AI Voice Agents in Germany: Robinson-Liste, UWG & Cold Calling Rules (2026)

If you are evaluating an AI voice agent for inbound reception, outbound qualification or appointment booking inside Germany, the question is not whether you can deploy. The question is which combination of consent, disclosure and opt-out checks keeps the deployment defensible against the Bundesnetzagentur, the relevant Landesdatenschutzbehoerde, and any competitor or consumer ready to file a UWG complaint. Germany's framework is unforgiving precisely because it stacks four pieces of legislation - UWG, TKG, BDSG and GDPR - and now the EU AI Act on top.

This guide is the field-tested counterpart to our broader European cold-calling compliance guide. Where that piece compares 9 jurisdictions, this one drills exclusively into Germany - the law text, the enforcement cases, the Robinson-Liste mechanics and the 12-step checklist we use when shipping AI voice into the German market.

Why Is Germany Different from the Rest of Europe?

Most EU member states transposed the ePrivacy Directive 2002/58/EC into a single telecommunications statute. Germany did not. It split the obligations across four overlapping statutes, each enforced by a different authority:

• UWG (Gesetz gegen den unlauteren Wettbewerb) - the Act Against Unfair Competition, enforced by civil courts and competitor associations through cease-and-desist suits.
• TKG (Telekommunikationsgesetz) - the Telecommunications Act, enforced by the Bundesnetzagentur, which handles automated calls, caller-ID rules and the EUR 300,000 administrative fine pathway.
• BDSG (Bundesdatenschutzgesetz) - the German Federal Data Protection Act, layered on top of GDPR and enforced by the 16 state DPAs plus the federal BfDI.
• GDPR + EU AI Act - the two EU regulations that apply directly without transposition.

The practical consequence is that a single AI cold call in Germany can simultaneously breach UWG (unfair competition), TKG (automated calling without consent), BDSG (unlawful processing) and the EU AI Act (failure to disclose AI nature). Each statute has its own competent authority, its own complaint pathway and its own penalty ceiling. Stacking them means a single misconfigured outbound campaign can trigger four parallel proceedings.

Two additional features make the German system distinctive. First, German competition law allows private enforcement: registered competitor associations such as the Wettbewerbszentrale and the Verbraucherzentrale Bundesverband (vzbv) can sue offending companies directly under UWG and recover injunction costs. They do this aggressively. A regulator complaint to the Bundesnetzagentur is therefore not the only - or even the most likely - enforcement pathway. Second, German civil courts can grant preliminary injunctions (einstweilige Verfuegung) within days of a complaint, which can shut down an entire dialer infrastructure before the substantive case is heard. Foreign sales teams who assume a slow regulatory process repeatedly underestimate this combination.

UWG Section 7 Explained: B2C Express, B2B Presumed Consent

The core cold-calling rule is UWG Section 7(2) No. 1. Read carefully: the wording is short but it carries the full enforcement weight.

Two consent standards live inside one sentence:

• Consumer (B2C): ausdrueckliche Einwilligung - prior express consent. The consumer must have actively and unambiguously agreed to receive marketing calls before the call is placed. Pre-ticked checkboxes, bundled consents and opt-out mechanisms do not satisfy this standard. The Bundesgerichtshof (BGH) made this explicit in the Payback judgment (BGH, judgment of 16 July 2008 - VIII ZR 348/06).
• Other market participant (B2B): mutmassliche Einwilligung - presumed or reasonable consent. The caller must be able to show that the recipient, given their role and business activity, would reasonably be expected to welcome the call. This is a documented, fact-specific test - not a blanket B2B exemption.

A second sub-clause - UWG Section 7(2) No. 2 - additionally bans automated calling machines (automatische Anrufmaschinen) without prior express consent of the recipient, regardless of B2B or B2C status. This sub-clause is exactly where AI voice agents sit if they place fully autonomous outbound calls. We return to it in the enforcement section below.

What "prior express consent" really means in German case law

German courts have been steadily tightening the express-consent standard for over a decade. The minimum bar set by the BGH in Payback and refined in subsequent cases requires four cumulative elements: the consent must be specific to telephone marketing (not bundled with general T&C acceptance), it must name the calling company, it must be actively given (no pre-ticked boxes), and it must be auditable (the company must be able to produce, on demand, the exact wording the consumer agreed to and the timestamp of agreement). Consent collected through a third-party lead generator without these four elements is routinely set aside by German civil chambers.

What "presumed consent" is not

The presumed-consent standard for B2B is not a synonym for "legitimate interest", "reasonable expectation" or "industry practice". It is a fact-specific test that requires the caller to demonstrate, on the balance of probabilities, that this specific recipient, in this specific role, at this specific company would have welcomed the call. The burden of proof is on the caller. Once a recipient complains, the caller has to produce contemporaneous documentation showing why presumed consent existed before the dial - not generic talking points constructed after the fact.

Robinson-Liste: How the German Opt-Out Registry Works

The Robinson-Liste is a voluntary opt-out registry where German consumers can list their phone numbers, postal addresses and email addresses to signal that they refuse direct marketing. It is operated by the Interessenverband Deutsches Internet e.V. (IDI) and supported by the Deutscher Dialogmarketing Verband (DDV).

Registration and structure

Consumers register free of charge. The list is segmented by channel: telephone, postal mail, email, fax, mobile and SMS. A registration takes effect within roughly four weeks and remains valid for five years before requiring renewal. Members of the DDV - which includes most large German call-centre operators - are contractually obliged to scrub their dialing lists against the Robinson-Liste before launching campaigns.

Legal status

The Robinson-Liste itself is not a statute. Listing on it does not create a freestanding cause of action. Its real weight is evidentiary: German courts have repeatedly held that a registration on the Robinson-Liste constitutes an active expression of refusal, which destroys any argument that presumed consent under UWG Section 7(2) No. 1 could have existed. In practice, calling a Robinson-listed consumer is functionally equivalent to calling without express consent - the UWG violation is established as soon as the opt-out is shown.

How scrubbing works in practice

The Robinson-Liste is not a public download. Companies access it through a paid scrubbing service: they upload a hashed version of their dialing list, and receive a list of matches that must be suppressed before dialing. The cost is trivial - a few cents per record at scale - relative to a single UWG cease-and-desist letter, which routinely reaches four to five-figure euro amounts including lawyer fees and injunction costs. DDV-member operators run the scrub continuously, not just before campaign launch, because a consumer can register at any time and the registration takes effect roughly four weeks later.

Why every AI voice campaign in Germany must scrub against it

Even though the Robinson-Liste is technically B2C-focused and voluntary, the cost-benefit calculation for AI outbound is one-sided: scrubbing is cheap, an UWG suit is not. Major German competitor associations - the Wettbewerbszentrale in particular - actively buy lists, complain on behalf of registered consumers, and recover injunction costs and lawyer fees from offenders. The Wettbewerbszentrale's annual report routinely covers hundreds of telephone-marketing complaints.

The B2B "Presumed Consent" Doctrine

The B2B exception under UWG Section 7(2) No. 1 is narrower than most foreign sales teams assume. The leading case is the BGH ruling in Telefonwerbung im Geschaeftsverkehr (BGH, judgment of 20 September 2007 - I ZR 88/05), reinforced by subsequent decisions. The court set out a four-part test that German civil chambers still apply today.

The four-part presumed-consent test

1. Concrete factual basis. The caller must be able to point to specific facts - not generic industry assumptions - showing that the recipient's business has a tangible need for the offered product or service.
2. Direct relevance to the recipient's business activity. A pitch for a CRM tool to a sales-driven SME is more defensible than a pitch for office plants to the same SME. Relevance is judged from the recipient's perspective, not the caller's convenience.
3. Business phone number, business decision-maker. The number must be a published business number, and the person reached must be in a role that would plausibly handle the offered product.
4. Documented reasoning prior to the call. The presumed-consent justification has to exist before the dial, not be reconstructed afterwards. This is the part most AI dialer setups fail.

“The Bundesnetzagentur consistently registers high numbers of complaints about unsolicited advertising calls. We will continue to take rigorous action against unlawful telephone advertising and impose substantial fines.”

What kills presumed consent for AI voice specifically

Two facts repeatedly destroy the presumed-consent defence in German AI cold-call cases:

• Mass-dialing patterns. If discovery shows the same campaign placed thousands of calls to numbers scraped from a generic directory, the "concrete factual basis" prong fails by definition.
• Failure to disclose AI nature at call open. The EU AI Act now layers in - more on this below - but German civil courts had already started treating undisclosed automated calls as an aggravating factor under UWG before the AI Act took effect.

TKG and BDSG: The Other Two Statutes That Apply

TKG (Telekommunikationsgesetz)

The TKG 2021 regulates the technical conduct of the call. The two sections most relevant to AI voice are:

• TKG Section 120 - mandatory caller-ID transmission. Spoofing or suppressing caller ID for advertising calls is a regulatory offence and is one of the easiest violations for the Bundesnetzagentur to prove from network-side records.
• TKG Section 228 - administrative-offence catalogue. Automated calls without consent fall under the EUR 50,000 fine bracket, on top of any UWG remedy. The Bundesnetzagentur frequently combines TKG and UWG findings in a single proceeding.

BDSG (Bundesdatenschutzgesetz)

BDSG 2018 is Germany's national supplement to GDPR. For AI voice deployments, the BDSG-specific obligations include:

• Mandatory Data Protection Officer - BDSG Section 38 requires a DPO when 20 or more employees regularly process personal data. Most call-centre operations cross that threshold instantly.
• Employee monitoring rules - BDSG Section 26 governs how call recordings used for staff QA can be processed. Even when the substantive caller is an AI, the supervising humans are still subject to Section 26.
• Stricter rules for special categories - any AI voice flow that touches health information (medical practices, pharmacies, insurance claims) inherits BDSG Section 22, which is materially stricter than GDPR Article 9.

Bundesnetzagentur Enforcement: Real Cases and Fines

The Bundesnetzagentur (BNetzA) publishes annual telephone-advertising enforcement reports. The pattern across the last three years is consistent: rising complaint volumes, accelerating proceedings and growing average fines.

Reported figures from BNetzA press releases

• 2023: the agency processed 63,500+ complaints about unsolicited advertising calls and imposed total fines of EUR 1.165 million across 12 proceedings (BNetzA, 19 January 2024).
• 2024: EUR 1.37 million in disclosed fines across 11 proceedings, with multiple individual cases at the EUR 300,000 statutory ceiling (BNetzA English press release).
• Specific case patterns: energy-supply contract switching, lottery-participation calls, insurance and healthcare-tariff calls. Almost every published case involved either dialer software placing fully automated calls or caller-ID suppression.

Selected published enforcement examples

BNetzA periodically publishes anonymised case summaries. Recurring patterns in 2023-2024 include:

• Energy supply switching campaigns - dialers placing tens of thousands of calls offering electricity or gas tariff changes to consumers without prior express consent. Multiple operators received fines at or near the EUR 300,000 ceiling, with the Bundesnetzagentur explicitly citing the volume of complaints as an aggravating factor.
• Insurance and tariff comparison calls - companies pitching health insurance or tariff comparisons to consumers identified through purchased lead lists. The recurring failure was the absence of any auditable consent record at the moment of the call.
• Lottery participation calls - one of the most heavily fined categories, with operators using mass-dial software and suppressed caller IDs. The BNetzA combined UWG Section 7 and TKG Section 120 findings in a single proceeding to reach the maximum cumulative fine.
• Telephone advertising for charitable donations - even the non-profit framing did not displace the express-consent requirement. Operators were fined for relying on outdated donor consent records.

Why the cases matter for AI voice

Every single published BNetzA fine in the last three years involved at least one of three elements that map directly onto AI-voice deployment patterns:

• Automated dialing without prior express consent - the exact UWG Section 7(2) No. 2 offence that an unsupervised AI outbound campaign produces by default.
• Caller-ID suppression or spoofing - the same TKG Section 120 violation that occurs when a foreign-routed AI provider fails to present a valid German return number.
• Inadequate identification of the calling company - the EU AI Act's Article 50 disclosure obligation now overlaps directly with this BNetzA enforcement focus.

Penalty Schedule: What Each Violation Actually Costs

The fine bands are spread across UWG, TKG, BDSG and GDPR. The summary below shows the maxima per single occurrence; campaign-level totals stack each per-call violation.

EU AI Act Overlap: Disclosure, Manipulation, Transparency

The EU AI Act became applicable in stages from 2 February 2025. For AI voice agents, the operative provisions are:

• Article 50(1): any AI system that interacts with natural persons must disclose its AI nature unless that fact is obvious from context. Voice calls are not an "obvious" context. Disclosure must occur at the start of the conversation.
• Article 5(1)(a): prohibits AI systems that deploy subliminal techniques to materially distort behaviour. A voice agent that deliberately impersonates a human to extract a sale falls under this prohibition.
• Article 50(4): generated audio that imitates a real person must be labelled. Cloned-voice AI agents that mimic identifiable individuals (the manager, the doctor, the dentist) must disclose the synthetic nature.

Germany's implementing legislation - currently in draft as the KI-Marktueberwachungsgesetz - designates the Bundesnetzagentur as the national AI market-surveillance authority. The same agency that fines you under UWG and TKG will also enforce the AI Act. That concentration of enforcement makes parallel proceedings highly likely if one campaign breaches multiple statutes.

The disclosure wording that actually works

The shortest German disclosure we have seen survive scrutiny is roughly: "Hier spricht ein KI-Sprachassistent von [Firma]. Dieses Gespraech kann zu Qualitaetszwecken aufgezeichnet werden - moechten Sie damit einverstanden sein?" The construction packs three obligations into a single opener: AI-nature disclosure (Article 50 AI Act), company identification (UWG and TKG), and recording-consent request (StGB Section 201). The recipient's answer determines whether recording activates and is logged against the contact record. Anything shorter tends to fail one of the three tests under audit.

GDPR Overlap: Lawful Basis, Recording, Retention

On top of the call-conduct rules, every byte of personal data the AI voice agent touches is regulated by GDPR. Three points repeatedly catch German deployments:

• Lawful basis is not consent. Most AI cold-call setups try to lean on consent under GDPR Article 6(1)(a). For B2B presumed-consent calls, the cleaner lawful basis is legitimate interest under Article 6(1)(f), backed by a documented Legitimate Interest Assessment. The German DPAs (notably the Bavarian DPA, BayLDA) have published templates that are directly usable.
• Recording requires its own basis. Even if the call itself is lawful, the recording is a separate processing activity that requires its own legal basis and its own retention schedule.
• Retention. Conference of German Independent Data Protection Authorities guidance (DSK) treats raw call recordings as restricted to documented business needs - typically 30 to 90 days for QA, with longer retention only for active complaint or legal-defence purposes.

Privacy notices and Article 13/14 obligations

Any AI voice flow must surface a GDPR Article 13 notice the first time it processes personal data. For inbound calls, this is typically a short verbal disclosure ("This call may be recorded for quality purposes; for full information visit example.com/privacy") combined with a written notice on the website. For outbound, the Article 14 obligation - notifying recipients when their data was obtained from a third party - applies if the contact list came from a lead provider. The German DPAs have repeatedly held that the verbal notice alone is insufficient when the data came from a purchased list; a follow-up written notice is required within one month or at the next contact, whichever comes first.

For end-to-end GDPR architecture covering AI voice systems, see our companion GDPR compliance guide for AI voice agents. For the recording-specific subset of issues, including the StGB Section 201 criminal layer, see the call-recording compliance guide.

B2B vs B2C Rules at a Glance

Practical Compliance Checklist for AI Voice in Germany

The checklist below is what we run through before activating any AI voice deployment for a German-based client - inbound or outbound, B2C or B2B. Treat it as the minimum baseline, not the ceiling.

1. Pick the correct consent standard. B2C requires prior express consent. B2B requires documented presumed consent under the four-part BGH test. Mark each contact in the CRM with the standard that justifies the call.
2. Scrub against the Robinson-Liste. Run every dialing list - B2C and any sole-proprietor B2B - against the Robinson-Liste before campaign launch. Re-scrub at least quarterly.
3. Maintain a centralised suppression list. When a recipient opts out (verbal, SMS, email or by hanging up after AI disclosure), suppress within 24 hours. Sync the list across every dialer and every AI agent.
4. Disclose AI nature at call open. The first ten seconds of every call must include an explicit statement that the caller is an AI assistant. Bake this into the agent prompt as a non-skippable opener.
5. Identify the calling company unambiguously. Name the legal entity, not just a brand. Provide a callable German return number that resolves to a human escalation path.
6. Configure caller ID correctly. The number transmitted must be the actual return number. No spoofing, no suppression. TKG Section 120 violations are the easiest BNetzA findings.
7. Restrict calling hours. Standard German business hours, Monday to Friday, no weekends or public holidays. Configure the dialer to respect German federal and state holiday calendars (especially the regional differences).
8. Require two-party recording consent. The AI must ask for recording consent and offer to proceed without recording. Log the decision against the contact record. StGB Section 201 makes this criminal, not just regulatory.
9. Document a Legitimate Interest Assessment for B2B. Use the BayLDA template. Cover purpose, necessity and balancing. Keep the LIA on file before the first call goes out.
10. Sign a GDPR Article 28 DPA with the AI provider. Cover EU/EEA data residency, sub-processor list, breach notification, deletion on termination. Confirm BDSG-conform processing for any health-adjacent flows.
11. Set retention schedules. Recordings 30-90 days for QA, longer only with documented legal purpose. Transcripts and call metadata aligned. Automate deletion - no manual retention is defensible at scale.
12. Audit every quarter. Spot-check call recordings for AI Act disclosure compliance, opt-out handling, recording-consent capture and caller-ID transmission. Document the audit. Fix issues in writing.

Frequently Asked Questions