
DeepSeek & Data Protection: Violations, Risks and Consequences

Not all AI is a win; some tools, such as DeepSeek, pose a risk to your business: the language model processes sensitive data without clearly disclosing where and how. Learn what makes AI from China so dangerous and how you can protect your company and customer data.

AI-based language models like ChatGPT are increasingly being used in German companies. While artificial intelligence can relieve their human colleagues of a great deal of work, the use of such language models also poses significant data protection challenges.

DeepSeek, in particular, is causing concern for data protection authorities in Europe: The powerful AI-based chatbot from China, which became a serious competitor to ChatGPT almost overnight, is currently the subject of various review procedures.

What is DeepSeek – and why is AI the focus?

DeepSeek is a generative AI model from China. It functions similarly to ChatGPT, but is said to be significantly more efficient. According to the provider, the DeepSeek-R1 model, introduced in January 2025, costs only a fraction of the money OpenAI invested in ChatGPT development.  

The Chinese software is a Large Language Model (LLM) that can process complex queries, write creative texts, provide code examples, or even provide legal assessments. The problem: As a Chinese provider, DeepSeek is not subject to the same strict data protection regulations as European services.  

This not only makes it more difficult for users, and especially for companies in Europe, to comply with the General Data Protection Regulation (GDPR), but also poses significant risks to personal and business-critical data.

Companies today can choose from a range of LLM providers. We recommend taking the time to thoroughly examine each provider and carefully weigh the opportunities and risks.
Hischam El-Danasouri, Data Privacy Manager

Digression: What is the difference between DeepSeek, ChatGPT, and others?

Since ChatGPT entered the international AI scene in 2022, development in this area has progressed rapidly. Besides ChatGPT, the best-known LLMs include Gemini and Copilot. However, there are significant differences between them and DeepSeek in terms of functionality, privacy, and origin. We present three models and how their developers approach data protection.

  • ChatGPT from OpenAI is one of the best-known AI models. Companies can use the chatbot via a browser or integrate it into their internal applications and systems via Microsoft Azure. A privacy-sensitive deployment of Microsoft AI is possible, but requires, among other things, proper data classification, a data protection impact assessment, and careful permission management. Learn more about using the US-based AI model in our free ChatGPT guide.
  • Claude from Anthropic is considered a proponent of so-called Trustworthy AI. The model uses Constitutional AI, meaning Claude AI integrates ethical values to promote moral principles and data protection.
  • Google’s Gemini is tightly integrated with the Google Cloud infrastructure. Its integration with existing Google services makes Gemini particularly attractive for companies using Google Workspace. However, even with this AI model, technical and organizational measures (TOMs) are required to protect corporate data.

Unlike the AI models from the US, with DeepSeek it is unclear what measures companies can take to protect their data from misuse. This would require the Chinese provider to provide specific information about how data is processed, where it is stored, or how it is protected. Since this is not the case, the use of DeepSeek poses significant GDPR risks for EU companies.

DeepSeek and data protection: These are the key issues

The new AI from China is under fire for various reasons. In addition to data leaks and allegations of censorship, the data processing in particular raises questions: The software is an application from a provider outside the EU, located in a third country without an adequacy decision.

Specifically, this means that the EU cannot currently determine an adequate level of data protection in China comparable to European data protection. Users of an application from a country without an adequacy decision must implement additional measures, such as standard contractual clauses (SCCs) or binding corporate rules, to ensure that personal data is transferred securely and in compliance with the GDPR. However, it is currently (as of April 2025) still unclear which instruments are suitable.

Another key issue is that DeepSeek currently does not provide a data processing agreement (DPA), thus failing to ensure compliance with Articles 28 and 32 GDPR. It is also questionable whether the provider would sign a DPA if presented to them.

DeepSeek has put China back at the forefront of the AI race. However, European companies cannot currently use cutting-edge models from the Chinese AI industry without significant compliance risks.
Hischam El-Danasouri, Data Privacy Manager

European data protection authorities also criticize the following points regarding DeepSeek:  

  • Lack of transparency about the way data is processed
  • Training the AI with prompts from users that may contain company data
  • Missing references to TOMs
  • Unclear data flows between client and server
  • Lack of an opt-out option when storing data on servers in China

GDPR violations by DeepSeek: These paragraphs are affected

A data protection-compliant use of DeepSeek in a company in Europe currently seems almost impossible, because using the software could violate several key articles of the GDPR.

Article – Possible violation by DeepSeek

  • Art. 5 GDPR (Principles of processing): unclear purposes, lack of transparency
  • Art. 6 GDPR (Legal basis for processing): no verifiable consent or balancing of interests
  • Art. 9 GDPR (Processing of special categories of data): danger with sensitive data (e.g., health data)
  • Articles 13 and 14 GDPR (Information obligations): lack of information for users
  • Art. 32 GDPR (Security of processing): unclear security concept; access by Chinese security authorities cannot be ruled out

What data does DeepSeek store?

According to previous analyses by security experts, DeepSeek-R1 stores, among other things, personal user data that users disclose when logging in. It also stores all keystrokes that could be used to recognize users (profiling), as well as uploaded documents.

A look at DeepSeek’s privacy policy reveals that, in addition to user data, they also collect IP addresses, payment data, and information about the device from which users access DeepSeek. The third category of data DeepSeek records is “data from other sources,” such as websites.  

DeepSeek Leak: What are the consequences of a data leak in DeepSeek?

Shortly after DeepSeek’s release, a massive data leak came to light: A cloud security provider discovered a publicly accessible DeepSeek database on the internet, containing over a million user entries.  

The database was so easy to find that criminals probably had access to the data. However, it was difficult to find a location at DeepSeek to which the leak could have been reported.

Because DeepSeek stores data extensively, data privacy is at risk. If corporate data is exposed through a DeepSeek leak, affected organizations could face significant costs for remediating the data leak or for claims for damages from affected customers and partners.

Investigation proceedings against DeepSeek: How data protection authorities react

As a result of the data leak, several European data protection authorities initiated investigations into DeepSeek in February 2025. Italy has already responded by banning the Chinese AI.

The supervisory authorities’ accusation: DeepSeek violates the principles of the GDPR and takes inadequate security precautions (Articles 5 and 32 GDPR). Users also have data protection concerns when using DeepSeek: many companies are unsure whether they can use DeepSeek.

What are the possible risks for companies?

DeepSeek states that all data is recorded, transmitted, stored, or analyzed without restrictions and processed for various purposes. According to the provider, it may be required under Chinese law to transfer data to Chinese intelligence and security authorities. Furthermore, it is unclear whether and how the provider ensures users’ data and IT security.  

This results in various risks for companies:

  • Loss of data sovereignty, especially for business-critical information
  • No possibility to enforce data subject rights under the GDPR
  • Damage to the image and trust if data protection incidents become public
  • Fines by data protection supervisory authorities
  • Misuse of sensitive data by cybercriminals  

Furthermore, without a DPA, there is no legal basis for the processing of personal data by the service provider. This can lead to companies being held liable to supervisory authorities or data subjects for unlawful data processing.

How can you protect your business?

According to the Lower Saxony State Commissioner for Data Protection, the GDPR-compliant use of DeepSeek is currently not possible. Companies that still want to work with the AI model from China can only attempt to mitigate the data protection risk:

  • DeepSeek should not be installed and used on production systems with Internet access.
  • Do not enter any sensitive or personal information.
  • Train employees on the risks of AI-based systems from unsafe third countries.
  • Give preference to AI tools with clear GDPR guarantees and EU legal compliance.
  • Pay attention to provider transparency and security concepts, and ensure that the AI provider has appointed an EU representative in accordance with Art. 27 GDPR.

Data protection with DeepSeek: A challenge for companies

The DeepSeek example demonstrates the importance of data protection-compliant selection and testing of AI applications for companies. Since AI tools require data to train and deliver better results, companies must ensure that the processed information is optimally protected from cybercriminals and foreign authorities.  

For tools from the US, careful security measures ensure a certain degree of data protection compliance, as an adequacy decision exists for the US based on a data protection framework agreed with the EU. However, with DeepSeek, it is not yet clear whether and how it can be used in compliance with the GDPR.  

SMEs, in particular, should carefully consider how they can protect the data of their customers, partners, and employees before using AI software, and should resort to GDPR-compliant alternatives if unsure. Proliance supports you in selecting the right tools and training your team.
