Whitepaper on the EU AI Act

AI Policy for Companies: What Needs to Be Included + Checklist 2026

Key takeaways at a glance:
- Liability & Protection: An AI policy protects companies from costly data protection violations, copyright issues, and the leakage of trade secrets.
- Ultimate Human Responsibility: AI results must never be adopted blindly; human quality control (Human-in-the-Loop) is essential.
- EU AI Act in Mind: The European legal framework is already taking effect in phases – an AI policy ensures the necessary compliance and documentation.
- Preventing Shadow IT: A clear set of rules for permitted tools is safer and more productive than a blanket AI ban.
Introduction
ChatGPT for customer service, Copilot in the development team, AI-powered recruiting tools – artificial intelligence is an integral part of everyday business life. What many overlook in the process: using AI tools carries significant legal and operational risks. Data protection violations, copyright infringements, or AI hallucinations that go unnoticed can have severe consequences.
A clear AI policy creates security for your company and your employees. It defines, in a binding way, what is allowed, what is not, and how to use AI responsibly. In this article, you will learn what content belongs in a practical AI guideline and how to introduce it successfully.
Why does your company need an AI policy?
The GDPR contains no provision headed "You must write an AI policy". Nevertheless, there are strong legal and practical reasons for having one:
- Organizational Data Protection: The GDPR fundamentally requires "appropriate technical and organizational measures" (TOMs) to protect personal data. If employees use arbitrary AI tools without regulation, confidential customer data, applicant data, or internal information quickly end up in unvetted systems. An AI policy is the central organizational tool to minimize these risks.
- Management Liability: The general duty of care of the management requires the mitigation of risks. Those who do not regulate the use of AI systems risk inadvertently creating copyright infringements, turning incorrect information into a basis for decision-making, or generating discriminatory results. In the event of damage, this can lead to direct liability.
- The EU AI Act is Reality: The European legal framework for Artificial Intelligence is already taking effect in crucial stages. Companies must prove that they promote AI literacy within the workforce and minimize risks. A well-thought-out AI policy also signals externally – to customers, partners, and supervisory authorities – that you take governance and compliance seriously.
This content belongs in your AI guideline
A practical AI policy should have a modular structure and cover the following core areas:
Allowed and forbidden tools
- Whitelisting: A clear list of AI applications approved within the company (e.g., ChatGPT Enterprise, Microsoft Copilot with an active corporate license).
- Shadow IT Ban: A strict prohibition on using private accounts or unvetted tools for business purposes.
- Approval Process: A defined procedure for how employees can submit new AI tools for review and approval.
Data protection and permitted entries (Input rules)
- Data Classification: An exact specification of which data categories may be entered and which are absolutely taboo (e.g., health data, source code of core products, passwords, sensitive customer files).
- Anonymization Requirement: The instruction to anonymize data prior to entry, or to pseudonymize it (replace identifiers with placeholders that can be mapped back in-house) where the context must be preserved.
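Input rules are only as good as their enforcement, so many companies put a technical gate in front of the approved tools. The following Python example is added here to illustrate the two rules above and is not code from the original article or from any vendor: prompts containing a forbidden category (credentials, card numbers, IBANs) are rejected outright, while personal identifiers are replaced by stable placeholders that the same gate can map back once the answer returns. Checksum validation (Luhn for cards, mod-97 for IBANs) keeps look-alike digit runs such as phone numbers from triggering false blocks. The patterns, category names and sample prompts are illustrative assumptions and would need tuning to your own data classification.

```python
"""Prompt gate enforcing an AI policy's input rules before a prompt leaves the company.

Added example for this article, not code from the original page or from any vendor.
Forbidden categories (secrets, payment data) cause the prompt to be rejected; personal
identifiers are replaced by stable placeholders so the AI's answer can be re-identified
in-house. All patterns, category names and sample texts are illustrative assumptions.
"""
import re
from dataclasses import dataclass, field


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other 13-19 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check; int(c, 36) maps A..Z to 10..35 as the standard requires."""
    s = re.sub(r"\s", "", iban)
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1


# Categories the policy forbids outright: the whole prompt is rejected, not rewritten.
# Each entry is (pattern, validator); the validator weeds out look-alike false positives.
BLOCK_RULES = {
    "password": (re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"), None),
    "api_key": (re.compile(r"\b(?:sk|AKIA|ghp)_?[A-Za-z0-9_-]{16,}\b"), None),
    "credit_card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"),
                    lambda m: _luhn_ok(re.sub(r"\D", "", m))),
    "iban": (re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]){11,30}\b"), _iban_ok),
}

# Personal identifiers that may leave the company only in pseudonymized form.
PSEUDONYMIZE_RULES = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "PHONE": re.compile(r"\+?\d[\d ()/-]{7,}\d"),
}


@dataclass
class GateResult:
    allowed: bool
    text: str                                    # sanitized prompt, "" when blocked
    blocked: list = field(default_factory=list)  # violated forbidden categories
    mapping: dict = field(default_factory=dict)  # placeholder -> original value


class PromptGate:
    """Stateful per-conversation gate: the same value always gets the same placeholder."""

    def __init__(self) -> None:
        self._forward: dict[str, str] = {}   # original value -> placeholder
        self._reverse: dict[str, str] = {}   # placeholder -> original value
        self._counters: dict[str, int] = {}

    def _placeholder(self, kind: str, value: str) -> str:
        if value not in self._forward:
            self._counters[kind] = self._counters.get(kind, 0) + 1
            tag = f"[{kind}_{self._counters[kind]}]"
            self._forward[value] = tag
            self._reverse[tag] = value
        return self._forward[value]

    def check(self, prompt: str) -> GateResult:
        """Reject forbidden categories first; otherwise pseudonymize and pass through."""
        blocked = []
        for name, (pattern, validator) in BLOCK_RULES.items():
            for m in pattern.finditer(prompt):
                if validator is None or validator(m.group()):
                    blocked.append(name)
                    break
        if blocked:
            return GateResult(allowed=False, text="", blocked=blocked)
        text = prompt
        for kind, pattern in PSEUDONYMIZE_RULES.items():
            text = pattern.sub(lambda m, k=kind: self._placeholder(k, m.group()), text)
        return GateResult(allowed=True, text=text, mapping=dict(self._reverse))

    def reidentify(self, answer: str) -> str:
        """Map placeholders in the AI's answer back to real values; runs in-house only."""
        for tag, value in self._reverse.items():
            answer = answer.replace(tag, value)
        return answer


if __name__ == "__main__":
    # Constructed sample prompts, not real customer data.
    gate = PromptGate()
    print(gate.check("Customer card 4111 1111 1111 1111, please draft a refund email."))
    r = gate.check("Summarize the complaint from anna.mueller@example.com, reachable at +49 30 1234567.")
    print(r.text)
    print(gate.reidentify("Dear [EMAIL_1], we will call [PHONE_1]."))
```

The gate deliberately refuses rather than rewrites when a forbidden category is found: a password or card number has no legitimate business reason to appear in a prompt, whereas a customer e-mail address often does and only needs to be pseudonymized. The reverse mapping never leaves the company, which is what makes the transmitted text pseudonymous rather than merely obfuscated.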
Handling AI output
- Obligation to Verify: The prohibition against adopting texts, code, or decision proposals without verification.
- Risk Education: A note on potential copyright infringements when processing AI results without control.
Transparency and labeling
- Labeling Obligations: Determining when the use of AI must be disclosed to customers or the public (e.g., for AI-generated marketing images or automated chatbots in customer service).
Concrete implementation of data protection requirements (GDPR & DPF)
Data protection is the most critical point of any AI policy. Since many AI providers process data on external servers, you must legally secure three pillars:
- Clarify the legal basis for data processing (Art. 6 GDPR): If personal data is processed, it must be clarified which legal basis applies, for example a "legitimate interest" of the company, the performance of a contract, or explicit consent (e.g., from customers or applicants).
- Conclude a Data Processing Agreement (DPA): If an AI tool processes personal data on your behalf, the provider acts as a processor and a DPA according to Art. 28 GDPR is mandatory. The policy should state: without a valid DPA, no personal data may flow into the tool.
- Secure third-country transfers (EU-US Data Privacy Framework): Many AI services are based in the USA. Prefer providers that are certified under the current EU-US Data Privacy Framework (DPF) or where the transfer is legally secured via Standard Contractual Clauses (SCCs) plus supplementary measures (such as encryption of the data in transit and at rest).
Sample formulation for your policy:
"The input of personal data into AI tools is only permitted if (a) a clear legal basis exists, (b) a DPA has been concluded with the provider, and (c) the third-country transfer is legally secured (e.g., by the EU-US Data Privacy Framework). In case of doubt, consultation with the Data Protection Officer must take place prior to input."
Practical Tip: The data protection review of new AI tools and the conclusion of DPAs require in-depth specialist knowledge. Companies without an internal legal department can rely on digital all-in-one solutions such as the digital Data Protection Officer from heyData to handle the compliance review of software and internal guidelines efficiently and in a legally sound way.
Handling copyright and AI output
The copyright situation surrounding AI systems is complex. Your guideline should therefore be based on the following principles:
- No automatic copyright protection for AI output: According to the prevailing legal view, AI-generated works lack the required human "personal intellectual creation." This means: text, images, or programming code generated purely by an AI are generally not protected by copyright and can also be copied by your competitors. Independent protection can only arise through significant human editing.
- Danger of copyright infringements (Risk of plagiarism): Since AI models are trained on huge amounts of data, the output can be deceptively similar to protected works of third parties. Anyone using such output commercially risks cease-and-desist letters and legal action.
- Observe the licensing rights of the tools: Some providers reserve the right in their terms of use to use your inputs (prompts) to train their own models, or they restrict commercial use in free versions.
Sample formulation for your policy:
"AI-generated content must be checked for potential copyright infringements before publication, distribution, or commercial use. Employees bear the responsibility for the diligent final inspection of the content they publish."
Quality assurance and responsibilities
AI systems can hallucinate (invent facts), output outdated data, or deliver biased results. Therefore, your policy must define clear control mechanisms:
- Ultimate Human Responsibility (Human-in-the-Loop): AI is an assistant, not a final decision-maker. Every work result – whether contract text, customer email, or code snippet – must be reviewed by a human before it is used.
- Mandatory Plausibility Check: Particularly for factual statements, statistical data, legal assessments, or decisions with external impact, cross-referencing via primary sources is mandatory.
- Responsibilities in the Company: Assign fixed roles. Who maintains the list of allowed tools? Who is the contact person for errors or security incidents? Typically, this is a task force consisting of IT, Data Protection, and Legal.
How to successfully introduce the AI policy
A guideline only becomes effective if it is actually lived in the company. Proceed in six steps when rolling it out:
- Involve stakeholders early on: Bring management, IT, data protection, HR, and the works council to the table early to create acceptance.
- Understandable language instead of legalese: Write the policy clearly, precisely, and accessibly. Use practical examples from your employees' daily work.
- Offer practical training: Theory alone is not enough. Run short workshops showing how to comply with the policy in daily work with ChatGPT & Co.
- Guarantee central availability: Publish the guideline on the intranet or in the employee handbook and provide quick guides (e.g., as one-pagers) directly at the digital workplace.
- Anchor it in existing processes: Integrate the AI policy into the onboarding of new employees and make the "AI check" a standard when procuring new software.
- Schedule regular updates: Technological development and case law change rapidly. Set a fixed rhythm (at least once a year) to review and adjust the policy.
Checklist: Your AI policy at a glance
Use this checklist to ensure that your AI guideline covers all regulatory and practical requirements:
Basics & Scope
- The personal and material scope is exactly defined (to whom and to which tools does the guideline apply?).
- The goals and purpose of the policy are clearly formulated.
- Central terms (e.g., What does the company define as an "AI system"?) are clearly delineated.
Data Protection & Compliance
- Allowed and forbidden data categories for AI inputs are unmistakably defined.
- Concrete specifications for handling personal data (Art. 6 GDPR) are integrated.
- The process for concluding Data Processing Agreements (DPAs) is established.
- Compliance with requirements for third-country transfers (e.g., EU-US Data Privacy Framework) is ensured.
- A fixed contact person for data protection questions regarding AI use is named.
Copyright & Output Control
- Binding rules for the manual review of AI-generated content prior to use are anchored.
- Risk notices regarding potential copyright infringements and plagiarism are included.
- The commercial use and licensing rights of the utilized tools have been reviewed and documented.
Governance & Tool Management
- A continuously maintained list ("whitelist") of all approved AI applications is available or linked.
- A clear, auditable process for reviewing and approving new AI tools is established.
- The prohibition of shadow IT (use of unauthorized tools or private accounts) is explicitly formulated.
- The principle of ultimate human responsibility (Human-in-the-Loop) is anchored as a core tenet.
Conclusion
A well-thought-out AI policy is not a bureaucratic obstacle, but a fundamental cornerstone of a modern compliance and risk strategy. It effectively protects your company from data leaks, copyright issues, and liability risks. At the same time, it gives your employees the necessary legal certainty to use innovative tools productively. Those who establish clear guidelines today and cleanly integrate the requirements of the EU AI Act and the GDPR make their company future-proof.
FAQ
What is the most important point in the AI policy?
The protection of sensitive data (input control). The policy must state unmistakably which internal data, source code, or personal information must never be entered into a public or unsecured AI.
Do small companies or startups also need such a guideline?
Yes, absolutely. As soon as even one person in the team uses ChatGPT or similar tools for business purposes, liability and data protection risks arise. For startups whose company value is often based on intellectual property (IP), protection against thoughtless data leakage via AI prompts is vital for survival. In addition, investors now routinely demand proof of clean AI governance.
Is it enough to just ban the use of AI in the company entirely?
A blanket AI ban is almost always counterproductive in practice. It leads to employees using the tools secretly (shadow IT) to keep up with market efficiency. As a result, the company loses all control. A controlled, legally secured framework is many times safer than a ban that is ignored.
How does the EU AI Act affect internal company policies?
The EU AI Act obliges companies, among other things, to promote and prove the "AI literacy" of their workforce. Your policy should therefore not only contain prohibitions, but also define how employees are trained in the safe and transparent handling of AI. When using systems classified as "high-risk AI," additional strict documentation and monitoring obligations apply.
How do I handle the use of AI by external service providers (e.g., agencies)?
Your AI policy should also include specifications for external partners and suppliers. If an agency creates text, graphics, or programming code for you, it must be contractually regulated to what extent AI may be used and who is liable for the copyright and data protection review of the output.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.


