Who is the data controller — the business or the AI provider?

The business that owns the phone line is the data controller. The AI receptionist provider is the data processor and may only process call data on the controller's documented instructions, under a Data Processing Agreement that satisfies Article 28 of the GDPR. The business remains accountable to its callers; the processor is contractually bound to the business.

Does an AI receptionist have to tell callers it is AI?

Yes. Under Article 50 of the EU AI Act, callers must be clearly informed they are interacting with an AI system, in good time before the interaction continues, unless it is obvious. A compliant AI receptionist discloses this at the start of the call. This is separate from, and additional to, GDPR obligations.

Do AI-answered calls have to announce that the call is recorded?

If calls are recorded, callers must be informed before the recording begins, in line with GDPR transparency duties and Irish data-protection guidance. A compliant setup states this at the start of the call and records only what is necessary, with a defined deletion schedule.

Is an AI Phone Receptionist GDPR-Compliant? (Ireland, 2026)

Q: Is an AI phone receptionist GDPR-compliant in Ireland?

It can be, and it is not automatic. An AI phone receptionist is GDPR-compliant when call data is processed in the EU, the provider acts as a data processor under a written Article 28 Data Processing Agreement, callers are told the line uses AI and that calls may be recorded before recording starts, data is minimised, and recordings and transcripts are deleted on a defined retention schedule. If a provider cannot evidence all of these, treat it as non-compliant.

The honest answer

"Is it GDPR-compliant?" is the first question every Irish business owner asks about an AI receptionist, and the honest answer is: the technology is not compliant or non-compliant — the setup is. The same AI can be run in a way that is fully compliant or in a way that quietly is not. What makes the difference is boring, contractual, and entirely checkable before you sign anything.

This article walks the actual obligations under the GDPR and the EU AI Act as they apply to a phone line answered by AI, in plain language, and tells you what evidence to demand from any provider — including this one.

Who is responsible: controller vs processor

This is the part that trips most people up. Under the GDPR there are two roles, and they are not shared equally:

You (the business) are the data controller. It is your phone line, your callers, your relationship. You decide why the data is processed and you are accountable to your callers and to the Data Protection Commission.
The AI receptionist provider is the data processor. It processes call data only on your documented instructions, and only for the purposes you set.

The instrument that makes this lawful is a Data Processing Agreement (DPA) that satisfies Article 28 of the GDPR. A compliant provider has a DPA ready to read and sign — not something that needs weeks of legal back-and-forth. If a DPA does not exist, or you are told one "can be arranged later," the relationship is not compliant on day one, which is the only day that matters if a caller complains.

"You stay the controller. That is not a downgrade — it means the provider is contractually working for you and your callers, not the other way around."

The 2026 addition: you must disclose the AI

This is new and frequently missed. The EU AI Act, Article 50, requires that people are clearly informed when they are interacting with an AI system, in good time before the interaction continues, unless it is already obvious. For a phone receptionist, "obvious" is exactly what it is not — a good AI voice sounds human, which is the point.

So a compliant AI receptionist says so, at the start of the call. This is a separate obligation from the GDPR — you can be perfectly GDPR-compliant on data and still be non-compliant on AI disclosure. Ask any provider one question: "What exactly does the caller hear in the first ten seconds?" If the honest answer does not include that they are speaking with an AI assistant, that is a gap.

Call recording: the part Irish businesses get wrong

If calls are recorded — and most AI receptionists record for quality, training, and dispute resolution — callers must be informed before the recording begins. Irish data-protection guidance and GDPR transparency duties both point the same way: no silent recording. The notice has to be up front, not buried in a privacy policy nobody on a phone call can read.

Recording also has to be proportionate. Recording every call forever "just in case" fails the data-minimisation principle. A compliant setup records only what is needed and deletes it on a schedule.

Where the data lives, and for how long

Two questions decide most of GDPR compliance for a phone AI, and both have one-line answers a provider should give without hesitating:

Where is call data processed and stored? For an Irish business the safe answer is EU-based infrastructure. Data leaving the EU is not automatically unlawful, but it adds transfer-safeguard obligations most SMBs neither want nor need. EU residency removes the question.
How long is it kept? There must be a defined retention period per data type, not "indefinitely." Short, documented, and actually enforced.

What a defensible retention schedule looks like (illustrative)
Data	Purpose	Typical retention
Call audio	Quality, dispute check	~30 days
Transcript	Booking accuracy, follow-up	~90 days
Booking / lead record	Fulfilling the enquiry	As long as the business relationship requires

The exact numbers are a business decision the controller makes — the point is that a schedule exists, is written into the DPA, and is enforced automatically rather than depending on someone remembering to delete things.

Red flags: when a provider is not compliant

You do not need to be a data-protection lawyer to spot a non-compliant AI receptionist. Any one of these is enough to walk away:

No Data Processing Agreement, or "we'll send one later."
Cannot tell you which country call data is processed in.
No defined deletion schedule — recordings kept "as long as needed" with no number.
The caller is never told they are speaking to an AI.
Calls recorded with no up-front notice to the caller.
Cannot name its sub-processors (the services it relies on under the bonnet).

How CallMeIE handles it

Setting the standard above and then not meeting it would be poor form, so concretely: CallMeIE operates as a data processor under a Data Processing Agreement, processes call data within EU-based infrastructure, operates a defined retention schedule (call audio and transcripts deleted on a fixed window, not kept indefinitely), discloses the AI assistant to callers, and gives notice where calls are recorded. The business remains the data controller; CallMeIE is contractually bound to it under Article 28.

The full detail — sub-processors, exact retention windows, security measures, and the assignment terms — lives in the documents themselves, not in a blog post:

Read them before you sign. That sentence is the whole point of this article: a compliant provider wants you to read the contract, because the contract is where the compliance actually is.

This article explains how GDPR and the EU AI Act apply to AI phone answering in general terms. It is not legal advice and does not create a client relationship. For advice on your specific obligations as a data controller, consult a qualified Irish data-protection adviser or the Data Protection Commission.

Hear the disclosure for yourself

The fastest way to judge a provider on AI disclosure and recording notice is to ring it and listen to the first fifteen seconds. The CallMeIE demo line is live 24 hours — four demo businesses, each with its own receptionist.

+353 61 788 120 — ring now, no booking needed.

Or fill in the onboarding form and I will walk you through the DPA and exactly what your callers will hear.

Frequently asked questions

Is an AI phone receptionist GDPR-compliant in Ireland?

It can be, and it is not automatic. Compliant means: EU data processing, a written Article 28 DPA, AI disclosure to callers, recording notice before recording, data minimisation, and an enforced deletion schedule. Missing any one = not compliant.

Who is the data controller — the business or the provider?

The business is the controller. The AI provider is the processor, acting only on the controller's documented instructions under a DPA.

Does the AI have to tell callers it is AI?

Yes — EU AI Act Article 50 requires clear disclosure that the caller is interacting with an AI system, in good time, unless obvious. A compliant receptionist says so at the start.

Do recorded calls need an announcement?

Yes. If calls are recorded, callers must be told before recording begins, and only necessary data should be recorded, with a defined retention period.