
GDPR and AI Phone Assistants — what is required and what is not

A practical guide for businesses: which building blocks are mandatory for GDPR-compliant AI telephony, what is optional, and what extra rules apply to healthcare providers, law firms, and accountants.


Why GDPR matters for AI phone calls

Phone calls contain personal data: voice (which qualifies as a biometric identifier under Article 9 GDPR when used to create voice profiles), name, request details, and often health, financial, or contractual information. Any business that deploys an AI phone assistant is the data controller and must comply with GDPR.

Good news: with the right setup, AI telephony is just as GDPR-compliant as a human staff member — and often easier to document, because every processing step is technically traceable.

Bad news: deploying a US-based voicebot without a DPA and without disclosure puts you at risk of fines of up to 4% of annual worldwide revenue, plus reputational damage. The following sections cover exactly what is required.

The required building blocks

1. Data Processing Agreement (DPA) with the platform provider: A DPA under Article 28 GDPR establishes that the provider processes data solely on your behalf. Talura generates this automatically when you create an account and makes it available at /avv.
2. DPAs with the AI providers you use: You choose your AI models (LLM, STT, TTS) and sign a separate DPA with each provider. OpenAI, Anthropic, Google, Deepgram, ElevenLabs, and others all offer a DPA — typically accepted online in the provider's dashboard. For highly sensitive industries, EU-native providers (Mistral, Google Gemini Frankfurt region) reduce transfer risk.
3. Transparency disclosure at the start of every call: Callers must be informed that (a) they are speaking with an AI, (b) the conversation is being processed/recorded, and (c) they have the right to object. This is required under both GDPR's transparency principle and the EU AI Act's transparency obligation for AI systems interacting with people in natural language. Talura plays this disclosure automatically. The wording is customizable; the minimum required content is not.
4. Documented deletion policy: How long is each category of data retained? Typical: audio recordings 7–30 days (quality assurance and dispute evidence), transcripts 30–365 days (documentation), structured fields (appointment data) until the matter is resolved plus any applicable legal retention periods. Talura allows auto-deletion per agent.
5. Records of Processing Activities (Article 30 GDPR): You must document in writing that you process phone data via AI — purpose, data categories, recipients, retention periods, security measures. Templates are available at /datenschutz. Supervisory authorities request this in audits.
6. Technical and organizational measures (TOMs): Encryption (TLS in transit, AES-256 at rest), access controls, backup policy, penetration testing. Talura documents its own TOMs and provides them on request — you reference them as an annex to your own TOM documentation.
7. 72-hour breach notification obligation: In the event of a data breach, you have 72 hours to notify your supervisory authority, plus an obligation to notify affected individuals if the breach is likely to result in high risk to their rights. Talura notifies you promptly of any security-relevant events — you are responsible for the supervisory authority notification as the data controller.

Healthcare, legal, and accounting professionals: additional rules

Professionals subject to confidentiality obligations — physicians, psychotherapists, pharmacists, lawyers, accountants, notaries — operate under both GDPR and their professional secrecy duties. In Germany, this is codified in § 203 of the Criminal Code (§ 203 StGB): sharing protected professional information through unauthorized channels is a criminal offense, not just a regulatory matter. Comparable obligations exist across EU member states (legal professional privilege, medical secrecy, etc.).

What this means for AI telephony: The AI may not provide professional advice. Appointment booking, standard FAQs, and emergency escalation are all fine (front-desk function). But the bot must not offer a diagnosis, legal opinion, or tax recommendation — even a technically correct answer could constitute a breach of professional secrecy.

Talura is explicitly configured for this. The industry templates for medical practices, physical therapy, and accounting firms include hard prohibitions in the system prompt: on clinical, legal, or tax questions, the bot refers the caller to you rather than answering itself.

Additional recommendation for the most sensitive practices: self-hosting the AI on your own infrastructure (see /self-hosting.html). This way data never leaves your own IT environment.

EU vs. non-EU providers — what works?

EU-native providers (GDPR-compliant by default)
  • Mistral (France) — LLM. Full GDPR compliance, no special arrangement needed.
  • Google Gemini with EU region (Frankfurt) — LLM. DPA active, data residency configurable.
  • Cartesia with EU server option — TTS. Low latency for voice.
  • Piper (local) — TTS. Runs fully offline, no data transfer.
  • Whisper local / Ollama — STT/LLM. Full data sovereignty.
Non-EU providers with adequate DPA (GDPR-compliant with agreement)
  • OpenAI — LLM/TTS. EU data residency on Enterprise tier. DPA available online.
  • Anthropic Claude — LLM. DPA available; EU server option in rollout.
  • Groq — LLM. DPA available; very fast inference.
  • Deepgram — STT. Standard DPA; EU hosting available.
  • ElevenLabs — TTS. UK hosting (UK is recognized as adequate). DPA available.
What to avoid
  • Providers without a DPA — even if the model is "free." Without a DPA, there is no legal basis for the processing.
  • Third countries without an adequacy decision and without Standard Contractual Clauses (SCCs) — the Schrems II risk. This applies to certain jurisdictions including China, Russia, and others.
  • Free-tier models that reserve the right to use your data for training — some providers use free-tier requests for model training. That is incompatible with processing personal data. When in doubt, use the paid tier or explicitly activate the training opt-out.

Full provider comparison with GDPR suitability ratings: /anbieter-vergleich. Note: provider terms change frequently — always verify current terms directly with the provider before deployment.

Practical Talura configuration for GDPR compliance

Concrete steps for a clean GDPR setup with Talura:

  1. Create your account at talura.app — DPA is generated automatically and available in your dashboard.
  2. Choose providers by sensitivity level: for healthcare providers, prefer Mistral + Piper + local Whisper; for standard SMBs, OpenAI + ElevenLabs + Deepgram (all with DPA) are a practical choice.
  3. Customize the disclosure text: the start of every call must include "You are speaking with an AI assistant from [Company]; this conversation will be processed." The wording is customizable but the minimum required content is fixed.
  4. Set deletion periods per agent: 7 days for audio, 30 days for transcripts is a sensible default. Longer retention requires documented justification.
  5. Maintain the emergency keyword list: configure escalation triggers so the bot routes to a human rather than attempting to handle emergencies itself.
  6. Update your Records of Processing Activities: add Talura as a data processor, your AI providers as sub-processors, data categories, and retention periods.
  7. Brief your team: anyone with dashboard access can see transcripts containing personal data. Staff data protection commitments are mandatory under GDPR.
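As an added illustration of the deletion policy (building block 4 above and step 4 of this checklist), not Talura's own code, the sweep below applies per-category retention to a constructed set of call artifacts: audio 7 days and transcripts 30 days from creation, structured fields only once the matter is resolved plus any legal retention period. The `legal_hold` flag and the per-record `legal_retention_days` value are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention periods in days for time-based categories (the page's suggested defaults).
# Structured data is handled separately: its clock starts only when the matter is resolved.
RETENTION_DAYS = {"audio": 7, "transcript": 30}


@dataclass
class CallArtifact:
    artifact_id: str
    category: str                            # "audio" | "transcript" | "structured"
    created_at: datetime
    resolved_at: Optional[datetime] = None   # structured data only; None = matter still open
    legal_retention_days: int = 0            # assumed statutory period after resolution
    legal_hold: bool = False                 # assumed dispute/litigation hold, blocks deletion


def deletion_due_at(a: CallArtifact) -> Optional[datetime]:
    """Timestamp after which the artifact must be deleted, or None if not yet determinable."""
    if a.category in RETENTION_DAYS:
        return a.created_at + timedelta(days=RETENTION_DAYS[a.category])
    if a.category == "structured":
        if a.resolved_at is None:
            return None  # open matter: retention period has not started
        return a.resolved_at + timedelta(days=a.legal_retention_days)
    raise ValueError(f"unknown category: {a.category}")


def sweep(artifacts, now):
    """Split artifacts into ids to delete now and (id, reason) pairs to keep."""
    delete, keep = [], []
    for a in artifacts:
        due = deletion_due_at(a)
        if a.legal_hold:
            keep.append((a.artifact_id, "legal hold"))
        elif due is None:
            keep.append((a.artifact_id, "matter still open"))
        elif now >= due:
            delete.append(a.artifact_id)
        else:
            keep.append((a.artifact_id, f"retained until {due.date().isoformat()}"))
    return delete, keep


# Constructed sample data for one agent, evaluated at a fixed point in time.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE = [
    CallArtifact("audio-1", "audio", datetime(2024, 6, 20, tzinfo=timezone.utc)),
    CallArtifact("audio-2", "audio", datetime(2024, 6, 25, tzinfo=timezone.utc)),
    CallArtifact("tx-1", "transcript", datetime(2024, 5, 1, tzinfo=timezone.utc)),
    CallArtifact("tx-2", "transcript", datetime(2024, 5, 20, tzinfo=timezone.utc), legal_hold=True),
    CallArtifact("appt-1", "structured", datetime(2024, 3, 1, tzinfo=timezone.utc)),
    CallArtifact("appt-2", "structured", datetime(2024, 3, 1, tzinfo=timezone.utc),
                 resolved_at=datetime(2024, 4, 1, tzinfo=timezone.utc)),
    CallArtifact("invoice-1", "structured", datetime(2024, 3, 1, tzinfo=timezone.utc),
                 resolved_at=datetime(2024, 4, 1, tzinfo=timezone.utc), legal_retention_days=365),
]

if __name__ == "__main__":
    to_delete, to_keep = sweep(SAMPLE, NOW)
    print("delete:", to_delete)
    print("keep:", to_keep)
```

Every kept record carries a reason, which is what you want in the deletion log when a supervisory authority asks why a transcript outlived its default period.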

Full privacy policy and DPA template texts: /datenschutz and /avv.

Frequently asked questions

Is an AI phone assistant automatically GDPR-compliant?

No. Compliance comes from the setup: DPA, EU hosting (or DPA with non-EU providers), call disclosure, deletion policy, encryption, careful provider selection.

Do I have to tell callers it's an AI?

Yes — required under the EU AI Act's transparency obligation. Talura handles this automatically at the start of every call.

How long can I store recordings?

Audio 7–30 days typically, transcripts 30–365 days. Longer retention only where a legal obligation requires it.

Can I use US-based models for GDPR-covered calls?

Yes, with a DPA and EU data residency (OpenAI Enterprise, Anthropic, Google Gemini Frankfurt). For the most sensitive data, prefer EU-native providers.

What extra rules apply to healthcare providers, lawyers, and accountants?

Professional confidentiality obligations apply on top of GDPR. In Germany, § 203 StGB (German confidentiality law) makes unauthorized disclosure a criminal offense. Comparable rules exist across the EU. The AI must not provide professional advice — front-desk functions are permitted.

Do I need a Data Protection Officer (DPO)?

Not necessarily just because of AI telephony. Mandatory when processing special category data (healthcare) or when more than 20 people are regularly involved. If required, involve the DPO. For most SMBs, a well-maintained RoPA document is sufficient.

Further reading

AI Phone Assistant — full guide

Everything about how AI telephony works, what it costs, which industries benefit, and full setup workflow.

Talura Privacy Policy

Full privacy notice — processing purposes, retention periods, sub-processors, data subject rights.

DPA / AVV

Data Processing Agreement with Talura — generated automatically when you create an account.

Try it free, no commitment

100 free minutes — one-time. DPA generated automatically, hosted in Germany (Berlin), bring-your-own provider keys. No credit card, no subscription.
