Kevin Riedl

10 min read · 15 Jun 2026

The One-Page AI Policy for a 5 to 50 Person DACH Company

Your staff already use AI. The only question is whether they do it consistently and safely, or improvise in consumer tools you cannot see. For a 5 to 50 person company in Austria, Germany, or Switzerland, you do not need a 27-page governance manual. You need one page that gets read, covering: approved tools and how to request new ones, what data must never go into which tools, a basic training expectation (your EU AI Act literacy hook), a human-review rule for output, disclosure of chatbots and AI content, and one named owner. A copy-ready template is below. The goal is to enable safely, not to ban, because a ban just moves AI use into private accounts you have no view into.

This is a practical guide, not legal advice. The regulatory specifics are current as of mid-2026 and some are moving; verify against the official sources before you rely on them, and run anything load-bearing past your own counsel.

Why a small company actually needs one

Not fear, just reality. Surveys put AI use among knowledge workers around three quarters, and most of those bring their own tools, more so at small and mid-sized companies. That is shadow AI, and it is the default unless you offer a known, approved path instead. The risks are concrete: staff have pasted confidential code and customer data into consumer chatbots, and unverified AI output has reached customers and courts with real consequences. A one-pager does not add bureaucracy. It replaces invisible, ad-hoc use with a path people can actually follow.

There is also a legal nudge. The EU AI Act's AI-literacy duty (Article 4) has applied since 2 February 2025 to both providers and deployers, which is effectively any company whose staff use AI. The bar is deliberately flexible: basic, documented training scaled to role, not a certification programme. There is no Article 4-specific fine, and enforcement is routed through national authorities from August 2026. A proposal to soften Article 4 (the Digital Omnibus) was circulating in 2026 but is not yet adopted, so treat the current duty as live.

What belongs in the policy

Eight short sections, each earning its place.

Section: What it says
Scope and principles: Who and what it covers, plus a few plain principles: a human stays accountable, protect data, be transparent, verify before relying.
Approved tools: A named list of allowed tools per use case, and a one-line path to request a new one. This is what kills shadow AI: a yes path.
Data handling: What must never go into which tools. Consumer and free tiers are not for company data; a business tier with a signed DPA or AVV is the approved path.
AI literacy: A short, documented expectation that staff get basic training. This is your Article 4 hook.
Output rules: Mandatory human review; no unverified AI output in customer-facing, legal, or financial contexts. A four-eyes rule for critical outputs.
Disclosure: Tell people when they are talking to a bot; label AI content where required, with the human-editorial-control carve-out noted below.
Escalation and owner: One named owner and one contact. Without an owner, the policy and reality drift apart.
Review cadence: Revisit at least every six months. Tools and law move fast.

The DACH data-protection part

When an employee puts personal or customer data into a tool, your company decides the purpose and means, so it is the controller and carries the GDPR duties. Using an external AI provider to process personal data generally needs a data processing agreement (an AVV under Article 28). Consumer free tiers usually do not offer one and may also train on your inputs, while business tiers typically do offer one and do not train on your data by default. Switzerland's revised data protection act applies in parallel and is treated as technology-neutral, so it covers AI processing too. One moving detail worth flagging: vendor terms change fast, so cite each provider's own current DPA rather than assuming. We cover how these regimes interact in our guide on how GDPR and the AI Act stack for a DACH SaaS.

The copy-ready one-page template

Paste it, fill the brackets, delete what does not apply. It is built for a 5 to 50 person company, not an enterprise.

AI Usage Policy, [Company Name]
Version [1.0] · Owner: [name or role] · Last reviewed: [date] · Next review: [+6 months]

1. Scope and principles. This applies to all staff and contractors using AI tools for [Company] work. Our principles: a human stays accountable for every output; we protect customer, personal, and confidential data; we are transparent about AI use; we verify before we rely.

2. Approved tools. Use only: [for example ChatGPT Team or Enterprise, Microsoft 365 Copilot, Claude for Work]. Do not use personal or free accounts for company work. To request a new tool, ask [owner] before using it.

3. Data rules. Never enter into any non-approved tool: personal or customer data, confidential or contractual information, credentials, or source code. Approved business tools with a signed DPA or AVV, and no training on our data, may process work data per their tier. If unsure, ask [owner].

4. Training. Everyone using AI completes [short onboarding or link] and a refresher [annually]. Ask [owner] if you are unsure how a tool works or where its limits are.

5. Output rules. AI output is a draft, never a final answer. A qualified person reviews every output for accuracy and context before use. For customer-facing, legal, or financial content, apply the four-eyes principle. Never send unverified AI output to customers or authorities.

6. Disclosure. Tell people when they are interacting with an AI chatbot. Label AI-generated content where required; content a human has reviewed and taken responsibility for does not need a per-item label.

7. Questions and escalation. Owner: [name, role, contact]. Report any data leak, wrong output that reached a customer, or "is this allowed" question immediately. No blame for asking.

8. Review. Reviewed at least every six months and whenever tools or law change materially. Acknowledged: [signature or sign-off].

Kevin Riedl

"A one-page policy that people actually read and follow beats a 27-page document that sits in a folder. The job is not to look compliant. It is to give your team a safe yes instead of an invisible workaround."

What to leave out, on purpose

Theater is the enemy here. Skip the vague aspirational language ("use AI responsibly" with no specifics), which only creates a false sense of compliance. Skip a full ISO 42001 certification or a complete NIST AI risk-management build-out; both are enterprise-tier and disproportionate for a small team, though they are fine as a reference vocabulary if you scale later. Skip long risk taxonomies and exhaustive use-case catalogues that nobody maintains. And never ship a policy with no named owner or no review date, because both guarantee it drifts into fiction. Keep it to the page that gets read.

Frequently Asked Questions

Does a small company need an AI policy?
Yes, practically. Your staff already use AI, often with their own tools, and the EU AI Act literacy duty (Article 4) has applied since February 2025. A one-pager is enough for a 5 to 50 person company.
What must an AI policy include under the EU AI Act?
The Act does not prescribe a template, but Article 4 expects staff to have sufficient AI literacy, and Article 50 expects chatbot and AI-content transparency from August 2026. Cover basic training plus disclosure and you are aligned.
Can employees use ChatGPT at work?
Yes, on an approved business or enterprise tier that does not train on your data and offers a DPA. Avoid free or personal accounts for company or personal data.
Is free ChatGPT GDPR-compliant for customer data?
Generally no. Free and Plus consumer tiers may train on inputs by default and do not offer a DPA or AVV, so they are unsuitable for personal or customer data.
What is the difference between consumer and business AI tiers?
Business tiers do not train on your data by default, offer a DPA with standard contractual clauses, and give retention controls. That is what makes them suitable for company data. Vendor defaults change, so check the current terms.
Do we have to label AI-generated content?
From August 2026 some AI content must be disclosed, but text that a human reviews and takes editorial responsibility for is exempt. Internal drafts do not need labels.
Who should own the AI policy in a small company?
One named person, often the owner, ops lead, or IT contact. A policy with no owner drifts from reality.
What is the EU AI Act AI-literacy obligation (Article 4)?
Since 2 February 2025, providers and deployers must ensure staff have a sufficient level of AI literacy, scaled to role and context. There is no Article 4-specific fine; enforcement runs through national authorities from August 2026. A softening proposal exists but is not yet law.
Is there a free German AI policy template (KI-Richtlinie Vorlage)?
Yes. The WKO offers a free fill-in template for SMEs, and German bodies publish guidance too. The one-page template above is a ready DACH starting point you can adapt.
Is a one-page policy really enough?
For 5 to 50 people, yes. A short policy that is read and followed beats a long one that is ignored, and you can always grow it as you scale.

Final thoughts

An AI policy for a small DACH company is not a compliance project. It is a one-page agreement that gives your team a safe, known way to use the tools they are already using.

Name the approved tools, draw a hard line around data, set a human-review rule, point at basic training, name an owner, and review it twice a year. That is enough to satisfy the obligations that actually touch you and to stop confidential data from leaking into a personal account. Write the page that gets read, then keep it current as the tools and the law move.
