be legally easier to use than DeepSeek cloud because you can separate the model weights from the hosted service.
That setup is more defensible when:
- prompts stay inside your own EU environment
- your infrastructure provider signs the necessary DPA/AVV
- you document the processing in your ROPA
- you run a DPIA where the use case requires it
- access, logging, and retention are aligned with internal policy
This is broadly the same pathway discussed for self-hosted Llama. If you want a more procurement-ready commercial option instead, compare Claude Enterprise GDPR positioning and related DPA material before making a buying decision.
Practical Checklist
- Block hosted DeepSeek for workflows involving personal data
- Review whether any teams already used DeepSeek with customer, employee, or contract data
- Decide whether limited sandbox use without personal data is acceptable
- If DeepSeek capability is needed, assess self-hosted or EU-hosted deployment instead
- Record the decision in your AI governance and vendor review process
- Update internal training so employees understand that “open-weight” and “hosted cloud” are different risk categories
This page provides general legal information, not legal advice. Specific procurement, transfer, and AI-governance decisions should be reviewed against your actual data flows and deployment model. For situation-specific support, contact Compound Law.
Frequently Asked Questions
Is DeepSeek GDPR compliant?
For the hosted DeepSeek service, usually no for German companies processing personal data. For self-hosted deployments on controlled EU infrastructure, compliance can be possible with the right contracts, governance, and documentation.
Is DeepSeek banned in Germany?
No formal statutory ban exists. But on June 27, 2025, the Berlin DPA asked Apple and Google to block the app in Germany, and in its June 23, 2026 annual report it said both platforms rejected that request and further DSA steps may follow.
Can I self-host DeepSeek in the EU?
Yes. If you run DeepSeek’s open-weight models on your own EU infrastructure or through a properly contracted EU provider, the legal analysis is different from using DeepSeek’s hosted cloud service.
Does DeepSeek offer a DPA or AVV?
We did not find a public enterprise DPA or AVV package for German procurement as of June 29, 2026. That makes vendor due diligence and lawful personal-data use materially harder for the hosted service.
Does DeepSeek send prompts or telemetry to China?
DeepSeek’s published privacy policy says it directly collects, processes, and stores personal data in the People’s Republic of China, including user inputs and service data. That is a core transfer-risk issue for German companies.
What if I use DeepSeek through an EU host?
Then assess the EU host as the relevant vendor. If prompts stay within the EU-hosted environment and do not go back to DeepSeek-operated services, the compliance analysis is closer to other self-hosted open-weight models.