Expertise / GDPR Specialist
GDPR Specialist
„We’re worried our AI is sending employee data to OpenAI."
Impact assessments for AI workflows, DPA review, anonymised data flows. Before the build, not after the data leak.
AI applications are particularly sensitive under GDPR as soon as personal data lands in prompts — which is almost always the case in the Mittelstand. For every new application we check the legal basis (Art. 6 GDPR), build the impact assessment where needed (Art. 35) and design the data flow so pseudonymisation kicks in wherever possible.
What clients ask us about this.
- „Do we need a DPIA for our service bot?"
- „How do we pseudonymise customer data before the API call?"
- „Who’s liable if employee data ends up at a US vendor?"
- „Are the EU Standard Contractual Clauses enough?"
What we keep for you.
Documented per mandate, viewable and correctable by you anytime.
- DPIA status per AI application with risk rating
- DPAs with all relevant sub-processors
- Pseudonymisation pipelines (which data is stripped before the API)
- Taboo list: which data categories must never enter which system
- Schrems-II transfer impact assessments for US vendors
Tax advisory firm · 80 employees
Client email drafts via Claude. DPIA documented, pseudonymisation layer built (names + IBAN masking before API call), Anthropic DPA with zero-retention addendum verified, training prepared for the two clerks involved.
One request is enough.
Write us briefly what’s on your plate — we respond within one business day. This role is part of the Autopilot retainer, not booked separately.