Skip to main content
WAIMAKERS
About UsCareersContact
|
Schedule Free Call
Back to overview

DeepSeek

DeepSeek

Not CompliantEU: Not AvailableOpt-out AvailableUndefinedChina Only

Business Plan Price

API: ~$0.03-0.90/M tokens

Enterprise Features

API access, open-source models (MIT), self-hosting, available via AWS/Azure/Google EU regions

Last Updated

March 23, 2026

DeepSeek - GDPR & Data Privacy Overview for European Clients

Version: March 2026 - prepared by WAIMAKERS B.V.

⚠️ CRITICAL COMPLIANCE WARNING

DeepSeek faces severe GDPR compliance challenges for EU customers. As of March 2026:

  • Italy's data protection authority (Garante) blocked the service definitively (confirmed by Bird & Bird, January 2025)[1][2]
  • EDPB expanded its ChatGPT Task Force into a broader "AI Enforcement Task Force" to coordinate DeepSeek responses across EU member states
  • Multi-DPA investigation wave: At least 11 EU data protection authorities are investigating — Belgium, France, Ireland, Greece, Netherlands, Luxembourg, Spain, Portugal, Poland, Lithuania, Croatia, and Germany
  • Germany (Berlin DPA): Sent Article 16 "notice-and-action" notifications to Apple and Google to remove DeepSeek from their app stores on June 27, 2025
  • Global bans: Italy, US (multiple agencies), South Korea, Australia, Taiwan, India, Indonesia, and Malaysia have all banned DeepSeek on government devices or networks. Indonesia and Malaysia issued bans in January 2026.
  • Greece ordered DeepSeek to appoint an EU-based DPO, which DeepSeek complied with in May 2025[4]
  • China-based infrastructure with no confirmed EU data residency option[5][6]
  • EU Representative appointed: Prighter Group appointed as EU Representative (Article 27 GDPR)
  • Privacy policy updated January 2026 for "European Region" users: GDPR legal bases mapped, data subject rights listed, China storage acknowledged, EU representative (Prighter) named. Multiple DPAs still consider this insufficient.
  • Available via AWS Bedrock, Azure AI, and Google Vertex AI in EU regions - self-hosting via Hugging Face is now a mainstream GDPR compliance pathway
  • Still no formal DPA available for direct API customers

As of March 2026, DeepSeek is NOT RECOMMENDED for EU customers processing personal data.

1 Purpose

This overview documents what is publicly known about DeepSeek, a Chinese AI language model platform developed by Hangzhou DeepSeek Artificial Intelligence Co., Ltd. (Hangzhou, China).[5] DeepSeek offers both consumer-facing chatbot services and developer API access to its open-source AI models.

Critical finding: DeepSeek's data processing practices have triggered regulatory action across the EU, including a service block in Italy and ongoing investigations in multiple member states.[1][2]

2 What We Know About DeepSeek

Product Overview

DeepSeek provides:[5][7]

  • DeepSeek Chat: Consumer-facing AI chatbot (web and mobile app)
  • DeepSeek API: Developer access to models (DeepSeek-V3.2-Exp, DeepSeek-Reasoner)
  • Open-source models: Available for self-hosting under MIT license[8]
  • Context length: 128K tokens, various output limits

Pricing Structure

DeepSeek's API pricing (as of early 2026):[7][8]

Model Input Price Output Price Context
DeepSeek-V3.2-Exp (Chat) $0.028 per 1M tokens $0.11 per 1M tokens 128K
DeepSeek-Reasoner $0.028 per 1M tokens $0.11 per 1M tokens 128K

Note: Extremely low pricing compared to competitors (50% cheaper than previous DeepSeek versions, ~10x cheaper than OpenAI).[8]

3 EU Regulatory Action Timeline

January 2025: Italy Blocks DeepSeek

Italy's data protection authority (Garante) became the first EU regulator to take action, requesting information from DeepSeek on January 28, 2025, and subsequently blocking access to the service for Italian users on January 30, 2025.[1][2][15]

Garante's official findings (from Provvedimento del 30 gennaio 2025):[16]

  • No legal basis for collecting Italian users' personal data
  • No transparency about what data is collected from prompts and conversations
  • No information about data retention periods
  • Data transfer to China without adequate GDPR safeguards
  • No EU representative appointed (GDPR Article 27 violation)
  • Company claimed GDPR doesn't apply to them ("we don't operate in Italy")
  • Service blocked from January 30, 2025 - app removed from Italian App Store and Google Play[17]

Garante's specific questions to DeepSeek (unanswered satisfactorily):[18]

  1. What personal data is collected from Italian users?
  2. What is the legal basis for processing this data?
  3. How are users informed about data collection?
  4. Where is data stored and for how long?
  5. Who has access to the data?
  6. Are data subjects' rights (access, deletion, portability) guaranteed?
  7. Are adequate security measures in place?

DeepSeek's response: Claimed they "do not operate in Italy" and that "European legislation does not apply to them" - despite having millions of Italian downloads.[19]

Result: Garante deemed the response inadequate and imposed a definitive limitation on processing Italian users' data, blocking the service entirely. This definitive ban has been confirmed by Bird & Bird legal analysis as permanent unless DeepSeek remedies the compliance gaps.[20]

February 2025: Pan-EU Investigation Wave

Of 16 EU data protection authorities contacted by media, seven confirmed ongoing or planned investigations at the time, with the number growing significantly through 2025 and into 2026:[1]

  • Italy: Service blocked, formal investigation
  • Greece: Formal investigation launched (February 6, 2025)
  • Luxembourg: CNPD issued public warning about risks[9]
  • Ireland, Belgium, France, Spain, Netherlands, Germany: Requests for information, preliminary assessments, or formal investigations. Germany's Berlin DPA sent Article 16 "notice-and-action" notifications to Apple and Google to remove DeepSeek from their app stores on June 27, 2025.
  • Portugal, Poland, Lithuania, Croatia: Additional DPAs opened investigations or formal inquiries through mid-2025
  • EDPB expanded its ChatGPT Task Force into a broader "AI Enforcement Task Force" to coordinate member-state responses to DeepSeek, indicating organised pan-EU enforcement. As of March 2026, at least 11 DPAs are known to be actively investigating.

May 2025: Greece Orders DPO Appointment

Greek data protection authority concluded DeepSeek falls under GDPR jurisdiction (Article 3(2)(b)) and ordered the company to appoint an EU-based Data Protection Officer. DeepSeek complied on May 28, 2025, appointing a Vienna-based firm as DPO.[4]

Regulatory questions posed to DeepSeek:

  1. How does DeepSeek ensure lawful processing of personal data?
  2. What processing activities involve Greek/EU user data?
  3. What is the legal basis for each processing activity?
  4. How are data subject rights (access, deletion, portability) guaranteed?
  5. Where are data centers located?[4]

DeepSeek's response (summary):

  • Claimed they provide "open-source software services" for developers, not products/services to consumers
  • Argued GDPR may not apply
  • Stated no facilities in EEA
  • Nevertheless agreed to appoint EU DPO under regulatory pressure[4]

4 GDPR Compliance Assessment

Short answer: DeepSeek is NOT GDPR-COMPLIANT for EU business use. The service has been blocked in Italy, is under investigation in multiple EU countries, and lacks fundamental GDPR safeguards.

Critical Compliance Gaps

1. No EU Data Residency

Status: ❌ NOT AVAILABLE

DeepSeek's infrastructure is China-based with no confirmed EU data centers.[5][6] Greek regulators confirmed DeepSeek stated it has "no facilities in the EEA."[4]

Implication: All EU user data is transferred to and processed in China, triggering GDPR Chapter V requirements for international data transfers.

2. No Data Processing Agreement (DPA)

Status: ❌ NOT PUBLICLY AVAILABLE

No DPA or Standard Contractual Clauses have been published or made available to business customers.[5] DeepSeek's initial position to Greek regulators was that they don't provide "products and services" and therefore GDPR doesn't apply, suggesting no DPA framework exists.[4]

Implication: Businesses cannot meet GDPR Article 28 requirements for processor contracts.

3. Unclear Training Policy + Critical Security Incidents

Status: 🚨 UNDEFINED + SEVERE SECURITY BREACHES

DeepSeek's privacy policy does not clearly state whether user inputs (prompts, conversations) are used to train AI models.[5] Multiple security incidents in early 2025 revealed catastrophic data handling failures:

Incident 1: 12,000 API Keys Leaked in Training Data (February 2025)[21][22][23]

Truffle Security researchers scanned Common Crawl (the massive public dataset used to train DeepSeek's AI models) and discovered:

  • 11,908 live API keys, passwords, and authentication tokens embedded in the training data
  • Credentials belonged to third-party services (AWS, Azure, OpenAI, Stripe, GitHub, etc.)
  • Keys were still active at time of discovery
  • Credentials were hardcoded in publicly scraped web data that DeepSeek used for training

What this means:

  • DeepSeek trained on unfiltered public web scrapes containing secrets
  • No credential scanning or filtering before ingesting training data
  • Potential for any sensitive data in web scrapes to end up in training corpus
  • Risk that DeepSeek could regurgitate secrets in responses
  • Demonstrates fundamentally insecure data handling practices

Incident 2: Exposed ClickHouse Database (January 2025)[24][25][26]

Wiz Research discovered a publicly accessible DeepSeek database with no authentication:

  • Over 1 million lines of log streams exposed
  • Chat history from user conversations
  • API keys and secret keys for DeepSeek's backend
  • Backend operational details and infrastructure metadata
  • Full read/write control over database operations available to anyone

What was exposed:

  • User prompts and AI responses (chat logs)
  • Internal system logs
  • Authentication tokens
  • Infrastructure configuration details
  • No authentication required to access

DeepSeek's response: Database was secured after Wiz disclosed it (January 29, 2025), but unknown how long it was exposed or who accessed it.[24]

Incident 3: South Korea Spy Agency Warning (February 2025)[27]

South Korea's National Intelligence Service (NIS) issued official warning:

  • DeepSeek "excessively collects personal data"
  • All input data is used to train the AI model
  • Chat records are transferable (can be shared/exported)
  • Government agencies urged to avoid the service

Privacy Policy Analysis:

Privacy policy language (July 2025 version):[5]

  • States data may be used for "service improvement" and "research"
  • Does not explicitly commit to not training on user content
  • Chinese version contains additional clauses about data sharing with authorities[12][13]

Comparison to industry standards:

  • OpenAI (Enterprise/API): "We do not train on your data"
  • Anthropic Claude (Enterprise): "We do not train on your data"
  • Microsoft Azure OpenAI: "Customer data is not used to train models"
  • DeepSeek: No such commitment

Implication:

  • Extreme risk that sensitive data in prompts could be incorporated into training data
  • Proven track record of insecure data handling (database exposure, API keys in training)
  • No commitment not to train on user data
  • Evidence from South Korean intelligence that all user inputs are used for training
  • Do not enter any sensitive, confidential, or personal data into DeepSeek

4. China Data Transfer Risks

Status: 🚨 SEVERE RISK

As a Chinese company, DeepSeek is subject to China's national security laws, including:[6][14]

  • China Cybersecurity Law: Requires data localisation and government access
  • China Data Security Law: Mandates cooperation with national security investigations
  • China Personal Information Protection Law (PIPL): China's GDPR equivalent, but with government access provisions

Privacy policy (February 2025 update) added language: "In emergency situations to protect health and life, information may be provided to law enforcement agencies or emergency facilities."[13] This includes Chinese judicial authorities.

Implication: EU user data could be accessed by Chinese government without EU legal safeguards.

5. Insufficient Transparency

Status: ❌ INADEQUATE

Multiple EU regulators have cited lack of transparency as a primary concern:[9][2]

  • Unclear what data is collected from prompts
  • Unclear how long data is retained
  • Unclear where data is processed
  • Unclear whether data is used for training
  • No subprocessor list published

Luxembourg CNPD warning (February 2025): "Data entered by users in 'prompts' can be recorded, transferred, stored or analyzed without a clear framework for data protection."[9]

5 What Is MISSING (Critical Documentation Gaps)

No Data Processing Agreement (DPA)

Searched: API documentation, Terms of Service, Privacy Policy, Enterprise documentation

Result: ❌ NOT FOUND

Without a DPA, EU business customers cannot:

  • Meet GDPR Article 28 requirements for processor contracts
  • Document data processing locations
  • Establish Standard Contractual Clauses for China transfers
  • Verify data retention and deletion procedures
  • Obtain subprocessor list

No Standard Contractual Clauses (SCCs)

Status: ❌ NOT AVAILABLE

No evidence of SCCs or alternative transfer mechanisms (e.g., Binding Corporate Rules, adequacy decision) for China-EU data transfers.[^https://cdn.deepseek.com/policies/en-US/deepseek-privacy-policy.html

Note: China does not have an EU adequacy decision, so SCCs or alternative safeguards are mandatory under GDPR Article 46.

EU Representative Appointed (Update)

DeepSeek initially violated GDPR Article 27 by not appointing an EU representative. Following Greek DPA pressure in May 2025, DeepSeek appointed a Vienna-based DPO. Subsequently, Prighter Group was appointed as DeepSeek's formal EU Representative under Article 27.

In January 2026, DeepSeek updated its privacy policy with a dedicated "European Region" notice that: maps GDPR legal bases for each processing activity, lists data subject rights (access, rectification, erasure, portability, objection), explicitly acknowledges that data is stored in China, and names Prighter Group as the EU representative. While this represents a partial improvement, multiple DPAs still consider the policy insufficient — in particular because it does not resolve the lawfulness of China transfers, provides no SCCs or equivalent safeguards, and makes no commitment not to train on user data.[4]

No Compliance Certifications

Searched: Security documentation, compliance pages, privacy policy

Result: ❌ NOT FOUND

No evidence of:

  • SOC 2 Type II certification
  • ISO 27001 certification
  • GDPR compliance attestation
  • Third-party security audits
  • Any EU-recognised certification

No Clear Data Retention Policy

Unknown:

  • How long are prompts stored?
  • How long are conversation histories retained?
  • Is there automatic deletion?
  • Can users request data deletion? (GDPR Article 17 Right to Erasure)
  • What is the deletion verification process?

6 Comparison to Industry Standards

What reputable AI platforms provide (examples: OpenAI, Anthropic, Google, Microsoft):

✅ Public Privacy Policy with clear training policies

✅ Data Processing Agreement for business customers (GDPR Article 28)

✅ Standard Contractual Clauses for international transfers

✅ EU data residency options (or US with Privacy Shield successor)

✅ Compliance certifications (SOC 2, ISO 27001)

✅ Clear training policies (typically "no training on customer data" for paid tiers)

✅ Data retention policies with deletion options

✅ Subprocessor lists published and maintained

What DeepSeek provides (as of March 2026):

❌ No DPA for direct API customers ❌ No SCCs for China transfers ❌ No compliance certifications (SOC 2, ISO 27001) ⚠️ EU Representative appointed (Prighter Group) ⚠️ Privacy policy updated January 2026 with GDPR legal bases ⚠️ Available via EU-region cloud providers (AWS Bedrock, Azure AI, Google Vertex) - but only for self-hosted/managed deployments

7 Data Processing Flow (Unverified)

[User enters prompt in DeepSeek Chat or API]
  ↓
[Prompt sent to DeepSeek infrastructure]
  ├─ Location: China (confirmed)
  ├─ EU data center: None (confirmed by DeepSeek to Greek DPA)
  └─ Data transfer safeguards: None publicly documented
  ↓
[AI model processes prompt]
  ├─ Training on user data? UNCLEAR
  ├─ Data retention period? UNDEFINED
  └─ DPA protections? NOT AVAILABLE for business customers
  ↓
[Response returned to user]
  ↓
[Conversation history stored]
  ├─ Storage location: China
  ├─ Retention period: UNDEFINED
  ├─ Deletion option: UNCLEAR
  └─ Government access: Possible under Chinese law

*Note: DeepSeek has NOT published infrastructure documentation.*
*Data flow based on regulatory findings and privacy policy.*

8 Recommended Alternatives for EU Customers

If you need AI language models with proper GDPR compliance:

EU-Compliant Alternatives

Anthropic Claude (Enterprise)

  • ✅ Privacy Policy, Terms, DPA available
  • ✅ EU data residency option (AWS EU regions)
  • ✅ SOC 2, ISO 27001 certified
  • ✅ No training on customer data (Enterprise)
  • Price: Custom (Enterprise)

OpenAI (Enterprise)

  • ✅ Privacy Policy, Terms, DPA available
  • ✅ EU data residency option (Azure EU regions)
  • ✅ SOC 2, ISO 27001 certified
  • ✅ No training on customer data (Enterprise, API with opt-out)
  • Price: Custom (Enterprise)

Microsoft Azure OpenAI Service

  • ✅ Full Microsoft DPA
  • ✅ EU data residency (Azure EU regions)
  • ✅ Extensive compliance certifications
  • ✅ No training on customer data
  • Price: Usage-based

Google Gemini (Enterprise)

  • ✅ Privacy Policy, Terms, DPA available
  • ✅ EU data residency (Google Cloud EU regions)
  • ✅ ISO 27001, SOC 2 certified
  • ✅ No training on customer data (Enterprise)
  • Price: Usage-based

Self-Hosted Open-Source Options

Llama 3 (Meta) - Self-Hosted

  • ✅ Full control over data (your infrastructure)
  • ✅ No data leaves your servers
  • ✅ EU deployment possible
  • Price: Infrastructure costs only

Mistral AI (Europe)

  • ✅ French company, GDPR-native
  • ✅ EU data residency available
  • ✅ Open-source and commercial options
  • Price: Varies by deployment

9 If You Must Assess DeepSeek (Not Recommended)

Minimum Due Diligence Steps

If your organisation is considering DeepSeek despite the severe compliance risks, you must:

  1. Contact DeepSeek directly and request:
    • Data Processing Agreement (DPA)
    • Standard Contractual Clauses (SCCs) for China-EU transfers
    • Complete subprocessor list with locations
    • Data retention and deletion procedures
    • Infrastructure and data center locations
    • Training policy: explicit commitment not to train on customer data
    • Compliance certifications (SOC 2, ISO 27001, or equivalent)
    • Written confirmation of how they address Chinese government data access laws
  2. Conduct a Transfer Impact Assessment (TIA)
    • Per GDPR Article 46 and Schrems II ruling
    • Document risks of China data transfers
    • Assess whether SCCs provide "essentially equivalent" protection
    • Consider Chinese national security laws' impact
  3. Conduct a Data Protection Impact Assessment (DPIA)
    • Required under GDPR Article 35 for high-risk processing
    • China data transfers qualify as high-risk
  4. Obtain legal opinion
    • From EU data protection counsel
    • On feasibility of China transfers post-Schrems II
  5. Document the decision
    • In GDPR Article 30 processing records
    • Include risk assessment and mitigation measures
  6. Never process:
    • EU personal data (names, emails, identifiable information)
    • Special category data (health, biometric, racial/ethnic, political, religious)
    • Confidential business information
    • Any data subject to regulatory requirements (HIPAA, financial data, etc.)

Legal and Financial Risks

GDPR fines: Up to €20 million or 4% of global annual turnover (Article 83)

Specific violations likely if using DeepSeek for EU personal data:

  • Article 28: No processor contract (DPA)
  • Article 44-46: Unlawful international data transfer (China)
  • Article 27: No EU representative (until May 2025, and limited scope)
  • Article 30: Incomplete processing records (due to lack of DeepSeek documentation)

Additional risks:

  • Data breach liability: Unlimited damages to affected individuals
  • Regulatory investigation: Time, cost, reputational harm
  • Contractual breach: Violation of customer agreements requiring data protection
  • IP theft: Sensitive business data sent to China-based servers
  • Government surveillance: Chinese authorities' access to data under national security laws

10 Procurement Quick Answers (EU)

Is DeepSeek GDPR-compliant?

No. DeepSeek has been blocked in Italy and is under investigation in multiple EU countries for GDPR violations. The service lacks fundamental compliance documentation (DPA, SCCs) and processes all data in China.[1][2]

Does DeepSeek have a Data Processing Agreement (DPA)?

Not publicly available. No DPA has been published, and DeepSeek's initial regulatory response suggested they don't consider themselves a data processor.[4]

Where is DeepSeek's data stored and processed?

China. DeepSeek confirmed to Greek regulators that it has "no facilities in the EEA."[4] All data is transferred to and processed in China.

Does DeepSeek train AI models on user content?

Unclear. Privacy policy does not explicitly commit to not training on user data. Recent scandals revealed API keys and passwords in DeepSeek training data, suggesting potential data leakage.[10][11]

Can EU users request deletion of their data?

Unclear. Privacy policy mentions GDPR rights but implementation is unverified. Given the regulatory investigations and compliance gaps, it's uncertain whether deletion requests are properly handled.

What compliance certifications does DeepSeek hold?

None publicly disclosed. No evidence of SOC 2, ISO 27001, or other internationally recognised certifications.

Why did Italy block DeepSeek?

Lack of transparency about data collection, unclear legal basis for processing EU personal data, China data transfer risks without adequate safeguards, and no EU representative appointed.[1][2]

Did DeepSeek appoint an EU Data Protection Officer?

Yes, but only after Greek regulators ordered them to do so in May 2025. DeepSeek appointed a Vienna-based firm as DPO.[4] However, this doesn't resolve the fundamental issues with China data transfers.

Can we use DeepSeek's open-source models and self-host in EU?

Yes, and this has become the mainstream GDPR compliance pathway for organisations that need DeepSeek's capabilities. Options include:

  • Direct self-hosting via Hugging Face on your own EU infrastructure (MIT license)
  • AWS Bedrock (EU regions): DeepSeek models are now available via AWS Bedrock in EU regions
  • Azure AI (EU regions): DeepSeek models available via Azure AI in EU regions
  • Google Vertex AI (EU regions): DeepSeek models available via Google Vertex AI in EU regions

When using cloud provider APIs (AWS/Azure/Google), you operate under the cloud provider's DPA and EU data residency - eliminating the China transfer issue. No data is sent to DeepSeek's own infrastructure. This is now a viable and commonly used approach.

Caveats:

  • Training data provenance concerns remain (API keys found in training data)
  • No SLA or support from DeepSeek for any deployment
  • Cloud provider pricing may be higher than direct DeepSeek API

11 Notes & Caveats

  • Italy ban definitive: The Italian Garante's block is definitive, confirmed by Bird & Bird legal analysis - not temporary.
  • EDPB AI Enforcement Task Force: The European Data Protection Board expanded its ChatGPT Task Force into a broader "AI Enforcement Task Force" to coordinate member-state responses to DeepSeek, signaling organised pan-EU enforcement.
  • Multi-DPA investigation wave (11+ DPAs): Belgium, France, Ireland, Greece, Netherlands, Luxembourg, Spain, Portugal, Poland, Lithuania, Croatia, and Germany are all engaged. Berlin DPA sent Article 16 "notice-and-action" notifications to Apple and Google on June 27, 2025.
  • Global bans beyond EU: Italy, US (multiple agencies), South Korea, Australia, Taiwan, India, Indonesia (January 2026), and Malaysia (January 2026) have all imposed bans on government or national network use of DeepSeek.
  • EU Representative appointed (Prighter Group): Partial improvement - satisfies Article 27 formally, but does not resolve China transfer issues.
  • Privacy policy updated January 2026: European Region notice added, GDPR legal bases mapped, data subject rights listed, China storage explicitly acknowledged, Prighter named as EU representative. Multiple DPAs still consider this insufficient without DPA/SCCs.
  • Cloud provider pathway now mainstream: DeepSeek models are available via AWS Bedrock, Azure AI, and Google Vertex AI in EU regions. This is now a viable GDPR compliance approach - you use the cloud provider's DPA, not DeepSeek's.
  • Self-hosting via Hugging Face: Open-source self-hosting is increasingly common as an alternative to direct DeepSeek API access.
  • Still no formal DPA for direct API customers - businesses cannot use the direct DeepSeek API for EU personal data without violating GDPR Article 28.
  • China national security laws: Chinese companies can be compelled to provide data to government; EU-China data transfers face Schrems II challenges.
  • API keys scandal: Discovery of 12,000 API keys/passwords in training data raises serious questions about data handling practices.[10]
  • Pricing too good to be true: DeepSeek's pricing (~$0.028/M tokens) is 10x cheaper than competitors. Question: how is this economically viable? Potential answer: monetisation through data.[8]

12 Disclaimer

This overview documents severe GDPR compliance issues with DeepSeek based on EU regulatory actions and publicly available information as of March 2026.

We strongly advise against using DeepSeek for any EU business purpose, especially when processing personal data, until the company:

  1. Resolves regulatory investigations across the EU
  2. Publishes comprehensive Data Processing Agreement with Standard Contractual Clauses
  3. Establishes EU data residency or demonstrates adequate safeguards for China transfers
  4. Provides clear training policy commitments
  5. Obtains internationally recognised compliance certifications

WAIMAKERS B.V. applies strict privacy and security due diligence internally. We do not use tools under active regulatory investigation or those lacking fundamental GDPR safeguards. Customers should apply the same standard.

WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer. Using non-compliant tools presents severe legal, financial, and reputational risks.

If DeepSeek resolves its compliance issues and EU regulators lift restrictions, this assessment should be re-evaluated.

Prepared and issued by WAIMAKERS B.V. - March 2026.

References

  • https://www.euractiv.com/news/deepseek-making-a-splash-with-eu-data-protection-bodies/ - DeepSeek Under EU Data Protection Scrutiny
  • https://www.gdpreu.org/deepseek-ai-under-eu-scrutiny/ - DeepSeek AI Under EU GDPR Scrutiny
  • https://garanteprivacy.it/home/docweb/-/docweb-display/docweb/10097450 - Italian Garante Blocks DeepSeek (January 30, 2025)
  • https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/10098477 - Italian Garante Provvedimento Blocking DeepSeek (January 30, 2025)
  • https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/10096856 - Italian Garante Requests Information from DeepSeek
  • https://www.secrss.com/articles/79691 - DeepSeek Appoints EU DPO Following Greek DPA Order (May 2025)
  • https://cnpd.public.lu/fr/actualites/national/2025/02/deepseek.html - Luxembourg CNPD Warning on DeepSeek
  • https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak - Wiz Research: Exposed DeepSeek Database Leaking Sensitive Information
  • https://cdn.deepseek.com/policies/en-US/deepseek-privacy-policy.html - DeepSeek Privacy Policy

Need help navigating AI?

Schedule Free Call
WAIMAKERS

Learn. Lead. Make.

AI Transformation Boutique · Amsterdam

Make work exciting, make businesses unstoppable.

Who We Help

View all roles & industriesCEOs & Board MembersPE & Investment ManagersCFOs & Finance LeadersInnovation DirectorsCTOs & IT LeadersCommercial Directors

What We Do

View all servicesOur ApproachLearnTailored Training ProgrammesAI Champions ProgrammeAgentic Way of WorkingE-learningLeadMake

Company

About UsResourcesContactCareersPodcast ↗

© 2026 WAIMAKERS. All rights reserved.

Privacy PolicyCookie Policy