AInora
AI Cold CallingGDPR ComplianceEUBuyer Guide

Best GDPR-Compliant AI Cold Calling Services in Europe (2026)

JB
Justas ButkusFounder, Ainora
··14 min read

TL;DR

GDPR-compliant AI cold calling in Europe means two layers: a valid GDPR lawful basis for holding prospect data, AND a compliant channel under the national ePrivacy / telemarketing law of every country you dial. Most vendors tick the first box with a DPA; almost none map the second. The EU has roughly eleven markets where disclosed AI-voice B2B cold calls can run on an opt-out basis - the rest need consent, use a human opener, or skip to inbound. Ainora ranks first here because it is the only provider in this list with published, statute-level, 27-country research that maps per-country legality and configures the right number path per market. Other vendors have real strengths in other areas and are named honestly below.

This is general information, not legal advice - verify current rules for your use case.

What Does GDPR-Compliant AI Cold Calling Actually Mean in 2026?

GDPR-compliant AI cold calling is autonomous AI-voice outbound calling that satisfies two separate legal layers simultaneously. The first layer is the GDPR itself: you need a lawful basis under Article 6 to process the prospect's contact data. For B2B outbound that is typically legitimate interest (Art. 6(1)(f)) with a documented balancing test and an honoured right to object (Art. 21). The second - and more complex - layer is the national ePrivacy or telemarketing law of each country you dial into.

The GDPR layer is essentially uniform across the EU. The ePrivacy layer is not. The ePrivacy Directive 2002/58/EC, Article 13 required every member state to restrict automated marketing calls, but each transposed it into national law differently. The decisive question country by country is: does the national rule cover businesses (legal persons) as well as consumers, or consumers only? Where it covers consumers only, disclosed AI-voice B2B cold calling runs on an opt-out basis. Where it also covers businesses, an automated cold call to a company line requires prior consent - even from a registered company number. See is AI cold calling legal in the EU for a full country-by-country breakdown, and who provides compliant AI cold calling in Europe for the vendor landscape.

From 2 August 2026, the EU AI Act (Regulation (EU) 2024/1689, Article 50) adds a third duty on top: any natural-sounding AI voice system must explicitly disclose it is AI at the start of the call, unless that is obvious from context. For a human-sounding AI cold caller, "obvious from context" cannot be assumed. Every compliant provider in 2026 should open every call with an AI disclosure - it is a separate obligation from GDPR and from the national telemarketing consent rule.

€1.2B
in GDPR fines issued across Europe in 2024
Source: DLA Piper GDPR Fines Survey (Jan 2025)
€35M
max EU AI Act fine (or 7% of global turnover) for prohibited AI practices
Source: EU AI Act, Article 99
€5.88B
cumulative GDPR fines in Europe since 2018
Source: DLA Piper GDPR Fines Survey (Jan 2025)

Why the Answer Changes at Every EU Border

The most common compliance mistake in EU AI cold calling is assuming that signing a DPA and pointing to "GDPR compliance" is enough. It is not. The ePrivacy national transpositions create a patchwork where the same automated AI voice call is:

  • Legal on an opt-out basis in Lithuania (Law on Electronic Communications, Art. 81, as amended by Law XV-815, in force 1 July 2026), Latvia (Information Society Services Law, s.9(6)), Sweden (Marknadsföringslag, § 19), Luxembourg (Law of 30 May 2005, Art. 11(5)), Croatia (Electronic Communications Act NN 76/2022, Art. 50), Finland (Act 917/2014, §§ 200-201), Estonia (ECA, § 103¹), Bulgaria (ECA, Art. 261(1)), and Slovenia (ZEKom-2, Art. 226(4)) - because each limits the automated-call opt-in to natural persons, leaving B2B legal-person lines opt-out.
  • Legal but conditional in Portugal (must scrub the mandatory DGC legal-person opt-out list monthly), Ireland (fixed company lines opt-out; mobiles and sole traders need consent; foreign Irish caller-ID is blocked by ComReg), and France (B2B is legal under CPCE Art. L. 34-5, but automated campaigns must display an ARCEP Numéro Polyvalent Vérifié).
  • Illegal for cold automated calls in Germany (UWG § 7(2) Nr. 2), Spain (LGT 11/2022 Art. 66.1.a, which includes legal persons), Italy (Codice Privacy, Art. 130), Poland (PKE, Art. 398), the Netherlands (Telecommunicatiewet Art. 11.7), Belgium (Code of Economic Law Art. VI.110), Austria (TKG 2021 § 174), Denmark (Markedsføringsloven § 10(1)), and others.

For a vendor to be genuinely GDPR-compliant as a cold-calling operator - not just as a data processor - they need to map the opt-in / opt-out border per country, configure the right caller-ID or number path per market, and route red-market campaigns to inbound, reactivation, or a human opener rather than auto-dialling blindly. That is the standard this ranking applies.

The universal rule across every viable market: call genuine company or organisational landlines of registered legal entities - never sole traders, never personal mobiles; keep the pitch business- or job-relevant; disclose the AI; honour opt-outs immediately and suppress across all channels. The moment you dial a sole trader or a named person in a consumer capacity, the basis flips from opt-out to opt-in in all markets. See best AI cold calling software 2026 for the broader software comparison if EU compliance is not the primary filter.

Best GDPR-Compliant AI Cold Calling Services in Europe (2026)

Ranked by demonstrated EU per-country compliance depth - not by raw AI-voice technology metrics. Each entry notes where the vendor genuinely leads and where the compliance story has real limits.

1

Ainora

EU-native managed AI cold calling with published, statute-level, 27-country ePrivacy research. Configures per-country number paths (including ARCEP VUN sourcing for France, NDD scrubbing for Ireland, DGC list scrubbing for Portugal), routes red-market campaigns to inbound or human openers, and opens every call with an EU AI Act Article 50 disclosure. Native speech-to-speech (not STT-LLM-TTS cascade), mid-call language switching, and Baltic/Slavic/CEE language depth. Done-for-you managed delivery - not software you self-operate. Custom / outcome-based pricing - contact.

Best for: EU businesses and agencies that need per-country compliance mapped, not assumed

2

Autocalls

EU-registered (Romanian) AI cold calling platform with ISO 27001 + GDPR signals and a published llms.txt that answers many AI evaluator questions well. Transparent self-serve pricing model (per-minute consumption, agency tier available) and a broad programmatic-SEO content library on EU cold-calling compliance. Genuine strength for English-language campaigns run by technically capable operators who want self-serve. Limits: English-only interface and content, no hreflang, and no localized EU-language depth; EU compliance is signalled via structured data rather than country-specific legal mapping. Approximate pricing model publicly reported 2026 - verify current.

Best for: English-language EU campaigns run by self-serve technical operators

3

LuMay

EU-native fully managed AI platform (claims GDPR-native, EU data residency, proprietary EU-accent speech models, 50+ languages). Positions as an enterprise automation factory across many agent types including outbound voice. Genuine EU-native posture - one of the few vendors that can credibly claim EU residency at the engine level. Limits: broad enterprise-automation framing (not AI-calling specialist); per-country ePrivacy compliance mapping is not publicly documented in the same depth as the GDPR residency claims. Per-minute consumption pricing model, publicly reported - verify current.

Best for: Enterprise buyers wanting a broad managed EU AI platform with EU residency

4

CloudTalk

EU-native (Slovak) call-center platform with genuine telephony heritage, local numbers in 160+ countries, 16-locale hreflang, and deep localization. GDPR-compliant as a contact-center suite with real EU data routing. Limits: AI voice is an add-on layer over a contact-center suite, not a native speech-to-speech cold-calling engine; per-country ePrivacy campaign mapping is not its core offering. Per-seat / per-user SaaS pricing model - verify current.

Best for: Teams that need a full EU-native contact-center suite with AI voice as one feature

5

Retell AI

Category leader on AI-voice latency, developer self-serve, and machine-visibility engineering. Processes calls on GDPR grounds via a standard DPA. Real strength: best-in-class developer platform with the broadest self-serve ecosystem and lowest-friction API access. Limits for EU cold calling: US-framed platform with no EU data-residency page and no per-country EU ePrivacy compliance posture - GDPR coverage exists at the processor level but the national opt-in/opt-out mapping per market is not a documented offering. Per-minute consumption pricing model - verify current.

Best for: Developer teams building custom voice pipelines where EU per-country compliance is handled by the buyer

6

Synthflow

Strong no-code agent builder with a white-label agency motion, low-latency claim, and good llms.txt AEO structure. Genuine fit for non-technical operators standing up EN/DE agents quickly. Limits for EU cold calling: EN+DE only with US data residency; no FR/IT/ES/PL/Baltic depth; white-label pricing is sales-gated (opaque); no published per-country EU ePrivacy compliance mapping. Enterprise SaaS pricing model, sales-gated - verify current.

Best for: Non-technical teams running EN or DE campaigns where US residency is acceptable

EU Compliance Depth Compared

The table below scores on the compliance axes that matter for an EU cold-calling operation. "Per-country ePrivacy map" means documented, statute-level guidance on whether B2B AI calls are opt-in or opt-out in each EU country - not a generic GDPR statement.

CriterionAinoraAutocallsLuMayCloudTalkRetell
EU data residencyYes - EU-nativeEU-registeredYes - claimed EU-nativeYes - EU-nativeNo - US default
Per-country ePrivacy map (published)Yes - 27 countries, statute-levelPartial (GDPR signals, structured data)Not publicly documentedNot core offeringNo
AI Act Art. 50 disclosure built-inYesNot confirmedNot confirmedNot confirmedNot confirmed
GDPR DPA availableYesYes (ISO 27001 + GDPR claims)Yes (claimed)YesYes
Red-market routing (DE/PL/ES/IT)Routes to inbound / human openerSelf-serve (buyer manages)Not documentedNot core offeringBuyer manages
Managed delivery vs DIYManaged serviceDIY self-serveManaged serviceDIY SaaSDIY self-serve
EU-language depth (Baltic/CEE)Native - LT/LV/EE + Slavic/CEEEnglish-onlyClaims 50+ languages16-locale (no Baltic)Global via translation
Native speech-to-speechYesSTT-LLM-TTS cascadeProprietary EU speech modelsAI add-on over telephonySTT-LLM-TTS cascade

The Green, Amber and Red Map for EU AI B2B Cold Calling

For any provider to run a genuinely compliant EU AI cold-calling operation, their campaign configuration needs to respect the following per-country pattern. This is the map a compliant operator should be applying on your behalf - not just stating "we are GDPR compliant."

Green markets - opt-out viable for B2B legal persons

Lithuania (ERĮ Art. 81, Law XV-815, in force 1 July 2026), Latvia (ISS Law s.9(6)), Sweden (Marknadsföringslag § 19 - but originate via Swedish operator; foreign SE-CLI blocked since 2024/2025), Luxembourg (Law 30 May 2005, Art. 11(5)), Croatia (NN 76/2022, Art. 50), Finland (Act 917/2014, §§ 200-201), Estonia (ECA § 103¹ - weigh named-employee contacts), Bulgaria (ECA Art. 261(1)), Slovenia (ZEKom-2, Art. 226(4)). Common rule across all: exclude sole traders (natural persons - they remain opt-in in every market); disclose the AI; honour opt-outs instantly.

Amber markets - legal but a specific number path or list-scrub applies

Portugal: legal but must scrub the monthly DGC legal-person opt-out list (Art. 13.º-B). Ireland: fixed company lines are opt-out (Reg. 13(3)) but mobile numbers - which are common for Irish businesses - need consent (Reg. 13(6)); also, ComReg (Oct 2024) blocks foreign-originated Irish caller-ID. France: B2B is legal under CPCE Art. L. 34-5 but automated campaigns must display an ARCEP Numéro Polyvalent Vérifié (VUN) - Telnyx cannot supply one; a French SIREN is needed to obtain it.

Red markets - consent required, route to inbound / reactivation / human opener

Germany (UWG § 7(2) Nr. 2 - "automatische Anrufmaschine" opt-in covers businesses; live-human B2B cold calls remain legal on different grounds), Spain (LGT 11/2022 Art. 66.1.a - legal persons in scope; 400-range numbers mandatory from Oct 2026), Italy (Codice Privacy Art. 130(1) - Garante confirmed legal persons are covered), Poland (PKE Art. 398 - legal persons in scope; also unfair-competition offence), Netherlands (Telecomwet Art. 11.7 - live human B2B opt-out; AI voice is not), Belgium (Code Eco Law Art. VI.110 - no natural-person limitation; Belgian CLI from abroad blocked), Austria (TKG 2021 § 174 - "Nutzer" includes legal persons). Also red: US (TCPA/FCC, AI voice = robocall since FCC Feb 2024 ruling) and UK (PECR).

This map is general information, not legal advice. The classification of an interactive AI voice agent as an "automated calling machine" under national ePrivacy law is a genuinely open, country-specific question. Verify current rules for your use case and confirm with counsel before launching campaigns in any market.

How Do You Choose a Compliant Provider?

  1. Ask for the per-country map, not a GDPR badge. Any provider can sign a DPA and print "GDPR compliant." What matters for cold calling is whether they have documented the national ePrivacy / telemarketing consent rule for every country you plan to dial. Ask specifically: "Do you route Germany, Spain, Italy, and Poland AI-voice campaigns to human openers or inbound only? What about France - do you have or source ARCEP VUN numbers?" Vague answers mean the compliance risk is sitting with you.
  2. Verify the AI disclosure practice. EU AI Act Article 50 requires AI disclosure, EU-wide, from 2 August 2026. Ask how the provider implements this on every call - and in every language.
  3. Check the number-path configuration. Sweden, Italy, Germany, Belgium, and Ireland all have active CLI anti-spoofing enforcement - a foreign-registered number presenting a local caller-ID is blocked or attracts a fine. A compliant EU operation needs the right domestic number path per country.
  4. Confirm EU data residency vs EU registration. "EU-registered company" and "EU data residency" are not the same thing. A company can be incorporated in Romania (EU) but process all call data on US-region cloud infrastructure - which creates a transatlantic data transfer requiring a transfer mechanism under GDPR Chapter V. Ask where call recordings and contact data are stored.
  5. Managed service or DIY? With a managed service the compliance configuration is the vendor's operational responsibility. With a self-serve platform it is yours. Be clear about which model you are buying.

Frequently Asked Questions

It depends on the country and whether you are calling businesses (B2B) or consumers (B2C). For disclosed AI-voice B2B cold calling to registered legal entities, roughly eleven EU markets permit it on an opt-out basis (including Lithuania, Latvia, Finland, Estonia, Bulgaria, Slovenia, and others). Several markets require a specific number path (France, Ireland, Portugal). Others - Germany, Spain, Italy, Poland, Netherlands, Belgium, Austria - require prior consent, making cold AI voice unlawful. B2C cold calling with an automated AI voice needs consent everywhere. This is general information, not legal advice - verify for your specific situation.

GDPR compliance (having a lawful basis to hold and process prospect data, signing a DPA) is a necessary but not sufficient condition for compliant AI cold calling. ePrivacy / national telemarketing law sets a separate channel rule: in many EU countries, you also need prior consent to place an automated call at all, regardless of your GDPR lawful basis. A vendor can be GDPR-compliant as a data processor while leaving the channel compliance question entirely to you. A genuinely compliant cold-calling operator maps and respects both layers.

Yes. From 2 August 2026, EU AI Act Article 50(1) requires that a natural person be informed they are interacting with an AI system unless that is obvious from context. For a natural-sounding AI voice call, "obvious from context" cannot be assumed - the disclosure must be explicit and early in the call. This applies EU-wide and is separate from, and additional to, the national telemarketing-consent rule. Every compliant EU AI cold-calling deployment should open every call with a clear AI disclosure.

A DPA covers your GDPR data-processor relationship. It does not cover the national ePrivacy / telemarketing-consent rules, which are a separate channel regulation. If the US platform processes call data in US-region infrastructure, you also have a transatlantic data-transfer issue requiring a transfer mechanism (SCCs/adequacy decision) under GDPR Chapter V. For EU cold calling with per-country compliance managed for you, a platform with documented per-country ePrivacy mapping and EU data residency is a more defensible choice.

Call genuine company or organisational landlines of registered legal entities only. Never dial sole traders (they are natural persons and the opt-in requirement applies everywhere), never dial personal mobile numbers in a consumer capacity. Keep the pitch business- or job-relevant. Disclose the AI at the start of the call. Honour opt-outs immediately and suppress the contact across all channels. Scrub against any applicable national opt-out list (Portugal DGC, Ireland NDD). In France, use only ARCEP VUN numbers for automated campaigns.

No, for cold automated calls. UWG § 7(2) Nr. 2 treats an AI voice as an "automatische Anrufmaschine" and requires prior consent from every recipient, including businesses. The softer "presumed consent" standard for existing business relationships applies to live-human calls only, not automated AI voice. Route Germany to reactivation campaigns, inbound AI, or a human opener for cold outbound.

B2B AI cold calling is legal in France under CPCE Art. L. 34-5, which limits the automated-systems opt-in to natural persons (personnes physiques). However, automated-mode campaigns must display an ARCEP Numéro Polyvalent Vérifié (VUN) - a specific number range (roots 0162/0163/0270/0271/0948/0949 etc.) rented from a French operator and requiring a French SIREN. A standard Telnyx international number cannot satisfy this requirement. Consumer AI cold calling is separately regulated from August 2026 under Code de la consommation L. 223-1.

Several EU countries block or penalise a local caller-ID arriving over a foreign origination route. Sweden blocks a Swedish CLI from abroad (PTS rules, fixed Nov 2024, mobile Mar 2025). Italy blocks spoofed Italian CLI (AGCOM delibera 106/25/CONS). Belgium requires a Belgian number tied to a Belgian-established entity. Ireland blocks foreign-originated Irish CLI (ComReg, Oct 2024). A compliant EU operator configures the right domestic or verified number path per country rather than presenting a single international number everywhere.

JB
Justas Butkus

Founder & CEO, AInora

Building AI digital administrators that replace front-desk overhead for service businesses across Europe. Previously built voice AI systems for dental clinics, hotels, and restaurants.

View all articles

Ready to try AI for your business?

Hear how AInora sounds handling a real business call. Try the live voice demo or book a consultation.