• Woman at a laptop holding a glowing light bulb overlaid with a digital network structure
Insights

Using AI in Your Business with Legal Certainty: The EU AI Act, Data Protection and Liability at a Glance

Risk categories, data protection and contracts for business use of AI.

| Reading time 6 min. | Author: Sebastian Harschneck

AI compliance is not simply an IT project. The EU AI Act provides the regulatory framework, but each application will usually engage further areas of law. Personal data brings the GDPR into play; generative inputs and outputs raise copyright and trade secret issues; contracts, liability and governance must also be addressed. Companies therefore need a single process for identifying systems, assessing risk and defining permitted use.

The risk-based approach of the EU AI Act

The AI Act links its requirements to the purpose, context and risk potential of a system. Certain practices, including specific forms of manipulation and social scoring, are prohibited. High-risk AI is subject to particularly demanding controls. Depending on the use case, this may include systems used in recruitment, creditworthiness assessments or critical infrastructure. Relevant duties may cover risk management, technical documentation, data governance, human oversight, logging and post-deployment monitoring.

Other systems are primarily subject to transparency obligations. Users may need to be told that they are interacting with AI or that content has been artificially generated or altered. Many low-risk applications remain largely free from product-specific duties under the AI Act. That does not make their use legally unrestricted: data protection, employment law, copyright, trade secret protection and general liability rules continue to apply.

The relevant question is therefore not the tool's marketing label but the concrete use case. The same system may be relatively unproblematic when drafting marketing copy but much more heavily regulated when used for recruitment or a safety-related decision.

Data protection, copyright and trade secrets

Whenever an AI application processes personal data, the company must establish a legal basis, purpose limitation, data minimisation and deletion rules. A data protection impact assessment may be required where the processing is likely to create a high risk for individuals. Employee data, customer profiling and systems used to assess or predict human behaviour are particularly sensitive. A use case that is permissible under the AI Act may still lack a lawful basis under the GDPR.

Generative AI also raises copyright questions. Companies need to consider whether protected material may be used as input, what rights exist in the output and whether generated content could infringe third-party rights. External publication should therefore not take place without an appropriate review.

Trade secrets are at risk where employees enter internal information into public or insufficiently protected tools. Protection requires contractual commitments from the provider, suitable technical settings and a clear internal policy. That policy should identify data categories that must not be entered and specify which approved enterprise tools are available for sensitive work.

Third-party AI: contracts and allocation of roles

Most companies do not build their own models but use AI functions supplied by external providers. That does not remove their responsibility. The first step is to identify the company's role under the AI Act and determine whether it is merely deploying the system as intended, making a substantial modification or offering it under its own name. That classification affects the scope of its obligations.

The provider agreement should state clearly whether prompts, uploaded files and usage data may be used for training or product improvement. Confidentiality, deletion, subprocessors, data location, security standards, availability, liability and support with regulatory requests are equally important. Where personal data is processed on the company's behalf, an Article 28 GDPR data processing agreement will also be required.

For business-critical use cases, the company should assess which documentation and information the provider makes available. Without sufficient detail on intended purpose, limitations, data processing and control options, the deployer may be unable to meet its own obligations.

A practical route to AI compliance

The process starts with a complete inventory of the AI systems actually in use, including tools adopted informally by individual teams. For each use case, the company records its purpose, data categories, user group, provider and potential impact. This provides the basis for classification under the AI Act and for deciding whether a data protection impact assessment, specific transparency or additional controls are required.

Provider terms, data processing, training use, confidentiality and liability are then reviewed. In parallel, an internal AI policy identifies approved tools, information that must not be entered and situations in which human review remains mandatory. Training should show permitted, practical ways of working rather than simply listing prohibitions. Defined ownership, an approval process and regular review turn these measures into an ongoing compliance framework.

About the author

Sebastian Harschneck
Sebastian Harschneck
Lawyer · Managing Partner
Get in touch

Sebastian Harschneck advises companies on commercial and contract law, with a focus on trade, distribution and IT law and on ongoing advice to international clients.

Concrete pier and deck of a highway viaduct above wooded hills

Introducing AI in your business and need clarity on the legal position?

Maxfeld.legal classifies your AI applications under the EU AI Act, reviews data protection and contractual requirements, and develops your AI compliance framework.

Get in touch

Frequently Asked Questions on Using AI in Business

To providers placing AI systems on the market in the EU, to deployers established in the EU, and to providers and deployers from third countries whose AI output is used in the EU. The obligations depend on the risk class.

AI in sensitive areas such as recruitment, credit decisions or critical infrastructure. It is subject to strict requirements on risk management, documentation and oversight.

Only with caution. Without adequate safeguards and contractual protection, trade secret protection can be lost.

Where personal data is processed, generally yes, under Article 28 GDPR.

The AI Act takes effect in stages; prohibited practices and certain obligations apply earlier than the full high-risk requirements. The specific timeline needs to be checked in each individual case.

More articles on this topic

Contact

Get in touch

Send us a message. We will get back to you within one working day.

Maxfeld.legal

Rechtsanwaltsgesellschaft mbH
Leipziger Platz 21
90491 Nuremberg

Brochure

Request brochure

Enter your contact details. We will send you the brochure by email right away.