In early 2025, DeepSeek made headlines. A Chinese AI model that could match Western systems at a fraction of the cost. The tech press was impressed. Some employees in German companies tried it out. That is where the problem starts.
All Data Goes to China
DeepSeek stores all user data on servers in the People’s Republic of China. Their privacy policy says so, and there is no alternative. No EU servers, no data residency option.
For GDPR purposes, this is a fundamental problem. There is no adequacy decision from the European Commission for China. That means the EU has not officially determined that China’s data protection standards meet the European level. Standard Contractual Clauses (SCCs) are not offered by DeepSeek. A Data Processing Agreement is not available.
The legal basis for a data transfer to China does not exist in practice. If you use DeepSeek for business purposes and enter personal data, you are violating the GDPR. This is not a matter of interpretation.
What that means in practice: if an employee at your firm types a client inquiry into DeepSeek to draft a response, that data ends up in China. No contract, no way to control it, no deletion rights. You cannot even file a data subject access request under Article 15 GDPR and expect an answer.
China’s National Intelligence Law
There is one point that should end the discussion. China’s National Intelligence Law of 2017, Article 7, requires all Chinese organizations and citizens to cooperate with state intelligence agencies.
This is not a rumor. This is active Chinese law. If a Chinese intelligence agency demands access to data on DeepSeek’s servers, DeepSeek must comply. There is no legal remedy, no independent oversight that could prevent it.
For European companies, this means every piece of information entered into DeepSeek is potentially accessible to Chinese state agencies. That applies to chat inputs and uploaded documents alike.
I am not saying this to scare anyone. I am saying it because it is statutory text. No speculation or interpretation needed. Article 7 is written in plain language, and there is no known exception for foreign user data.
Italy Already Took Action
In January 2025, Italy’s data protection authority (Garante per la protezione dei dati personali) banned DeepSeek. The reasoning: insufficient transparency about data processing and lack of GDPR compliance. Other European regulators are conducting their own investigations.
When a national data protection authority bans a tool, that is a clear signal. Not just for Italy, but for the entire European market. The GDPR applies uniformly. What is problematic in Italy is not suddenly fine in Germany.
Qwen and Other Chinese AI Models
DeepSeek is not the only Chinese AI tool. Alibaba’s Qwen, Baidu’s Ernie Bot, and various other Chinese models have been showing up more frequently in recent months. Some are free, some are technically impressive.
They all share the same problem. Same jurisdiction, same laws, same intelligence cooperation obligations. Whether the data sits on DeepSeek’s servers or Alibaba’s servers in China does not change the legal assessment. Data residency in China means: incompatible with GDPR for business use.
There is no configuration trick, no opt-out, no enterprise version that fixes this. The jurisdictional problem is structural. You cannot engineer your way around it.
The Contrast
European and US AI platforms can be configured for GDPR-compliant use. ChatGPT Enterprise offers EU data residency. Microsoft Copilot has the EU Data Boundary. Claude offers a DPA for business customers. That does not mean these tools are automatically compliant. It means a compliance assessment is possible and the contractual foundations can be established.
With Chinese providers, that is not the case. There is no configuration that makes data transfer to China GDPR-compliant as long as no adequacy decision exists and China’s intelligence law applies.
This is the point that often gets lost in the discussion. With US providers, you can talk about SCCs, Transfer Impact Assessments, and Supplementary Measures. With Chinese providers, these tools simply do not exist. The combination of no adequacy decision and active intelligence cooperation obligations makes any GDPR compliance strategy impossible.
What to Do
Short version: DeepSeek, Qwen, and other Chinese AI tools go on the block list. No exceptions, no “but it is so cheap,” no “just for internal testing.”
If employees at your company are using DeepSeek or similar tools, address it in your AI acceptable use policy. Name the tools explicitly. Explain the reasons. And make sure approved alternatives are available that deliver the productivity benefits without putting compliance at risk.
If you are not sure which AI tools are being used in your firm or whether any problematic providers are among them: take a look at my AI compliance services. Or book a free AI check directly. 30 minutes, clear assessment.