Learn how to implement chatbots and voicebots in compliance with the GDPR and the EU AI Act by focusing on privacy by design, hosting in the EEA, and clear transparency requirements.

The guide helps companies build trust and competitive advantages in AI customer communications through technical and organizational measures (TOM) and a sound governance strategy.

GDPR-compliant chatbot or voicebot: Secure & Efficient

The implementation of intelligent chatbots and voicebots for digital customer communication is no longer a "nice-to-have," but a decisive competitive advantage. However, this also comes with responsibility.

In Germany and the EU in particular, the use of conversational AI is inextricably linked to the strict requirements of the General Data Protection Regulation (GDPR).

Many companies are hesitant to take the step toward AI solutions because the complexity of the legal situation often seems overwhelming. Added to this is the EU AI Act, which came into force in 2024 and introduced specific transparency and security requirements for AI systems, including chatbots and voicebots.

This article highlights the legal basis and shows you the crucial technical and organizational measures (TOM) you need to take.

GDPR-compliant chatbot solutions for maximum security

In most cases where chatbots or voicebots are used, personal data is inevitably collected. The GDPR imposes high requirements on companies in the EU in terms of transparency, purpose limitation, and the rights of data subjects.

A GDPR-compliant AI agent design should therefore follow the principle of "privacy by design." This principle states that data protection requirements are already integrated into the architecture of the systems and do not need to be added later.

Since many chatbot and voicebot solutions are now built on large language models (LLMs) operated by US-based providers, the lack of control over data processing and the often non-transparent use of data for training purposes is a major hurdle.

So while the SIP connection provides the audio connection, APIs (Application Programming Interfaces) are the data interfaces. The bot uses APIs to connect to your critical backend systems such as CRM or ERP in real time. For example, if a customer provides their customer number, the AI agent sends this to your CRM via API, authenticates the caller and can greet them personally.

The question of whether your telephone system is operated locally at your company (on-premise) or in the cloud influences the integration strategy.

A compliant solution must minimize this risk. Specifically, this means:

Legal basis and transparency
Before data collection begins, users must be clearly informed about which data will be processed and for what purpose. The privacy policy must be adapted accordingly to explain the use of AI in an understandable way, and an opt-in procedure can also be used to actively obtain the user's consent.

Ensure data subject rights
The rights to information, correction, and the so-called "right to be forgotten" must be technically easy to implement. A professional provider will provide mechanisms that allow you to quickly find all data collected about a user at any time and delete it completely and irrevocably upon request.

Data processing agreement (AVV)
If you use an external service provider, you must conclude a data processing agreement (German: AVV) in accordance with Art. 28 GDPR. This agreement regulates data protection responsibilities and ensures that the service provider follows your instructions regarding the handling of data and can demonstrate its own technical and organizational measures.

Observing these points minimizes the risk of fines and builds trust with your customers. When choosing your provider, compliance with these requirements should be a top priority.

Hosting in the EEA & Comprehensive IT security

For companies in Germany and the EU, the choice of hosting location is a critical success factor for GDPR-compliant AI agent operation. Many global providers use servers outside the EU or the European Economic Area.

In the context of the GDPR, this constitutes a so-called third-country transfer of personal data, which has become extremely difficult and risky since the "Schrems II" ruling and the requirements that followed from it.

Although the EU-U.S. Data Privacy Framework has brought relief, standard contractual clauses and additional technical safeguards (such as complex end-to-end encryption) often remain necessary, including the performance of a transfer impact assessment.

The simplest and safest solution to avoid such complex legal risks is to host your data in Germany or the EEA. German data centers are automatically subject to strict German data protection regulations and the GDPR. This ensures compliance with European data protection standards from the outset and eliminates the need for time-consuming verification of an adequate level of protection for transfers to third countries.

In addition, the technical and organizational measures (TOM) pursuant to Art. 32 GDPR are of crucial importance. They include all protective measures that must ensure an adequate level of protection. These include:

  • Encryption
  • Access control
  • Pseudonymization/anonymization
  • Recoverability

By combining hosting in the EEA with comprehensive, documented TOM, you lay the foundation for a GDPR-compliant chatbot or voicebot and offer a clear competitive advantage in terms of data sovereignty and trust.
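The data subject rights described above (find, export and irrevocably delete everything held about a user) and the TOM of pseudonymization and access control can be built into the bot's storage layer from the start. The following is an added illustration, not BOTfriends' code: a minimal transcript store that keys every record by a keyed-hash pseudonym instead of the raw customer number, refuses to record anything before opt-in, scrubs obvious identifiers from utterances, and implements access (Art. 15) and erasure (Art. 17) per pseudonym. The pepper value, the regex patterns and the `BotStore` class are constructed for the example.

```python
import hashlib, hmac, re, time
from dataclasses import dataclass, field

# Constructed server-side secret ("pepper"); in production load it from a secrets manager.
PEPPER = b"constructed-example-pepper"
# Simplified IBAN / e-mail patterns used to scrub obvious identifiers before storage.
_IBAN = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}\b")
_EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")

def pseudonym(customer_id: str) -> str:
    # Keyed hash: transcripts reference this token, never the raw customer number.
    return hmac.new(PEPPER, customer_id.encode(), hashlib.sha256).hexdigest()[:16]

def redact(text: str) -> str:
    # Data minimization: drop identifiers the bot does not need to retain.
    return _EMAIL.sub("[EMAIL]", _IBAN.sub("[IBAN]", text))

@dataclass
class BotStore:
    consent: dict = field(default_factory=dict)      # pseudonym -> opt-in timestamp
    transcripts: dict = field(default_factory=dict)  # pseudonym -> [(ts, redacted text)]
    audit: list = field(default_factory=list)        # pseudonym-only audit trail

    def opt_in(self, customer_id: str) -> None:
        p = pseudonym(customer_id)
        self.consent[p] = time.time()
        self.audit.append((p, "consent"))

    def record(self, customer_id: str, utterance: str) -> bool:
        # Store an utterance only after opt-in; the caller gets False otherwise.
        p = pseudonym(customer_id)
        if p not in self.consent:
            return False
        self.transcripts.setdefault(p, []).append((time.time(), redact(utterance)))
        return True

    def export(self, customer_id: str) -> dict:
        # Right of access (Art. 15): everything held under the user's pseudonym.
        p = pseudonym(customer_id)
        return {"consent": self.consent.get(p), "transcripts": list(self.transcripts.get(p, []))}

    def erase(self, customer_id: str) -> int:
        # Right to erasure (Art. 17): drop consent and transcripts; only the pseudonym stays in the audit log.
        p = pseudonym(customer_id)
        removed = len(self.transcripts.pop(p, []))
        self.consent.pop(p, None)
        self.audit.append((p, "erased"))
        return removed
```

Because the audit trail never holds the raw identifier or the utterance text, it can be retained for accountability after erasure without re-identifying the user.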

Transparent legal frameworks and the EU AI Regulation

In addition to the GDPR, companies that use AI-based chatbots or voicebots must also consider the requirements of the EU AI Act. This law takes a risk-based approach that divides AI systems into four categories: unacceptable risk (prohibited), high risk, limited risk, and minimal risk. Most standard AI agents fall into the limited risk category or, in certain sensitive use cases, into the high risk category.

For AI agents in customer service or for answering general FAQs that are classified as limited risk, the EU AI Act primarily stipulates transparency requirements for chatbots. The most important requirement here is to clearly inform users that they are interacting with an AI system and not with a human employee.

However, a chatbot or voicebot could fall into the high-risk category if, for example, it is used in sensitive areas (e.g., medical advice, credit checks, or applicant management), as it could potentially have a significant impact on users' fundamental rights and security.

Significantly stricter requirements apply to such high-risk chatbots:

  • Risk management system: Establishment and documentation of a comprehensive system for risk assessment and mitigation.
  • Data governance: Use high-quality, representative training data to minimize discrimination or bias.
  • Human oversight: Ensuring adequate opportunity for human monitoring and intervention.
  • Documentation and logging: Detailed records of the system's functionality, intended purpose, and performance.

Regardless of the exact classification, companies must act proactively and conduct a thorough risk assessment for each chatbot use case. Early implementation of transparency requirements and preparation for the stricter requirements for high-risk systems are crucial to ensuring compliance with the EU AI Act and operating in a legally compliant manner in the long term.

BOTfriends is your strategic partner for secure chatbots

BOTfriends supports you in designing your chatbot to be both GDPR-compliant and EU AI Act-compliant. With in-depth technological expertise and compliance knowledge, we combine the requirements of both regulations into a single governance strategy.

Gain a decisive competitive advantage through trust and compliance. Contact our experts now to develop a customized chatbot strategy for your company that complies with the GDPR and EU AI Act, and safely exploit the full potential of conversational AI.

Frequently asked questions

For enterprise companies in Germany, GDPR compliance is not only a legal obligation, but also a fundamental building block for customer trust and avoiding significant fines. Non-compliant AI agents can lead to legal risks and reputational damage. BOTfriends ensures that all data processing procedures comply with the strict requirements of the GDPR to comprehensively protect your company and strengthen your customers' trust.

BOTfriends implements an active opt-in procedure that ensures that users' consent is explicitly obtained before personal data is collected and processed. Before starting a conversation in which potentially personal data is exchanged, the user is informed transparently about data processing and asked for their consent. Consent is logged and users can easily revoke it at any time. This ensures complete transparency and user control, as required by the GDPR.

BOTfriends attaches great importance to data security and sovereignty. Therefore, all personal data processed by our AI agents is hosted exclusively on highly secure servers in Germany. This strict compliance with European data protection standards minimizes the risk of data transfers to third countries without an adequate level of data protection and ensures that your data is subject to strict German data protection laws at all times.

The right to be forgotten is a central component of the GDPR. Our solutions are designed to allow users to view, modify, or permanently delete their personal data and chat histories with just a few clicks. Administrators also have clear processes for completely and irrevocably deleting user data from the database in order to fully comply with the requirements of Article 17 of the GDPR and give your customers control over their data.

Yes, BOTfriends is fully compliant with the requirements of the EU AI Act. This includes ensuring transparency notices, conducting data protection impact assessments, and implementing governance processes. Our goal is to offer you a future-proof solution that meets not only current but also future legal requirements, giving you long-term planning security.