GDPR and AI Outbound Calling: Guide for European Sales

Nobody wants a €20 million fine. But a lot of European sales teams are running AI outbound campaigns without knowing exactly where the legal line sits.

GDPR AI cold calling isn't banned. It's regulated. The law makes you prove you have a legitimate reason to call, document that reason, and respect opt-outs when they come. That's a different framework from US TCPA compliance rules, and it surprises a lot of teams that run AI cold calling campaigns and then expand into Europe.

This guide covers what the law actually says, where B2B and B2C diverge, what AI dialers need to do differently, and how country-by-country rules are shifting through 2025-2026.

1. Can You Still Cold Call Under GDPR?

Short answer: yes, for B2B. Usually no for consumers, except in a few narrow situations.

GDPR doesn't ban outbound sales calls. It regulates how you use personal data to make them. For B2B, Article 6(1)(f), legitimate interest, is typically your legal basis. For consumer calls, you generally need explicit prior consent, which is hard to collect at scale.

The distinction matters because enforcement risk is very different. A German logistics company calling procurement directors at manufacturing firms can argue legitimate interest. A SaaS startup cold calling individual consumers without consent is exposed. Article 83 allows penalties up to €20 million or 4% of global annual turnover. Those aren't theoretical numbers. France's CNIL fined Google €150 million and Amazon €35 million for cookie consent violations in 2022 alone.

One nuance that surprises teams: business email addresses and direct phone numbers of employees are personal data under GDPR. Even in a pure B2B context, you're processing personal data every time you dial someone. The rules apply fully.

2. The Legitimate Interest Test: How It Actually Works

Legitimate interest is a three-part test, not a rubber stamp. You can't write "we have a business reason" in your privacy policy and call it done. Each part has to be worked through:

• Purpose test: Is the interest genuine? Selling B2B software to companies that would plausibly use it counts. Calling random consumer numbers from a purchased list does not.
• Necessity test: Is calling necessary to achieve that goal? If you can reach the same result without processing personal data at all, the necessity argument fails.
• Balancing test: Do your interests outweigh the contact's rights and expectations? Publicly listed business contacts who'd reasonably expect relevant outreach usually tips in your favor. Cold calling a private individual's mobile number does not.

The key word is documented. A Legitimate Interest Assessment (LIA) needs to exist on paper before you start the campaign, not after a regulator asks for it. It can be one page. It just has to exist.

If you're spending $0.35/minute on AI calls and connecting with 60% more leads than your old system, you can afford to be selective on list quality. Run your numbers with the AI calling ROI calculator and you'll see the math works even with a more conservative prospect list.

3. Country-by-Country Rules for 2025-2026

Here's where it gets complicated. GDPR sets a floor, not a ceiling. EU member states can go further, and several have. The rules below reflect where things stand going into 2026.

Germany operates under the UWG (Unfair Competition Act) and BDSG alongside GDPR. Consumer calls without prior explicit consent violate the UWG regardless of GDPR's legitimate interest framework. B2B has more flexibility, but the contact must have a plausible professional interest in what you're selling. Germany's DPA is active and the courts have issued substantial fines for telemarketing violations.

France tightened its telemarketing rules as of January 1, 2026. Consumer calls now require prior consent. All callers must check the Bloctel opt-out registry before dialing. B2B is still possible under legitimate interest, but France's CNIL is one of Europe's most active regulators and has issued major fines for telemarketing violations.

Spain banned commercial calls from mobile numbers starting mid-2025. Consumer calls must use landlines only. Consent records must be renewed every two years. B2B exceptions exist but they're narrower than in Germany.

UK operates under UK GDPR post-Brexit but adds PECR (Privacy and Electronic Communications Regulations), which is stricter than GDPR on telemarketing specifically. PECR applies to automated dialing systems and recorded messages, requiring prior consent in most consumer cases.

The safest approach across all markets: build consent records and suppression lists into your AI calling platform before you launch any European campaign. TopCalls' secure infrastructure includes GDPR-ready consent tracking, complete audit logs, and data processing agreements (DPAs) for European deployments.

4. What GDPR Requires from AI Dialers Specifically

General GDPR rules apply to all data processing, but several articles hit AI outbound systems directly:

• Articles 12-14 (Transparency): The AI agent must identify itself as automated at the start of the call. It must state the company name and the purpose of the contact. No pretending to be human.
• Article 17 (Right to Erasure): "Remove me from your list" is a legal right, not a request. Your CRM and dialer need to sync opt-out flags in real time, not at the end of the week.
• Article 21 (Right to Object): Prospects can object to being contacted at any time. That objection has to be logged immediately and respected on all future campaigns.
• Article 22 (Automated Decision-Making): AI systems that make significant decisions about individuals need human oversight. A fully automated loop that qualifies, scores, and routes leads with no human review of the logic is risky under this article.
• Article 35 (DPIA): If you're transcribing calls at scale, profiling leads from call audio, or running high-risk automated scoring, you likely need a Data Protection Impact Assessment before you start.

The practical result: your AI dialer needs built-in consent management, real-time opt-out syncing, and automated identity disclosure on every call. In Europe, these aren't optional.

5. Call Recording and Voice Data Under GDPR

AI outbound platforms record calls by default. Under GDPR, recording is a separate data processing activity from the call itself. Your legal basis needs to cover both.

If you're using legitimate interest for the call, you can usually extend that to recording for quality assurance and compliance. But you have to disclose it. That disclosure can't be buried in your privacy policy. It belongs in the opening of every call.

Voice data from calls is personal data. Transcripts are personal data. AI analysis of sentiment or call outcomes is derived personal data. You need retention windows that match data minimization requirements (Article 5(1)(e)). Keeping call recordings indefinitely isn't consistent with GDPR, and a regulator will spot it.

TopCalls records and transcribes 100% of calls, feeding that data into real-time analytics and CRM sync. European clients configure data retention windows and include recording disclosure in their AI agent opening scripts. The platform generates complete audit logs you can hand to a regulator.

6. Where AI Cold Calling Won't Work Under GDPR

Not every use case survives GDPR scrutiny. Here's where the model breaks:

• Consumer campaigns without consent in Germany, France, or Spain: National rules make this nearly impossible unless you've built an explicit opt-in list. Legitimate interest won't save you here. These markets require consent for consumer outbound calling.
• Unverified third-party data: Buying a contact list doesn't transfer legal basis to you. If your data vendor can't prove GDPR-compliant collection, the compliance risk falls on you as the data controller.
• Special category industries: Healthcare, financial advice, political campaigns. If calls might touch Article 9 categories, like health data, financial situation, or political views, you need additional safeguards well beyond standard GDPR compliance.
• Fully automated lead scoring with no human review: Article 22 requires a path to human oversight for significant decisions. An AI that qualifies, scores, and routes leads with zero human review of the scoring logic is exposed.

7. Building a GDPR-Compliant AI Calling Stack

If you're running or planning European AI outbound campaigns, here's what needs to be in place before the first call goes out.

Document your legal basis for each campaign. A one-page Legitimate Interest Assessment per use case. 30 minutes of work upfront becomes your evidence file if a regulator ever knocks. Most companies skip this. Most enforcement actions find companies that skipped this.

Build suppression lists into the system before launch. Opt-outs from previous campaigns, national registries (France's Bloctel, Germany's Robinson List), and any prior objections need to be checked before dialing. TopCalls' smart campaigns flag contacts against suppression lists automatically. For a full breakdown of how AI dialers handle opt-out registries, see our guide on do-not-call lists for AI dialers.

Script your AI agent to disclose identity, company name, call purpose, and recording at the start of every call. These go in the opening, not buried halfway through. TopCalls' AI voice agents support custom opening scripts with variable injection so every call starts with the right disclosures.

Wire opt-out handling into your CRM integration. When an AI call ends with an opt-out request, that flag needs to sync within hours, not days. Our CRM integrations with HubSpot, Salesforce, Pipedrive, and Close support real-time webhook sync so opt-outs propagate immediately.

Run a DPIA if you're processing recordings at scale, using AI scoring, or operating in sensitive verticals. It's a forcing function that catches compliance gaps before a regulator does. If your legal counsel hasn't done one for your AI outbound system, that's worth fixing before you scale.

Running compliant AI outbound in Europe is doable. The teams doing it well are running 10x the call volume of their manual teams while staying clean. If you want help structuring a GDPR-ready campaign from scratch, talk to our team. And if you're still mapping the full legal picture, read our guide on AI cold calling legal requirements and the metrics that matter for AI calling campaigns.