
Op-Ed: AI in Companies: Why Governance Is Becoming More Important Than New Prohibitions

10 June 2026

Article written by Franz-Peter Altemeier, Managing Director DDV, on his discussion with attorney-at-law Dr. Jens Eckhardt

AI Act, AI Omnibus, transparency obligations, high-risk AI: the regulatory debate surrounding Artificial Intelligence continues to gain momentum. Many companies are currently focusing primarily on new requirements, deadlines and potential liability risks. At the same time, data protection authorities are increasingly turning their attention to the practical use of AI applications.

The key insight: the real challenges often do not lie where the public debate assumes they do.

This is also the conclusion of an exchange between the DDV and attorney-at-law Dr. Jens Eckhardt at the Customer Service Summit last week. Current developments relating to the AI Act, data protection and AI governance were discussed from the perspective of business practice. The statements that have since been published by the Belgian Data Protection Authority and the State Commissioner for Data Protection of Lower Saxony confirm, in important respects, the assessments that had already emerged during that discussion.

As part of the Customer Service Summit, attorney-at-law Dr. Jens Eckhardt analysed the latest developments together with the DDV. In his view, the AI Act is currently widely misunderstood. “The AI Act contains only eight prohibitions,” Eckhardt explained. Many of the risks being discussed today had already been covered by existing legal provisions before the Regulation entered into force. The real added value of the AI Act therefore lies less in introducing new prohibitions and more in providing guidance and clear guardrails for organisations.

This becomes particularly apparent when looking at business practice. While the public debate often revolves around high-risk AI systems and new regulatory obligations, companies are increasingly dealing with very different questions. Who is responsible for the use of AI? How are employees qualified? Which data may be processed? And which rules apply to the use of AI applications in everyday work?

For Eckhardt, this development leads to a clear conclusion: “Data protection remains the main event.”

In reality, many risks arise not from the technology itself, but from the way it is used. Chatbots, voicebots and AI assistants regularly process personal data. Free-text inputs may contain sensitive information. In addition, employees are increasingly using AI tools that are neither technically nor organisationally integrated into company processes.

A specific term has now become established for this phenomenon: shadow AI. This refers to the uncontrolled use of AI applications outside defined processes and responsibilities. Such use creates risks for data protection, trade secrets and compliance.

Current publications from Belgium and Germany demonstrate that supervisory authorities are now focusing precisely on these issues. At the end of May, the Belgian Data Protection Authority published the results of an investigation into an AI-powered chatbot application. The investigation focused on retention periods, transparency, data protection impact assessments, sensitive data and the involvement of external service providers.

What is noteworthy is less the individual case itself than the overall direction of the investigation. The authority is not primarily concerned with abstract future scenarios surrounding Artificial Intelligence. Instead, it focuses on practical implementation questions: Which data are being processed? How long are chat histories stored? What information is provided to users? Were risks assessed and documented before the application was deployed?

The latest FAQ published by the State Commissioner for Data Protection of Lower Saxony reaches similar conclusions. The authority explicitly points out that the General Data Protection Regulation (GDPR) remains the key legal framework whenever personal data are processed. At the same time, it emphasises the obligation to ensure adequate AI literacy and warns against the risks of uncontrolled AI use.

According to Eckhardt, this is precisely where the real task for many organisations begins. The focus is not on discussing individual prohibitions or deadlines, but on developing robust governance structures. Companies need clear responsibilities, transparent processes and sufficiently qualified employees in order to use AI applications responsibly and in compliance with the law.

The European legislator has already incorporated this principle. Article 4 of the AI Act requires providers and deployers of AI systems to ensure an appropriate level of AI literacy among their staff. Training and awareness-raising are therefore becoming increasingly important components of an effective compliance strategy. The Data Protection Authority of Lower Saxony also explicitly identifies training as a necessary measure for the competent use of AI systems.

Another key element is the introduction of clear internal rules governing the use of AI applications. The Data Protection Authority of Lower Saxony expressly recommends organisational measures in the form of internal policies or operational instructions.

Such an AI policy creates transparency regarding permitted use cases, regulates responsibilities and provides employees with guidance for the use of AI tools. Particularly in relation to shadow AI, it can help organisations identify and mitigate risks at an early stage.

To support companies in this area, the DDV has published the new Practice Help “Implementing an AI Policy in Your Organisation”. Prepared by attorney-at-law Dr. Jens Eckhardt, the guidance explains the requirements arising from the AI Act and the GDPR, provides practical drafting examples and illustrates, through real-world examples, how organisations can develop and implement an AI policy. The Practice Help is available exclusively to DDV members in the members' area.

The current debate on Artificial Intelligence therefore highlights one central point above all: the decisive question is no longer whether companies will use AI. The decisive question is whether they can document its use transparently, establish appropriate organisational safeguards and maintain legal control over its deployment.

The guidance issued by the Belgian Data Protection Authority and the recent publications of German supervisory authorities indicate that this is precisely where future regulatory scrutiny is likely to focus.

The DDV supports this development through a continuously expanding programme of information and training. This includes webcasts, introductory training courses and practical workshops on the AI Act, GDPR, AI governance, AI literacy and the compliant use of chatbots, voicebots and other AI applications. The objective is to help organisations use Artificial Intelligence responsibly, lawfully and in a commercially sustainable manner.

Source: Discussion between the DDV and attorney-at-law Dr. Jens Eckhardt at the Customer Service Summit 2026; Belgian Data Protection Authority, “Sous la loupe : chatbots, innovation et protection des données”, 29 May 2026; State Commissioner for Data Protection of Lower Saxony, FAQ Artificial Intelligence, March 2026.
