AI Governance Information Pack

Project: Pickles GmbH — AI Governance Framework
Stage: Stage 5 — Commercial Packaging
Status: Draft
Version: v1
Date: 2026-02-26
Assumptions: Built on outline assumptions — not verified against real Pickles GmbH data


1. Executive Summary

Pickles GmbH [ASSUMPTION] is a German legal technology provider offering AI-powered tools designed to support qualified legal professionals in research, drafting, summarisation, and structured legal analysis. Its systems are designed as assistive tools for lawyers and in-house legal teams — not as autonomous legal decision-makers.

AI governance is central to the trustworthiness of legal AI. Under Regulation (EU) 2024/1689 (EU AI Act), Regulation (EU) 2016/679 (GDPR), the German Federal Data Protection Act (BDSG), and professional rules applicable to German lawyers (BRAO/BRAK), AI systems used in legal contexts must be carefully controlled, documented, and subject to meaningful human oversight. In addition, GDPR Article 5 requires accountability and demonstrable compliance with data protection principles.

This Information Pack summarises Pickles GmbH’s AI governance architecture as implemented through its multi-stage AI Governance Framework (Stages 1–4). It explains how systems are classified, documented, monitored, and reviewed, and how regulatory obligations — including EU AI Act Articles 9, 11, 13, 14, 31, 72; GDPR Articles 5, 22, 28, 32, 33, 35; and relevant BRAO/BRAK provisions — are operationalised.

This document is intended for non-technical legal procurement teams evaluating Pickles GmbH as a vendor. It provides a structured overview of compliance posture, risk management, transparency measures, and professional safeguards.


2. AI Architecture Overview

2.1 Assumed Product Portfolio

[ASSUMPTION] Based on the AI System Inventory (L1-3.1) and EU AI Act Risk Mapping Matrix (L2-4.1), Pickles GmbH operates the following AI system categories:

  • Legal Research Assistant (SYS-01)
    AI-supported retrieval and summarisation of case law and legislation.

  • Document Drafting Tool (SYS-02)
    AI-assisted drafting and auto-completion of contracts and legal documents.

  • Document Summarisation Tool (SYS-03)
    AI summarisation of lengthy legal documents and judgments.

  • Legal Analysis Tool (SYS-04)
    AI-supported structured legal analysis applied to specific fact patterns.

These descriptions are provisional and must be verified against the actual production architecture. [LEGAL REVIEW REQUIRED]

2.2 Architectural Principles

Across all systems, the following architectural principles apply:

  1. Registration Before Deployment
    No AI system may be deployed without prior registration in the AI System Inventory (EU AI Act Article 11; L1-3.1).

  2. Gate-Based Intake Process
    All systems must pass a six-gate approval workflow before production deployment (L1-3.3).

  3. Defined Intended Purpose
    Each system’s intended purpose is documented in technical documentation in line with Annex IV and Article 13(3)(b)(i) EU AI Act (L2-4.2).

  4. Human-in-the-Loop Design
    System outputs cannot bypass mandatory lawyer review prior to client-facing use (EU AI Act Article 14; GDPR Article 22; L1-3.4).


3. EU AI Act Compliance

3.1 Risk Classification Approach

Pickles GmbH applies a structured Risk Classification Framework (L1-3.2) aligned to:

  • EU AI Act Article 6 (High-risk classification)
  • Annex III (High-risk categories)
  • Recitals 53 and 61 (legal AI interpretation)

Under Annex III Point 8(a), AI systems used by judicial authorities to apply law to concrete facts are classified as high-risk. [ASSUMPTION] Pickles GmbH sells to lawyers rather than judicial authorities; however, classification boundaries require legal review. [LEGAL REVIEW REQUIRED]

Where a system is determined to be high-risk:

  • Article 9 — A continuous risk management system is implemented.
  • Article 11 & Annex IV — Full technical documentation is maintained.
  • Article 13 — Instructions for use and transparency documentation are provided.
  • Article 14 — Effective human oversight is designed into the system.
  • Article 72 — Post-market monitoring is mandatory.
  • Article 73 — Serious incidents must be reported.

3.2 Technical Documentation

For each system, Pickles GmbH prepares documentation structured to Annex IV requirements (L2-4.2), including:

  • Intended purpose
  • System architecture overview
  • Training and validation approach [ASSUMPTION]
  • Known limitations and accuracy constraints
  • Human oversight mechanisms
  • Logging and monitoring design (Article 12)

Documentation is version-controlled and updated upon substantial modification (Article 3(23); Article 43(4)).

3.3 Transparency Measures

Transparency is addressed at three levels (L2-4.3):

  • System-Level Transparency (Article 13) — Deployer-facing instructions.
  • User-Level Transparency (Article 50) — Disclosure when interacting with AI; labelling of AI-generated content (effective 2 August 2026).
  • Professional Transparency — Alignment with BRAK Position Paper obligations.


4. Human Oversight Model

Human oversight is governed by the Human Oversight Policy (L1-3.4).

4.1 Core Principle

No AI output may constitute final legal advice without review and authorisation by a qualified lawyer.

This principle reflects:

  • EU AI Act Article 14 (Human oversight)
  • GDPR Article 22 (No solely automated decisions with legal effects)
  • BRAO §43a(2) (Independent professional judgement)

4.2 Prohibited Practices

Prohibited practices include:

  • Direct delivery of AI-generated advice to clients without review.
  • Designing workflows that bypass human review.
  • Representing AI output as independent legal advice.

[LEGAL REVIEW REQUIRED] The exact application of GDPR Article 22 in AI-assisted legal workflows must be assessed in context.


5. Data Protection Summary

5.1 Controller / Processor Model

Based on the Data Flow Map (L2-5.1):

  • Pickles GmbH acts as data controller for employee and account data. [ASSUMPTION]
  • Pickles GmbH acts as data processor for client-submitted legal documents. [ASSUMPTION]
  • Third-party model providers may act as sub-processors (GDPR Article 28(2)). [ASSUMPTION]

[LEGAL REVIEW REQUIRED] Role allocation must be verified per GDPR Article 4(7)–(8).

5.2 Lawful Basis

Lawyer clients, as controllers, determine lawful basis under GDPR Article 6. Where special categories of data (Article 9) are processed, additional conditions apply.

5.3 DPIA Status

The DPIA Assessment (L2-5.2) confirms:

  • High-risk systems require DPIA consideration (GDPR Article 35).
  • SYS-04 is treated as requiring full DPIA. [ASSUMPTION]

5.4 Security Measures

Security controls are implemented in line with GDPR Article 32 and BDSG §64, including:

  • Encryption in transit (TLS 1.3+) [ASSUMPTION]
  • Access controls and role-based permissions [ASSUMPTION]
  • Sub-processor due diligence (L2-5.3)


6. Monitoring & Quality Assurance

Monitoring is governed by the AI Monitoring Framework (L3-6.1).

6.1 Key Metrics

Monitored metrics include:

  • Hallucination / factual error rate
  • Citation integrity
  • User-reported accuracy concerns
  • Incident frequency
  • Model drift indicators

For high-risk systems, Article 72 requires structured post-market monitoring.

6.2 Incident Handling

The Incident Response Playbook (L3-6.2) defines:

  • Severity levels (P1–P4)
  • GDPR Article 33/34 breach notification timelines
  • EU AI Act Article 73 serious incident reporting

6.3 Change Management

The Model Change Management Protocol (L3-6.3) governs:

  • Change classification (Types A–F)
  • Substantial modification assessment (Article 3(23))
  • Conformity reassessment triggers (Article 43(4))


7. Professional Standards

Pickles GmbH aligns its governance architecture with:

  • BRAO §43a(2) — Independent legal judgement
  • BRAO §43e — IT outsourcing safeguards
  • BRAK AI Position Paper (December 2024)

Where third-party providers are used, confidentiality obligations consistent with §43e BRAO are required (L2-5.3).


8. Contact & Further Information

Pickles GmbH [ASSUMPTION]
Registered Address: [Placeholder]
Email: compliance@pickles.example [ASSUMPTION]
Data Protection Officer: dpo@pickles.example [ASSUMPTION]

Further documentation (under NDA where appropriate) may include:

  • Technical Documentation Packs (Annex IV format)
  • DPIA summaries
  • Sub-processor list
  • Monitoring dashboard extracts
  • Incident management summaries

End of Document 1