Compliance · 6 min · March 10, 2026

GDPR-Compliant AI Agent: What You Need to Know

Data protection requirements for AI agents in the EU. Consent, data processing, hosting location, and practical compliance checklist.

Why GDPR Matters for AI Agents

If your business operates in the EU or serves EU customers, the General Data Protection Regulation (GDPR) applies to every piece of customer data you collect — including conversations with an AI agent.

An AI agent on your website collects personal data by nature: names, email addresses, phone numbers, and sometimes sensitive details like health concerns or legal issues. If this data is processed incorrectly, you face fines of up to 20 million EUR or 4% of annual global revenue — whichever is higher.

The good news: GDPR compliance for AI agents is straightforward if you choose the right platform and follow a few key principles.

The 5 Key GDPR Requirements for AI Agents

1. Lawful Basis for Processing

You need a legal reason to process customer data. For AI agents, the most common basis is legitimate interest (the customer initiated the conversation and expects a response) or consent (the customer explicitly agrees before the chat starts).

Best practice: display a brief notice before the chat begins — "By using this chat, you agree to our privacy policy" — with a link to your full privacy policy.

2. Data Minimization

Only collect what you actually need. If your agent books appointments, it needs a name and contact method. It does not need a home address, date of birth, or social media profiles. Configure your agent to ask only for essential information.

3. Transparency

Customers must know they are talking to an AI, not a human. Your agent's greeting should make this clear: "Hi, I'm the AI assistant for [Business Name]." Additionally, customers should know what data you collect and how it's used.

4. Data Storage and Hosting Location

Customer data must be stored within the EU or in countries with an adequate level of data protection. This is the most critical — and most commonly violated — requirement. Many AI platforms route data through US servers, which creates compliance issues.

Always verify: Where are the platform's servers located? Is the LLM API call routed through EU infrastructure? Where are conversation logs stored?

5. Right to Erasure

Customers can request that their data be deleted. Your AI agent platform must support this — either through an admin dashboard where you can delete individual conversations, or through an automated process.

Where Most Businesses Fail

The most common GDPR violations with AI agents aren't intentional — they come from choosing the wrong platform without checking the details:

  • US-hosted LLM calls — your agent sends customer messages to a US server for processing. Even if your website is EU-hosted, the AI processing happens outside the EU. This is a data transfer violation
  • No Data Processing Agreement (DPA) — GDPR requires a signed DPA between you and any third party processing customer data on your behalf. If your AI platform doesn't offer a DPA, you're non-compliant
  • Indefinite data retention — storing conversation logs forever without a defined retention period violates data minimization principles. Set a retention policy (e.g., 90 days) and auto-delete old conversations
  • No cookie consent for the widget — if the chat widget uses cookies or tracking, it falls under the ePrivacy Directive. Make sure your cookie consent banner covers the chat widget
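The retention and erasure points above (a defined retention period with automatic deletion, and the ability to delete an individual customer's conversations on request, together with the data-minimization rule of persisting only a name and a contact method) are easy to state and easy to get wrong in practice. The following is an added example, not code from this page or from Botkontor, that shows what enforcing all three looks like in a small conversation store. The class, field names, the 90-day period and the sample conversations are constructed for illustration; a real deployment would apply the same logic to its database rather than an in-memory dict.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Data minimization: the only contact fields the agent is allowed to persist.
# Anything else the customer volunteers (address, date of birth, ...) is dropped
# before the record is written. (Constructed allowlist for this example.)
ALLOWED_CONTACT_FIELDS = {"name", "email", "phone"}

# Retention period after which conversations are purged automatically.
RETENTION_DAYS = 90


@dataclass
class Conversation:
    conversation_id: str
    subject_email: str      # identifier used to honour an erasure request
    started_at: datetime    # timezone-aware UTC timestamp
    contact: dict           # contact details collected during the chat
    messages: list          # transcript lines (constructed, not shown here)


class ConversationStore:
    """In-memory stand-in for the platform's conversation database (example only)."""

    def __init__(self, retention_days=RETENTION_DAYS):
        self.retention = timedelta(days=retention_days)
        self._rows = {}
        # Audit trail of deletions: (reason, conversation_id, timestamp).
        # It records ids only, never the erased content, so it cannot itself
        # become a copy of the personal data that was just deleted.
        self.audit_log = []

    def save(self, conv):
        """Persist a conversation, stripping non-allowlisted contact fields.

        Returns the sorted list of field names that were dropped."""
        dropped = sorted(set(conv.contact) - ALLOWED_CONTACT_FIELDS)
        conv.contact = {k: v for k, v in conv.contact.items()
                        if k in ALLOWED_CONTACT_FIELDS}
        self._rows[conv.conversation_id] = conv
        return dropped

    def purge_expired(self, now):
        """Retention policy: delete every conversation older than the retention
        window. Meant to run on a schedule. Returns the purged ids."""
        cutoff = now - self.retention
        expired = [cid for cid, c in self._rows.items() if c.started_at < cutoff]
        for cid in expired:
            del self._rows[cid]
            self.audit_log.append(("retention_purge", cid, now.isoformat()))
        return expired

    def erase_subject(self, email, now):
        """Right to erasure: delete all conversations belonging to one data
        subject, matched case-insensitively on e-mail. Returns the count."""
        matched = [cid for cid, c in self._rows.items()
                   if c.subject_email.lower() == email.strip().lower()]
        for cid in matched:
            del self._rows[cid]
            self.audit_log.append(("erasure_request", cid, now.isoformat()))
        return len(matched)

    def count(self):
        return len(self._rows)


def sample_store(now):
    """Build a store with four constructed conversations for demonstration."""
    store = ConversationStore()
    day = timedelta(days=1)
    store.save(Conversation("c1", "anna@example.com", now - 120 * day,
                            {"name": "Anna", "email": "anna@example.com",
                             "date_of_birth": "1990-01-01"}, ["..."]))
    store.save(Conversation("c2", "anna@example.com", now - 10 * day,
                            {"name": "Anna", "email": "anna@example.com"}, ["..."]))
    store.save(Conversation("c3", "ben@example.com", now - 30 * day,
                            {"name": "Ben", "phone": "+49 000 000"}, ["..."]))
    store.save(Conversation("c4", "ben@example.com", now - 91 * day,
                            {"name": "Ben", "home_address": "dropped"}, ["..."]))
    return store


if __name__ == "__main__":
    now = datetime(2026, 3, 10, tzinfo=timezone.utc)
    store = sample_store(now)
    print("purged by retention:", store.purge_expired(now))      # c1 and c4
    print("erased on request:", store.erase_subject("Anna@Example.com", now))
    print("remaining:", store.count(), "audit entries:", len(store.audit_log))
```

Two design points worth copying into a real system: the retention sweep keys on the conversation's own start time rather than on when the purge last ran, so a missed scheduled run does not extend retention; and the deletion audit log deliberately stores identifiers and timestamps only, which lets you prove to a customer (or a supervisory authority) that an erasure happened without re-creating the data you erased.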

EU Hosting: Why It Matters More Than You Think

Since the Schrems II ruling invalidated the EU-US Privacy Shield, transferring personal data to the US requires additional safeguards (Standard Contractual Clauses + supplementary measures). For small businesses, this is complex and risky.

The simplest solution: choose an AI agent platform that hosts everything in the EU. This means:

  • Application servers in EU data centers
  • Database storage in the EU
  • LLM inference (the AI processing) on EU-located infrastructure
  • No data transfer to third countries during any part of the process

Not all platforms can guarantee this. Some use OpenAI's US-based API, then store the results in EU databases. That's still a data transfer to the US during processing — and it's still a compliance risk.

Practical GDPR Compliance Checklist

Use this checklist when evaluating an AI agent platform for your business:

  • EU hosting confirmed — servers, database, and LLM processing all within the EU
  • DPA available — the platform provides a Data Processing Agreement you can sign
  • Privacy notice in chat — a clear notice before or at the start of the conversation
  • AI disclosure — the agent identifies itself as AI, not a human
  • Data minimization — the agent only collects information you actually need
  • Retention policy — conversation logs are auto-deleted after a defined period
  • Deletion capability — you can delete individual customer conversations on request
  • Cookie compliance — the widget is covered by your cookie consent if it sets cookies
  • Encryption — data is encrypted in transit (TLS) and at rest
  • Access controls — only authorized team members can read conversation logs

What About the EU AI Act?

The EU AI Act, which came into full effect in 2025, classifies AI systems by risk level. Customer service AI agents are generally classified as limited risk, which means the main requirement is transparency — users must be informed they are interacting with an AI system.

If your agent handles sensitive categories (health data, legal inquiries), additional requirements may apply. In practice, this means:

  • Clear AI disclosure at the start of every conversation
  • No deceptive practices — don't pretend the agent is human
  • Human oversight — a way for customers to reach a real person when needed
  • Documentation of the AI system's purpose and capabilities

For most small businesses, compliance with the AI Act is straightforward: be transparent, don't deceive, and offer a human fallback.

Choosing a GDPR-Compliant Platform

When selecting an AI agent platform, ask these three questions:

  1. "Where is my customer data processed and stored?" — the answer should be "entirely within the EU" with specific data center locations
  2. "Can you provide a signed DPA?" — this should be available immediately, not "upon request in 4-6 weeks"
  3. "Do you use third-party LLM APIs that route data outside the EU?" — some platforms use US-based APIs (OpenAI, Anthropic US endpoints) for processing. This creates a data transfer even if storage is in the EU

Botkontor, for example, hosts all infrastructure in Germany (Hetzner data centers), processes LLM calls within the EU, and provides a DPA as part of every business account. Zero data leaves the EU at any point.

GDPR compliance is not optional — it's the baseline. Choose a platform that makes it easy, so you can focus on growing your business instead of worrying about data protection.
