What legal frameworks are relevant when using AI – and how we address them.
Why This Topic Is Important
AI is not a legal vacuum. Integrating AI into operational business processes takes place within a regulatory environment that is rapidly evolving. EU AI Act, GDPR, liability issues, copyright – the topics are diverse and new for many companies.
We are not lawyers. This document does not replace legal advice. However, we work with AI in a business context every day and incorporate legal frameworks into our architecture from the very beginning. Here we provide an overview of the key topics – and how we handle them in our projects.
The EU AI Act
With the AI Act, the EU has established the world’s first comprehensive legal framework for artificial intelligence. This is relevant for companies deploying AI – including in the mid-market. The AI Act classifies AI systems by risk levels. The higher the risk, the stricter the requirements. Most AI applications we develop for our clients – operational decision support, automation, data analysis – are not expected to fall into the high-risk category. However, the exact classification depends on the specific application area.
What We Do: We closely monitor the development of the AI Act and its implementing regulations. When architecting new systems, we consider the requirements that are already emerging – especially regarding transparency, documentation, and human oversight. For a binding legal classification, we recommend seeking legal advice on a case-by-case basis. Our specialized attorney is happy to assist you.
GDPR and AI
The GDPR applies unconditionally to AI-supported systems. Wherever personal data is processed – and that is almost always the case in operational systems – the known principles apply: purpose limitation, data minimization, transparency, rights of the data subjects.
What We Do: Our systems are designed so that AI components only access the data they need for their tasks. We document which data is processed by which AI component. And we ensure that personal data does not end up in external AI models without having established the necessary data protection prerequisites.
Transparency
An increasingly relevant question: Must it be disclosed that AI is in use? The answer depends on the context. The EU AI Act imposes transparency obligations for certain applications – such as when AI interacts directly with end users or generates content.
What We Do: We generally recommend a transparent approach to AI use for our clients. Not only because it is legally required in many cases – but because transparency builds trust. With employees, customers, and partners. In our systems, it is clear where AI is applied and where human decisions are made.
Liability
Who is liable if an AI-supported decision is wrong? This question concerns many companies – and the legal landscape is still evolving. In principle, responsibility for business decisions lies with the company, not the software.
What We Do: We design AI in our systems as decision support – not as autonomous decision-makers. Critical processes retain human oversight. The AI provides analyses, recommendations, and forecasts. The decision is made by the human. This architecture is not only legally sensible – it is also the better operational solution.
Copyright
Who owns what AI generates? Texts, analyses, code – the copyright classification of AI-generated content has not yet been conclusively clarified. The legal situation is evolving and varies by jurisdiction.
What We Do: In our projects, it is clearly defined that all work results – regardless of whether AI was involved in their creation – belong to the client. The software, the code, the generated content. At the beginning of each collaboration, we discuss openly how we regulate this contractually.
AI and Labor Law
AI changes jobs. Tasks shift, roles evolve, processes change. This can raise labor law questions – for instance, regarding co-determination, works agreements, or the handling of AI-supported performance evaluations.
What We Do: We develop systems that support people – not monitor them. Our architecture is designed to reduce operational burdens, not control employees. When AI functions intersect with labor law issues, we inform our clients so they can conduct the necessary internal discussions.
Our Approach: Integrating Legal Considerations from the Start
Legal requirements cannot be retrofitted into finished software. Therefore, we treat them like data protection and security: as an architectural principle, not an afterthought. This means specifically:
| 🏗️ | Regulatory requirements are integrated into the system architecture – from the very beginning |
| 📋 | AI components are documented: what data, what purpose, what logic |
| 👤 | Human oversight is maintained for critical decisions |
| 🔍 | Traceability is built in – what the AI does is transparent and verifiable |
| 🤝 | We proactively point out legal touchpoints and recommend legal advice if needed |
The legal landscape surrounding AI is evolving rapidly. We do not claim to be able to answer every question definitively. However, we ensure that the systems we build are based on a solid foundation – both technically and in regulatory terms.
