GDPR + Georgian Personal Data Law for AI Voice Agents


AI voice agents are legal in Georgia and the EU when deployed correctly. This guide covers the exact compliance requirements: disclosure scripts, consent flows, data retention, and audit trails. Disclaimer: this is technical guidance, not legal advice.

Three Layers of Compliance

Every AI voice agent serving Georgian or EU customers must comply with:

  1. Georgian Personal Data Protection Law (2011, amended 2024) — for Georgian citizens and residents
  2. EU GDPR + EU AI Act (2024) — for EU customers and any cross-border data flow
  3. Sector-specific rules — telco, financial, medical have additional requirements

AI Disclosure Requirement

Both Georgian and EU law require AI disclosure at the start of every voice interaction. The script must:

  • Clearly identify that the call is handled by AI ("This call is handled by an AI assistant")
  • Identify the company on whose behalf the AI calls
  • Be at the start of the call, not in the middle
  • Be in the customer's language

Example minimum-compliant opening:

"Hello, this is [AI Name] calling on behalf of [Company]. This call is handled by AI. Do you have a moment to speak?"

Failure to disclose = potential fine + reputational damage.

Legal Basis

For each call you need a legal basis. Common ones:

  • Consent — explicit opt-in (best for marketing/sales calls)
  • Legitimate interest — for existing customer service (assess via balancing test)
  • Contract performance — fulfilling existing contractual obligation
  • Legal obligation — debt collection has its own rules

For outbound sales you must have prior consent. Cold-calling unverified leads is especially risky in the EU.

For inbound: consent is implicit when customer initiates.

Recording Disclosure

If you record calls (most do for QA):

  • Disclose recording in opening: "This call may be recorded for quality"
  • Allow customer to opt out of recording
  • Store recordings encrypted at rest
  • Have a retention policy (typically 90 days then auto-delete)

For Georgian customers, explicit opt-in to recording is safest. For EU customers, legitimate interest can cover recording for quality purposes, but you must still disclose it.

Data Retention

Default retention rules:

  • Call recordings: 90 days unless legal hold
  • Call transcripts: 1-2 years for analytics
  • Lead data: as long as legitimate business purpose (typically 2-3 years inactive deletion)
  • PII (phone, email, name): pseudonymized in analytics, deleted on request

Customer right to erasure: you must delete on request within 30 days. This is a hard requirement under GDPR.

Data Residency

For Georgian customers:

  • Data should ideally stay in Georgia or EU (Georgia has adequacy decision pending with EU)
  • US-hosted (most AI platforms) is legal but requires Standard Contractual Clauses (SCCs)

For EU customers:

  • Data should stay in EU/EEA, or have SCCs in place
  • Schrems II implications — careful with US transfer

Vapi, Retell, and OpenAI all support EU-region hosting on Enterprise plans. For SMB on default plan, US hosting + SCCs is the practical path.

EU AI Act Implications

The EU AI Act (effective 2025-2026) classifies AI voice agents as:

  • Limited risk for general customer interactions — AI disclosure required
  • High risk if used in employment screening, credit scoring, biometric ID — additional documentation required

Voice agents for sales, support, booking are limited risk. Deploy with disclosure + standard documentation.

Vendor Data Processing Agreement (DPA)

When using Vapi, Retell, OpenAI, ElevenLabs:

  • Sign Data Processing Agreement (DPA) with each
  • Most vendors have standard DPAs available
  • Verify SCCs are in place if data flows to US
  • For HIPAA (US healthcare), need Business Associate Agreement (BAA)

Audit Trail Requirements

Maintain logs of:

  • Every call with timestamp, participants, duration
  • AI disclosure given (yes/no per call)
  • Consent collected if applicable
  • Recording status
  • Data access events

Logs should be tamper-resistant and retained for at least 1 year for audit purposes.
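One way to build a trail that carries these fields and is tamper-evident, as an added example (not code from the original guide or from Vapi, Retell, OpenAI or any other vendor): an append-only log where every entry's digest is an HMAC-SHA256 over the previous digest plus the entry body, so that editing or deleting an earlier entry breaks verification. Each call is stored with its per-call disclosure, consent and recording flags and with a list of findings derived from the risk areas in this guide. The `CallRecord` fields, the finding names, the sample key and the sample calls are all assumptions constructed for this example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# Hypothetical per-call audit record. Field names are this example's own
# assumptions, not fields from Vapi, Retell, OpenAI or any other vendor API.
@dataclass
class CallRecord:
    call_id: str
    started_at: str            # ISO-8601 UTC timestamp
    duration_s: int
    direction: str             # "inbound" or "outbound"
    participants: List[str]    # pseudonymous IDs, never raw phone numbers
    ai_disclosure_given: bool  # disclosure spoken at the start of the call
    recording_enabled: bool
    recording_disclosed: bool
    consent: Optional[str]     # "explicit_opt_in", "legitimate_interest", ...


def compliance_findings(rec: CallRecord) -> List[str]:
    """Flag the guide's risk areas per call so they land in the audit trail."""
    findings = []
    if not rec.ai_disclosure_given:
        findings.append("ai_disclosure_missing")
    if rec.recording_enabled and not rec.recording_disclosed:
        findings.append("recording_not_disclosed")
    if rec.direction == "outbound" and rec.consent != "explicit_opt_in":
        findings.append("outbound_without_prior_consent")
    return findings


class AuditLog:
    """Append-only, hash-chained log: each digest is an HMAC over the previous
    digest plus the canonical JSON of the entry, so editing or deleting any
    earlier entry breaks verify(). Keep the HMAC key outside the log store
    (e.g. a KMS); whoever can rewrite the log must not be able to re-sign it."""
    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def _digest(self, prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, (prev + body).encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        digest = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "digest": digest})
        return digest

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            if not hmac.compare_digest(self._digest(prev, entry["event"]), entry["digest"]):
                return False
            prev = entry["digest"]
        return True


def log_call(log: AuditLog, rec: CallRecord) -> List[str]:
    """Append one call event (timestamp, participants, duration, disclosure,
    consent, recording status) together with its findings; return the findings."""
    findings = compliance_findings(rec)
    log.append({"type": "call", **asdict(rec), "findings": findings})
    return findings


# Constructed sample data for the demonstration; not real calls or keys.
SAMPLE_KEY = b"example-key-replace-with-a-kms-managed-secret"
SAMPLE_CALLS = [
    CallRecord("c-001", "2025-03-01T09:00:00Z", 184, "inbound",
               ["cust-7f3a"], True, True, True, "legitimate_interest"),
    CallRecord("c-002", "2025-03-01T09:10:00Z", 42, "outbound",
               ["cust-91bc"], False, True, False, None),
]


def demo() -> dict:
    log = AuditLog(SAMPLE_KEY)
    findings = {rec.call_id: log_call(log, rec) for rec in SAMPLE_CALLS}
    # Data access events belong in the same chain as the calls.
    log.append({"type": "data_access", "actor": "qa-reviewer-1",
                "subject": "cust-7f3a", "purpose": "quality review"})
    intact = log.verify()
    # Someone quietly "fixes" the second call's disclosure flag after the fact.
    log.entries[1]["event"]["ai_disclosure_given"] = True
    return {"findings": findings, "intact": intact,
            "tamper_detected": not log.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain only proves integrity relative to the key holder: if the same service that writes the log also holds the HMAC key, a compromised service can rewrite and re-sign history, so in practice the key (or periodic anchors of the latest digest) should sit with a separate party or a write-once store. Participants are logged as pseudonymous IDs so the one-year audit retention does not conflict with the shorter PII retention and erasure obligations above.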

Common Risk Areas

  • Cold calling without consent — high risk in EU, lower in US
  • Recording without disclosure — illegal in most jurisdictions
  • Data shipped to US without SCCs — GDPR violation
  • No customer opt-out path — must always allow human escalation or unsubscribe
  • Storing PHI in unencrypted training logs — HIPAA violation if applicable

FAQ

1. Can I use a US-hosted AI without violating GDPR?

Yes, with Standard Contractual Clauses (SCCs) in place between you and the vendor. Most platforms (Vapi, Retell, OpenAI) provide standard SCCs.

2. Do I need explicit consent for inbound calls?

No, consent is implicit for inbound. But you still must disclose AI at call start.

3. What's the fine for non-compliance?

GDPR up to 4% of global annual revenue or €20M, whichever is higher. Georgian Personal Data Law up to 2,000 GEL per violation.

4. Do I need a Data Protection Officer (DPO)?

Required if you process large amounts of personal data systematically. Most SMBs deploying voice agents don't need a formal DPO but should have a designated person for data requests.