RAG & privacy: what the new DSK guidance means for your company

The German Data Protection Conference (DSK) has published clear guidelines for AI systems using Retrieval Augmented Generation (RAG). Here's what it's about – and why KOSMO is designed precisely for these requirements.

  • GDPR-compliant: per DSK guidance
  • RAG technology: with source citations
  • Data sovereignty: 100% under your control

Background

Who is the DSK – and why does it matter?

The DSK is the joint body of the independent data protection authorities of the German federal government and the 16 federal states. It develops common positions and guidance on data protection.

Its publications aren't directly legally binding, but they are effectively directive: they show how supervisory authorities assess technologies – and therefore what will be seen as compliant or risky during audits.

Anyone deploying or planning AI systems today should use the DSK guidance as a reliable compass – especially when handling personal data in companies, municipalities and sensitive areas.

Why it matters to you

  • Unified view of supervisory authorities
  • Concrete guidelines for AI & RAG systems
  • Highly relevant for SMEs and administration

Explanation

What is RAG – in short

RAG stands for Retrieval Augmented Generation. In plain terms: an AI language model is combined with smart search across your own data.

1. Ask a question: the user asks a question in the KOSMO interface.
2. Semantic search: the retrieval module searches your documents, emails and knowledge sources.
3. AI generates the answer: the language model uses the retrieved content to answer precisely.
4. Source citation: every answer shows which document and which section it comes from.

Important: documents are not permanently integrated into the model. They stay in your database and can be changed or deleted at any time – a decisive advantage for privacy and data subject rights.

  • Semantic search instead of keywords: KOSMO understands the meaning of a question, not just individual words.
  • Answers from your real documents: no made-up answers, only substantiated information from your knowledge base.
  • Traceably linked with source citations: every answer is traceable, ideal for compliance and audits.

DSK assessment

What opportunities does the DSK see in RAG systems?

The guidance shows: RAG systems can be an important building block for privacy-compliant AI – when implemented correctly.

  • Greater accuracy: answers are based on concrete documents, not just training knowledge. Errors can be fixed by updating the sources.
  • Transparency and traceability: source citations make every answer traceable, a plus for compliance and documentation.
  • Data stays under control: personal data stays in your own systems. RAG uses it without permanently integrating it into the model.
  • Data subject rights are feasible: delete a document and it immediately affects future answers, unlike with fixed, trained models.
  • On-premise operation is realistic: smaller, focused models plus RAG enable operation on your own hardware, with no dependency on global cloud providers.

Risks

What risks remain?

The DSK is clear: RAG is no free pass. Some challenges have to be actively addressed.

  • Problematic base model: an unlawfully trained base language model remains problematic, even with RAG.
  • Purpose limitation: personal data may only be processed for the specific, predefined purpose.
  • Unwanted linkage: internal data can be linked to knowledge already present in the model.
  • Black-box effect: the model's exact internal decision path remains technically complex and hard to audit.

That's why we need systems that are designed from the start for privacy by design, controllable data flows and transparent architecture.

KOSMO & DSK

How KOSMO puts the DSK guidance into practice

KOSMO was built from day one to meet the requirements the DSK has now published for RAG systems.

  • 100% data sovereignty: KOSMO runs either fully on-premise or in certified German data centres. No data transfer to US clouds or third countries.
  • European language models: use and swap models that are compatible with European requirements, with no lock-in to proprietary black-box APIs.
  • RAG with full control: you decide which data sources are connected. No data flows into model training, and changes take effect in real time.
  • Source citations and transparency: every answer can be traced back to the underlying documents, ideal for audits, reviews and QA.
  • Role-based access: fine-grained permissions mean employees only see content they're authorised for, enforced technically by the system.
  • Controlled external data: web search and external sources are optional and clearly marked. Default: internal, vetted knowledge.
  • Open source and configurable: open components and transparent architecture allow technical and legal review, a real advantage over closed-source AI.
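To make the RAG workflow, the "delete a document and future answers change" property and the role-based access described above concrete, here is an added example (not KOSMO's code). It keeps documents in a deletable store, filters by the user's roles before ranking, and returns each chunk with its (document, section) citation; a plain token-overlap scorer stands in for semantic search and the LLM generation step is omitted.

```python
# Added example, not KOSMO code: minimal RAG retrieval layer. Token overlap
# stands in for semantic search; the LLM generation step is omitted.
from dataclasses import dataclass, field
import re

@dataclass
class Passage:
    doc_id: str        # document the chunk comes from
    section: str       # section within it, reported in the citation
    text: str
    roles: frozenset   # roles permitted to see this chunk

@dataclass
class Store:
    """Documents live here, not in the model, so they stay deletable."""
    passages: list = field(default_factory=list)

    def delete_document(self, doc_id):
        """Erasure request: drop every chunk of the document; the next
        query simply cannot retrieve it any more."""
        self.passages = [p for p in self.passages if p.doc_id != doc_id]

def _tokens(text):
    return set(re.findall(r"\w{3,}", text.lower()))  # drop short stopwords

def retrieve(store, question, user_roles, k=2):
    """Authorisation is applied BEFORE ranking: chunks the user may not see
    never enter the model context, however well they match."""
    q = _tokens(question)
    visible = [p for p in store.passages if p.roles & user_roles]
    ranked = sorted(((len(q & _tokens(p.text)), p) for p in visible),
                    key=lambda sp: sp[0], reverse=True)
    return [p for score, p in ranked[:k] if score > 0]

def answer(store, question, user_roles):
    """Context the model would receive, each chunk cited as
    (doc_id, section). Empty list: no grounded answer for this user."""
    return [(p.doc_id, p.section, p.text)
            for p in retrieve(store, question, frozenset(user_roles))]

def build_demo_store():
    """Constructed sample documents with section labels and role ACLs."""
    s = Store()
    s.passages += [
        Passage("HR-Handbook", "4.2", "Holiday entitlement: 30 days for full-time staff.", frozenset({"all"})),
        Passage("IT-Policy", "2.1", "Holiday requests are filed via the self-service portal.", frozenset({"all"})),
        Passage("Payroll-2024", "1", "Salary of employee Meier: 4200 EUR per month.", frozenset({"hr"})),
    ]
    return s
```

A user with only the "all" role never receives the payroll chunk even for a matching question, and once `delete_document("Payroll-2024")` runs, the HR user's next query returns nothing for it either.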

Ideal for: SMEs, municipalities, healthcare, education, energy providers and chambers.

Take action

Request advice on RAG & privacy

Use AI without losing control of your data – we'll show you how KOSMO does it.
