Is an AI Receptionist Legal in the UK? GDPR, ICO & PECR Explained
"Can I put an AI on my phones without falling foul of data protection?" It's the right question for any responsible business. The short answer is yes, it's legal — provided it's done properly. The useful answer is knowing what "properly" means. Here it is, in plain English.
In short: an AI receptionist can handle your inbound calls in a UK-GDPR-compliant way if there's a lawful basis for processing, callers are told an AI is in use, you sign a data processing agreement (DPA) with the provider, data-subject rights (including deletion) are honoured, and retention is sensible. The key is choosing a compliant provider — and knowing what to ask.
*(This article is general information, not legal advice — check your specifics with a qualified adviser.)*
Do I need consent for an AI to answer calls?
Usually not explicit consent. The UK GDPR (Article 6) offers several lawful bases; for answering an inbound call from a customer, the usual ones are legitimate interests or performance of a contract / pre-contractual steps (someone ringing to book or enquire). If you rely on legitimate interests, the ICO expects you to have carried out and documented a legitimate interests assessment (the three-part purpose, necessity and balancing test). Consent matters mostly for *marketing* or *outbound* calls, not for answering people who ring you.
What is always required is transparency: callers must be given the privacy information Article 13 requires (who is processing their data, why, and for how long), and that includes disclosing clearly, for example in the opening announcement, that an AI system is handling the call, so nobody is misled into thinking they are speaking to a person.
Does PECR apply?
PECR (the Privacy and Electronic Communications Regulations 2003) sits alongside the UK GDPR and mainly governs electronic marketing: marketing calls, texts and emails, plus cookies and similar technologies. Answering inbound calls is a different activity from making outbound marketing calls. If you also use the system to place automated outbound marketing calls, PECR applies directly: automated calling systems that deliver a recorded or otherwise non-live message need the recipient's prior consent (regulation 19), and unsolicited live marketing calls must be screened against the Telephone Preference Service and must not be made to anyone who has objected (regulation 21). Keep inbound answering and outbound marketing clearly separated in your setup and your policies.
Can an AI record the call?
It can, but distinguish recording the audio from transcribing it. Keeping audio means holding more personal data for longer, and it needs its own storage, access control and deletion process. Many solutions, fonea included, transcribe in real time and discard the audio, keeping only an encrypted transcript. That shrinks the risk and the data footprint, though a transcript is still personal data and needs the same lawful basis, retention limit and security as any other customer record. If audio is kept, that must be disclosed to the caller and justified.
What about a data processing agreement?
When a provider processes personal data on your behalf, it is a processor and you are the controller. UK GDPR Article 28 requires a written contract, usually called a data processing agreement (DPA), that sets out the subject matter and duration of the processing, its nature and purpose, the types of personal data and categories of data subjects, and the processor's obligations: acting only on your documented instructions, keeping the data confidential and secure, not engaging sub-processors without your authorisation, helping you honour data-subject rights, and deleting or returning the data when the service ends. No DPA, no deal: always ask for it, and read the sub-processor and deletion clauses before signing.
Data-subject rights and retention
Callers keep their rights: access, rectification and, importantly, erasure. Your provider must let you delete data on request and apply sensible retention (don't keep transcripts indefinitely "just in case"). Default to short retention and extend only with a documented reason. Also ask where data is processed and who the sub-processors are: if transcripts leave the UK, the transfer needs to be covered by adequacy regulations (the EEA qualifies) or by an appropriate safeguard such as the ICO's International Data Transfer Agreement or its Addendum to the EU standard contractual clauses.
Five questions to ask any provider
1. What's the lawful basis, and how are callers informed?
2. Do you sign a data processing agreement?
3. Do you record audio or only transcribe? Is it encrypted?
4. Can I delete data on request and set retention?
5. Who are your sub-processors and where is data processed?
Key Takeaways
- An AI handling inbound calls is legal under UK GDPR when done properly.
- The lawful basis is usually legitimate interests or pre-contractual steps, not always consent.
- PECR is about outbound marketing — keep that separate from inbound answering.
- Transparency is mandatory: disclose the AI.
- Insist on a DPA, erasure on request, and sensible retention; prefer transcribe-and-discard over keeping audio.
Frequently Asked Questions
Is it different for the EU GDPR?
The UK GDPR is closely aligned with the EU GDPR. A good provider complies with both — useful if you also have EU callers.
What about health or other sensitive data?
Special-category data (e.g. health) needs a condition under Article 9 in addition to the Article 6 lawful basis, and stronger safeguards. It's workable, but ask for specific assurances and consider a Data Protection Impact Assessment (DPIA); under the ICO's criteria, large-scale processing of special-category data or the use of innovative technology such as AI can make a DPIA mandatory rather than optional.
Who's liable if something goes wrong?
Your business is the controller; the provider is the processor. Both can be liable: you for the processing as a whole, the provider for breaching its processor obligations or acting outside your instructions. The DPA allocates responsibilities between you, which is another reason to insist on one.
Sources
- UK Information Commissioner's Office (ICO) — *Guide to the UK GDPR* and *Guide to PECR*
- UK GDPR, Article 6 (lawful basis) and Article 28 (processors / DPAs)
- European Commission — *General Data Protection Regulation (GDPR)*
Try fonea with no obligation
Swiss AI telephone assistant for SMEs. Listen to a live demo directly in your browser, book an appointment with our team or start right away: CHF 90/month, 30-day money-back guarantee, cancel monthly.
DSG- and revDSG-compliant · Data held in Switzerland · Native Swiss German