GDPR and voice AI: what EU restaurants need to know

A voice AI agent records the caller's voice, recognises the order and connects to the POS. Every one of those steps is processing of personal data under GDPR. Here's what you need in place before the first call runs through the AI — and why EU hosting isn't just a marketing line.

By Andreas Juric
Andreas Juric is the founder of Stari Vuk AI Agency and has been building voice AI systems for restaurants across Croatia and DACH since 2023.

What GDPR treats as personal data in AI calls

The European Data Protection Board classifies voice as biometric data the moment it's used to identify a person. Even when you don't use it for identification, the audio and transcript are still personal data because they can be linked to a phone number. The moment the AI picks up the phone, you're processing personal data and need a legal basis.

For most restaurants that basis is performance of a contract (Art. 6(1)(b) GDPR) — the guest calls to place an order and the processing is necessary to deliver it. Marketing messages or behavioural analytics need a separate consent.

Why EU hosting isn't marketing, it's a requirement

If the AI model sends audio or transcripts to servers outside the EU (e.g. the US), you're automatically in a third-country transfer situation. GDPR requires standard contractual clauses, a transfer impact assessment and disclosure to the guest. Few restaurants have the time or legal resources for that.

That's why Restoran.team uses EU-only hosting (Germany, Netherlands, Croatia), EU model providers and EU transcription. Data never leaves the EU. It saves lawyers months of work and gives the guest confidence when they ask 'where does my data go'.

Retention — how long can you keep recordings

Art. 5(1)(e) requires that data be kept no longer than necessary. For phone orders that means long enough to fulfil the order and handle any complaint — typically 30 to 90 days. After that, recordings and transcripts are deleted automatically.

The exception is accounting records (amount, date, VAT) which national law often requires you to keep for years. Those aren't voice data though — they're transactional records you'd have in the POS anyway.

Transparency towards the guest

On the first call the AI must clearly state that it's an automated agent. That's mandatory under the EU AI Act, which came into force in 2024. Hiding the fact that an AI is on the other end is a violation, and it loses the guest's trust the moment they figure it out.

The second requirement is a privacy notice — the guest needs access to the privacy policy, information on retention, recipients and the right to deletion. Restoran.team auto-generates the policy for each client and links it in all communications.

DPIA — when do you need a data protection impact assessment

A DPIA is mandatory when processing could create a high risk to the rights of individuals. For a normal voice agent in a restaurant that usually isn't the case — minimal processing, clear purpose, data stays in the EU.

A DPIA becomes mandatory if you're doing biometric identification (e.g. recognising regulars by voice), profiling for marketing, or large-scale processing. A pizzeria with 200 calls a day isn't there. A chain with a thousand locations and CRM profiling is.

Frequently asked questions

Do I need to ask consent to record AI calls?

Not necessarily. For order fulfilment the legal basis is the contract, not consent. You only need consent if you use recordings for marketing, analytics or training your own models beyond the order purpose.

What if a guest asks to delete their data?

Under Art. 17 GDPR you have 30 days. Restoran.team has an automated tool that deletes all recordings and transcripts tied to a phone number with one click.

Can the AI greet a regular by name?

Only if that guest has an order history in your POS and you have a legal basis for CRM. Otherwise it's profiling and needs consent plus a DPIA.

What about children ordering pizza?

GDPR sets the age limit for digital services at 16 (some member states set it lower). In practice this rarely becomes an issue, since processing is limited to order fulfilment, but be careful with marketing to minors.

Do I need a Data Protection Officer because of the AI agent?

Usually not. A DPO is mandatory for large-scale processing or sensitive categories. Small and mid-sized restaurants typically don't need one, but having a privacy contact person is recommended.

Who is the controller — us or Restoran.team?

You are the controller, Restoran.team is the processor. A Data Processing Agreement (DPA) is signed to cover all obligations — it's a standard part of the package.

Restoran.team — INDI Monika Kunstek · Drašković 3 A-D, 42220 Novi Marof, Croatia · VAT: HR66987567542