Compliance · Germany 2026-05-30 9 min read

DSGVO and Chatbots: the 2026 Compliance Checklist for German Businesses

intoCHAT Team
DSGVO compliance checklist for chatbot deployments in Germany

If your business operates in Germany and runs a chatbot, you are processing personal data under the EU GDPR (DSGVO) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). Germany applies the strictest interpretation of GDPR in the EU — the Aufsichtsbehörden (the federal BfDI plus the state-level data protection authorities such as HmbBfDI and LfDI) issue more enforcement actions per capita than any other member state. This article is the practical compliance checklist for chatbot deployments — what to ask vendors, what to document, what to audit before launch.

What DSGVO actually requires for chatbots

GDPR Article 6 requires a lawful basis for every processing activity. For chatbots, the typical basis is legitimate interest (Art. 6(1)(f)) for customer-service inquiries — but you need a documented balancing test. For marketing-adjacent use cases (e.g., outbound WhatsApp templates), explicit consent (Art. 6(1)(a)) is required. The German interpretation: document both your lawful basis and your balancing test before launch; do not rely on a generic vendor template.

Personal data in chatbot conversations

Almost every chatbot interaction processes personal data — IP addresses, browser fingerprints, free-text containing names/contact info/health-or-financial details. The German BDSG and case law (BGH, EuGH) are explicit: if the data can be linked to a natural person, even indirectly, GDPR applies.

The practical bar: every deployment needs documented data minimization, a retention policy with auto-deletion, a process for data-subject rights (Auskunft, Berichtigung, Löschung, Datenübertragbarkeit, Widerspruch), and a transparent mention of the chatbot in your Datenschutzerklärung.

Data residency — EU vs Germany-region

GDPR does not require data to stay in Germany — it requires data to stay within the EU/EEA or transit to a country with an adequacy decision. In practice, German Aufsichtsbehörden and DPOs strongly prefer EU-region hosting (Frankfurt is the default for most enterprise deployments). Germany-specific hosting (Bundesgebiet-only) is available on enterprise plans for organizations with strict Bundeswehr, BSI Grundschutz, or public-sector residency requirements.

Avoid US-region hosting unless you have a specific reason. After Schrems II, US transfers require additional safeguards (Standard Contractual Clauses, supplementary measures), and most German DPOs will flag US-hosted chatbot data as a compliance risk.

Auftragsverarbeitungsvertrag (AVV / DPA)

GDPR Article 28 requires a written processor agreement (Auftragsverarbeitungsvertrag in German law) between you and your chatbot vendor. The AVV must specify:

  • Categories of personal data processed.
  • Purposes of processing.
  • Duration of processing.
  • Sub-processor list (Meta, OpenAI, Anthropic, AWS, etc.) with a process for adding new sub-processors.
  • Technical and organizational measures (TOMs).
  • Breach notification timing (Article 33 gives you, the controller, 72 hours to notify the supervisory authority, so the processor's notice to you must arrive well inside that window).
  • Data subject rights handling.
  • Audit rights.
  • Deletion/return of data at contract end.

A vendor that cannot sign an AVV at contract signing should be considered a compliance risk. intoCHAT signs an AVV for every paid deployment in Germany.

Audit logging and retention windows

For regulated industries (banking under BaFin, insurance, healthcare, public sector), audit logging of every conversation and every system action is increasingly expected. For non-regulated industries, audit logging is recommended for incident response and data-subject-rights handling. Retention should be category-specific:

  • Conversation transcripts: 30–90 days typical; up to 6 months for fraud/abuse review.
  • Audit logs: 6 months to 7 years depending on regulatory requirements.
  • Qualified leads in CRM: duration of the customer relationship.
  • Anonymized analytics: indefinite (no GDPR obligation once truly anonymized).
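Category-specific retention only holds up if deletion is decided by rule rather than by hand. The following is an added example (not intoCHAT's code) of a retention engine that applies the windows listed above: 90 days for transcripts, 180 days for transcripts flagged for fraud/abuse review, a 7-year window for audit logs (an assumed regulated-industry setting), deletion of CRM leads once the customer relationship ends, and no deletion for anonymized analytics. Record categories, field names and the sample records are constructed for the example; an unknown category raises rather than silently being kept or deleted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention windows in days, following the ranges given in the article.
# None means "no time-based deletion" (handled by a category-specific rule or kept indefinitely).
RETENTION_DAYS = {
    "transcript": 90,
    "transcript_fraud_review": 180,      # extended window for fraud/abuse review
    "audit_log": 7 * 365,                # assumed: regulated deployment, 7-year requirement
    "crm_lead": None,                    # lives for the duration of the customer relationship
    "anonymized_analytics": None,        # no GDPR obligation once truly anonymized
}


@dataclass
class Record:
    record_id: str
    category: str
    created_at: datetime
    fraud_review: bool = False                          # transcripts only
    relationship_ended_at: Optional[datetime] = None    # CRM leads only


def retention_deadline(rec: Record, policy=RETENTION_DAYS) -> Optional[datetime]:
    """Return the instant after which the record must be deleted, or None if it is kept."""
    if rec.category == "transcript":
        key = "transcript_fraud_review" if rec.fraud_review else "transcript"
        return rec.created_at + timedelta(days=policy[key])
    if rec.category == "crm_lead":
        # A lead is deleted as soon as the relationship it belongs to has ended.
        return rec.relationship_ended_at
    if rec.category not in policy:
        # Fail loudly: every category must have an explicit, documented rule.
        raise ValueError(f"no retention rule for category {rec.category!r}")
    days = policy[rec.category]
    return None if days is None else rec.created_at + timedelta(days=days)


def select_expired(records, now: datetime, policy=RETENTION_DAYS):
    """Return ids of records whose retention deadline has passed, in input order."""
    expired = []
    for rec in records:
        deadline = retention_deadline(rec, policy)
        if deadline is not None and deadline <= now:
            expired.append(rec.record_id)
    return expired


# Constructed sample data: "now" is fixed so the run is reproducible.
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("t-1", "transcript", datetime(2026, 2, 1, tzinfo=timezone.utc)),                 # 120 d old, 90 d limit
    Record("t-2", "transcript", datetime(2026, 2, 1, tzinfo=timezone.utc), fraud_review=True),  # 120 d old, 180 d limit
    Record("a-1", "audit_log", datetime(2020, 1, 1, tzinfo=timezone.utc)),                  # ~6.4 y old, 7 y limit
    Record("lead-1", "crm_lead", datetime(2024, 3, 1, tzinfo=timezone.utc),
           relationship_ended_at=datetime(2026, 5, 1, tzinfo=timezone.utc)),                # relationship ended
    Record("lead-2", "crm_lead", datetime(2024, 3, 1, tzinfo=timezone.utc)),                # still a customer
    Record("an-1", "anonymized_analytics", datetime(2019, 1, 1, tzinfo=timezone.utc)),      # kept indefinitely
]


def run_sample():
    return select_expired(SAMPLE_RECORDS, NOW)


if __name__ == "__main__":
    print("to delete:", run_sample())   # to delete: ['t-1', 'lead-1']
```

Run the selection from a scheduled job against the platform's own store and write each deletion to the audit log; the deletion record itself falls under the audit-log window, which is how you later prove to a data subject or an Aufsichtsbehörde that the Löschung actually happened.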

Cross-border AI model providers and Schrems II

AI chatbots typically use large language models from providers (OpenAI, Anthropic, Google, Mistral, Azure OpenAI). Many of these route inference through US infrastructure by default. After Schrems II (CJEU C-311/18), German DPOs apply elevated scrutiny to US transfers.

Mitigations: (1) use EU-hosted model endpoints where available (OpenAI now offers EU regions, Azure has Frankfurt and Paris regions, Mistral hosts in EU), (2) configure data-minimization at the API level (no persistent storage by model provider, opt-out from training), (3) document the contractual chain in your AVV. For sensitive deployments (banking, insurance, healthcare), insist on EU-only model inference.

The practical 9-point compliance checklist

  1. Signed AVV with sub-processor list, breach-notification SLA, audit rights, and TOMs.
  2. EU-region hosting documented at contract level (Frankfurt or equivalent). Germany-region for strict residency requirements.
  3. Documented lawful basis per processing activity (legitimate interest with balancing test for service; explicit consent for marketing).
  4. Datenschutzerklärung updated to disclose chatbot processing, categories of data, retention, recipient categories.
  5. Data subject rights operationalized — not just stated. Test the Auskunft and Löschung process end-to-end before launch.
  6. Retention policy defined per data category with auto-deletion enforced at the platform level.
  7. Cross-border model usage documented. EU-hosted endpoints for sensitive deployments. Opt-out from training data confirmed.
  8. Audit log enabled, exportable, tamper-evident. Retention matched to regulatory requirements.
  9. Incident-response plan with 72-hour breach notification (Article 33) clearly defined between you and the vendor.
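Item 8 asks for an audit log that is exportable and tamper-evident. One standard way to get the tamper-evident part is a hash chain: every entry commits to the hash of its predecessor, so editing or removing an entry in the middle of an exported file breaks verification from that point on. The block below is an added example written for this article, not intoCHAT's implementation; the entry fields, actor names and pseudonymous subject ids are constructed, and the export format is plain JSON Lines so a DPO or auditor can verify it with nothing but the hash function.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_hash of the very first entry


def _canonical(obj) -> str:
    """Deterministic serialization so the same entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


class AuditLog:
    """Append-only log in which each entry's hash covers the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, actor: str, action: str, subject: str, ts: datetime) -> str:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        payload = {
            "seq": len(self.entries),
            "ts": ts.isoformat(),
            "actor": actor,
            "action": action,
            "subject": subject,        # pseudonymous id, never the raw personal data
            "prev_hash": prev_hash,
        }
        entry_hash = hashlib.sha256(_canonical(payload).encode()).hexdigest()
        self.entries.append(dict(payload, hash=entry_hash))
        return entry_hash

    def export_jsonl(self) -> str:
        return "\n".join(_canonical(e) for e in self.entries)


def verify_chain(jsonl_text: str):
    """Recompute every hash; return (True, None) or (False, index_of_first_bad_entry)."""
    prev = GENESIS
    for i, line in enumerate(jsonl_text.splitlines()):
        entry = json.loads(line)
        stored = entry.pop("hash", None)
        # A removed or reordered entry shows up as a seq/prev_hash mismatch.
        if entry.get("seq") != i or entry.get("prev_hash") != prev:
            return False, i
        # A modified field shows up as a hash mismatch.
        if hashlib.sha256(_canonical(entry).encode()).hexdigest() != stored:
            return False, i
        prev = stored
    return True, None


def tamper(jsonl_text: str, index: int, field: str, value) -> str:
    """Helper for the demonstration: rewrite one field of one exported entry."""
    lines = jsonl_text.splitlines()
    entry = json.loads(lines[index])
    entry[field] = value
    lines[index] = _canonical(entry)
    return "\n".join(lines)


def build_sample_log() -> AuditLog:
    # Constructed entries covering the data-subject-rights actions a DSGVO audit asks about.
    log = AuditLog()
    t0 = datetime(2026, 5, 4, 9, 0, tzinfo=timezone.utc)
    log.append("agent:support-42", "auskunft.request_received", "ds:7f3a", t0)
    log.append("system:exporter", "auskunft.export_delivered", "ds:7f3a", t0.replace(hour=11))
    log.append("system:retention", "loeschung.executed", "ds:7f3a", t0.replace(day=5))
    return log


if __name__ == "__main__":
    exported = build_sample_log().export_jsonl()
    print(verify_chain(exported))                                           # (True, None)
    print(verify_chain(tamper(exported, 1, "action", "auskunft.denied")))   # (False, 1)
```

A chain like this detects edits and deletions in the middle of the file but not truncation at the tail, since a shortened file still verifies up to its last line. To close that gap, periodically record the newest entry's hash somewhere the log writer cannot alter (a separate store, a signed daily summary, or a write-once bucket) and compare it against the export at audit time.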

Sector-specific overlays

Beyond general DSGVO compliance, certain sectors have additional requirements that materially affect chatbot deployments:

  • Banking (BaFin): outsourcing rules (MaRisk AT 9), model risk documentation, human-oversight requirements. AI agent deployments need governance committee sign-off.
  • Healthcare (Art. 9 GDPR): heightened controls for Gesundheitsdaten — usually no persistent storage of clinical free-text, audit log mandatory, EU-hosted model endpoints.
  • Public sector (BSI Grundschutz): Bundesgebiet-only hosting often required; specific TOM requirements; procurement-specific DPA addenda.
  • Telecom (TTDSG): additional rules for communication metadata; consent handling specifically defined.

For German businesses ready to start

intoCHAT is built for the German compliance environment — EU-region (Frankfurt) hosting standard with Germany-region available on enterprise, AVV signed at contract, ISO 27001 attested, full audit log on every plan, configurable retention, EU-hosted model endpoints for sensitive deployments. See the AI chatbot for Germany page for the overview, or the AI agent for Germany page for enterprise controls (SSO, RBAC, per-action approval gates).

This article is informational and not legal advice. For a binding interpretation of GDPR / BDSG as it applies to your specific business, consult a German data-protection lawyer or Datenschutzbeauftragter.