"Are we even allowed to put an AI on the phone?" — one of the first questions dental practices, salons, and restaurants ask us. The short answer: yes, as long as a few basic GDPR requirements are met. This article walks through each relevant criterion in detail so you can make an informed decision.
What data does an AI phone assistant process?
A typical call involves processing:
- The caller's phone number
- The spoken content, converted to text for processing (transcript)
- Name and contact details, if provided for an appointment booking
- Health- or treatment-related details, if the caller mentions them during the call (e.g. at medical practices)
This is personal data, and in some cases special category data under Articles 4 and 9 GDPR — which means heightened care is required, especially in a medical context.
Legal basis for processing
Processing typically relies on one of two legal bases under Article 6(1) GDPR:
- (b) contract performance: the caller actively wants to book an appointment or request a service — processing is necessary to fulfil that request.
- (f) legitimate interest: for general call handling and quality assurance, provided the caller's interests don't override it.
Explicit consent generally isn't required in most standard cases, though transparent information about the processing — a short note at the start of the call, or a section in your privacy policy — is still recommended and, in many cases, required regardless.
The key GDPR criteria for small businesses
- Data processing agreement (DPA): the AI phone assistant provider must offer a DPA under Article 28 GDPR as a processor.
- Server location: ideally processing within the EU, avoiding international transfer mechanisms and added complexity.
- Retention period: clear deletion periods for call recordings and transcripts — not indefinite storage.
- Transparency for callers: callers should be able to tell they're speaking with an AI system where relevant.
- Data minimization: only collect the data actually needed for the booking or inquiry.
- Technical and organizational measures (TOMs): encryption, access restrictions, and logging on the provider's side.
- Disclosed sub-processors: which additional vendors (e.g. cloud hosting, speech processing) are involved should be documented.
- Updated privacy policy: your own privacy policy should mention the use of an AI phone assistant.
What belongs in the data processing agreement
A compliant DPA under Article 28 GDPR covers, among other things: the subject matter and duration of processing, the nature and purpose of processing, categories of data subjects and data, the rights and obligations of the controller, and the technical and organizational measures in place. Without this agreement, there's no legal basis for engaging an external provider to process call data.
Server location and international transfers
If voice processing happens outside the EU, additional requirements apply — such as standard contractual clauses or an EU Commission adequacy decision. This significantly increases the compliance burden. Processing within the EU avoids this complexity and is the simpler choice for most small businesses.
Retention periods for recordings
There's no blanket legal deadline for call recordings — the purpose determines the period. Short retention windows (e.g. a few weeks for quality assurance) are common, while appointment booking data may be kept for as long as needed for the business relationship. What matters is that the provider has a documented deletion policy rather than storing indefinitely.
Questions to ask a provider before signing up
| Question | Why it matters |
|---|---|
| Is a DPA under Article 28 GDPR provided? | Without a DPA there's no legal basis for the processing arrangement. |
| Where does data processing take place? | Determines whether additional transfer safeguards are needed. |
| How long are recordings stored? | Indefinite storage violates the data minimization principle. |
| Which sub-processors are involved? | Transparency is required and affects the processing risk. |
| How are deletion requests handled? | Data subjects have a right to erasure under Article 17 GDPR. |
Not every provider meets these criteria automatically. Before committing to a solution, it's worth getting written confirmation of these points rather than a verbal assurance.
Disclaimer
This article provides a general overview and does not constitute legal advice. For a legally sound assessment of your specific situation, we recommend consulting a data protection officer or specialist lawyer.
Questions about Hallodesk's data handling?
We're happy to answer your questions about DPAs, server location, and data processing in a short call.
Frequently asked questions
Are businesses in Europe even allowed to put an AI on the phone?
Yes, as long as the provider offers a data processing agreement under Article 28 GDPR, the data processing is documented transparently, and deletion periods for recordings and transcripts are defined.
Is explicit caller consent required?
In most cases, processing relies on contract performance or legitimate interest under Article 6(1)(b) or (f) GDPR, for example when the caller actively wants to book an appointment. Explicit consent usually isn't required, though transparent information about the processing is still recommended.
What should I ask a provider before signing up?
Ask about server location, whether a data processing agreement under Article 28 GDPR is provided, how long recordings and transcripts are stored, and whether sub-processors outside the EU are involved.
