📣 Send us your press release
Site updates every 15 minutes
Professional Services

Hamburg Data Protection Officer Focuses on AI and Large Language Models

Hamburg's Commissioner for Data Protection and Freedom of Information has published a discussion paper addressing the use of Large Language Models (LLMs) and their compliance with the EU's General Data Protection Regulation (GDPR). The paper clarifies that LLM models themselves do not contain personal data.

12 July 2026
Hamburg Data Protection Officer Focuses on AI and Large Language Models

Hamburg's Commissioner for Data Protection and Freedom of Information (HmbBfDI) has issued guidance regarding the use of artificial intelligence (AI) and Large Language Models (LLMs), such as ChatGPT. The recently published discussion paper examines how the utilization of these technologies aligns with the European Union's General Data Protection Regulation (GDPR).

According to the Hamburg data protection authority, LLM models are components of broader AI systems that process user inputs and generate outputs based on probability models derived from data. While LLMs are trained on vast datasets that may include personal information, the authority's view is that this training process abstracts the data, losing direct links to individuals. The model learns general patterns and correlations, not identifiable details about specific persons. Consequently, these models inherently do not contain personal data, and GDPR rights cannot be asserted against them.

The Hamburg commissioner's assessment also covers "privacy attacks," which involve targeted attempts to extract training data from LLMs. The authority cites European Court of Justice jurisprudence, stating that such attacks would typically require disproportionate technical and temporal effort, thus not meeting the criteria for disclosing personal data. These types of activities are currently primarily confined to scientific research and model improvement.

Practically, this means companies should not face GDPR violations simply by using LLM models, even if the model was trained on unlawfully collected data. A company's responsibility arises if it directly uses or retrains models with personal data without a proper legal basis, or if it fails to ensure data protection practices and clarify responsibilities with third-party LLM providers.

Original source: dhpg.de