← Back to blog

Deploying a voice AI agent that talks to customers in the European Union involves specific legal obligations that many companies underestimate. Between the GDPR (applicable since May 2018), the European AI Act (in force since August 2024, with its obligations phased in between 2025 and 2027) and sector-specific rules (HDS certification for health data in France, DSP2/PSD2 for payments), the regulatory framework is dense. Understood properly, it becomes a competitive advantage: compliant companies earn their customers' trust.

The voice: personal data, and sometimes biometric data, under the GDPR

A human voice carries physiological characteristics (timbre, fundamental frequency, breathing pattern) that can be used to identify the speaker. A call recording is therefore always personal data. It becomes biometric data in the sense of Article 4(14) of the GDPR, and a special category under Article 9, when it is processed by specific technical means to uniquely identify a person, for example a voiceprint used to authenticate the caller. A recording kept for quality monitoring is not Article 9 data merely because it contains a voice, but the enhanced requirements apply as soon as voice identification is added, and the content of the conversation itself may reveal health or other sensitive information.

This means that you cannot simply record every call "to improve service quality" without a documented legal basis under Article 6. The realistic bases are: prior, freely given consent (not tacit consent inferred from the caller staying on the line), performance of a contract (where the recording is genuinely necessary for the service), or legitimate interest (provided the balancing test is documented and passed). Where the voice is used for biometric identification, Article 9 applies on top of Article 6, and in practice the caller's explicit consent (Article 9(2)(a)) is the only exception available; because that consent must be freely given, an alternative way of authenticating callers who refuse has to exist.

Practical compliance obligations

Prior information

Before any voice recording, the caller must be informed that the call may be recorded, for what purpose, how long the data will be kept, and how to exercise their rights (access, rectification, erasure, objection). The AI agent itself can deliver this information at the start of the call, as a short and clear message.

Recommended wording: "This call is handled by an AI assistant. To improve our services, this exchange may be recorded and kept for 12 months. You can object at any time, for example by telling me now, or later by contacting us. For more information: [URL of the privacy policy]."

Retention period

Voice recordings cannot be kept indefinitely. The retention period must be proportionate to the purpose and documented in your records of processing; typical benchmarks are 3 months for training agents, 12 months for dispute resolution, and up to 5 years in regulated sectors (banking, insurance) with a documented legal justification. Once the period has elapsed, the recording must be deleted or anonymized. A recording that is the subject of an open dispute or a regulator's request is placed on hold rather than silently deleted, and the hold itself is documented.
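The retention rule above is only useful if something enforces it. The following is an added example, not code from the original post or from Vocalis: a small retention sweep that maps each recording's purpose to a retention period, refuses regulated-sector retention that has no documented justification, suspends deletion while a legal hold is active, and distinguishes between outright deletion and anonymization. The purpose names, the day counts, the record layout and the sample recordings are all assumptions constructed for the example; real values come from your own records of processing.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical purpose -> retention period in days. The figures mirror the
# benchmarks discussed above; they are assumptions, not legal advice.
RETENTION_DAYS = {
    "agent_training": 90,
    "dispute_resolution": 365,
    "regulatory_archive": 5 * 365,
}

# Purposes whose retention is only lawful with a documented justification.
REGULATED_PURPOSES = {"regulatory_archive"}

# Purposes where an anonymized artefact (e.g. a transcript stripped of
# identifying data) may be kept after the audio itself is destroyed.
ANONYMIZE_INSTEAD_OF_DELETE = {"agent_training"}


@dataclass
class Recording:
    recording_id: str
    purpose: str
    recorded_at: datetime                 # timezone-aware
    legal_hold: bool = False              # open dispute or regulator request
    justification_ref: Optional[str] = None  # reference to the documented justification


def retention_deadline(rec: Recording) -> datetime:
    """Date after which the recording may no longer be kept as-is."""
    if rec.purpose not in RETENTION_DAYS:
        raise ValueError(f"{rec.recording_id}: unknown purpose {rec.purpose!r}")
    if rec.purpose in REGULATED_PURPOSES and not rec.justification_ref:
        raise ValueError(
            f"{rec.recording_id}: regulated retention without documented justification"
        )
    return rec.recorded_at + timedelta(days=RETENTION_DAYS[rec.purpose])


def decide(rec: Recording, now: datetime) -> str:
    """Return one of 'keep', 'hold', 'delete', 'anonymize' for a recording."""
    if now < retention_deadline(rec):
        return "keep"
    if rec.legal_hold:
        # Expired, but deletion is suspended: flag for review, never drop silently.
        return "hold"
    if rec.purpose in ANONYMIZE_INSTEAD_OF_DELETE:
        return "anonymize"
    return "delete"


def sweep(recordings, now: datetime) -> dict:
    """Decide an action for every recording; invalid records abort the sweep."""
    return {rec.recording_id: decide(rec, now) for rec in recordings}


def sample_sweep() -> dict:
    """Constructed sample data run against a fixed 'now' (not real call data)."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    recordings = [
        Recording("r1", "agent_training", datetime(2025, 4, 15, tzinfo=timezone.utc)),
        Recording("r2", "agent_training", datetime(2024, 12, 1, tzinfo=timezone.utc)),
        Recording("r3", "dispute_resolution", datetime(2024, 3, 1, tzinfo=timezone.utc),
                  legal_hold=True),
        Recording("r4", "dispute_resolution", datetime(2024, 3, 1, tzinfo=timezone.utc)),
        Recording("r5", "regulatory_archive", datetime(2019, 1, 1, tzinfo=timezone.utc),
                  justification_ref="DOC-42"),
    ]
    return sweep(recordings, now)


if __name__ == "__main__":
    for rid, action in sample_sweep().items():
        print(rid, action)
```

Run as a scheduled job, the sweep should write its decisions to an audit log before acting on them, so that a deletion can be traced back to the policy that triggered it. The ValueError on a regulated purpose without justification is deliberate: a recording whose retention cannot be justified should stop the job and be looked at, not be quietly kept for five years.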

Hosting: keep the data in Europe

The GDPR does not require data to be stored in the EU, but it restricts transfers of personal data about people in the EU to countries outside the EEA: the destination must be covered by an adequacy decision, or the transfer must rest on appropriate safeguards such as Standard Contractual Clauses, completed since the Schrems II ruling by a transfer impact assessment and supplementary measures where local law undermines the clauses. In practice this rules out providers that store recordings on servers in the United States without such guarantees; the EU-US Data Privacy Framework covers only certified US companies, and every subprocessor in the chain (speech-to-text, language model, storage) needs its own safeguard. Hosting in the EU, with the processor chain documented in the DPA, is the simplest way to stay clear of the problem.

Vocalis hosts all its data in France and Germany (AWS Paris, OVHcloud Strasbourg), with ISO 27001 certification and documented GDPR compliance in the DPAs (Data Processing Agreements) provided to each client.

The AI Act: new obligations phased in from 2025

The European regulation on artificial intelligence (AI Act) entered into force on 1 August 2024 and applies in stages: the prohibited practices since February 2025, the rules for general-purpose AI models since August 2025, and the transparency obligations for AI systems that interact with natural persons (Article 50), which cover a voice agent, from August 2026. For such systems it introduces specific obligations:

Sectors with specific constraints

The health sector requires that any health data collected or processed via a voice agent be hosted by a provider holding HDS certification (Hébergeur de Données de Santé). The voice data of a patient calling to book an appointment does not necessarily contain health data, but as soon as the conversation touches on a pathology, a treatment or a prescription, the recording falls within the HDS scope and every provider that stores the audio or its transcript must be certified accordingly.

The banking and insurance sectors must comply with the prudential archiving requirements of the ACPR: contractual evidence (including the recording of consent) is kept for the duration of the contract plus 5 years. Voice identity verification systems, which process biometric data in the Article 9 sense, must be documented and auditable.

"GDPR compliance is not a barrier to deploying voice AI — it is a framework that forces the construction of more robust and trustworthy systems." — DPO, French financial services group

GDPR compliance checklist for your voice AI deployment