AI Cold Calling in Europe: GDPR Compliance Guide by Country (2026)

You have built an AI voice agent that can make 500 calls a day, qualify leads in natural conversation, and log everything to your CRM. There is just one problem: the rules for making those calls change every time you cross a border within Europe.

If you have found this guide, you are likely asking a specific question: can I use an AI voice agent to cold call B2B prospects in [country]? The answer depends entirely on which country you are targeting. What is perfectly legal in Finland could result in a five-figure fine in Austria.

This guide is narrowly focused on cold calling rules per country - specifically for B2B outreach using AI voice agents. For broader GDPR compliance covering data processing, vendor selection, and AI voice system architecture, see our comprehensive GDPR compliance guide. For the intersection of B2B outbound calling and GDPR foundations, see our B2B cold calling in Austria, Germany, and Europe guide.

Why Country-Level Rules Matter

GDPR provides a baseline for data protection across the EU, but it does not regulate cold calling directly. Cold calling rules come from a separate layer of legislation: the ePrivacy Directive (2002/58/EC), which each EU member state transposed into its own national law. The result is a patchwork where the same AI cold call that is routine in one country may violate telecommunications law in another.

Three separate legal frameworks interact when an AI voice agent makes a cold call in Europe:

• GDPR - governs the processing of personal data (phone numbers, names, call recordings, conversation transcripts).
• National ePrivacy/telecommunications law - governs whether the call itself is permitted, what consent is required, and what disclosures must be made.
• EU AI Act - requires that AI systems disclose their artificial nature to the person they interact with. This applies in every EU country, for every call, without exception.

The AI Act requirement is straightforward and universal: your AI voice agent must identify itself as AI at the start of every call. The tricky part is the national telecommunications layer, which is where the country-by-country differences emerge.

Germany: UWG and Implied B2B Consent

Germany has one of the most regulated cold calling environments in Europe, governed by the Gesetz gegen den unlauteren Wettbewerb (UWG) - the Act Against Unfair Competition.

The Core Rule

UWG Section 7(2) No. 1 classifies telephone advertising without prior express consent as an "unreasonable nuisance" (unzumutbare Belastigung). On its face, this appears to ban cold calling entirely. However, German case law has carved out a narrower path for B2B.

The B2B Exception: Implied Consent (Mutmassliche Einwilligung)

German courts recognize the concept of implied consent for B2B calls. If a reasonable business person would expect to receive such a call - because the product or service is directly relevant to their business operations - the call may be permissible without explicit prior consent. This is not an open door. You must be able to demonstrate:

• The prospect's business has a clear, specific need for what you offer (not a generic pitch).
• You are calling a business phone number, not a personal number.
• The person you reach is in a relevant decision-making role.
• You can document your reasoning for why implied consent applies.

AI-Specific Considerations

Fully automated AI calls face additional scrutiny in Germany. The Bundesnetzagentur (Federal Network Agency) enforces rules against unsolicited advertising calls and has imposed fines up to EUR 300,000 for violations. AI calls that fail to disclose their automated nature, or that are clearly mass-market rather than targeted, carry higher enforcement risk. If you operate in Germany, consider a hybrid approach: the AI handles conversation and qualification, but calls are reviewed or initiated with human oversight.

The Robinson List

Germany maintains a voluntary Robinson List (Robinsonliste) operated by the German Dialogue Marketing Association (DDV). While checking this list is not legally mandatory for B2B, doing so demonstrates good faith and reduces complaint risk.

Austria: TKG 2003 - Stricter Than Germany

Austria's cold calling rules are among the strictest in Europe. The Telekommunikationsgesetz (TKG) 2003, combined with the UWG Section 107, creates a framework that is materially more restrictive than Germany's.

The Core Rule

UWG Section 107(2) prohibits calls to subscribers for advertising purposes using automated calling systems without prior consent. This applies to both B2B and B2C. An AI voice agent making autonomous calls falls squarely within the definition of an automated calling system.

What This Means for AI Cold Calling

Unlike Germany, Austria does not recognize a meaningful "implied consent" exception for automated B2B calls. The Austrian Supreme Court (OGH) has consistently interpreted the law strictly. For AI voice agents, this means:

• Prior consent is required for fully automated calls, even to businesses.
• Consent must be explicit and specific to telephone marketing.
• A pre-existing business relationship alone is not sufficient to justify automated cold calls.

Compliant Approaches in Austria

Companies targeting Austrian businesses with AI voice agents typically use one of these strategies:

• Opt-in first: Collect consent through web forms, trade shows, or email campaigns before the AI places the call.
• Human-initiated, AI-assisted: A human team member initiates the call, then the AI handles the conversation. This may avoid the "automated calling system" classification, though the legal position is debated.
• Inbound-first model: Run advertising that drives prospects to call your AI-answered number, then use AI for the follow-up outbound call based on that inbound interaction.

Enforcement

The Austrian Data Protection Authority (DSB) and courts actively enforce cold calling restrictions. Penalties include injunctive relief, damages, and regulatory fines. Austria is not a market where you can take a "call first, ask forgiveness later" approach.

France: CNIL Rules and Bloctel

France regulates cold calling through the Code de la consommation and enforcement by the CNIL (Commission nationale de l'informatique et des libertes) and the DGCCRF (Direction generale de la concurrence, de la consommation et de la repression des fraudes).

B2B Cold Calling Rules

French law distinguishes between B2B and B2C cold calling, and the B2B environment is notably more permissive than Austria:

• B2B calls are generally permitted without prior consent, provided the call concerns goods or services relevant to the prospect's professional activity.
• The Bloctel opt-out register primarily applies to B2C calls. Businesses are not automatically protected by Bloctel, though individual professionals registered on it should be respected.
• Calling hours are restricted: commercial calls may only be placed Monday to Friday, 10:00-13:00 and 14:00-20:00. Saturday calls are permitted 10:00-13:00. Sunday and public holiday calls are prohibited.
• Frequency limits: Since 2023, France limits solicitation calls to the same person to four attempts within a 60-day period.

AI Disclosure and Recording

The EU AI Act disclosure requirement applies fully in France. Additionally, France requires two-party consent for call recording under the French Penal Code. Your AI must inform the prospect about recording and obtain verbal consent before any recording begins.

Data Retention

CNIL guidelines specify that prospect data collected during cold calling campaigns should not be retained for more than 3 years from the last contact. If the prospect does not engage, the data should be deleted after the campaign ends or after 3 years, whichever comes first.

Netherlands: Telecommunicatiewet

The Netherlands regulates cold calling through the Telecommunicatiewet (Telecommunications Act) and oversight by the Autoriteit Consument en Markt (ACM).

B2B Rules

• B2B cold calling is permitted without prior consent. The Netherlands explicitly distinguishes between B2B and B2C in its telecommunications law.
• The Bel-me-niet Register (Do Not Call register) applies only to B2C calls. B2B numbers are not covered.
• However, if you call a sole proprietor (eenmanszaak) or a small business where the business number is also the owner's personal number, you may need to treat it as B2C.
• Standard GDPR requirements apply: legitimate interest, data minimization, right to object.

AI-Specific Requirements

The EU AI Act disclosure applies. The Netherlands has been proactive in AI regulation through the Algoritmeregister (Algorithm Register) initiative, though this primarily affects government use of AI. For commercial AI cold calling, the standard EU AI Act transparency requirements apply.

Call recording in the Netherlands follows a single-party consent model for business calls, meaning you can record the call as long as one party (the AI system, as agent of your company) consents. However, informing the prospect is still best practice and recommended by the ACM.

Nordics: Sweden, Finland, Denmark, Norway

The Nordic countries share a generally permissive approach to B2B cold calling, making them among the most accessible markets in Europe for AI outbound campaigns.

Sweden

• B2B cold calling is permitted under the Marknadsforingslagen (Marketing Practices Act).
• The NIX-Telefon register is primarily a B2C opt-out list, but businesses can register individual numbers. Check the register before calling.
• The Swedish Authority for Privacy Protection (IMY) enforces GDPR compliance. Focus on data minimization and documented legitimate interest.
• Call recording: Sweden follows single-party consent. One party to the call can consent to the recording. Informing the other party is recommended but not legally required for B2B.

Finland

• B2B cold calling is permitted under the Tietoyhteiskuntakaari (Information Society Code).
• There is no opt-out register equivalent for B2B calls. Standard GDPR opt-out handling applies.
• Finland has one of the most straightforward regulatory environments for B2B outbound in Europe.
• Call recording: Single-party consent applies. Finland's approach is similar to Sweden's.

Denmark

• B2B cold calling is permitted under the Marketing Practices Act (Markedsfoeringsloven).
• The Robinson List allows companies registered in CVR (Central Business Register) to opt out of marketing calls. Always check this list before calling Danish businesses.
• The Danish Data Protection Agency (Datatilsynet) enforces GDPR requirements.
• Call recording: Single-party consent. Denmark is consistent with other Nordic countries.

Norway

• Norway is not an EU member but follows GDPR through the EEA Agreement. The EU AI Act also applies through the EEA framework.
• B2B cold calling is permitted under the Markedskontrolloven (Marketing Control Act).
• Check the Bronnysund Register Centre for businesses that have opted out of marketing communications.
• Call recording: Single-party consent under Norwegian law.

UK: PECR Post-Brexit

Since Brexit, the UK operates under its own data protection framework: the UK GDPR (retained EU law) and the Privacy and Electronic Communications Regulations 2003 (PECR). The EU AI Act does not apply in the UK, though the UK is developing its own AI regulatory framework.

B2B Cold Calling Rules

• B2B cold calling is permitted under PECR Regulation 21. Unlike B2C calls, B2B calls do not require prior consent.
• The Telephone Preference Service (TPS) is a B2C opt-out register. Corporate subscribers (businesses) are not covered by TPS, though the Corporate Telephone Preference Service (CTPS) allows businesses to register. Always check CTPS before calling UK businesses.
• The caller must identify themselves and provide a contact address or freephone number on request.
• The Information Commissioner's Office (ICO) enforces PECR and has authority to issue fines up to GBP 500,000 for violations.

AI Disclosure in the UK

The EU AI Act does not apply post-Brexit. However, the UK's developing AI regulatory framework, guided by the Department for Science, Innovation and Technology (DSIT), emphasizes transparency as a core principle. While not yet a legal requirement in the same way as the EU AI Act, disclosing that the caller is an AI is strongly recommended for ethical and reputational reasons - and may become a legal requirement as UK AI regulation matures.

Call Recording

The UK follows single-party consent for call recording under the Regulation of Investigatory Powers Act 2000 (RIPA). A business can record calls for legitimate business purposes without informing the other party, though informing them is strongly recommended. If the recording is shared with third parties (e.g., for training or quality purposes), two-party consent is generally required.

Country-by-Country Comparison

The following table summarizes the key cold calling rules for each country covered in this guide.

Consent Types Explained

Confusion around consent types is the most common source of compliance mistakes. Here is a clear breakdown of the three consent models that apply to cold calling in Europe.

Explicit Consent (Opt-In)

The prospect has actively agreed to receive calls from you. This can come from a web form checkbox, a signed document, a verbal agreement (recorded), or event registration with marketing consent. Required in Austria for automated AI calls.

Implied Consent (Mutmassliche Einwilligung)

A legal fiction recognized primarily in German law: the prospect has not explicitly consented, but a reasonable person in their position would expect and not object to the call because it is directly relevant to their business. This requires documented justification and is narrower than many companies assume.

Legitimate Interest (No Consent Required)

Under GDPR Article 6(1)(f), you process the prospect's data based on your legitimate commercial interest in reaching potential customers. This is the legal basis used in most permissive countries (Nordics, Netherlands, UK, France for B2B). It requires a documented balancing test (Legitimate Interest Assessment) showing your interest does not override the prospect's rights.

Recording Obligations Across Europe

Call recording compliance is a separate concern from the call itself. Even in countries where B2B cold calling is freely permitted, recording the call may require additional consent. For a deep dive on recording-specific compliance, see our call recording compliance guide.

Two-Party Consent Countries

In Germany, Austria, and France, recording a call without the consent of all parties is a criminal offense. Your AI voice agent must:

• Inform the prospect that the call will be recorded.
• Obtain verbal consent before recording begins.
• Offer the option to continue without recording.
• Log the consent decision for audit purposes.

Single-Party Consent Countries

In the Nordics, Netherlands, and UK, one party can consent to the recording. Since your company operates the AI agent, you are the consenting party. However, best practice - and many regulators' recommendation - is to inform the prospect regardless.

Data Retention

Call recordings are personal data under GDPR. Retention must be limited to what is necessary:

• Quality assurance: 30-90 days is standard.
• Compliance auditing: Up to 12 months.
• Legal disputes: Up to the limitation period for the relevant jurisdiction (typically 3-6 years).

Automated deletion after the retention period expires is not just best practice - it is the only reliable way to ensure compliance at scale.

Compliance Checklist for AI Cold Calling

Before launching any AI cold calling campaign in Europe, work through this checklist for each target country.