TL;DR: Hosted DeepSeek and Chinese AI models cannot be used for EU personal data. China has no GDPR adequacy decision, DeepSeek has no Standard Contractual Clauses, and Italy banned it within 72 hours of reviewing its practices. For US teams with no EU data exposure, it is legally usable but carries sovereignty risk. The open-source DeepSeek model, self-hosted on EU infrastructure, is a separate calculation and can be GDPR compliant.
DeepSeek R1 outperforms many US models on benchmarks at a fraction of the cost. Reddit threads and Hacker News discussions lit up in early 2026 as engineers tested it, impressed by the reasoning quality. Then the compliance questions started: can our team actually use this? What about GDPR? What about our EU customers?
The answer depends heavily on one variable most discussions skip: hosted versus self-hosted. That distinction changes the legal analysis entirely.
The Short Answer by Use Case
| Use case | Hosted DeepSeek (deepseek.com) | Notes |
|---|---|---|
| EU personal data | No | GDPR Article 46 violation, no SCCs in place |
| US personal data only, no EU operations | Legally usable | Get a service agreement; sovereignty risk remains |
| Internal testing, no personal data | Lower risk | Still check your AI acceptable use policy |
| Self-hosted open-source on EU infrastructure | Yes | No China transfer; standard GDPR controls apply |
| Government systems | No | US, Australia, and others have device bans |
The rest of this article explains why, and what to do about it.
Why Hosted DeepSeek Fails GDPR
GDPR Chapter V governs transfers of personal data to countries outside the EU. The rules are strict: you can only send EU personal data to a third country if one of three conditions is met.
First, the country must have an adequacy decision from the European Commission, meaning the EU has certified that the country's data protection laws are essentially equivalent to GDPR. China does not have an adequacy decision. It has never had one. Given China's cybersecurity laws, which give the government broad access to data stored on servers in China, an adequacy decision is not on the horizon.
Second, you can use Standard Contractual Clauses (SCCs): pre-approved legal clauses that create binding obligations on the data importer to protect EU personal data to GDPR standards. SCCs can bridge the gap when no adequacy decision exists. DeepSeek's privacy policy makes no mention of SCCs for EU-China transfers. As of June 2026, there is no documented SCC mechanism for using deepseek.com with EU personal data.
Third, you can use Binding Corporate Rules (BCRs) or certain approved codes of conduct. None apply here.
The result: sending EU personal data to deepseek.com violates GDPR Article 46. This is not a technicality or gray area.
European regulators moved fast. Italy's Garante data protection authority imposed a ban on DeepSeek within 72 hours of reviewing its practices in early 2026. Investigations opened in 13 European jurisdictions. The European Data Protection Board created a dedicated AI Enforcement Task Force. The Berlin DPA found that DeepSeek processes extensive user data and stores and transfers it to servers in China, then sent DSA Article 16 notifications to Apple and Google app stores over DeepSeek distribution.
The Open-Source Exception
Here is where the analysis changes. DeepSeek model weights are publicly available on Hugging Face. You can download them and run inference on your own infrastructure.
When you self-host DeepSeek on EU-based servers, two things happen: data never leaves your infrastructure, and it never reaches China. There is no China transfer. The GDPR transfer risk under Article 46 disappears entirely.
Your GDPR obligations for self-hosted models are the same as for any self-hosted software. You are the data controller. You need appropriate technical and organizational measures. You need a legal basis for processing. But you are not facing a cross-border transfer problem, because the data stays where you put it.
The practical caveat: running DeepSeek R1 at full capability requires significant compute. The full model is not a laptop deployment. Teams with existing GPU infrastructure or an EU cloud budget (AWS Frankfurt, Azure Netherlands, GCP Belgium) can make this work. Smaller quantized versions run on less hardware with capability tradeoffs.
For teams evaluating cost-efficient open-source models, this is a real path to GDPR compliance. Self-hosted Qwen or DeepSeek on EU cloud instances, with your own data processing controls, sidesteps the sovereignty problem entirely.
Other Chinese AI Models: Same Analysis
The hosted-versus-self-hosted framework applies to every Chinese AI model provider.
Alibaba Qwen: Open-source versions are available on Hugging Face and support self-hosting. The hosted version at qwenai.com has the same China transfer problem as hosted DeepSeek. Self-hosted on EU infrastructure: GDPR-compatible. Hosted: not safe for EU personal data.
Baidu ERNIE: Primarily a hosted product with no well-documented open-source weights available for self-deployment. China transfer risks apply. High risk for EU personal data.
ByteDance AI products: ByteDance, the TikTok parent company, has AI offerings subject to the same China data sovereignty concerns. Government scrutiny of ByteDance's data practices is ongoing in the US and EU alike.
The test to apply is always: where does inference happen, and where does data flow? If it flows to servers in China and no SCCs are in place, GDPR compliance is not achievable for EU personal data regardless of which Chinese provider is involved.
What to Do Now
Audit your current AI tool stack. Ask each team which AI models they are using, including personal productivity tools. Shadow IT using deepseek.com is a real exposure.
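One concrete way to run the audit above, and the "where does data flow?" test from the previous section, is to scan egress proxy logs for connections to hosted Chinese AI endpoints. The script below is an added example, not code from the article or from any provider. The proxy log format, the sample log lines, the internal self-hosted hostname and the subdomains are all constructed for illustration; the restricted domain list is only the two hosted services the article names (deepseek.com and qwenai.com).

```python
"""Flag outbound requests to hosted Chinese AI services in an egress proxy log.

Added example. The CLF-style proxy format, the sample lines and the
self-hosted hostname are constructed; the restricted domains are the two
hosted services named in the article.
"""
import re
from collections import Counter

# Hosted providers whose traffic implies a transfer to servers in China
# (from the article). Matched on the apex domain and any subdomain.
RESTRICTED_DOMAINS = ("deepseek.com", "qwenai.com")

# Self-hosted inference endpoint on EU infrastructure (assumed hostname).
ALLOWED_SELF_HOSTED = ("llm.eu-central.internal.example",)

# Matches lines like:
#   10.0.0.5 alice [11/Jun/2026:09:14:02 +0000] "CONNECT api.deepseek.com:443 HTTP/1.1" 200
LOG_RE = re.compile(
    r'^(?P<client>\S+)\s+(?P<user>\S+)\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})'
)


def host_of(target: str) -> str:
    """Extract the bare hostname from a CONNECT target or an absolute URL."""
    if "://" in target:
        target = target.split("://", 1)[1]
    host = target.split("/", 1)[0]
    host = host.rsplit("@", 1)[-1]          # drop any userinfo
    return host.split(":", 1)[0].lower().rstrip(".")


def classify_host(host: str) -> str:
    """Return 'restricted', 'self_hosted' or 'other' for a destination host.

    Suffix matching with a leading dot avoids false positives such as
    'notdeepseek.com', which a naive substring check would flag.
    """
    for domain in RESTRICTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "restricted"
    if host in ALLOWED_SELF_HOSTED:
        return "self_hosted"
    return "other"


def audit_proxy_log(lines):
    """Return (findings, per_user) for connections to restricted hosts.

    Malformed lines are skipped rather than aborting the audit.
    """
    findings = []
    per_user = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = host_of(m["target"])
        if classify_host(host) == "restricted":
            findings.append({"user": m["user"], "host": host, "ts": m["ts"]})
            per_user[m["user"]] += 1
    return findings, per_user


# Constructed sample log: two users reaching hosted services, one user on the
# EU self-hosted endpoint, one look-alike domain and one unparseable line.
SAMPLE_LOG = """\
10.0.0.5 alice [11/Jun/2026:09:14:02 +0000] "CONNECT api.deepseek.com:443 HTTP/1.1" 200
10.0.0.7 bob [11/Jun/2026:09:15:10 +0000] "CONNECT llm.eu-central.internal.example:443 HTTP/1.1" 200
10.0.0.5 alice [11/Jun/2026:09:16:33 +0000] "POST https://chat.deepseek.com/chat HTTP/1.1" 200
10.0.0.9 carol [11/Jun/2026:09:17:01 +0000] "CONNECT api.qwenai.com:443 HTTP/1.1" 200
10.0.0.9 carol [11/Jun/2026:09:18:45 +0000] "GET https://notdeepseek.com/ HTTP/1.1" 200
garbage line that does not parse
"""

if __name__ == "__main__":
    found, by_user = audit_proxy_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']}  {f['user']:8}  {f['host']}")
    print("per user:", dict(by_user))
```

Feed it the same export your proxy or DNS resolver already produces; the point of the per-user counter is to turn the result into a conversation with the teams concerned rather than a raw block list, and the look-alike domain in the sample shows why the match must be on the domain suffix, not a substring.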
If you are processing EU personal data with hosted Chinese AI: stop. This is not a risk-tolerance question with a manageable downside. It is a GDPR violation in a jurisdiction actively enforcing against these exact providers.
If you want cost-efficient open-source models: evaluate self-hosting Qwen 2.5 or DeepSeek V3 on EU cloud infrastructure. Benchmark capability against your actual use cases before committing to the infrastructure cost.
Update your AI acceptable use policy to explicitly address Chinese-hosted AI models. The policy should name the categories of restricted tools, not just rely on employees to infer the risk.
Add to your vendor due diligence checklist: "Country of data storage?" and "SCCs available for EU-origin data?" Any vendor that cannot answer both questions clearly fails the threshold check. See the full AI vendor due diligence checklist for the complete evaluation framework.
For US-only data: the legal calculus is different. No US federal law prohibits using DeepSeek for purely domestic US data. CCPA service provider requirements apply: you need a Data Processing Agreement that prohibits DeepSeek from selling or independently using your data. Check whether DeepSeek offers business account agreements with these terms. Even without a legal prohibition, many enterprise AI policies now explicitly prohibit inputting sensitive data into any Chinese-hosted AI service on sovereignty grounds.
Frequently Asked Questions
Does DeepSeek store my prompts permanently? DeepSeek's privacy policy states that user inputs and outputs are used to improve services. No SCC mechanism is in place for EU-China data transfers. For EU personal data, this means you should assume prompts are retained on China-based servers with no enforceable deletion timeline under GDPR.
Can I use DeepSeek for publicly available data with no EU individuals involved? Possibly. If you are processing only publicly available, non-personal data with no EU individuals in scope, the GDPR transfer risk does not apply. The remaining concern is supply-chain exposure: Chinese government access to query logs, including any context you provide with the prompt. For competitive intelligence or sensitive business analysis, that is worth weighing even when GDPR does not technically apply.
Is the open-source DeepSeek model the same quality as the hosted version? The open-source weights (R1, V3) are the same model architecture as the hosted service and capability is comparable. The difference is infrastructure: you run it on your own compute, which requires significant GPU resources but gives you full control over data residency and eliminates the China transfer problem entirely. For teams with existing cloud infrastructure in EU regions, the marginal cost of self-hosting is often lower than enterprise licensing fees for US-based AI providers.
