Rollout without stress: How to evaluate tools with legal, IT and works council

The Bliro AI Sales Assistant automates conversation documentation and CRM maintenance for sales teams that use Salesforce or HubSpot. However, before an AI meeting tool such as the Bliro KI Sales Assistant runs productively in the company, three stakeholders must give the green light: legal/data protection, IT security and works council. This article provides a concrete assessment framework for all three test centers so that the rollout of an AI tool takes place in an orderly manner rather than as a shadow AI problem. The article complements our Lead article on CRM automation in the field about the internal approval perspective.

Why an orderly rollout is crucial right now

One Bitkom study from May 2025 shows: 10 percent of employees in Germany use AI professionally without the knowledge of their employer. In the previous year, it was still 5 percent. At the same time, only 23 percent of companies have set binding rules for the use of AI.

Shadow AI is created without clear approval processes: Employees install AI meeting tools on their own without involving the IT department, data protection officer or works council. According to IBM Cost of a Data Breach 2025 Report Data breaches related to shadow AI cost an average of 4.63 million US dollars, around 670,000 dollars more than traditional incidents.

Die WalkMe State of Digital Adoption Survey 2025 Even estimates the proportion of knowledge workers who use AI tools without IT approval at 78 percent worldwide. A study by Software AG adds: 46 percent would continue to use unauthorized AI tools even if they were explicitly banned. The consequence for sales teams: An orderly rollout with approved tools such as the Bliro KI Sales Assistant is not only a compliance issue, but also actively prevents sales staff from switching to uncertain alternatives.

What legal and data protection need to check with an AI meeting tool

The legal evaluation of an AI meeting tool comprises three levels of testing: legal basis of data processing, data protection impact assessment and compliance with the EU AI Act.

Legal basis: Consent or legitimate interest?

The decisive factor is whether the tool saves audio or video files. Tools with a recording function require the consent of all call participants in accordance with Art. 6 para. 1 lit. a GDPR. The Bliro KI Sales Assistant transcribes conversations exclusively in volatile memory (RAM) without creating audio or video files. This architecture makes it possible to rely on the legitimate interest in accordance with Art. 6 para. 1 lit. f DSGVO. The transparency obligation under Article 13 GDPR remains in place: Interlocutors must be informed in advance.

Data Protection Impact Assessment (DSFA)

Die Federal Commissioner for Data Protection (BfDI) states in its handout of December 2025 that a DSFA is generally required when using AI systems. Die ISICO data protection advice confirmed: When using AI, at least two threshold analysis criteria are regularly met, which makes the DSFA mandatory.

EU AI Act: AI competence requirement since February 2025

Committed since February 2, 2025 Art. 4 of the EU AI Regulation (2024/1689) ensure that all companies that use AI systems have sufficient AI expertise. that Haufe specialist portal explains that although a violation of Article 4 is not directly subject to fines, civil liability risks arise in the event of damage caused by untrained use.

Die IHK Schleswig-Holstein points out that additional transparency requirements for AI systems with limited risk will apply from August 2026 and that recognition of emotions in the workplace has been classified as a prohibited practice since February 2025. The Bliro AI Sales Assistant deliberately dispenses with sentiment analysis and speaker recognition.

What the IT department needs to check with an AI meeting tool

The IT assessment focuses on server location, certifications, and integration with existing systems. The following checklist shows the most important test points.

Checkpoint	Why It Matters	bliro AI Sales Assistant
Server location	GDPR Art. 44: avoid third-country data transfers	EU servers (AWS Frankfurt)
ISO certification	Verifiable information security standards	ISO 27001 + SOC 2
Audio/video storage	§ 201 StGB and biometric data (GDPR Art. 9)	No storage, RAM-only processing
DPA in place	GDPR Art. 28: mandatory for data processing agreements	Included in standard onboarding
CRM integration	Data security during automatic synchronisation	Field-level (custom fields/objects)
Third-party audits	Independent verification of security standards	Regular audits by Kertos

that Bavarian State Office for Data Protection Supervision (BayLDA) points out that the risk management of the AI Regulation offers synergy effects with the DSFA under the GDPR. Companies that have already created a DSFA for their AI tool can use this basis for the requirements of the EU AI Act.

One Kivocado Compliance Overview (2026) shows that fines under the EU AI Act and GDPR can cumulate: up to 35 million euros from the AI regulation plus up to 20 million euros from the GDPR. Die Data Protection Conference (DSK) states in its guidance that early integration of data protection (privacy by design) is the best strategy to minimize these risks.

What the works council needs to check with an AI meeting tool

The works council has an enforceable right of participation in the introduction of AI software. Die Large law firm CMS Hasche Sigle clarifies that Section 87 (1) No. 6 BetrVG applies as soon as the employer has access to employee usage data. It is not the intention to monitor that is important, but the technical possibility.

Die IBP.Kanzlei adds that AI systems are objectively suitable for behavioral or performance monitoring almost without exception, because algorithms continuously process usage data.

that Hamburg Labour Court (Az. 24 BvGA 1/24) However, has decided that there is no right of participation if employees voluntarily use AI tools via private accounts and the employer has no access to data. This decision shows that with a tool provided by the employer, such as the Bliro KI-Sales Assistant, the involvement of the works council is mandatory.

Three arguments that convince the works council

that AI Knowledge and Continuing Education Center (KIWW) underlines that participation in the introduction of AI is not limited to data protection, but also includes work organization, health protection and qualification. Die Dr. Ahlborn Law Firm summarizes that Section 80 (3) BetrVG makes the involvement of an expert necessary when introducing AI.

No monitoring tool: Anonymous sales coaching with the Bliro KI Sales Assistant only shows each employee their own feedback. According to the manufacturer, supervisors only see aggregated team data.
No recordings: The Bliro KI Sales Assistant does not create audio or video files and does not join any meeting as a visible bot.
Works agreement as a framework: How Lawyer Hammer explains, well-designed works agreements create a legally secure basis for the use of AI in companies.

that Specialist portal betriebsrat.de confirmed: Since the Works Council Modernization Act 2021, the works council may by law call in an expert when using AI without having to separately prove the necessity.

that Specialist portal Dr. Data Protection analyses the first ruling of the Hamburg Labour Court and comes to the conclusion: The mere permission to use AI tools does not constitute a violation of Section 87 BetrVG as long as the employer has no access to the usage data. With a centrally provided tool, however, the situation is different, which is why the works agreement is the safest way.

Our Conclusion

An orderly AI rollout with clear integration of legal, IT and works council is not a bureaucratic effort, but the fastest way to productive use. Companies that work without an approval process risk shadow AI, compliance violations, and team acceptance issues. The Bliro KI Sales Assistant addresses the most common checkpoints of all three stakeholders through its technical architecture: no recordings, no biometric data, EU servers, ISO 27001, SOC 2 and anonymous coaching. The most important recommendation: Start the approval process in parallel, not sequentially. Legal, IT and works council can check at the same time if all documents (DSFA template, AVV, technical documentation, draft works agreement) are available from the start.

Common questions about the AI tool rollout with legal, IT and works council

How long does a complete approval process take for an AI meeting tool in a company?

A complete approval process for an AI meeting tool such as the Bliro KI Sales Assistant usually takes four to eight weeks when legal, IT and works council audit in parallel. The biggest time wasters are coordinating the works agreement and implementing the DSFA. When tested sequentially, the process can take three to six months.

Can the works council completely block the introduction of an AI meeting tool?

The works council can delay the introduction of an AI meeting tool, but not block it permanently. According to Section 87 (2) BetrVG, in the absence of agreement, a conciliation body may be called to replace the verdict. In practice, it has been shown that involving the works council at an early stage speeds up the process because concerns are addressed proactively.

Does the Bliro AI sales assistant need the consent of all call participants?

The Bliro KI Sales Assistant does not require the consent of the call participants because no audio or video files are created. Real-time transcription processes speech exclusively in volatile working memory (RAM). This architecture makes it possible to rely on the legitimate interest in accordance with Art. 6 para. 1 lit. f DSGVO. The transparency obligation under Art. 13 GDPR remains in place: You should inform interlocutors in advance, for example by means of a notice in the meeting invitation.

What documents does the IT department need to evaluate an AI meeting tool?

For the IT evaluation of an AI meeting tool such as the Bliro KI Sales Assistant, the IT department needs at least five documents: the order processing agreement (AVV), the technical architecture description (server location, data flows, encryption), the ISO 27001 and SOC 2 certificates, the DSFA template and the list of all sub-contractors. With the Bliro KI Sales Assistant, the AVV is part of standard onboarding.

Why is a DSFA almost always mandatory for AI meeting tools?

A data protection impact assessment (DSFA) is almost always mandatory for AI meeting tools because their use typically meets at least two criteria of threshold analysis in accordance with the guidelines of the Article 29 Data Protection Working Group: innovative use of technology and processing of personal data on a potentially large scale. In its handout dated December 2025, the BfDI states that a DSFA is generally required when using AI.

Does the AI competence requirement under the EU AI Act also apply to sales employees who use the Bliro KI Sales Assistant?

Yes, the AI competence requirement under Article 4 of the EU AI Regulation has been applicable to all employees who work with AI systems since February 2, 2025. This includes sales staff who use the Bliro KI sales assistant in their day-to-day business. The obligation includes basic technical, legal and ethical knowledge. The Bliro onboarding team supports implementation and training.

Does the works council have the right to an external expert when evaluating AI tools?

Yes, since the Works Council Modernization Act 2021, it has been considered necessary to involve an external expert in the assessment of AI systems by law (Section 80 (3) sentence 2 BetrVG). The works council no longer has to separately prove the necessity. However, the works council and employer must agree on the person of the expert and the remuneration.

‍