GDPR and AI Receptionist — Complete Guide for Nordic Service Businesses 2026
Many business owners hesitate over AI receptionists for GDPR reasons. It's a legitimate concern — but with the right provider and the right configuration, it's entirely manageable. Here's everything you need to know.
What personal data does an AI receptionist handle?
An AI receptionist collects and processes:
- Name and contact details: phone number, email, possibly address
- Booking information: time, service, any notes
- Voice data: if calls are recorded for quality purposes
- History: previous bookings and interactions
Under GDPR, all of this constitutes personal data and requires a legal basis for processing.
Legal basis — what applies?
For booking-related data the legal basis is typically performance of a contract (Art. 6.1b GDPR): you process personal data to carry out the service the customer has booked. This does not require a separate consent for basic booking management.
For marketing (newsletters, promotional offers) you need consent (Art. 6.1a). Configure the AI never to use booking data for marketing without explicit consent.
Data Processing Agreement (DPA) — mandatory
If you engage an AI receptionist provider that processes personal data on your behalf, the provider is a data processor. You are the data controller.
This means you are required to sign a Data Processing Agreement (DPA) with the provider. This is not optional — it is a requirement under GDPR Art. 28.
Nordicall signs a DPA with all customers as part of onboarding.
Where is data stored — and does it matter?
GDPR does in principle allow data transfers outside the EU under certain conditions (SCCs, adequacy decisions). But for healthcare and for sensitive customer data, EU storage is strongly recommended.
Nordicall stores all data on servers in Sweden and Norway. No data is transferred outside the EEA. This means you can reference EU storage as an additional reassurance in your privacy policy.
Voice recordings — what applies?
If the AI receptionist records calls, customers must be informed in advance — either via a recording notice ("This call may be recorded") or in your privacy policy which customers can access.
Nordicall does not record calls by default. Transcriptions (text-based summaries) are stored for booking purposes and are automatically deleted after 90 days unless configured otherwise.