Back to Blog
AI Telephony GDPR-Compliant: Legally Secure Use of Voice Agents
GDPRData ProtectionComplianceJanuary 7, 20267 min

AI Telephony GDPR-Compliant: Legally Secure Use of Voice Agents

AI Voice Agents offer enormous efficiency gains – but before a business deploys them, the critical question arises: is this legally compliant? In Germany and across the DACH region, data protection law is particularly strict. The GDPR applies without restriction, the German Federal Data Protection Act (BDSG) supplements it at national level, and sector-specific regulations such as medical professional confidentiality or attorney-client privilege add further requirements. This article sets out what businesses must specifically observe and how GDPR-compliant deployment of AI telephony can be achieved.

Personal data in telephone conversations

Every telephone conversation with an identified or identifiable person contains personal data within the meaning of Art. 4(1) GDPR. This includes:

  • Name and contact details of the caller
  • Conversation content (enquiries, complaints, orders)
  • Metadata (time of call, duration, phone number)
  • Where voice is recorded: the voice itself (biometric data under Art. 9 GDPR where used for identification)

Processing this data requires a legal basis under Art. 6 GDPR. For most business telephony applications, Art. 6(1)(b) (contract performance) or Art. 6(1)(f) (legitimate interests) applies. For recordings and more extensive analysis, explicit consent (Art. 6(1)(a)) or a clear balancing of interests is generally required.

Transparency obligations – customers must be informed

Art. 13 GDPR requires the data subject to be informed at the time data is collected. For AI telephony this means specifically:

  • Callers must be informed at the start of the conversation that an AI system is conducting the call
  • Where recording takes place, this must be explicitly disclosed
  • The purpose of recording and the processing duration must be communicated

The wording can be practical: "You are now being connected to our digital assistant. The conversation may be recorded for quality assurance purposes. Further information can be found at [privacy policy]."

Note: A caller's silence following the notice does not constitute legal consent to recording. Active confirmation is required for this (e.g. "Press 1 to consent to recording").

Recording obligations and recording prohibitions

When may recording take place?

Recording telephone conversations in Germany is in principle only permissible with the consent of all parties, under Β§ 201 of the Criminal Code (violation of the confidentiality of the spoken word) and the Telecommunications Act. For business purposes:

  • With the caller's explicit consent: always permissible
  • For quality assurance and training: permissible with appropriate information and opt-out option
  • To fulfil statutory documentation obligations: permissible (e.g. in the financial sector under Β§ 83 WpHG)

Important: Partially divergent regulations apply in Austria and Switzerland. In Austria, call recording in a B2B context is possible under simpler conditions; in Switzerland, the revised Data Protection Act (nDSG) must be observed.

Alternatives to full recording

If obtaining consent appears too burdensome, or if conversion rates suffer due to the notice, there are alternatives:

  • Transcription without audio file: The conversation is transcribed and the audio file immediately deleted. Less sensitive from a data protection perspective, as no voice is stored.
  • Anonymisation after transcription: Names and other identifiers are removed from the transcript, so no personal reference remains.
  • Aggregated analysis: Sentiment and topic analyses without personal reference.

Data processing agreement (DPA) – the contractual obligation

When is a DPA required?

Whenever an external service provider processes personal data on behalf of the controller, a data processing agreement under Art. 28 GDPR must be concluded. When deploying an AI Voice Agent provider, this is mandatory.

A legally compliant DPA must contain:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Type of personal data
  • Categories of data subjects
  • Obligations and rights of the controller
  • Technical and organisational measures (TOMs)
  • Sub-processor arrangements (e.g. speech recognition provider)
  • The processor's obligation to follow instructions
  • Deletion and return obligations upon contract termination

Sub-processors – the hidden compliance pitfall

Many AI Voice Agent solutions in turn use external service providers for speech recognition, TTS (text-to-speech), or data processing. These sub-processors must be named in the DPA, and the processor must ensure they too act in compliance with the GDPR.

Check whether the provider uses sub-processors outside the EU. For US-based services (e.g. certain cloud services), a Standard Contractual Clauses transfer (SCCs) is required.

EU server locations – not a nice-to-have, but essential

Why EU hosting is decisive

The GDPR does not generally prescribe EU hosting, but data transfers to third countries without an adequate level of protection (outside the EU/EEA) are permissible only under strict conditions under Art. 44 et seq. GDPR. In practice, EU hosting is by far the most straightforward approach.

For sensitive sectors such as healthcare, law, and tax advisory, data protection authorities recommend – and in some cases require – that no personal data from client or patient conversations leaves the EU.

Reputable AI telephony providers for the DACH market operate their infrastructure exclusively in EU data centres – preferably in Germany, to also meet the more demanding requirements of the BDSG.

Data minimisation – collect only what is necessary

Art. 5(1)(c) GDPR (data minimisation) requires that only those data actually necessary for the given purpose are collected. For AI Voice Agents this means:

  • No permanent storage of audio files where transcripts suffice
  • Automatic deletion periods for all conversation data (typically 30–90 days)
  • Purpose limitation: data from service calls must not be used for marketing purposes without a new legal basis

Sector-specific considerations

Healthcare (medical practices, psychotherapists, pharmacies)

Conversations with patients will very likely contain health data – a special category under Art. 9 GDPR. Processing is permissible only under strict conditions, in particular with explicit consent or for the fulfilment of treatment contract obligations.

Medical practices are also subject to professional medical confidentiality (Β§ 203 of the Criminal Code). The AI provider is treated as a "person entrusted with professional confidentiality" and must be contractually incorporated accordingly.

Recommendation: In medical practices, AI Voice Agents should be deployed exclusively for administrative purposes (appointment booking, general information) – not for clinical initial consultations or triage.

Attorney confidentiality (Β§ 43a BRAO) and the duty of confidentiality for tax advisors (Β§ 57 StBerG) extend to all persons active in the professional practice – and to technical tools used. Client conversations via AI Voice Agent must therefore meet the highest data protection standards.

Recommendation: For client conversations, use only providers with certified GDPR compliance, a German server location, and written evidence of TOMs.

GDPR compliance checklist for AI Voice Agents

  • DPA concluded with the AI provider
  • All sub-processors named in the DPA
  • Server locations exclusively in the EU
  • Technical and organisational measures (TOMs) documented
  • Transparency notice implemented at the start of conversations
  • Consent to recording actively obtained (where recording is desired)
  • Automatic deletion periods configured
  • Website privacy policy updated (AI use mentioned)
  • Record of processing activities (RoPA) updated
  • Data subject rights ensured (access, erasure, objection)
  • Staff trained on GDPR-compliant use
  • Sector-specific special regulations reviewed

Get started now

anicall.io provides GDPR-compliant AI Voice Agents with exclusively EU server locations, a complete DPA, and professional data protection documentation. In a free consultation, we review together how legally compliant deployment can work for your business.

Book your free consultation now β†’