AI & Data Protection
How both fit together.
AI and data protection are often seen as opposites. They are not – when AI is developed from the start with the right architectural approach. For organisations in regulated environments, this is not a question of comfort but of prerequisite. I advise and develop AI solutions where data protection is not a retrospective patch but part of the design.
Why data protection matters especially for AI
AI systems work with data, and often with sensitive data: customer records, application data, internal documents, communications. Once this data leaves a system – for example into an external cloud – a loss of control occurs that is simply not acceptable in many organisations: legally, regulatorily, or for reasons of trust. This applies in particular to:
- Municipalities and public authorities handling personal citizen data
- Banks and financial institutions under BaFin regulation
- All organisations subject to GDPR – which is effectively every organisation in the DACH region
Local AI models – control without cloud dependency
The most direct path to GDPR-compliant AI is local execution: models run on your own infrastructure, data never leaves your environment. This is technically straightforward today – and for many use cases, the right choice.
How this works in practice
Ollama
With Ollama, powerful open-source language models can be run locally – on a server in your data centre or in your private cloud environment.
LangChain
LangChain enables structured connection of local models to your data, systems and processes – without transferring data to external services.
Hugging Face
Hugging Face provides a wide selection of specialised models that can be trained and fine-tuned for specific tasks – classification, extraction, summarisation.
What this means
- No data transfer to external providers
- Full control over model, data and inference
- Transparent, auditable system architecture
- No dependency on provider terms or pricing changes
Commercial AI services – when it's the right choice
Local models are not always the best solution. For certain tasks – especially those that do not involve sensitive data – commercial AI services like Azure OpenAI or AWS Bedrock can make sense. They offer higher model quality for complex language tasks, easier scaling and lower operational overhead.
When commercial services are used, protective measures must be architecturally anchored from the start:
Data minimisation
Only pass the data that is actually necessary for the task – no unnecessary contextualisation with personal information.
Pseudonymisation & anonymisation
Sensitive fields are automatically removed or replaced by tokens before the request is passed to external services; the mapping back to the original values stays inside your own environment.
Contractual safeguards
Data processing agreements (DPA) with the provider, review of standard contractual clauses for third-country transfers.
Logging & audit trail
Complete traceability of which requests were sent to external services and with what data.
Architectural separation
AI services are not directly integrated into core processes but connected via controlled interfaces that enable data governance.
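As an added illustration (not code from this page or from any product named on it), a small Python pre-processing step that applies the data-minimisation, pseudonymisation and audit-trail measures above before a request leaves your environment. The field names, the pseudonymisation key and the sample record are constructed assumptions.

```python
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed demo key; in production load it from a secret store, never from source code.
PSEUDONYM_KEY = b"constructed-demo-key"
# Assumed field names that must never reach an external provider in clear text.
SENSITIVE_FIELDS = {"name", "email", "iban"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def pseudonymise(value: str, kind: str) -> str:
    """Keyed, deterministic token: the provider never sees the value, but the same
    input always maps to the same token, so references inside a request stay consistent."""
    digest = hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:10]
    return f"<{kind}:{digest}>"

def minimise_and_pseudonymise(record: dict, allowed: set) -> tuple[dict, dict]:
    """Data minimisation: only fields in `allowed` are forwarded at all.
    Pseudonymisation: sensitive fields and inline e-mail addresses become tokens.
    Returns (outbound payload, token->original mapping kept on your own side)."""
    outbound, mapping = {}, {}
    for key in sorted(allowed):
        if key not in record:
            continue
        val = record[key]
        if key in SENSITIVE_FIELDS:
            token = pseudonymise(str(val), key)
            mapping[token] = val
            outbound[key] = token
        elif isinstance(val, str):
            def _replace(m: re.Match) -> str:
                token = pseudonymise(m.group(0), "email")
                mapping[token] = m.group(0)
                return token
            outbound[key] = EMAIL_RE.sub(_replace, val)
        else:
            outbound[key] = val
    return outbound, mapping

def audit_entry(provider: str, payload: dict) -> dict:
    """Audit trail: who was called, which fields were sent, the pseudonymised payload
    itself and its hash, so the request can be reproduced and checked later."""
    body = json.dumps(payload, sort_keys=True)
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "provider": provider,
        "fields": sorted(payload),
        "payload": payload,
        "payload_sha256": hashlib.sha256(body.encode()).hexdigest(),
    }
```

The audit record contains only the already pseudonymised payload, so the log itself holds no personal data while still showing exactly what left the system.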
I advise you openly on which approach is right for your specific use case and regulatory situation.
Privacy by Design – what this concretely means
"Privacy by Design" is enshrined in the GDPR – but in practice it is often treated as a checklist rather than an architectural principle. I understand it as the latter: data protection is a design decision made from the very first architectural sketch.
Data minimisation
Only process what is necessary for the specific use case – no data hoarding, no unnecessary context.
Data flow control
Clear rules on who may pass which data to the AI system – technically and organisationally.
Technical access restriction
Authentication and authorisation enforced at system level – not only in the user interface.
Logging & deletion concepts
Fully traceable and tamper-evident – as the technical foundation for audits and Data Protection Impact Assessments.
DPIA documentation
Technical documentation for Data Protection Impact Assessments where required – prepared for your Data Protection Officer.
Who this is particularly relevant for
Municipalities and public authorities
Working with personal citizen data and wanting to use AI in a GDPR-compliant way.
Banks and financial institutions
Subject to BaFin regulation and needing to operate AI systems in an auditable and traceable way.
SMEs
Processing sensitive customer or business data and unable to accept uncontrolled transfer to external services.
Data protection officers & compliance
Who need to assess the technical feasibility of GDPR-compliant AI and make technically-founded system decisions.
Implement AI in a GDPR-compliant way – from the start.
If you want to use AI but not at the cost of data protection and data sovereignty, let's talk. I will show you concretely which approach is right for your organisation, your data and your regulatory situation.