May 29, 2026

AI Voice Agent and GDPR: The DPO Checklist Before Deployment

AI voice agents are no longer pilot projects. They are in production across organisations, handling dozens or hundreds of calls a day. And IT, legal, and DPO teams are starting to ask the right questions, often too late, once the deployment is already signed off.

What an AI voice agent processes is nothing like a web form or an email campaign. Voice is a particular type of data. It can be biometric. It is recorded in real time. It flows through third-party components. It is sometimes pushed into a CRM with no documentation of how that happens.

This article is not a GDPR primer. If you are looking for what the law says about call recording in general, or about sales automation and compliance, those topics are covered elsewhere.

This article is an operational checklist for DPOs, CISOs, and IT leadership: the 7 points to validate before an AI voice agent goes into production in your organisation, and what Un1ty delivers concretely on each of them.

Why AI voice agents deserve specific regulatory attention

Most sales automation tools process text data: emails, forms, CRM records. An AI voice agent does something fundamentally different: it processes human voice in real time.

This difference has direct regulatory implications that general compliance frameworks do not always cover.

Voice can be biometric data. This is the most underestimated point in AI voice agent deployments. As soon as a system processes voice to identify or authenticate an individual, as some voice agents do via voice recognition to retrieve a customer file, that voice falls under the special category of biometric data under Article 9 of the GDPR. The protection regime is reinforced, the legal basis is more restrictive, and processing is in principle prohibited except within limited exceptions.

Even without active voice recognition, a system that retains raw recordings long enough to enable later identification may attract this regime. The boundary is not always obvious and it requires explicit analysis.

An AI voice agent generates several simultaneous data flows. In a single interaction, it produces an audio recording, a text transcription, a structured summary, call metadata, and potentially an automatic CRM entry. Each flow has its own requirements for legal basis, retention period, and data location. Treating these flows as a single homogeneous block is a common compliance error.

The subprocessing chain is rarely transparent. Speech recognition engine, transcription service, language model, hosting infrastructure: each component is a processor under Article 28 of the GDPR. The organisation deploying the voice agent is the data controller and it is accountable for the failures of each of its processors.

The 7-point DPO checklist

1. Has the qualification of voice data been documented?

Before any deployment, your DPO must explicitly answer this question: will the voice agent be used to identify or authenticate callers from their voice?

If yes, even partially, the biometric data classification applies. This requires identifying a legal basis among the exceptions under Article 9(2) of the GDPR, in practice explicit consent or a legal obligation, documenting this qualification in the data processing register, and conducting a DPIA (see point 3).

If no, voice remains ordinary personal data subject to the general GDPR regime. But this conclusion must be formally documented, not assumed.

What Un1ty documents for you: Un1ty provides its clients with documentation of the voice agent's processing flows, specifying for each flow the nature of the data processed and the applicable qualification. This documentation is designed to be directly integrated into your organisation's data processing register.

2. Has the legal basis for each data flow been identified?

An AI voice agent generates at least four distinct flows: the audio recording, the transcription, the summary or structured data, and call metadata. Each can legitimately rest on a different legal basis.

Recording for training purposes may rest on legitimate interest. Retention for evidential purposes may rest on a legal obligation. AI-based behavioural analysis used to score callers may require explicit consent if it produces significant effects on individuals.

The list of legal bases must appear in the processing register, flow by flow. A blanket treatment under "legitimate interest" is not sufficient.

What Un1ty provides: The configuration of Un1ty's AI voice agent explicitly distinguishes each data flow and allows your DPO to set the purposes and legal bases associated with each, rather than grouping them under a single category.

3. Has a DPIA been conducted?

Article 35 of the GDPR requires a Data Protection Impact Assessment for any processing likely to result in a high risk to the rights and freedoms of individuals.

Large-scale processing of voice data by an automated system falls within this category. The CNIL in France, like other European authorities, has published lists of processing activities that require a DPIA. Automated behavioural analysis systems are consistently included.

Deploying an AI voice agent without a prior DPIA means taking a documented compliance risk. The DPIA is not a formality: it is the document that forces the organisation to articulate risks, compensatory measures, and trade-off decisions before the system is in production.

What Un1ty makes available: Un1ty provides its clients with the technical elements needed to conduct the DPIA, including a precise description of the processing carried out, the security measures in place, and the list of subprocessors involved. These elements significantly reduce the time required to complete the impact assessment on the client side.

4. Is caller information natively integrated into the interaction flow?

The ePrivacy Directive and the GDPR jointly require that callers be informed that their voice is being processed by an automated system, before any voice processing takes place. This information must specify the nature of the processing, its purpose, and the data subjects' rights.

The critical operational point: this information cannot be a manually activated option. It must be built into the voice agent flow, triggered systematically on every call, and configured by the organisation, not by the sales rep or supervisor.

An operator that does not offer this native configuration forces its clients to manage compliance manually, which is both risky and unscalable.

What Un1ty integrates natively: Un1ty's AI voice agent includes a configurable information message triggered automatically at the start of every call, before any voice processing takes place. The message content is customisable by the client organisation, and its triggering is systematic, without depending on any human action.

5. Is data hosted in Europe, without ungoverned transfers?

Voice data and transcriptions must be hosted on infrastructure located within the European Union. Any transfer to a third country, whether the United States, India, or any other country outside the EEA, must be governed by compliant mechanisms: standard contractual clauses, binding corporate rules, or an adequacy decision.

The common problem: organisations validate that the main platform is hosted in Europe, without checking where third-party components are hosted, particularly transcription or language engines. A transcription component that sends audio data to a US service without proper documentation is enough to create a non-compliance issue across the entire deployment.

What Un1ty guarantees: Un1ty is a B2B telecom operator whose infrastructure is hosted in Europe. Voice data, transcriptions, and call metadata processed by the AI voice agent remain on European servers. Un1ty can provide this guarantee contractually, allowing your legal teams to integrate it directly into your GDPR commitments towards your own clients and regulators.

6. Are retention periods defined and automatically enforced?

One of the most frequent failures in AI voice agent deployments is not technical: it is the absence of a retention policy. Recordings accumulate indefinitely because no deletion rule was defined and no one monitors enforcement.

Your DPO must validate three points: is a retention period defined for each flow (recording, transcription, summary, metadata)? Is it documented in the processing register? Is it automatically enforced by the system, without manual intervention?

What the Un1ty platform enables: The Un1ty platform incorporates configurable retention rules by flow type and by purpose. Once set by the administrator, these rules apply automatically without human intervention. Recordings and transcriptions are deleted at the expiry of the defined period, with traceability available for audits. For more on what call recording enables beyond compliance, our article on the 5 key advantages of call recording covers the operational benefits for your teams.
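As an added illustration of point 6 (this is not code from the article or from Un1ty's platform), the following Python sketch evaluates each stored flow of a call against a per-flow, per-purpose retention rule and produces the audit record that evidences enforcement. The flow names follow the article; the retention periods, purposes and identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention rule per (flow, purpose); periods are constructed for this example.
RETENTION = {
    ("recording", "training"): timedelta(days=90),
    ("recording", "evidence"): timedelta(days=365),
    ("transcription", "training"): timedelta(days=90),
    ("summary", "crm"): timedelta(days=730),
    ("metadata", "billing"): timedelta(days=3650),
}

@dataclass(frozen=True)
class Artifact:
    artifact_id: str
    call_id: str
    flow: str        # recording | transcription | summary | metadata
    purpose: str
    created_at: datetime

def enforce_retention(artifacts, now):
    """Evaluate stored artifacts against the per-flow rules at time `now`.
    Returns (decisions, audit): decisions maps artifact id to 'delete',
    'retain' or 'no_policy'; audit holds the records a deletion job keeps
    as evidence. A pair with no documented rule is flagged, not guessed."""
    decisions, audit = {}, []
    for a in artifacts:
        period = RETENTION.get((a.flow, a.purpose))
        if period is None:
            verdict, expires = "no_policy", None
        else:
            expires = a.created_at + period
            verdict = "delete" if now >= expires else "retain"
        decisions[a.artifact_id] = verdict
        audit.append({"artifact_id": a.artifact_id, "call_id": a.call_id,
                      "flow": a.flow, "purpose": a.purpose, "action": verdict,
                      "expires_at": expires.isoformat() if expires else None,
                      "checked_at": now.isoformat()})
    return decisions, audit

# Constructed sample: one call's four flows plus a recording with no rule.
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
AGE = timedelta(days=91)
SAMPLE = [
    Artifact("rec-1", "call-42", "recording", "training", NOW - AGE),
    Artifact("tr-1", "call-42", "transcription", "training", NOW - AGE),
    Artifact("sum-1", "call-42", "summary", "crm", NOW - AGE),
    Artifact("meta-1", "call-42", "metadata", "billing", NOW - AGE),
    Artifact("rec-2", "call-43", "recording", "scoring", NOW - timedelta(days=5)),
]
```

The `no_policy` verdict is the case a DPO review should catch: a flow that exists in the system but has no rule in the register.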

7. Do subprocessing agreements cover the entire chain?

Every third-party component involved in voice data processing, whether the ASR engine, transcription service, LLM, or cloud infrastructure, must be covered by an agreement compliant with Article 28 of the GDPR. This agreement must define the subject matter and duration of processing, the nature and purpose of the data, the obligations and rights of the data controller, and the security measures in place.

What Un1ty provides: Un1ty makes available to its clients the complete list of subprocessors involved in voice data processing, along with the corresponding Article 28-compliant subprocessing agreements. This documentation is available before contract signature, not only on request after deployment.

What this checklist reveals about choosing an operator

These seven points are not bureaucratic obstacles. They are concrete operational questions that quickly reveal whether an operator has built compliance in as a design constraint, or added it as an afterthought.

An operator that offers an AI voice agent with European hosting, native caller information, configurable retention policies, and complete subprocessor documentation is not more constraining than another. It is simply able to support its clients' compliance, which the other cannot.

This is the choice Un1ty made from the outset when designing its AI voice agent: a sovereign B2B telecom infrastructure, data hosted in Europe, complete transparency on processing flows, and configuration tools that allow each organisation to define its own retention and information rules. Not because it is a commercial obligation, but because an operator that cannot answer these seven questions is not one you can rely on for sensitive deployments.

For more on the implications of AI in commercial tools, our article on 5 essential AI features for sales team efficiency covers concrete use cases on the performance side.

Conclusion

Deploying an AI voice agent without working through this checklist means exposing your organisation to avoidable regulatory risk. More importantly, it means discovering problems after the system is in production, when fixes cost ten times more.

The good news: these seven points can be verified in a matter of days. A structured conversation with your operator, a review of your processing register, and a targeted DPIA are enough to secure the deployment. Compliance work on an AI voice agent is not disproportionate, as long as it happens before, not after.

If you would like to evaluate how Un1ty's AI voice agent meets these requirements in your specific context, contact our team for a technical conversation with our compliance specialists.
