A mid-market insurance company in Germany rolled out an AI tool for claims processing in 2024. They skipped the works council. The works council went to court and won an injunction. The tool was shut down, the rollout restarted from scratch eight months later, and the bill ran into six figures. None of that was a technology problem — every line of it was compliance.
That’s the pattern. AI projects don’t usually fail in production. They fail in legal, HR, or works council review — six weeks before launch, or six weeks after. AI compliance isn’t an add-on project. It’s the rail your AI projects run on.
Compliance quick check: how ready are you?
5 questions on AI compliance readiness
1. Do you have a complete inventory of every AI system in use — including the unofficial ones?
2. Is there a signed Data Processing Agreement (DPA) for every external AI vendor that touches personal data?
3. Were the works council, HR, and data privacy involved before each AI rollout — not after?
4. Is every AI system classified by EU AI Act risk tier (or an internal equivalent)?
5. Have your employees actually completed AI literacy training (Art. 4 EU AI Act)?
Three rule sets, not one
Most compliance teams treat AI as a data-privacy problem. That’s one third of it. AI sits at the intersection of three rule sets — and ignoring any one of them is how rollouts get shut down.
Rule set 1: GDPR — what happens to the data
GDPR governs personal data. For AI, that means:
- Legal basis (Art. 6): Every processing activity needs one. No “we just thought it’d be useful.”
- DPA (Art. 28): Signed agreement with every external AI vendor that touches personal data.
- DPIA (Art. 35): Data protection impact assessment for processing likely to result in a high risk to individuals — and most workplace AI meets that threshold, because it typically involves systematic evaluation of employees or large-scale profiling.
- Data subject rights (Art. 15–22): Access, deletion, objection. Including against AI outputs.
- Cross-border transfer (Art. 44 ff.): Safeguards for US cloud vendors. An adequacy decision covers vendors certified under the EU-US Data Privacy Framework; for everyone else you need Standard Contractual Clauses plus a transfer impact assessment, as Schrems II requires.
For US-based subsidiaries or customers, CCPA/CPRA (California), 15+ state privacy laws, and sector rules (HIPAA, GLBA, FERPA) overlap. There’s no single US federal AI privacy law — the patchwork does the regulating instead.
Rule set 2: EU AI Act — what happens to the system
The EU AI Act regulates the system itself, not just the data:
- Risk classification: Each system goes into one of four tiers: unacceptable, high, limited, or minimal risk. Most of yours are limited or minimal; AI used for recruiting, evaluating, or scoring employees is listed in Annex III and is typically high-risk.
- AI literacy (Art. 4): In force since February 2025. Employees who use or are affected by AI need actual training.
- Transparency (Art. 50): Label AI interactions and AI-generated content. Users get to know when they're talking to a system. These obligations apply from August 2026.
- Documentation: AI inventory for all systems, technical documentation for high-risk ones.
US companies are in scope too when they place a system on the EU market or when the system's output is used in the EU. What counts is where the system and its output are used, not where the company is headquartered.
Rule set 3: Labor law — what happens to the people
This is the one that bites hardest, fastest. In Germany, Austria, the Netherlands and other co-determination jurisdictions, works councils have genuine co-determination rights over AI deployment. Deploy without them and the council can have the system stopped:
- § 87 (1) Nr. 6 BetrVG (DE): Co-determination on any technical system capable of monitoring behavior or performance. AI tools almost always qualify.
- § 90 BetrVG: Information rights when new technical systems are planned.
- § 95 BetrVG: Co-determination on selection criteria — directly relevant to AI in HR.
In the US there are no works councils, but the equivalent exposure is sharper in different ways: anti-discrimination law (Title VII, ADA), state and local AI hiring laws (NYC Local Law 144, the Illinois Artificial Intelligence Video Interview Act), and class actions when an AI tool produces disparate impact.
The trap most teams fall into: They cover GDPR and EU AI Act, ship the project, then the works council files an injunction in week six. The injunction sticks. The project starts over.
Build the governance framework in five steps
Step 1: Make an AI inventory — including the shadow stuff
List every AI system: the officially sanctioned ones, the AI features buried in SaaS tools you already pay for, and the shadow AI that employees brought in on their own (personal ChatGPT accounts, browser extensions, consumer apps). The unofficial ones are the larger risk, because nobody has assessed them.
| System | Vendor | Personal data? | EU AI Act tier | HR / labor relevant? |
|---|---|---|---|---|
| Microsoft Copilot | Microsoft (US) | Yes (M365 data) | Limited | Yes |
| Unapproved cloud AI (shadow) | Various (US) | Yes (uncontrolled) | Varies | Yes |
| Applicant screening AI | Vendor X | Yes (personal data) | High | Yes |
| Spam filter | Microsoft | No | Minimal | No |
If the inventory has fewer than 10 rows, you missed half of them.
Step 2: Risk-assess each system
Three questions per row. They map to the three rule sets:
- Does it process personal data? → GDPR obligations.
- What EU AI Act tier? → Tier-specific obligations.
- Can it monitor employee behavior or performance? → Works council / HR before deployment.
Step 3: Adopt an AI policy people will follow
Not a 40-page document nobody reads. A short policy that says:
- Which AI tools are approved (positive list — not just a blacklist)
- What data may be entered into which tool (tiered by classification)
- Who approves new AI tools, and how fast they decide
- What training is required to use what
- What happens when someone ignores the policy
The policy needs works-council sign-off. In Germany, that usually means a Betriebsvereinbarung — a formal agreement, not a memo.
Step 4: Run the AI literacy training
Art. 4 EU AI Act has been in force since February 2025. Three audiences, three depths:
- Every employee: What AI is, where it gets things wrong, what data is allowed where.
- IT and procurement leads: Risk classification, vendor evaluation, monitoring.
- Executives: Strategic implications, liability, accountability for what gets deployed.
Hands-on workshops beat compliance PowerPoint. By a lot.
Step 5: Quarterly monitoring — not annual
AI compliance rots fast. Every quarter:
- Re-scan for new AI tools (including shadow AI).
- Re-check risk classifications. Use cases drift.
- Update training status: new hires, new tools, new regulations.
- Document incidents — including near-misses.
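The shadow-AI scan in Step 1 and the quarterly re-scan in Step 5 are the same job, and the fastest way to do it is to run your egress proxy or DNS logs against a watchlist of AI vendor domains. The script below is an added example written for this page, not code from the original article or from any vendor. It assumes a simple space-separated log format (timestamp, user, destination host, bytes sent), an illustrative watchlist that you maintain yourself, and a constructed set of sample log lines; the approved-tools set is likewise assumed. It matches parent domains so subdomains are caught, skips unparsable lines instead of crashing, and emits rows in the shape of the inventory table above with unapproved products flagged.

```python
"""Shadow-AI discovery from egress proxy logs.

Added example, not code from the original page. Assumptions: each log line is
"<ISO timestamp> <user> <destination host> <bytes sent>"; the watchlist and
the approved set below are illustrative and must be maintained by you.
"""
from dataclasses import dataclass, field

# Illustrative watchlist: domain -> product. Assumed sample, not exhaustive.
AI_WATCHLIST = {
    "api.openai.com": "OpenAI API",
    "chatgpt.com": "ChatGPT",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Microsoft Copilot",
}

# Products the approval process has already cleared (assumed for the example).
APPROVED = {"Microsoft Copilot"}

# Constructed sample log lines, not real traffic. The last line is malformed on purpose.
SAMPLE_LOG = """\
2025-03-03T09:12:44Z alice copilot.microsoft.com 48211
2025-03-03T09:13:02Z bob chatgpt.com 20480
2025-03-03T09:13:05Z bob chatgpt.com 71322
2025-03-03T09:15:30Z carol api.openai.com 9981
2025-03-03T09:16:01Z alice www.example.com 1200
2025-03-03T09:20:17Z dave claude.ai 150331
2025-03-03T09:21:00Z bad line
"""


@dataclass
class Finding:
    """Aggregate of one AI product's observed use."""
    product: str
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0


def match_watchlist(host, watchlist=AI_WATCHLIST):
    """Return the product for host or any parent domain on the watchlist, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return watchlist[candidate]
    return None


def parse_line(line):
    """Parse one log line into (timestamp, user, host, bytes); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, user, host, size = parts
    try:
        return ts, user, host, int(size)
    except ValueError:
        return None


def discover(log_text, watchlist=AI_WATCHLIST, approved=APPROVED):
    """Return (all findings by product, unapproved findings, count of skipped lines)."""
    findings = {}
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                skipped += 1
            continue
        _, user, host, size = rec
        product = match_watchlist(host, watchlist)
        if product is None:
            continue  # ordinary traffic, not an AI vendor on the watchlist
        f = findings.setdefault(product, Finding(product))
        f.users.add(user)
        f.requests += 1
        f.bytes_out += size
    shadow = {p: f for p, f in findings.items() if p not in approved}
    return findings, shadow, skipped


def inventory_rows(findings, approved=APPROVED):
    """Rows for the inventory table, largest data volume first, shadow use flagged."""
    rows = []
    for f in sorted(findings.values(), key=lambda x: -x.bytes_out):
        status = "approved" if f.product in approved else "SHADOW"
        rows.append((f.product, status, len(f.users), f.requests, f.bytes_out))
    return rows


if __name__ == "__main__":
    all_findings, shadow_findings, skipped_lines = discover(SAMPLE_LOG)
    for row in inventory_rows(all_findings):
        print("%-20s %-9s users=%d requests=%d bytes=%d" % row)
    print(f"{len(shadow_findings)} unapproved AI products seen; "
          f"{skipped_lines} unparsable lines skipped")
```

Bytes sent is the column to sort on: a user who pasted a customer file into an unapproved chatbot shows up as volume, not as request count. Feed real logs in by reading the file instead of SAMPLE_LOG, and keep the watchlist under version control so each quarterly scan is reproducible.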
Infrastructure decides how big the compliance bill gets
Your AI infrastructure choice doesn’t just affect performance. It changes the size of the compliance pile:
| Compliance aspect | Cloud AI | On-premise AI |
|---|---|---|
| DPA required | Yes, per vendor | Not for the AI itself |
| Cross-border transfer | Yes (US vendors) | None |
| DPIA effort | High | Low |
| Data sovereignty | Limited | Full |
| Audit capability | Limited — vendor-dependent | Full — your infrastructure |
| Documentation | Partly at vendor | Fully in your hands |
On-premise AI structurally cuts the data-protection part of the bill: no DPA marathon, no cross-border transfer review, and an audit trail you control. For finance, healthcare, government, and any regulated industry, it's often the pragmatic path, not an ideological one. It does not touch the other two rule sets: the EU AI Act tier and the works council's co-determination rights are the same whether the model runs in your data center or in a vendor's, and a DPIA is still required whenever the processing itself is high-risk.
Make compliance smaller, not bigger
contboxx Vault is the on-premise AI platform that removes DPA, cross-border transfer, and cloud-risk from your compliance pile. ISO 27001:2022 certified.
FAQ
Who is responsible for AI compliance inside an organization?
It’s a shared job: the Data Protection Officer for GDPR, IT leadership for the EU AI Act technical pieces, and the C-suite for overall accountability. Mid-market companies can run all three through a single compliance lead — but only if that lead has clear authority to halt deployments. Without that, the role is theatre.
Do stakeholders need to approve every AI deployment?
Not every one, but most. In co-determination jurisdictions such as Germany, the works council must be involved for any system capable of monitoring behavior or performance, which is almost any AI that touches employee data. In the US, HR and legal should sign off on any AI system touching employee or customer data, especially in hiring or evaluation.
What happens if we deploy AI without proper compliance?
Three exposures stack up: GDPR fines (up to EUR 20 million or 4% of global annual turnover, whichever is higher), EU AI Act fines (up to EUR 35 million or 7% for prohibited practices, up to EUR 15 million or 3% for most other breaches), and labor-law consequences — in Germany, the works council can get an injunction that shuts the tool down outright. In practice, the labor-law route is the fastest and most expensive.
Bottom line
AI compliance isn’t a brake on AI projects. It’s the rail they run on. The companies that treat GDPR, the EU AI Act, and labor law as one connected problem ship AI tools that stay shipped. The ones that treat them as three separate boxes to tick ship AI tools that get pulled six weeks later.
Start with the inventory. The rest follows.