KI-Anbieter richtig befragen: DSGVO & EU AI Act Checkliste

Vendor-Prüfung · Fragenkatalog · Compliance-Checkliste

Der Vertrag war schon unterschrieben

Ein mittelständisches Unternehmen aus Bayern integriert eine KI-gestützte Dokumentenanalyse in seinen Einkaufsprozess. Der Anbieter kommt aus San Francisco, hat ein ansprechendes Dashboard, nennt auf Nachfrage eine ISO-27001-Zertifizierung und schickt in 48 Stunden ein Angebot. Der Vertrag wird unterzeichnet.

Neun Monate später: Eine externe Datenschutzprüfung stellt fest, dass Lieferantendaten — darunter Bankverbindungen und Bonitätsinformationen europäischer Geschäftspartner — auf US-amerikanischen Servern verarbeitet werden. Einen Auftragsverarbeitungsvertrag (AVV) nach Art. 28 DSGVO hat der Anbieter nie angeboten. Ein Transfer Impact Assessment existiert nicht. Die Daten wurden ohne Rechtsgrundlage in ein Drittland übermittelt.

„Die Frage, die im Erstgespräch niemand gestellt hatte, lautete: Wo werden unsere Daten verarbeitet, und haben Sie einen AVV nach DSGVO parat?“

This case is not isolated. It describes a structural problem: companies evaluate AI vendors by product features, price and references — but rarely by the regulatory requirements that have been mandatory since the EU AI Act and strengthened DSGVO enforcement.

Warum die Standardfragen nicht reichen

ISO 27001 is a management system standard. It certifies that a company has defined information security processes — not that these are sufficient for AI-specific contexts, and certainly not that DSGVO obligations are fulfilled. The certificate does not cover:

•

Art. 22 DSGVO: right not to be subject to fully automated decisions

•

EU AI Act risk classes: a vendor can be ISO-certified without having conducted a conformity assessment

•

Training data and opt-out: whether customer data is used for model improvement

•

Auditability: what logs are kept and whether the client has access

„Compliant by design“ is a marketing statement. What counts are written contractual obligations, presented documentation, and traceable processes.

Die 5 kritischen Fragekategorien

A — Datenlokalisierung und Transfer

Where are our data processed — which data centers, which country?
Do you offer a Data Processing Agreement (AVV) per Art. 28 DSGVO?
For US providers: does a Transfer Impact Assessment (TIA) exist?
Who are your sub-processors, and in which countries?

Without AVV, any processing is unlawful.

B — EU AI Act Risikoklasse

How does the vendor classify their system (minimal, limited, high, prohibited)?
What conformity assessment per Art. 43 EU AI Act was conducted?
Is there technical documentation per Annex IV?
Is the system registered in the EU database for high-risk AI?

From August 2026, high-risk requirements fully apply.

C — Modell und Training

Are our input/output data used for training or fine-tuning?
Is opt-out possible — and is it active by default?
What legal basis per Art. 6 DSGVO underlies training use?

Many cloud AI providers use user data by default for model improvement.

D — Menschliche Aufsicht

Which decisions does the system make fully automatically?
Is there a human-in-the-loop mechanism?
How can a user contest an automated decision (Art. 22 DSGVO)?

Art. 22 DSGVO and Art. 14 EU AI Act both require safeguards.

E — Audit und Logging

What system logs are kept?
For how long? (High-risk AI: at least 10 years per Art. 12 EU AI Act)
Do we as clients have access to logs?
Is audit by us or third parties contractually anchored (Art. 28(3)(h) DSGVO)?

Without audit rights you cannot prove what the system did with which data.

Red Flags im Verkaufsgespräch

Warning Signals

„Wir verarbeiten keine personenbezogenen Daten.“ Without concrete analysis, this is an assertion, not a guarantee.

„Wir sind compliant by design.“ Without evidence, this is empty.

No AVV offer without being asked The provider either doesn’t understand DSGVO or avoids contractual obligations.

Unclear answers about data storage location „In the cloud“ without country is not acceptable.

Refusal of audit rights Art. 28(3)(h) DSGVO requires this. A provider refusing is not DSGVO-compliant.

Standard contracts with US jurisdiction CLOUD Act allows US authorities access to data of American companies.

Warum diese Fragen bei AlpiType nicht entstehen

AlpiType builds AI systems that run entirely on-premise in the client’s own infrastructure.

✓

Data localization: Your data never leave your servers.

✓

Model training: We don’t use your production data.

✓

Audit and logging: You determine what logs are stored and for how long.

✓

EU AI Act: We classify the system together with you and support conformity assessment.

Technisches Gespräch vereinbaren

Wir beginnen mit einer kostenlosen Ersteinschätzung.

Ersteinschätzung anfragen → Claude Workshop →

Ihr AlpiType Team · Landsberg am Lech · alpitype.de Alle Angaben ohne Gewähr. Kein Ersatz für rechtliche Beratung.

Was Sie Ihren KI-Anbietern fragen müssen