In about 10 minutes you'll know where your use of AI is exposed.
Karl Pusch evaluates your answers personally and sends you his assessment within 48 hours. Auditors usually charge three to four figures for a comparable initial assessment.
Choose what applies to you — then we'll ask the right questions:
Free · no sign-up · just one email right at the end · stop any time
This check is a professional orientation and does not replace a legal review of the individual case. Karl Pusch is a data protection & AI expert, not a lawyer.
Section 1
AI in everyday work
Why this matters: Let's be straight: do you use AI at work — and with whose permission? This is exactly where "shadow AI" arises, and your employer is ultimately liable for it.
Do you use AI tools (e.g. ChatGPT, Copilot, Gemini) for your work?
Do you use a company account for this rather than your private one?
Has your employer explicitly approved the use of these tools?
"Don't know" is a full answer — these gaps in particular are the most valuable for the assessment.
💡According to Bitkom (2025), in around 10% of companies employees use AI without the employer's knowledge.
Why this matters: Since February 2025, the EU AI Act (Art. 4) requires that employees are sufficiently trained in handling AI — that applies to you too, not just "IT".
Have you been trained in the safe and legally compliant use of AI?
Do you know the limits of the tools — i.e. what AI is unsuitable for?
Are you aware that AI literacy has been a legal obligation since February 2025 (Art. 4 AI Act)?
💡The AI literacy obligation (Art. 4) applies without any transition period since 02 Feb 2025 — including in companies that only buy AI in.
Why this matters: Whatever you enter into an AI tool can end up with the provider — sometimes for training. Personal or confidential data is the most sensitive point here.
Do you enter personal data (names, customers, colleagues) into AI tools?
Do you enter confidential company or customer information into AI tools?
Do you know what the provider does with your inputs (storage/training)?
💡Many free AI services use inputs for training by default — without "zero data retention" you leave the GDPR-safe zone.
Why this matters: When it matters, what counts is whether there are clear rules and whether you know who to turn to — uncertainty is a bigger risk than a single mistake.
Does your company have an AI usage policy?
Do you know the contents of this policy?
Do you know who to ask when in doubt (e.g. the Data Protection Officer)?
💡A short AI usage policy + a reachable Data Protection Officer prevent most damage before it occurs.
Why this matters: AI must not deceive people (Art. 50) and it makes mistakes — anyone who adopts AI results unchecked is liable for the errors themselves.
Do you check AI results for errors/hallucinations before using them?
Do you label AI-generated content where it is required?
Are you clear that customers must know when they are talking to a bot?
💡From August 2026, AI content and chatbots must be recognisable as such (Art. 50 AI Act).
Why this matters: Tools "under the radar" are the most common way data flows out uncontrolled — and the reporting channel decides whether an incident turns into a fine.
Do you use AI tools that are not officially approved ("under the radar")?
Would you know who to turn to if data has been leaked by accident?
💡A clear reporting channel + an open approach to AI prevents staff from secretly using risky tools.
Why this matters: Before anything can be assessed, we need to know which AI is actually in use in your business — including the AI your staff quietly use through the browser.
Do you know which AI tools are actually used in your company — including "shadow AI"?
Do you know for each tool which provider and which model is behind it?
Do you know exactly what data goes into each tool?
💡According to Bitkom (2025), in around 10% of companies employees use AI without the employer's knowledge — and you bear the responsibility for that too.
Why this matters: Whether you develop AI yourself or buy it in — as soon as a provider processes data on your behalf, you need a data processing agreement (DPA, Art. 28 GDPR), otherwise an important formal basis is missing.
Do you develop AI yourself OR use AI service providers (or both)?
Do you have a data processing agreement (DPA, Art. 28 GDPR) with every AI provider?
Is your record of processing activities (Art. 30) up to date for the AI processes?
💡In June 2025, Vodafone paid a €45m fine, €15m of it solely for deficient processing on behalf (BfDI) — this affects anyone using AI services without a DPA.
Why this matters: Many AI services process data in the USA — permitted, but only with the right safeguards (DPF or Standard Contractual Clauses + transfer impact assessment).
Is a provider based in the USA / a third country — and have you recognised the transfer as such (Chapter V)?
Is there a valid transfer mechanism in place (DPF or Standard Contractual Clauses)?
Do you have a transfer impact assessment (TIA) — and is it kept up to date?
💡The EU-US Data Privacy Framework currently applies, with the appeal pending before the CJEU (as of 2026) — anyone who has Standard Contractual Clauses in the drawer is on the safe side.
Are you obliged to carry out an impact assessment?
Why this matters: For riskier AI applications, the law requires a documented risk assessment (DPIA, Art. 35) — new technology + large-scale processing regularly triggers it.
Have you checked whether your use of AI requires a DPIA — and carried it out if so?
Has the DPIA been reviewed in light of a changed risk situation (Art. 35(11))?
💡If a required DPIA is missing, that alone can be a standalone violation.
Why this matters: The EU AI Act also affects you when you buy in. Since February 2025, Art. 5 (prohibited practices) and Art. 4 (AI literacy) apply without any transition period.
Do you know which role you hold (usually operator/deployer) and whether your system falls under the AI Act?
Have you determined the risk class (prohibited / high / limited / minimal)?
Do you ensure that you do not use any prohibited practices (Art. 5)?
Do you meet the AI literacy obligation (Art. 4) — are your staff trained?
Do you meet the transparency obligations (Art. 50) — bot and AI content labelling?
💡Next deadline: from August 2026, transparency obligations (Art. 50). High-risk obligations only in 2027/2028 — the pressure today sits with Art. 4 & 5.
Why this matters: When it matters, what counts is what you can demonstrate (accountability, Art. 5(2) GDPR): who is responsible, is there an AI policy, is data protection involved?
Are internal responsibilities for AI clearly defined?
Is there an AI usage policy for staff?
Is your Data Protection Officer involved?
💡Anyone with clear responsibilities and a short AI policy has a clear advantage in an audit.
Karl Pusch evaluates your answers personally and sends you your individual assessment within 48 hours to your email.
We use your email solely for this assessment. No newsletter, no spam.
Don't want to wait? Book a consultation directly.
45 minutes 1:1 with Karl. Just the key details — then straight to picking a time.
Frequently asked questions
AI, GDPR & the EU AI Act — answered briefly.
What is an AI compliance check?
An AI compliance check is a structured assessment of whether the use of AI in a company meets the requirements of the GDPR and the EU AI Act. Among other things, it examines the legal basis, processing on behalf, third-country transfers, transparency and staff competence. On this page the check is free, takes around 10 minutes and is evaluated personally by Karl Pusch.
Can I use ChatGPT in my company in a GDPR-compliant way?
In principle yes, but only with safeguards in place: you need a legal basis, usually a data processing agreement under Art. 28 GDPR, a review of the data transfer to the USA, and clear internal rules on which data may be entered. Without these steps, the use is open to challenge from a data protection perspective.
What does the AI training obligation under Art. 4 EU AI Act mean?
Art. 4 EU AI Act obliges providers and deployers of AI systems to ensure a sufficient level of AI literacy among their staff. This obligation has applied since 02 Feb 2025 without any transition period. Companies should carry out and document training in order to demonstrate competence in the event of an audit.
What is shadow AI?
Shadow AI refers to the use of AI tools by staff without the knowledge or approval of the company, for example private ChatGPT access for work tasks. The risk: uncontrolled outflow of customer or business data and breaches of the GDPR and AI Act. Clear policies and training are the most important countermeasure.
Do I need a data protection impact assessment for my AI project?
Often yes. A DPIA under Art. 35 GDPR is required when the processing is likely to result in a high risk to the individuals concerned, which is the case for many AI applications involving personal data. The AI compliance check gives an initial indication of whether your project is affected.
What happens after completing the check?
You leave your email address, and Karl Pusch evaluates your answers personally. You receive the assessment, with pointers to your biggest weak spots, within 48 hours. The check is a professional orientation and does not replace a legal review.