Back to Blog
Voice Agent Data Protection – Legally Compliant AI Telephony 2025
Data ProtectionGDPRVoice AgentOctober 30, 202510 min

Voice Agent Data Protection – Legally Compliant AI Telephony 2025

AI-powered Voice Agents answer calls, book appointments, and qualify leads – around the clock, without pause. But before a business goes live with the technology, one critical question must be addressed: Is deployment legally compliant? Particularly in Germany and Austria, data protection law is interpreted especially strictly. Those who make mistakes here risk fines of up to €20 million or 4 % of global annual turnover.

This guide provides you with a complete data protection framework for Voice Agents – from the obligation to inform under Art. 13 GDPR through to a data deletion concept.


Why Voice Agents are particularly relevant under data protection law

A Voice Agent processes voice data in real time. That alone is sensitive from a data protection perspective, because voices are personal data within the meaning of Art. 4(1) GDPR. When recording is added, a fleeting conversation becomes a permanently stored document. And as soon as voice patterns are used to identify a person – even inadvertently – you are in the domain of biometric data under Art. 9 GDPR, the specially protected category.

There is a further complication: Voice Agents frequently use cloud services from outside the EU. Voice data may therefore leave the European Economic Area – another risk factor that requires its own regulatory treatment.


Duty to inform under Art. 13 GDPR

As soon as you collect personal data – which happens the moment a call is received – you must inform the calling person. When a human employee takes a call, this is arguably fulfilled implicitly. With a Voice Agent, you must ensure it actively.

What must the Voice Agent communicate at the start of the conversation?

Under Art. 13 GDPR, the following information is required:

  • Name and contact details of the controller (your business)
  • Contact details of the data protection officer (where applicable or legally required)
  • Purpose and legal basis of processing (e.g. contract performance under Art. 6(1)(b), legitimate interests under (f), or consent under (a))
  • Recipients or categories of recipients (e.g. CRM provider, telephony service provider)
  • Intention to transfer to a third country (where data is processed outside the EEA)
  • Retention period or criteria for determining it
  • Data subject rights (access, rectification, erasure, restriction, objection, data portability)
  • Right to lodge a complaint with a supervisory authority

Practical tip: Many businesses integrate a brief spoken passage at the start of each call that refers to the full privacy policy on their website. This is permissible under data protection law, provided the reference is clear and the policy is easy to find.


The question of whether you may record telephone conversations in Germany is governed primarily by Β§ 201 of the Criminal Code (violation of the confidentiality of the spoken word) and Β§ 3 of the Telecommunications Act. Without the express consent of all parties to the conversation, recording is generally not permitted.

Consent to recording must:

  1. Be given freely – not tied to the service where recording is not strictly necessary
  2. Be informed – the caller must know what is being recorded and for what purpose
  3. Be unambiguous – silence does not count, nor does a pre-ticked box
  4. Be revocable – the caller must be able to stop the recording at any time (e.g. by pressing a key)

In practice, the following approach is recommended: the Voice Agent informs the caller at the outset about recording and states the purpose (e.g. quality assurance, training data). An active confirmation is then requested: "If you consent to the recording, please say 'Yes' or press 1."

Important: The consent itself must be logged – date, time, phone number, and the content of the consent.


Biometric data: The underestimated risk factor

If a Voice Agent uses voice characteristics to identify or authenticate a person – for example to recognise an existing customer – this constitutes biometric data under Art. 9(1) GDPR. These data enjoy special protection.

Processing is in principle prohibited unless one of the exceptions in Art. 9(2) GDPR applies. The most relevant are:

  • Explicit consent (Art. 9(2)(a)) – high requirements; written form recommended
  • Substantial public interest (Art. 9(2)(g)) – rarely applicable to SMEs

For most business applications this means: Voice Agents must not use voice recognition to identify individuals without obtaining explicit consent. Businesses that rely purely on voice control (intent recognition) without storing or attributing voices are outside the biometric risk zone.


Data processing agreement (DPA)

Any external service provider processing personal data on behalf of your business is a data processor under Art. 28 GDPR. This includes:

  • The Voice Agent provider (e.g. anicall)
  • The cloud telephony provider (SIP trunk)
  • The speech recognition provider (ASR/TTS)
  • The CRM provider, where data is transferred automatically

With each of these service providers, you must conclude a data processing agreement (DPA) that fulfils the requirements of Art. 28(3) GDPR. This must govern as a minimum:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Type of personal data and categories of data subjects
  • Obligations and rights of the controller
  • The processor's obligation to follow instructions
  • Confidentiality obligations
  • Technical and organisational measures (TOMs)
  • Sub-processor arrangements
  • Obligations to assist with data subject rights and data breaches
  • Deletion or return upon contract termination
  • Audit rights

Sub-processor list

Professional Voice Agent providers supply a complete list of their sub-processors. Check that this list is up to date and that you are informed of any changes. Require this as a contractual obligation in the DPA.


Data storage and deletion periods

The GDPR prohibits storing data longer than necessary (principle of storage limitation, Art. 5(1)(e)). For Voice Agents you must create a deletion concept covering the following categories:

Data categoryRecommended retention periodLegal basis
Call logs (metadata)90 daysLegitimate interest
Recordings for quality assurance30–60 daysConsent
Transcripts containing customer dataUntil end of contract + 3 yearsContract performance / statutory retention
Complaints correspondence3 yearsStatutory retention obligation
Invoicing-relevant data10 yearsΒ§ 147 German Fiscal Code

Ensure that your Voice Agent provider offers automated deletion routines, or that you have manual deletion procedures in place.


Data subject rights and their implementation

Callers have extensive rights under the GDPR:

  • Right of access (Art. 15): What data has been stored?
  • Right to rectification (Art. 16): Correct inaccurate data
  • Right to erasure (Art. 17): "Right to be forgotten"
  • Right to restriction (Art. 18): Restrict processing
  • Right to object (Art. 21): Object to processing based on legitimate interests
  • Data portability (Art. 20): Provide data in machine-readable format

You must ensure that these rights can be fulfilled within one month (extendable to three months in complex cases). This requires knowing where all data relating to a caller is stored – in the Voice Agent system, the CRM, the call log.


Third country transfers

Many AI voice services are processed on servers in the US or other third countries. Following the end of the Privacy Shield and the Schrems II ruling of the CJEU (2020), such transfers are permissible only under strict conditions.

Permissible mechanisms for third country transfers:

  1. Adequacy decision by the European Commission (e.g. for the UK, Japan, Canada)
  2. Standard Contractual Clauses (SCCs) under Implementing Decision 2021/914
  3. Binding Corporate Rules (BCRs) – for corporate groups
  4. Derogations under Art. 49 GDPR – only in individual cases, not as a permanent arrangement

For US providers, the EU-US Data Privacy Framework (DPF), operational since 2023, applies. Check whether your provider is certified under it. Even if it is, SCCs should be agreed as an additional safeguard.


Sector-specific requirements

Medical practices and healthcare

Health data are specially protected under Art. 9 GDPR. If a Voice Agent records symptoms, receives diagnoses, or handles prescription requests, it is processing health data. Additionally:

  • Professional confidentiality under Β§ 203 of the Criminal Code – physicians may only pass patient data to employees under their direction; an external Voice Agent provider must be contractually included in this circle
  • Consent under Art. 9(2)(a) GDPR is generally required
  • Technical security requirements are heightened – end-to-end encryption is mandatory

Law firms

Lawyers are subject to the professional duty of confidentiality under Β§ 43a of the Federal Lawyers' Act (BRAO). Client data may in principle not be passed to third parties without consent. A Voice Agent receiving client enquiries must therefore:

  • Be operated on infrastructure hosted exclusively in the EU
  • Have its DPA structured to meet the specific requirements for legal practices
  • Not transfer client content to third-party AI systems used for training purposes

GDPR compliance checklist for Voice Agents

Use this checklist for self-assessment before putting your Voice Agent into operation:

  • Privacy policy includes reference to Voice Agent and AI processing
  • Duty to inform under Art. 13 GDPR implemented at the start of the conversation
  • Recording notice with active consent implemented
  • DPA concluded with all data processors
  • Sub-processor list documented and reviewed
  • Third country transfers legally secured (SCCs, DPF)
  • Deletion concept created and technically implemented
  • Record of processing activities under Art. 30 GDPR updated
  • Data Protection Impact Assessment (DPIA) under Art. 35 GDPR assessed (mandatory for biometric processing)
  • Processes for data subject rights defined (deadlines, responsibilities)
  • Internal staff trained on handling Voice Agent data
  • Sector-specific requirements (healthcare, law) reviewed and implemented

Documentation recommendations

The accountability principle (Art. 5(2) GDPR) requires you to be able to demonstrate your compliance. Keep the following documents readily available:

  • Privacy policy with Voice Agent-specific sections
  • Conversation opening script with data protection notice (versioned and dated)
  • Consent log for recordings
  • DPA with each service provider
  • Sub-processor list (with date of last review)
  • Technical and organisational measures (TOMs)
  • Deletion concept with specific deadlines
  • Record of processing activities under Art. 30 GDPR
  • DPIA (where required)

Conclusion

Operating a Voice Agent in a data protection-compliant manner is not an unsolvable problem – but it does require careful preparation and the right choice of provider. Those who lay these foundations can deploy the technology with legal certainty while simultaneously strengthening customer trust. Data protection is not an obstacle – it is a competitive advantage: customers who know their data is secure are more comfortable interacting with your system.

Ready to introduce a GDPR-compliant Voice Agent? Our experts guide you from legal review through to productive operation.

Book your free consultation now