Legally compliant AI for lawyers – GDPR & Section 203 StGB compliant document analysis
PyleHound meets the high requirements of GDPR and professional law – even when it comes to sensitive professional secrets.
Summary
GDPR
- No commissioned processing (Auftragsverarbeitung) under Art. 28 GDPR, as there is no authority to issue instructions to PyleHound.
- Alternatively, a data processing agreement (AVV) is included in the terms of use.
§ 203 StGB
- § 203 StGB does not apply: there is no disclosure within the meaning of § 203 StGB because the data cannot be viewed in plain text.
- Alternatively, the requirements of § 43e (3) BRAO are fulfilled.
Cloud and AI use
- The requirements for the permissible use of cloud and AI services (in this case Google Gemini) are met by contractual and technical protective measures.
Client information
- Whether clients must be informed about the use of AI depends on how PyleHound is used in the individual case, but informing them is recommended in order to strengthen trust.
1. No data processing agreement (AVV) required under Art. 28 GDPR
Our position: The use of PyleHound does not constitute commissioned processing (Auftragsverarbeitung) within the meaning of Art. 28 GDPR. The criteria for this – in particular the determination of the purposes and essential means of data processing by the controller – are not met. PyleHound uses large language models (LLMs) whose architecture, training data, and processing logic are controlled solely by the model provider (in this case, Google). In addition, the user has no influence on the internal architecture and processing logic of PyleHound.
Consequence: There is no obligation to follow instructions. Any influence on the processing is effectively impossible. From a data protection perspective, this is therefore not commissioned processing, but independent data processing under the joint or sole responsibility of PyleHound.
Supported by:
Legal certainty:
As a precautionary measure, our terms and conditions nevertheless contain a data processing agreement (AVV) that applies if the controller has a say in the purposes or means – for example, through targeted prompts or the configuration of additional functions.
2. No obligation under Section 203 of the German Criminal Code (StGB)
Our position:
PyleHound processes data in a fully automated manner, encrypted and without the possibility of viewing plain text. According to established case law, under these conditions there is no disclosure within the meaning of Section 203 StGB.
Case law:
- Higher Regional Court of Cologne, decision of November 30, 1982 – 3 Zs 126/82: The court clarifies that “entrusting” only occurs if someone consciously enters into a confidentiality agreement or the secret was consciously disclosed. In the case of other facts that are already known, the law does not require silence if the informant has consented.
- Higher Regional Court of Nuremberg, judgment of November 8, 1994 – 1 U 1484/94: This decision emphasizes that the transfer of information that was not clearly communicated as a secret or is already generally known does not constitute disclosure within the meaning of Section 203 of the German Criminal Code – in particular if there is no intention to keep it secret.
- [Higher Regional Court of Dresden, decision of September 11, 2007 – 2 Ws 163/07](https://www.jusmeum.de/urteil/olg_dresden/77cdbcacf4bf20a4f70d114ee4459deb8ec9624f0f28b9cfc48f58b936ceae92?page=10&utm_source=chatgpt.com)
- BT-Drs. 18/11936, p. 30: Automated processing without access = no criminal disclosure
Additional protection:
Upon request, we provide a confidentiality agreement and obligation in accordance with Section 203 (4) of the German Criminal Code (StGB), which applies “insofar as information is actually disclosed to us” or in cases where plain text access is technically possible or desired (e.g., for individualization).
3. Use of Google Gemini: Admissibility under professional law
PyleHound uses Google's LLM Gemini. The integration is carried out in compliance with data protection and professional law, in particular § 43e BRAO and § 203 StGB.
Why does the LLM see plain text at all?
Due to the technical functioning of AI systems such as Gemini, entered data must be processed in plain text for a short time in order to be able to answer the query at all. This is comparable to an email: there, too, short-term plain text processing is necessary due to technical intermediate steps (SMTP server, cache, etc.), without this automatically constituting a disclosure that violates professional law.
- Processing is transient, without permanent storage.
- The data is not used for training purposes.
- Google deletes the requests immediately after processing, unless additional storage is activated.
- Communication is encrypted on the transport and server side.
Assessment: This form of processing does not meet the requirements of “disclosure” within the meaning of Section 203 of the German Criminal Code (StGB) as long as the service provider does not take note of the data and is not permitted to store it (cf. BT-Drs. 18/11936; DAV statement no. 32/2025, p. 6).
Admissibility according to DAV statement No. 32/2025
The DAV statement assesses the use of cloud and AI services by lawyers as admissible if:
- disclosure is necessary (Section 203 (3) sentence 2 StGB),
- the service provider is bound to confidentiality (Section 43e (3) BRAO),
- technical access controls and encryption are in place,
- no actual plain text access by the provider takes place.
Google meets these requirements:
- ISO 27001/27018 certification
- DPA pursuant to Art. 28 GDPR + confidentiality obligation
- No access to customer data by human employees
- Encrypted processing with optional client-side encryption
Result:
The brief processing of plain text by Gemini is technically necessary, but is not considered a disclosure from a legal perspective, provided that no access is granted. An explicit obligation under Section 203 of the German Criminal Code (StGB) is therefore not mandatory, but only necessary if an actual disclosure takes place.
4. Duty to inform clients
Must the client be informed?
Yes, in certain cases. DAV statement 32/2025 stipulates a duty to inform if:
- data is processed in plain text and the provider may be able to access it,
- or a decision on essential aspects of the mandate is supported or prepared by AI (e.g., in the case of draft pleadings).
There is no duty to inform if:
- the processing is encrypted and takes place without access,
- it is merely a technical support activity (research, formulation assistance, document classification).
Recommendation:
Transparency creates trust. A brief note in the client agreement, such as:
“We use AI systems that comply with data protection regulations to optimize our services. No secrets will be disclosed.” ...
may be useful, but is not mandatory for purely technical, encrypted use.