AI voice agent and GDPR: what you need to know before going live

An AI voice agent touches three layers of personal data from the very first second of a call: the caller's voice, the content of the conversation, and the metadata (number, time, duration). Here's what GDPR compliance demands before going live.

The triple disclosure#

Opening line: "this call is handled by an automated voice assistant." If you record the voice, say so. If you transcribe and send to an external LLM, say so. Three sentences, 4 seconds, legal armor.

Legal basis and purpose#

• Basis: legitimate interest (inbound call handling) or explicit consent for sales.
• Purpose: strictly handling the request, never marketing enrichment.
• Retention: 30 days default for the transcript, 90 for metadata.
• Maximum default: 1 year if the call becomes a commercial dispute.

Cascading processors#

Every actor in the chain (Twilio, Vapi/Retell, OpenAI/Mistral, your CRM) is a processor under GDPR. You must have a signed DPA with each. VocazAI provides an umbrella DPA that covers VocazAI + our STT/LLM subprocessors, with the list publicly maintained.

Hosting and cross-border transfers#

To stay in the EU zone, verify that STT and LLM run in European regions (Mistral EU-hosted, Whisper self-hosted). Otherwise you trigger a non-EU transfer and need standard contractual clauses (SCCs) and ideally the Data Privacy Framework on the provider side.

Data subject rights#

The caller can request access to their transcript, erasure, portability. You must respond within 30 days. In practice: an admin endpoint that filters calls by phone number and exports or deletes — VocazAI ships this in the dashboard.

The 5-minute checklist#

Voice disclosure check, signed DPAs check, EU region confirmed, retention durations set, privacy page updated, data-subject-rights procedure documented. First month VocazAI free to put it all in place with our DPO.