DatenschutzExperte24
GDPR in the age of AI · for companies

Is your data protection ready for AI?

Everyone is betting on AI — but whoever uses AI is liable for data protection. I bring the two together: grow with AI and stay GDPR-compliant. Pragmatic, without bureaucracy.

  • Certified Data Protection Officer
  • 10 years of experience
  • 100+ projects
  • Since 2016
Karl Pusch · Your Data Protection Officer
The AI hype — and your responsibility

Deploying AI? Both paths share the same catch.

Whether you build AI yourself or use an AI service provider — GDPR responsibility stays with you. This is where it is decided whether AI becomes an advantage or a risk.

Path 1 · Build it yourself

You build AI in-house

Your own models, your own data, your own pipelines — maximum control. But legal bases, data minimisation, training data and the EU AI Act then become your construction site. A flaw in the foundation gets expensive.

Path 2 · Service provider

You deploy an AI provider

Ready to go quickly — but where does your data and your customers’ data flow? DPA, third-country transfer, purpose limitation: in case of doubt you are liable, not the provider.

Both paths work — when data protection is built in from the start. That is exactly what the initial consultation is for.

How we solve your data protection problems

Fast & practical — in four steps.

01 · Analysis

A fast, honest analysis of your processes and documents — so you know where your real risks actually are.

02 · Tailored solution

Planning a solution that fits your business — without bureaucracy, but with maximum security.

03 · Liability assessment

A clear assessment of your liability risks — and the question of whether you even need a Data Protection Officer.

04 · Data protection package

A finished data protection package for your company — actionable, documented and audit-proof.

Services

How I secure your company.

Data protection check

The fast status check: where do you stand on the GDPR, what is missing, what is urgent? Plain language instead of legal fog.

GDPR consulting for companies

Ongoing advice on complex questions — from data processing and records of processing activities to employee and customer data.

External Data Protection Officer

I take on the role of DPO for your company — competent, reachable, with no need to build it up in-house.

Online courses & AI training

Hands-on training for your team — including the safe use of AI in the company (GDPR + EU AI Act).

About me

Karl Pusch

Certified Data Protection Officer & Auditor (TÜV Rheinland) · GDPR in practice

Since 2016 I have been advising business owners on complex questions around data protection and data security. My standard: understand the real challenges and deliver solutions that work in everyday operations — instead of theoretical debates.

In practice, data protection rarely fails because of the law, but because of implementation in everyday work. That is exactly where I come in: instead of page-long expert opinions, you get a clear assessment of which obligations genuinely apply to your company, what to do first and what can wait. I translate the GDPR and EU AI Act into concrete, documented steps — understandable for management and team, and defensible towards supervisory authorities.

It is especially when deploying AI that you see how closely data protection and the business model are connected. Anyone using ChatGPT, automation or their own models needs to know which data flows where and who is responsible for it. My goal is for you to use AI as a growth lever without taking on an avoidable legal risk — from the first concept to ongoing monitoring.

Certified Data Protection Officer & Auditor (TÜV Rheinland)

A verified qualification, not just a claim.

10 years of experience

I have been advising business owners on data protection & data security since 2016.

100+ projects delivered

From sole traders to mid-sized companies — across all industries.

Digital & e-commerce

Specialised in digital business models and online retail.

References

What clients say.

Anyone can promise a lot — true quality shows in the experiences of my clients.

“We combine data protection, data quality and online optimisation for more trust, higher conversion and lasting success.”
VITORI® · Sebastian Krenz & Florian Reimers

“A focus on public-sector institutions and secure data processing — delivered reliably and with a practical mindset.”
Trimando Solutions GmbH · Mario Stern

“Since 2018 we have relied on professional data protection solutions to manage applicant, employee and partner data securely.”
Airport Driver · Johannes Freyer, Authorised Officer

Free self-check

Is your use of AI GDPR- & AI-Act-safe?

29 short questions, answered honestly — and you immediately get a personal evaluation: your biggest gaps, prioritised, with concrete next steps. Evaluated by Karl Pusch.

  • Personal risk assessment: green · amber · red
  • Your biggest gaps — prioritised, with a recommended action
  • Obligations & deadlines (GDPR + EU AI Act) applied to your case

AI Compliance Check

~4 minutes · free · result instantly + by email


We only ask for your email at the very end. No other data.

Frequently asked questions

Data protection, DPO & AI — answered briefly.

When does my company need a Data Protection Officer?

In Germany, a Data Protection Officer is mandatory, as a rule, once at least 20 people are permanently engaged in the automated processing of personal data. Regardless of headcount, the obligation also applies where there is large-scale processing of special categories of data (Art. 9 GDPR, e.g. health data) or systematic monitoring. A company that is required to appoint a DPO but fails to do so risks a fine for that omission alone.

Is an external or an internal Data Protection Officer the better choice?

An external Data Protection Officer brings ready-to-use expertise without the need to train internal staff or trigger special protection against dismissal. For most SMEs, the external solution is more predictable and usually less expensive than an internal position. Important: authorities require a named natural person as the DPO, not just a company.

Am I liable for data protection if I use AI via a service provider?

Yes. As the responsible company you remain accountable for GDPR compliance, even when you use an AI tool from a service provider. As a rule you will need a Data Processing Agreement under Art. 28 GDPR and you must check where the data flows. Responsibility can be regulated by contract, but it cannot be fully handed off.

What does working with Karl Pusch cost?

The starting point is a 45-minute consultation via video call for 150 €, in which you receive a risk assessment and a prioritised action list. Beforehand you can complete the AI Compliance Check free of charge. Ongoing support as an external Data Protection Officer is agreed individually depending on scope.

Which regions and languages is the consulting aimed at?

The consulting serves companies and self-employed professionals subject to the EU GDPR and the EU AI Act (across the EU/EEA and beyond). Consultations are available in English and German and take place remotely via video call, so you can take part from anywhere.

What is the EU AI Act and does it affect my company?

The EU AI Act is the European Union’s regulation on artificial intelligence. It has been in force since August 2024 and applies in stages: prohibited AI practices and the obligation to ensure AI literacy (Art. 4) have applied since February 2025, the obligations for general-purpose AI models since August 2025, and the bulk of the high-risk obligations follow from August 2026. Practically every company that uses or offers AI is affected — the extent of the obligations depends on the risk of the specific use.

Do my employees have to be trained in how to use AI?

Yes. Since February 2025, Art. 4 of the EU AI Act requires companies to ensure a sufficient level of AI literacy among employees who use AI systems. No particular format is prescribed; the training must match the systems in use and the staff’s tasks. Documented training also helps to avoid data protection breaches caused by improper use.

May I use ChatGPT or other AI tools in my company?

In principle yes — but with clear rules. You need a legal basis for the processing, as a rule a Data Processing Agreement with the provider (Art. 28 GDPR) and clarity on whether data flows to third countries. Personal or confidential data only belongs in an AI tool if it is properly safeguarded under data protection law. An internal AI policy and trained employees are the most practical way to use AI in a legally sound manner.

What is a Data Protection Impact Assessment (DPIA) and when is it required?

A Data Protection Impact Assessment under Art. 35 GDPR is a risk analysis carried out in advance for processing that is likely to result in a high risk to the rights and freedoms of data subjects — for example large-scale profiling, systematic monitoring or the use of new technologies such as AI. It documents risks and countermeasures and is often mandatory exactly where AI meets personal data.

How high can fines for GDPR breaches be?

The GDPR sets out two tiers in Art. 83: up to 10 million € or 2% of worldwide annual turnover, and for serious breaches up to 20 million € or 4% of worldwide annual turnover — whichever amount is higher. The individual case is always decisive. Even a missing legal basis, or a required but unappointed Data Protection Officer, can be sanctioned.


Consultation — 45 minutes, 150 €.

45 minutes 1:1 via video call: we clarify your AI/GDPR question and your next steps — focused, with no sales pressure. Still unsure? Take the free AI Compliance Check first.

Or by email: info@datenschutzexperte24.net