The 3 Categories of Data to Protect
1. Voice Biometric Data
The human voice is considered biometric data under GDPR (Article 9). Processing it requires explicit consent, distinct from the general consent to the call itself, and is permitted only for specific, stated purposes.
2. Conversational Content (PII)
Everything said during the call is personal data: identity, address, IBAN, health, financial situation. The transcription must be encrypted, access to it restricted, and its retention period minimized.
3. Metadata
Timestamp, duration, origin, behavior (hesitations, pauses), patterns. This data is also regulated, although it is often overlooked.
GDPR Checklist: What Your Provider Must Check
Consent
- ☐ Explicit Voice Consent at the beginning of the call, using a standardized phrase
- ☐ Recording of Consent stored separately from the rest of the conversation
- ☐ Immediate Right to Withdraw during the call, on simple request
- ☐ Information on the AI Nature of the interlocutor (algorithmic transparency, cf. the European AI Act)
Hosting and Location
- ☐ Servers exclusively in the European Union
- ☐ No transfer to sub-processors outside the EU without standard contractual clauses (SCCs)
- ☐ Physical address of data centers documented in the contract
- ☐ Anti-CLOUD Act Clauses if the provider has a US parent company
Encryption
- ☐ Encryption in Transit: TLS 1.3 minimum
- ☐ Encryption at Rest: AES-256
- ☐ Backup Encryption
- ☐ Key Rotation: documented procedure
Retention and Deletion
- ☐ Defined Retention Period according to purpose (generally 3 to 24 months)
- ☐ Automatic Deletion at the end of the period
- ☐ Right to be Forgotten accessible in self-service or upon request within 72 hours
- ☐ Data Portability in machine-readable format
Governance
- ☐ Designated DPO at the provider, directly contactable
- ☐ Updated and Auditable Processing Register
- ☐ Impact Assessment (DPIA) conducted and shared
- ☐ Data Breach Notification Procedure within 72 hours
The European AI Act: What Changes in 2025-2026
The European AI Regulation (AI Act), which came into effect in 2024, adds specific obligations for AI voice agents:
- Mandatory Transparency: the interlocutor must be informed that they are speaking to an AI
- Technical Documentation: "high-risk" systems (health, finance, HR) must provide detailed documentation
- Human Oversight: automatic decisions impacting rights must allow for human intervention
- Robustness Testing: systems must be tested against biases and errors
Non-compliance with the AI Act can result in fines of up to 35 million euros or 7% of global revenue, ceilings higher than those of GDPR.
Special Cases by Sector
Health
AI voice agents processing health data fall under Article 9 of GDPR and must be hosted on HDS-certified (Health Data Hosting) infrastructures in France.
Finance and Banking
Bank calls require complete logging for regulatory traceability (MiFID II, PSD2). The AI agent must support a complete export on request from the regulatory authority.
Debt Collection
Debt collection is particularly sensitive as it handles financial data of individuals in difficulty. Voice consent must be accompanied by written notification (email or letter). See our debt collection approach.
How Vocalis AI Ensures Compliance
Vocalis AI is designed from the outset to be GDPR and AI Act compliant:
- Exclusive hosting in Europe (France, Germany, Netherlands)
- AES-256 encryption at rest, TLS 1.3 in transit
- Voice consent recorded and timestamped separately from the conversation
- Dedicated DPO, contactable 24/7 for rights exercise requests
- Standard DPIA provided upon request
- Standard CNIL declaration made available
- Annual audit by an external firm
Need a GDPR-compliant AI voice agent for your business? Book a free audit and we will provide our compliance documentation during the meeting.