AI Voice Agent DSGVO Compliance: Germany & Austria Guide (2026)
Legal Disclaimer
This article provides general guidance on DSGVO compliance for AI voice agents in Germany and Austria. It is not legal advice. Data protection law is evolving rapidly, enforcement varies between federal and state authorities, and your specific situation requires analysis by a qualified Datenschutzbeauftragter or legal counsel. Always consult a local expert before deploying AI voice systems.
Germany and Austria share a language, a legal tradition, and a data protection framework that goes beyond what most EU countries require. The DSGVO (Datenschutz-Grundverordnung) is not simply GDPR translated into German. Both countries have layered national legislation on top of the EU regulation, creating a compliance environment that catches most AI voice agent providers off guard.
If you are deploying an AI voice agent that handles calls from German or Austrian businesses, you need to understand not just GDPR but the BDSG, the DSG, Section 201 of the StGB, and the enforcement positions of the BfDI, 16 state-level data protection authorities, and the Austrian DSB. This guide breaks down each layer and what it means for your AI voice system.
For broader European GDPR compliance covering all member states, see our comprehensive GDPR compliance guide for AI voice agents. For country landing pages, see our guides for AI receptionists in Germany and AI receptionists in Austria.
DSGVO vs GDPR: What Is Different
The DSGVO is the German-language version of the EU General Data Protection Regulation. In substance, the regulation is identical across all EU member states. However, GDPR contains over 70 opening clauses - provisions where member states are permitted or required to adopt national rules. Germany and Austria have used these opening clauses extensively, creating a regulatory environment that is materially stricter than the GDPR baseline.
The key national additions for AI voice agents in Germany come through the Bundesdatenschutzgesetz (BDSG), which was comprehensively revised in 2018 to complement the DSGVO. In Austria, the equivalent national law is the Datenschutzgesetz (DSG), which similarly supplements the GDPR with Austrian-specific provisions.
Where Germany Goes Further
- Employee data protection (BDSG Section 26): Germany has dedicated provisions for processing employee personal data that go beyond standard GDPR requirements. If your AI voice agent interacts with employees - transferring calls, recording employee conversations, or logging employee activity - these provisions apply.
- Criminal sanctions for recording (StGB Section 201): Recording a conversation without consent from all parties is a criminal offense in Germany, not merely a regulatory violation. This includes AI-generated recordings and transcripts.
- Data Protection Officer requirements (BDSG Section 38): Germany has a lower threshold for mandatory DPO appointment. Businesses with 20 or more employees engaged in automated data processing must appoint a Datenschutzbeauftragter. AI call handling qualifies as automated data processing.
- Video surveillance restrictions (BDSG Section 4): While not directly applicable to voice-only AI, these provisions demonstrate Germany's generally restrictive approach to automated surveillance and monitoring.
Where Austria Goes Further
- Automated calling systems (UWG Section 107): Austria's Unfair Competition Act prohibits automated calling systems for advertising without prior consent, with no meaningful B2B exception for fully automated systems.
- Constitutional data protection (DSG Section 1): Austria elevates data protection to a constitutional right (Grundrecht), which means courts apply a higher standard of scrutiny to data processing activities.
- Administrative fines (DSG Section 11): Austria can impose criminal penalties for certain data protection violations, in addition to GDPR administrative fines.
| Requirement | GDPR Baseline | Germany (DSGVO + BDSG) | Austria (DSGVO + DSG) |
|---|---|---|---|
| Call recording consent | Varies by member state | Criminal offense without consent (StGB 201) | Criminal offense without consent (StGB 120) |
| Employee data | General GDPR rules | BDSG Section 26 - dedicated provisions | DSG + ArbVG - works council rights |
| DPO threshold | 10+ employees (core activities) | 20+ employees (automated processing) | Same as GDPR baseline |
| Automated calling | Not directly regulated | UWG Section 7 - restricted | UWG Section 107 - highly restricted |
| DPA oversight | Single national authority | BfDI + 16 state authorities | Single DSB authority |
| Data protection as right | Charter Article 8 | Basic Law Article 2(1) + Article 1(1) | Constitutional right (DSG Section 1) |
BDSG National Provisions for Voice AI
The Bundesdatenschutzgesetz contains provisions that directly affect how AI voice agents process data. Understanding these provisions is essential because they create obligations that exist nowhere else in the EU.
Section 22: Processing of Special Categories of Data
BDSG Section 22 specifies additional conditions for processing special categories of personal data under GDPR Article 9. For AI voice agents, this matters when calls involve health data (medical appointments), trade union membership, religious beliefs, or other Article 9 categories. The BDSG requires "appropriate and specific measures" (angemessene und spezifische Maßnahmen) to safeguard the data subject's interests, including technical and organizational measures, encryption, pseudonymization, and access controls.
Healthcare-focused AI voice agents - those scheduling medical appointments, handling patient inquiries, or triaging calls for medical practices - must implement enhanced safeguards under BDSG Section 22. This includes restricting access to call recordings, encrypting transcripts at rest and in transit, and implementing role-based access controls.
Section 35: Right to Erasure
BDSG Section 35 modifies the GDPR right to erasure (Article 17) with German-specific provisions. Where erasure is technically impossible or would require disproportionate effort, the controller may restrict processing instead. For AI voice systems, this means you must have the technical capability to delete specific call recordings, transcripts, and derived data on request - or document why restriction is the appropriate alternative.
Section 37: Right to Object to Automated Decision-Making
BDSG Section 37 supplements GDPR Article 22 on automated decision-making. If your AI voice agent makes decisions that produce legal or similarly significant effects - routing a call to collections, flagging a caller as high-priority, or declining to schedule an appointment based on automated criteria - the caller has the right to human review. This is not optional. You must provide a mechanism for callers to request human intervention.
Recording Consent and Criminal Law
This is the single most critical compliance requirement for AI voice agents in Germany and Austria. In both countries, recording a telephone conversation without the consent of all parties is a criminal offense.
Germany: StGB Section 201
Section 201 of the Strafgesetzbuch (German Criminal Code) criminalizes the unauthorized recording of the "non-publicly spoken word" (nichtöffentlich gesprochenes Wort). The offense carries a penalty of up to three years imprisonment or a fine. This applies to:
- Audio recordings of telephone conversations.
- AI-generated transcripts of telephone conversations (these are derived from the spoken word and are treated equivalently).
- Real-time speech-to-text processing that creates a permanent record of the conversation.
The consent requirement is absolute. There is no business exception, no legitimate interest override, and no implied consent for recording. Every call that is recorded - whether as audio or as a transcript - requires explicit consent from all parties before recording begins.
Austria: StGB Section 120
Austria's equivalent provision is Section 120 of the Austrian Strafgesetzbuch, which criminalizes the violation of telecommunications secrecy (Verletzung des Telekommunikationsgeheimnisses). The penalty is up to one year imprisonment. The practical requirements are similar to Germany: all-party consent is required before any recording or transcription.
How AI Voice Agents Must Handle Consent
Disclose AI nature at call start
Under the EU AI Act Article 50, the AI must identify itself as an artificial intelligence system at the beginning of every call. This disclosure should be natural and clear: "Guten Tag, Sie sprechen mit einem KI-gesteuerten Assistenten von [Firmenname]."
Request recording consent explicitly
After AI disclosure, explicitly ask for recording consent: "Dieses Gespräch kann zu Qualitätssicherungszwecken aufgezeichnet werden. Sind Sie damit einverstanden?" The caller must have a genuine choice.
Handle consent refusal gracefully
If the caller declines recording, the conversation must continue without recording. The AI must still provide full service - answering questions, scheduling appointments, taking messages - without creating any recording or transcript.
Log consent decisions with timestamps
Record whether consent was given or refused, along with a timestamp. This consent log is your evidence of compliance if the BfDI or a state authority investigates.
Support consent withdrawal mid-call
If a caller consents initially but later says "bitte nicht mehr aufzeichnen" (please stop recording), the system must immediately stop recording and confirm that recording has stopped.
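The five call-flow steps above, as an added Python example (not code from the original article or from any vendor): recording is gated on an explicit, logged consent decision, refusal leaves service untouched, and withdrawal stops capture immediately. `CallSession`, `Consent`, `run_call`, the phrase lists, the confirmation wording and the company name are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

class Consent(Enum):
    NOT_ASKED = "not_asked"
    GRANTED = "granted"
    REFUSED = "refused"
    WITHDRAWN = "withdrawn"

# Constructed phrase lists (assumption); a real agent would use its intent model.
# Consent is an exact-match allowlist, so "nicht einverstanden" fails closed.
YES_REPLIES = {"ja", "ja gerne", "einverstanden", "ja, einverstanden"}
WITHDRAW_PHRASES = ("nicht mehr aufzeichnen", "aufzeichnung beenden")
CONFIRM_STOPPED = "Die Aufzeichnung wurde beendet."   # constructed wording
SERVICE_REPLY = "Gerne, wie kann ich Ihnen helfen?"   # stands in for dialogue logic

@dataclass
class CallSession:
    call_id: str
    company: str
    consent: Consent = Consent.NOT_ASKED
    ai_disclosed: bool = False
    consent_log: list = field(default_factory=list)  # timestamped evidence trail
    transcript: list = field(default_factory=list)   # filled only while GRANTED

    def _log(self, event):
        self.consent_log.append({
            "call_id": self.call_id,
            "event": event,
            "at": datetime.now(timezone.utc).isoformat(),
        })

    def greet(self):
        """AI disclosure first, then the recording-consent question."""
        self.ai_disclosed = True
        self._log("ai_disclosed")
        self._log("consent_requested")
        return (f"Guten Tag, Sie sprechen mit einem KI-gesteuerten Assistenten "
                f"von {self.company}. Dieses Gespräch kann zu "
                "Qualitätssicherungszwecken aufgezeichnet werden. "
                "Sind Sie damit einverstanden?")

    def answer_consent(self, reply):
        if not self.ai_disclosed:
            raise RuntimeError("consent requested before AI disclosure")
        norm = reply.strip().lower().rstrip(".!")
        # Anything that is not a clear yes counts as refusal.
        self.consent = Consent.GRANTED if norm in YES_REPLIES else Consent.REFUSED
        self._log(f"consent_{self.consent.value}")

    @property
    def recording(self):
        return self.consent is Consent.GRANTED

    def caller_says(self, utterance):
        """Handle one caller turn and return the agent's spoken reply."""
        if self.recording and any(p in utterance.lower() for p in WITHDRAW_PHRASES):
            self.consent = Consent.WITHDRAWN      # stop before storing this turn
            self._log("consent_withdrawn")
            return CONFIRM_STOPPED
        if self.recording:
            self.transcript.append(utterance)
        return SERVICE_REPLY                      # same service with or without consent

def run_call(call_id, consent_reply, utterances):
    """Drive one constructed call through the flow; returns (session, replies)."""
    call = CallSession(call_id, "Beispiel GmbH")  # constructed company name
    call.greet()
    call.answer_consent(consent_reply)
    return call, [call.caller_says(u) for u in utterances]

if __name__ == "__main__":
    call, _ = run_call("call-002", "Ja",
                       ["Termin bitte.", "Bitte nicht mehr aufzeichnen.", "Dienstag."])
    print(call.transcript, [e["event"] for e in call.consent_log])
```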
Criminal Liability
Recording without consent is not a regulatory fine in Germany and Austria - it is a criminal offense. StGB Section 201 in Germany carries up to three years imprisonment. StGB Section 120 in Austria carries up to one year. No business justification overrides this requirement. AI voice agent providers that offer "always-on recording" or "automatic transcription" without consent mechanisms are exposing their customers to criminal liability.
BfDI Federal Oversight and State Authorities
Germany's data protection oversight structure is unique in Europe. The BfDI (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit) is the federal data protection commissioner, but the BfDI is not the only authority. Each of Germany's 16 Bundesländer has its own state data protection authority (Landesdatenschutzbeauftragter or Landesbeauftragter für den Datenschutz).
This creates a layered oversight system. The BfDI has jurisdiction over federal bodies and telecommunications/postal service providers. State authorities have jurisdiction over private businesses operating in their territory. A dental practice in Bavaria falls under the BayLDA (Bayerisches Landesamt für Datenschutzaufsicht). A law firm in Berlin falls under the BlnBDI (Berliner Beauftragte für Datenschutz und Informationsfreiheit). A hotel chain operating across multiple states may be subject to multiple state authorities.
Key State Authorities for AI Voice Agents
- BayLDA (Bavaria): One of the most active state authorities, known for detailed technical guidance and active enforcement against businesses. Bavaria has the largest concentration of Mittelstand businesses.
- LfDI Baden-Württemberg: Known for publishing practical guidance documents and taking a balanced approach to technology and data protection.
- HmbBfDI (Hamburg): Active in enforcement against tech companies. Hamburg is a major tech hub and media center.
- LDI NRW (North Rhine-Westphalia): The largest state authority by population served. NRW has the highest concentration of businesses in Germany.
Austria DSB Requirements
Austria has a simpler structure than Germany. The Datenschutzbehörde (DSB) is the single national authority. The DSB is known for strict interpretation of GDPR provisions and has been active in cross-border enforcement. The DSB was the first EU authority to issue a decision in the Schrems II follow-up cases, finding that the use of Google Analytics violated GDPR because of data transfers to the United States.
For AI voice agent providers, the DSB's position on transatlantic data transfers is particularly relevant. If your AI processes any voice data in the United States - even temporarily for speech-to-text processing - the DSB is likely to find a violation. All processing must remain within the EU/EEA.
The DSB has also taken strong positions on automated decision-making and AI transparency. Austria's elevation of data protection to a constitutional right (Grundrecht) under DSG Section 1 means that the DSB and Austrian courts apply a higher standard of scrutiny to data processing activities than most other EU member states. For AI voice agents, this translates to heightened expectations around consent quality, transparency of processing, and the right to human intervention in automated decisions.
Data Protection Impact Assessment Requirements
GDPR Article 35 requires a Data Protection Impact Assessment (DPIA) for processing that is "likely to result in a high risk" to individuals. Both the BfDI and the Austrian DSB have published lists of processing operations that require a DPIA (Datenschutz-Folgenabschätzung).
AI voice agents almost certainly require a DPIA in both Germany and Austria. The BfDI's DPIA list includes "large-scale processing of data generated through the use of telecommunications, internet, or other electronic communication services" and "use of AI to process personal data for automated decision-making." An AI voice agent that handles telephone calls and processes speech data hits both criteria.
What the DPIA Must Cover
- Systematic description of processing: What data the AI collects (voice data, caller ID, content of conversation), how it processes the data (speech-to-text, intent classification, response generation), and what happens to the data afterward (storage, retention, deletion).
- Necessity and proportionality: Why the processing is necessary for the stated purpose and why less intrusive alternatives are not sufficient.
- Risk assessment: Risks to callers including unauthorized access to recordings, data breaches, inaccurate transcription, and misclassification by AI models.
- Mitigation measures: Technical and organizational measures to address identified risks - encryption, access controls, retention limits, consent mechanisms, and human oversight provisions.
The DPIA must be completed before deploying the AI voice agent, not after. It must be documented and available for inspection by the relevant supervisory authority. If the DPIA identifies high residual risks that cannot be mitigated, you must consult the supervisory authority before proceeding (GDPR Article 36 prior consultation).
Data Residency and Processing Locations
Data residency is not a nice-to-have for the DACH market - it is a compliance requirement in practice. The Austrian DSB's decision on Google Analytics, the BfDI's guidance on cloud services, and multiple state authority enforcement actions have established that transferring personal data to the United States carries significant legal risk.
For AI voice agents, data residency means:
- Voice data processing: Speech-to-text conversion must happen within EU/EEA data centers. Sending audio to US-based speech recognition APIs (even temporarily) creates a data transfer that requires a valid transfer mechanism under GDPR Chapter V.
- LLM processing: If the AI uses a large language model to generate responses, the model must be hosted within the EU/EEA. Sending conversation content to US-based LLMs constitutes a data transfer.
- Storage: Call recordings, transcripts, and metadata must be stored in EU/EEA data centers.
- Sub-processors: Every sub-processor in the chain must process data within the EU/EEA. This includes telephony providers, speech-to-text services, and cloud infrastructure providers.
EU Data Residency at AInora
AInora processes all voice data, transcripts, and AI inference within the EU. No voice data, conversation content, or caller information is transferred to the United States or any other non-EU/EEA country. This eliminates the Schrems II compliance risk that has been the focus of both BfDI and DSB enforcement.
Employee Data Under BDSG Section 26
BDSG Section 26 is Germany's dedicated provision for processing employee personal data. It applies when the AI voice agent interacts with employees in any capacity.
Common scenarios where BDSG Section 26 applies to AI voice agents:
- Call transfers: When the AI transfers a call to an employee, it processes the employee's name, extension number, and availability status.
- Performance data: If the AI logs which employees receive the most transfers, handle calls fastest, or are most frequently unavailable, this creates employee performance data subject to BDSG Section 26.
- Recording employee conversations: If a call is transferred from the AI to an employee and recording continues, the employee's side of the conversation is captured. This requires separate analysis under BDSG Section 26.
- Training data: Using recorded employee conversations to train or improve the AI system requires a lawful basis under BDSG Section 26, not just general GDPR provisions.
Works council (Betriebsrat) involvement may also be required under the Works Constitution Act (Betriebsverfassungsgesetz). The introduction of AI systems that monitor employee behavior or performance triggers the works council's co-determination right under Section 87(1) No. 6 BetrVG. This means the works council must be consulted before deployment, and in some cases, the works council has the right to block deployment until agreement is reached.
EU AI Act Transparency Obligations
The EU AI Act applies in both Germany and Austria and creates additional transparency obligations for AI voice agents beyond what GDPR requires. Article 50 requires that AI systems designed to interact with natural persons must inform the person that they are interacting with an AI system. This applies to every call, without exception.
The disclosure must be:
- Clear and intelligible: The caller must understand that they are speaking with an AI, not a human.
- Timely: The disclosure must come at the beginning of the interaction, before the substantive conversation starts.
- In the appropriate language: For German-speaking callers, in German. For English-speaking callers, in English.
Germany and Austria are both expected to implement the AI Act with national provisions that may go beyond the minimum requirements. Watch for implementing legislation (expected by 2026-2027) that may create additional obligations specific to voice AI systems.
For businesses that also handle outbound calls, see our country-by-country compliance guide for AI cold calling in Europe.
DSGVO Compliance Implementation Checklist
Use this checklist when deploying an AI voice agent for German or Austrian businesses.
Complete a DPIA before deployment
Document the processing, assess risks, and implement mitigation measures. Have the DPIA reviewed by your Datenschutzbeauftragter. If high residual risks remain, consult the BfDI or relevant state authority under GDPR Article 36.
Verify EU data residency for all processing
Confirm that speech-to-text, LLM inference, storage, and all sub-processors operate exclusively within the EU/EEA. Document the data flow chain and verify each link.
Implement recording consent per StGB 201/120
Build consent into the call flow: disclose AI nature, request recording consent, handle refusal gracefully, support mid-call withdrawal, and log all consent decisions with timestamps.
Appoint a Datenschutzbeauftragter if required
If your business has 20+ employees engaged in automated data processing (BDSG Section 38), appoint a DPO. The DPO must review the AI voice agent deployment.
Update the Verzeichnis von Verarbeitungstätigkeiten
Add the AI voice agent to your records of processing activities (GDPR Article 30). Document data categories, purposes, retention periods, and sub-processors.
Establish retention and deletion schedules
Define how long call recordings, transcripts, and metadata are retained. Implement automated deletion. Document the lawful basis for each retention period.
Address BDSG Section 26 for employee data
If the AI interacts with employees, analyze the processing under BDSG Section 26. Consult the Betriebsrat if required under BetrVG Section 87(1) No. 6.
Prepare for data subject requests
Build the technical capability to respond to access requests (provide recordings/transcripts), deletion requests (remove specific caller data), and objection requests (stop processing for specific callers).
Execute a Data Processing Agreement
Sign a DPA with your AI voice agent provider that covers GDPR Article 28 requirements: data location, security measures, sub-processor chain, breach notification, and deletion obligations.
Document and review regularly
Maintain compliance documentation. Review the DPIA annually or when processing changes significantly. Monitor BfDI and state authority guidance for updates affecting AI voice systems.
Frequently Asked Questions
The DSGVO (Datenschutz-Grundverordnung) is the German-language version of the EU General Data Protection Regulation. The regulation itself is identical, but Germany has added national provisions through the BDSG (Bundesdatenschutzgesetz) that create stricter requirements in areas like employee data protection, DPO appointment thresholds, and special category data processing. Austria has done the same through the DSG.
Yes, but only with explicit consent from all parties. Under StGB Section 201, recording a conversation without consent is a criminal offense punishable by up to three years imprisonment. The AI must inform the caller about recording, obtain consent, and offer to continue without recording if consent is refused. There is no business exception to this requirement.
Almost certainly yes. The BfDI's list of processing operations requiring a DPIA includes large-scale telecommunications data processing and AI systems processing personal data. An AI voice agent handling telephone calls triggers both criteria. Complete the DPIA before deployment, not after.
The BfDI is the federal data protection commissioner with jurisdiction over federal bodies and telecom providers. Each of Germany's 16 Bundesländer has a separate state authority with jurisdiction over private businesses in that state. A business in Bavaria is supervised by the BayLDA, while a business in Hamburg is supervised by the HmbBfDI. Some businesses operating across states may be subject to multiple authorities.
In some areas, yes. Austria elevates data protection to a constitutional right and has stricter rules on automated calling systems under UWG Section 107. The Austrian DSB was the first EU authority to rule against US data transfers post-Schrems II. For inbound AI receptionists, both countries are similarly strict. For outbound AI calling, Austria is materially more restrictive.
This carries significant legal risk. Both the BfDI and Austrian DSB have taken strong positions against transatlantic data transfers post-Schrems II. Sending German voice data to US-based speech recognition services constitutes a personal data transfer that requires a valid Chapter V transfer mechanism. The safest approach is EU-hosted speech-to-text processing.
Yes, if the AI interacts with employees in any way - call transfers, recording employee conversations, logging employee availability, or generating performance data. BDSG Section 26 creates dedicated provisions for employee data that go beyond standard GDPR. Works council co-determination rights under BetrVG may also apply.
The AI should use clear, simple German. Example: "Guten Tag, Sie sprechen mit dem KI-Assistenten von [Firmenname]. Dieses Gespräch kann aufgezeichnet werden. Sind Sie damit einverstanden?" The consent must be a genuine choice, not implied by continuing the call. If the caller says no, the conversation continues without recording.
The EU AI Act Article 50 requires AI systems to disclose their AI nature to users. This is separate from and additional to DSGVO requirements. Even if you have a lawful basis for processing under GDPR, you must still disclose that the caller is speaking with an AI. Both Germany and Austria may implement additional national provisions when transposing the AI Act.
GDPR fines up to EUR 20 million or 4% of global turnover apply. Additionally, StGB Section 201 (Germany) carries up to three years imprisonment for recording without consent. StGB Section 120 (Austria) carries up to one year. The Austrian DSB can also impose criminal penalties under DSG Section 11. State authorities in Germany can issue enforcement notices, audits, and processing bans.
Founder & CEO, AInora
Building AI digital administrators that replace front-desk overhead for service businesses across Europe. Previously built voice AI systems for dental clinics, hotels, and restaurants.