The typical case: client data in a private ChatGPT account
Almost every firm knows the scenario, even if it is rarely said out loud: an employee is asked to draft a letter to the tax office. She copies the facts — the client’s name, the GmbH, the revenue figures, the disputed matter — into her private ChatGPT account, because the result is ready in two minutes instead of twenty. The letter is good. Nobody notices a thing. And that is precisely the problem.
This phenomenon has a name: shadow AI. Employees use AI tools on their own initiative because the firm does not provide an approved one. The data ends up in a consumer application for which there is neither a data processing agreement nor a confidentiality obligation — and where, depending on the account settings, inputs may be used to train the models.
Importantly: the problem is not the technology. AI-assisted drafting, research and document processing are legitimate and useful tools for tax firms. The problem is the channel — a private account with a service that is designed, neither contractually nor technically, for professional secrets.
What §203 StGB specifically prohibits for tax advisors
Tax advisors are among the professional secret holders: §203 para. 1 StGB names them expressly, alongside doctors, lawyers and auditors. The provision makes it a criminal offence to disclose, without authorisation, another person’s secret that was entrusted to you in your professional capacity. The penalty: imprisonment of up to one year or a fine. In parallel, §57 para. 1 StBerG imposes a professional-law duty of confidentiality.
Another person’s “secret” is, in practice, almost everything a firm knows about its clients: income circumstances, company figures, shareholder structures, family-law situations, planned transactions. Disclosure means: giving a third party knowledge, or opening up the possibility of obtaining knowledge. Anyone who enters client data into a cloud service whose operator can technically access that data opens up exactly such a possibility.
The decisive exception: §203 paras. 3 and 4 StGB
Since the 2017 reform, professional secret holders may involve external service providers — IT maintenance, data centres, software vendors — insofar as this is necessary for their work. The condition is set out in §203 para. 4 StGB: the professional secret holder must oblige the contributing party to maintain confidentiality. If they fail to do so and a secret is disclosed, they make themselves criminally liable.
The crux: A data processing agreement under Art. 28 GDPR is not the same as the confidentiality obligation under §203 para. 4 StGB. The DPA governs data protection; the §203 obligation governs the criminally protected professional secret. For every AI service that comes into contact with client data, both questions must be answered. Many AI providers offer a DPA — an express §203 confidentiality agreement is offered by very few.
Where the line runs: anonymised vs. identifiable
§203 StGB protects secrets that relate to an identifiable person. From this follows the practical dividing line:
- Uncritical: Abstract technical questions (“How is an investment deduction amount formed?”), text modules with no client reference, publicly available information, fully anonymised facts.
- Critical: Anything that makes a client recognisable — names, tax numbers, but also combinations such as industry + location + revenue size. A “roofing GmbH in Pirmasens with €2.3M in revenue” is identifiable even without a name.
- Frequently underestimated: Pseudonymisation (“Client A”) is not enough. As long as the link can still be established through the surrounding context, a secret is still present. True anonymisation means: the personal reference can no longer be established by anyone.
In day-to-day firm work, clean anonymisation is laborious and error-prone — especially with complex matters where the context enables identification. That is why the workable solution usually runs not through case-by-case anonymisation, but through an infrastructure that is approved for client data.
What the BStBK says: the AI FAQ catalogue (January 2026)
With its FAQ catalogue “AI in the tax advisory profession” (as at 27 January 2026), the German Federal Chamber of Tax Advisors (Bundessteuerberaterkammer, BStBK) has for the first time published official guidance on the use of AI in tax firms. The catalogue covers strategy, use cases, tool selection, quality assurance as well as professional and data protection law — and thereby makes clear: the chamber assumes that AI will be used in firms, and focuses on the how.
For the §203 question, three points from the catalogue are central:
- The duty of confidentiality under §57 StBerG and §203 StGB applies without restriction when using AI as well — it is the benchmark against which every tool must be measured.
- Before using an AI service, you must check on what contractual basis the provider processes data — including the question of whether inputs are used for training.
- Firms need internal rules and trained employees — in other words, the exact opposite of shadow AI.
Expert commentaries on the catalogue also point out that the distinction between the data protection DPA and the criminally required confidentiality agreement under §203 para. 4 StGB is the real hurdle in practice: both questions must be examined separately, and a provider’s “GDPR-compliant” label answers only the first.
The options for tax firms at a glance
Anyone who wants to introduce AI in an orderly way rather than ban it has, in 2026, essentially three categories of solution to choose from. An honest look at all three:
DATEV Copilot
Since February 2026, the DATEV Copilot has been the central AI assistant within the DATEV ecosystem — available to DATEV members as a free add-on and natively integrated into the DATEV environment. Strengths: drafting text, summaries and document analysis within the protected DATEV environment, without data leaving the familiar system. For firms that only want to support DATEV processes with AI, this is the obvious first step. The limitation: the focus is on the DATEV workflow — for tasks beyond that (general correspondence, cross-client research, individual workflows) it is not intended.
Mandanten.KI
Mandanten.KI is a provider specialised in tax advisors with DATEV DMS integration — based on our market observation, the most direct specialist in this niche. Anyone looking for a solution tightly tailored to the tax-advisor workflow, with no requirements beyond that scope, should take a look at this provider.
ClapNClaw
ClapNClaw takes a different approach: a versatile AI assistant (Claude, operated via AWS Bedrock in Frankfurt, eu-central-1) on an infrastructure built for professional secret holders from day one — all firm data sits on servers at Hetzner in Frankfurt, and the DPA under Art. 28 GDPR is in place from day one. The Compliance plan (€59 per user/month) adds the building blocks that are decisive for tax firms: the §203 supplementary agreement (confidentiality obligation under §203 para. 4 StGB), the DATEV connection via OAuth, and invoice extraction — invoice in, structured posting record out.
| Criterion | DATEV Copilot | Mandanten.KI | ClapNClaw |
|---|---|---|---|
| Breadth of use | DATEV workflows | Tax-advisor workflows with DATEV DMS | Multi-use: correspondence, research, invoices, custom workflows |
| DATEV link | Native (own ecosystem) | DMS integration | OAuth connection |
| §203 supplementary agreement | Check the DATEV contractual framework | Check with the provider | Included in the Compliance plan |
| Data location | DATEV environment | Per provider | Hetzner Frankfurt; inference Bedrock eu-central-1 |
| Price | Free for DATEV members | Per provider | Compliance: €59/user/month |
These options are not mutually exclusive: many firms will use the DATEV Copilot for DATEV-internal tasks and, alongside it, a broader solution for everything else. What matters is that every solution in use cleanly answers both contractual questions (DPA + §203 para. 4). For a detailed look at AI use scenarios with DATEV, see our article AI for Tax Advisors: Use Cases, DATEV Integration and §203 Compliance.
Checklist: introducing AI into a tax firm in a legally compliant way
Five steps that make the difference between shadow AI and orderly use:
- Take stock. Ask openly within the team: who already uses AI tools today, which ones, and what for? Without blame — the goal is a realistic picture of shadow AI, not discipline.
- Check the provider’s contractual situation — both levels. Is there a DPA under Art. 28 GDPR? Is there additionally an express confidentiality obligation under §203 para. 4 StGB? Are inputs used for training? Where is data stored and processed?
- Set clear usage rules. A short, written AI policy: which tools are approved, what data may go in, what is off-limits (private accounts for client data). One page is enough — provided it is actually lived by.
- Train the team. Most §203 risks arise from ignorance, not intent. One hour of training on the dividing line “anonymised vs. identifiable” and on the approved tools removes the bulk of the risk.
- Provide an approved alternative. Shadow AI does not disappear through bans, but through an official tool that is at least as convenient as the private ChatGPT account — and that is approved for client data, both contractually and technically.
Rule of thumb: If you would not email a piece of information unencrypted to an unknown external party, it does not belong in an AI tool without an DPA + §203 agreement either. With both — and EU data storage — little stands in the way of productive use.
Frequently asked questions
Am I even allowed to use ChatGPT as a tax advisor?
Yes — for general tasks with no client reference: drafting text, researching publicly available topics, help with wording. As soon as identifiable client data enters the prompt, the duty of confidentiality under §57 StBerG and §203 StGB applies. The free consumer version also lacks a DPA and a confidentiality obligation — client data has no place there.
Is a data processing agreement (DPA) under Art. 28 GDPR enough?
No. The DPA covers the data protection side. §203 StGB additionally requires that external service providers who come into contact with professional secrets be expressly obliged to maintain confidentiality (§203 para. 4 StGB). Anyone who passes client data to an AI provider without contractually fixing this criminal-law obligation risks their own criminal liability — even with a DPA.
When does client data count as anonymised?
When the link to the person can no longer be established by anyone — not even by combining it with other information. Redacting names is often not enough: a GmbH with its industry, location and revenue size is frequently identifiable. Pseudonymised data (“Client A”) remains a secret within the meaning of §203 StGB as long as the assignment is still possible.
What are the concrete consequences of a §203 StGB violation?
§203 StGB provides for imprisonment of up to one year or a fine. On top of that come possible professional-law consequences under the StBerG, civil liability towards the client, and data protection fines under Art. 83 GDPR. Criminal liability falls on the professional secret holder personally — not on the firm as an organisation.
Conclusion: not whether, but how
§203 StGB does not prohibit tax advisors from using AI — it prohibits the unauthorised disclosure of client secrets. The difference lies in two contracts (a DPA under Art. 28 GDPR and a confidentiality agreement under §203 para. 4 StGB), a clear internal policy, and an infrastructure that keeps client data in the EU. The BStBK FAQ catalogue from January 2026 confirms this direction: AI belongs in the firm — but in an orderly, contractually secured way and with a trained team. For the big-picture overview of legally compliant AI use, see our guide Using AI in a GDPR-compliant way.
AI for your tax firm — with a §203 supplementary agreement from day one
Claude via AWS Bedrock Frankfurt, data on Hetzner servers in Frankfurt, DPA + §203 agreement in the Compliance plan (€59/user/month), DATEV connection via OAuth and invoice extraction included.
See ClapNClaw for tax advisors