GDPR and AI Calling: The Complete Guide for 2026
63% of companies never respond to inbound leads at all. Of those that do, the average response time is 47 hours. AI voice agents solve this — but only if you deploy them legally. Here is the definitive guide to running AI calling campaigns under GDPR, the EU AI Act, and the major national frameworks that govern outbound voice across 12 key markets.

GDPR Fundamentals for Voice Outreach
The General Data Protection Regulation (Regulation EU 2016/679) does not mention AI calling. It does not need to. GDPR governs any processing of personal data, and making a phone call to a named contact involves processing their name, phone number, and — during the call — the content of the conversation itself.
For B2B outbound teams, GDPR creates two primary obligations: you need a legal basis for processing the contact's data, and you need to respect their rights (including the right to object).
Legal Basis: Consent vs. Legitimate Interest
GDPR Article 6 lists six lawful bases for processing personal data. For B2B outbound voice, two are relevant:
Consent (Article 6(1)(a)): The contact has explicitly agreed to be contacted. This is the gold standard legally, but impractical for cold outreach — you cannot get consent from someone you have not yet contacted.
Legitimate Interest (Article 6(1)(f)): You have a genuine business reason to contact the person, that reason is not overridden by their privacy rights, and you can document why. GDPR Recital 47 explicitly states that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."
In practice, most B2B cold outreach relies on legitimate interest. This is legal, but it comes with conditions:
- Relevance: You must have a genuine reason to believe the person would be interested. Calling a CFO about accounting software is legitimate. Calling a random number about the same product is not.
- Balance test: Your interest in marketing must not override the person's right to privacy. Publicly available contact details (company website, LinkedIn) suggest a lower privacy expectation than a private mobile number.
- Opt-out: The person's desire not to be contacted overrides your legitimate interest. Always. No exceptions.
- Documentation: You must conduct and record a Legitimate Interest Assessment (LIA) before launching a campaign. If a regulator asks why you called someone, "we thought they'd be interested" is not enough. A documented LIA is.
The ePrivacy Layer
GDPR is not the only EU regulation governing calls. The Privacy and Electronic Communications Directive (ePrivacy Directive, 2002/58/EC) adds country-specific rules on top of GDPR. Each EU member state implements the directive differently, which is why calling rules vary significantly between Germany and Spain.
The key principle: GDPR governs the data, and ePrivacy governs the communication channel. You need compliance with both.
Country-by-Country Compliance Matrix
Rules for AI voice outreach vary dramatically by jurisdiction. The tables below cover the 12 markets most relevant for B2B companies operating from Europe.
European Union
| Country | B2B Cold Calling | DNC Registry | AI Disclosure Required | Key Regulation |
|---|---|---|---|---|
| Germany | Allowed with "presumed consent" (UWG §7) — must have genuine business reason | Deutsche Robinsonliste (voluntary) | Yes, from August 2026 (EU AI Act) | UWG §7, BDSG, DSGVO |
| France | Allowed B2B; B2C requires consent | Bloctel (mandatory check) | Yes, from August 2026 | Code de la consommation, RGPD |
| Italy | Allowed B2B with legitimate interest | Registro delle Opposizioni (mandatory check since 2022) | Yes, from August 2026 | Codice Privacy, GDPR |
| Spain | Allowed B2B; B2C requires consent | Lista Robinson (voluntary, but widely checked) | Yes, from August 2026 | LSSI, LOPDGDD |
| Netherlands | Allowed B2B | Bel-me-niet Register | Yes, from August 2026 | Telecommunicatiewet |
Non-EU Markets
| Country | B2B Cold Calling | DNC Registry | AI Disclosure Required | Key Regulation |
|---|---|---|---|---|
| United Kingdom | Allowed B2B; screen against CTPS | CTPS (Corporate TPS) + TPS (consumer) | Not yet mandated (under review) | PECR, UK GDPR, ICO guidance |
| United States | Allowed B2B; TCPA governs B2C | National Do Not Call Registry (FTC) | AI-generated voices fall under TCPA since Feb 2024 | TCPA, FCC ruling 2024 |
| Canada | Allowed B2B with conditions | National DNCL (mandatory) | Not yet mandated | CASL, CRTC regulations |
| Australia | Allowed B2B | Australian Do Not Call Register | Not yet mandated | Spam Act, Do Not Call Register Act |
| Brazil | Allowed B2B with legitimate interest | Procon DNC lists (state-level) | Not yet mandated | LGPD |
| India | Allowed B2B; heavy restrictions on timing | NDNC Registry (mandatory) | Not yet mandated | TRAI regulations, IT Act |
| UAE | Allowed B2B with prior relationship | TRA DNC list | Not yet mandated | Federal Decree-Law on Data Protection |
The critical takeaway: B2B voice outreach is legal in every major market, but the conditions vary. DNC registry screening is mandatory in most countries. AI disclosure is currently mandated only by the EU AI Act (effective August 2026) and the US FCC ruling (effective 2024), but the trend is global.
The EU AI Act Overlay
Starting August 2, 2026, the EU AI Act adds a new obligation on top of GDPR: AI disclosure. Article 50(1) requires that people interacting with an AI system must be informed of that fact.
For AI voice agents, this means every call to an EU contact must begin with a statement informing the person that they are speaking with an AI. The disclosure must be clear and delivered before the commercial message.
The penalties for non-compliance are significant: up to €15 million or 3% of worldwide annual turnover, whichever is higher.
Importantly, this obligation applies regardless of where your company is located. If your AI agent calls someone in the EU, the EU AI Act applies.
For a detailed analysis of Article 50, penalties, and the full implementation timeline, see: EU AI Act and Voice Agents: What Changes in August 2026.
DNC Registries: The Non-Negotiable Check
Every country with a Do Not Call registry makes screening mandatory. Calling a registered number is not just poor practice — it is illegal, with penalties that can reach six figures per incident in some jurisdictions.
The operational challenge for AI campaigns is scale. When you are calling 500 contacts a day across multiple countries, manual DNC checking is impossible. You need automated screening against every relevant registry before each call is placed.
Key registries to screen against:
- Italy: Registro delle Opposizioni — expanded in 2022 to cover all marketing calls to Italian numbers, including mobile. Mandatory check.
- Germany: Deutsche Robinsonliste — voluntary opt-out, but widely used and expected by regulators.
- UK: TPS (consumers) and CTPS (businesses) — mandatory screening under PECR.
- US: National Do Not Call Registry — mandatory for telemarketing. B2B calls are largely exempt, but state-level rules vary.
- Australia: Do Not Call Register — mandatory check, renewed every 30 days.
- India: NDNC Registry — heavily enforced, with strict time-of-day restrictions (9 AM to 9 PM local time only).
- Canada: National DNCL — mandatory screening; violations carry fines up to CAD $15,000 per call.
The practical rule: if a country has a DNC registry, screen against it before every campaign. No exceptions. Automated screening is the baseline requirement, not an optimisation.
Consent Management for AI Campaigns
Even with legitimate interest as your legal basis, consent plays a role in AI calling compliance. There are three types of consent to manage:
1. Data Processing Consent (GDPR)
If you are using consent rather than legitimate interest as your legal basis, you need explicit, informed, specific, and freely given consent before the call. This typically applies to:
- B2C outreach in most EU countries
- Any outreach to personal (non-business) phone numbers
- Campaigns where the contact's professional relevance is unclear
Consent must be documented and easily withdrawable. Double opt-in is recommended but not legally required for voice outreach.
2. Call Recording Consent
If you record calls — and most AI voice platforms do, for quality and transcript purposes — you may need additional consent depending on jurisdiction:
- One-party consent (US federal, UK): Only one party (your company) needs to know the call is recorded.
- Two-party consent (Germany, most EU countries): Both parties must be informed. Your AI agent should state "This call may be recorded for quality purposes" at the start.
For AI voice agents, recording notice is typically bundled with the AI disclosure statement: "I am an AI assistant calling on behalf of [Company]. This call may be recorded."
3. AI Interaction Disclosure (Not Consent)
From August 2026, the EU AI Act requires notification that the person is interacting with AI — but not consent. The person must be informed; they do not need to agree for the call to proceed lawfully. However, if they ask to speak to a human, offering a transfer or callback is both best practice and increasingly expected by regulators under human oversight provisions.
Data Handling Requirements
GDPR imposes strict requirements on how you handle personal data throughout an AI calling campaign.
Data minimisation: Collect and process only the data you need. For lead qualification, you need name, phone number, company, and role. You do not need date of birth, home address, or social media history.
Storage limitation: Define and document retention periods before launching. A common approach: retain data for the campaign duration plus 12 months. Delete or anonymise after that unless there is an ongoing documented legitimate interest.
Right to erasure: When someone asks you to delete their data, comply within 30 days. Your AI calling platform must support deletion of call records, transcripts, and contact data on request.
Right to object: Anyone can object to direct marketing at any time. When they do, processing must stop immediately. Real-time suppression is required: if a person objects during a call, their number must be added to your internal DNC list before the next call in the campaign goes out.
Data Processing Agreements: If your AI voice platform is a third-party service, you need a Data Processing Agreement (DPA) in place. This document defines the platform's obligations as a data processor — data security, sub-processor management, breach notification timelines, and data deletion on contract termination.
Pre-Launch Compliance Checklist
Before launching any AI voice campaign in a GDPR-regulated market, verify the following:
- Legal basis documented. Legitimate Interest Assessment completed and filed. If using consent, opt-in records verified.
- DNC screening completed. All contact numbers screened against the relevant national registry. Screening logged with timestamp.
- AI disclosure configured. Agent script opens with a clear statement that the caller is an AI. Language matches the language of the call.
- Recording notice included. If calls are recorded, the agent informs the person at the start.
- Opt-out mechanism working. If a person asks not to be called, the system flags the contact and suppresses future calls immediately.
- Privacy notice updated. Your company's privacy notice references AI voice outreach. URL or verbal reference available if requested during the call.
- Data Processing Agreement in place. DPA signed with your AI voice platform provider.
- Calling hours configured. Campaign restricted to legal calling windows for each destination country.
- Team briefed. Everyone managing campaigns understands GDPR basics, AI Act disclosure requirements, and the opt-out process.
How Agoralia Handles Compliance
Agoralia's compliance engine automates the most error-prone parts of this process. DNC screening, AI disclosure injection, calling-hour restrictions, and sanctioned-country blocking are handled automatically for every campaign, based on the destination country. The compliance database covers 200+ jurisdictions and updates as regulations change — you do not need to track legislative developments across 30 markets yourself.
The Compliance Advantage
Compliance is not a cost centre. It is a trust signal.
When your AI agent opens with "I am an AI assistant calling on behalf of [Company]," two things happen simultaneously: you satisfy the law, and you signal to the prospect that your company operates transparently. In a market where AI scepticism is growing and regulatory scrutiny is increasing, that transparency is a competitive advantage.
The companies that treat compliance as table stakes — rather than a reluctant afterthought — will build stronger prospect relationships and avoid the regulatory exposure that will intensify after August 2026.
Sources: Regulation (EU) 2016/679 (GDPR), Articles 6, 13, 17, 21 and Recital 47 (GDPR.eu); Regulation (EU) 2024/1689 (EU AI Act), Article 50 (EUR-Lex); ePrivacy Directive 2002/58/EC; FCC Declaratory Ruling on AI-Generated Voices in Robocalls, February 2024 (FCC); TRAI Telecom Commercial Communications Customer Preference Regulations.