When a business in the Netherlands, Belgium, or Germany deploys an AI voice agent, two regulatory frameworks immediately apply: the General Data Protection Regulation (GDPR) and, since August 2024, the EU AI Act. Getting this wrong is not just a legal risk — it erodes the trust of the very customers you are trying to serve.
This post explains exactly how GREYDOLL approaches compliance, and what that means for you as a business operator.
GDPR: The Basics Have Not Changed
GDPR principles that apply to AI voice calls:
Lawful basis for processing. Every call recording or transcript is personal data. You need a lawful basis to process it — typically legitimate interest (handling a booking request) or consent (for marketing calls). GREYDOLL's agents are configured for service-based interactions, which fall under legitimate interest in most cases.
Data minimisation. GREYDOLL agents collect only the data needed to complete the interaction: name, contact number, booking details, preferences. They do not infer sensitive categories of data (health, ethnicity, beliefs) and are not designed to do so.
Retention limits. Call transcripts are retained for the period specified in your data processing agreement — typically 90 days for operational purposes — and then deleted. You can configure shorter retention if your policy requires it.
Data subject rights. If a guest contacts you to access, correct, or delete their data, GREYDOLL provides the tools to fulfil that request within the 30-day GDPR deadline.
The EU AI Act: What Changed in 2025
The EU AI Act classifies AI systems by risk. Voice agents that handle customer service calls are categorised as limited-risk systems under Article 50, which means they carry specific transparency obligations:
Disclosure. Users must be informed they are interacting with an AI, not a human. GREYDOLL agents identify themselves at the start of every call: "Hello, I'm GREYDOLL, an AI assistant for [Business Name]." This disclosure is mandatory and cannot be disabled.
No emotion inference. The AI Act restricts AI systems that infer emotional states in sensitive contexts. GREYDOLL agents do not assess or record caller sentiment beyond what is needed to route complex calls to a human.
No biometric categorisation. GREYDOLL does not use voice characteristics to infer gender, age, health, or any protected attribute.
Data Residency
All GREYDOLL infrastructure operates within the European Union. Call data, transcripts, and customer records are processed and stored on EU-based servers, with no transfer to third countries outside an adequacy decision or appropriate safeguard.
This matters because it is a common weakness in US-headquartered AI platforms: data flows to servers in the United States under terms that may not satisfy EU transfer rules. GREYDOLL is designed from the ground up for the European market.
What You Are Responsible For
GREYDOLL acts as a data processor on your behalf — you remain the data controller. This means:
- You are responsible for including AI-assisted call handling in your privacy policy
- You are responsible for ensuring your own marketing practices have a lawful basis
- You determine how long data is retained (subject to the minimum/maximum limits in your DPA with GREYDOLL)
We provide a standard Data Processing Agreement (DPA) with every Business plan subscription. It covers the Article 28 GDPR requirements for processor contracts.
Practical Steps Before You Go Live
- Update your privacy policy to reflect that calls may be handled or recorded by an AI system
- Sign the GREYDOLL DPA (included with Business plan onboarding)
- Configure retention to match your internal data policy
- Brief your team so they can answer customer questions about the AI agent
None of this is complex, and our onboarding team walks through each point during setup.
The Bottom Line
Compliance is not a reason to delay adopting voice AI — it is a reason to choose a provider that has done the work. GREYDOLL was built for the European regulatory environment: transparent by design, data-minimal by default, and fully documented for your legal team.
Questions about compliance? Contact us directly or book a call with our team.