GDPR + AI

How to run a chatbot without breaking GDPR.

AI chatbots process personal data by definition: names, email addresses, order numbers, sometimes health or financial information. Under GDPR, that makes your chatbot a data processing activity. Most vendors say they're 'GDPR compliant' but process data in the US and can't tell you where their sub-processors are. Here's what actually matters.

€20M: Maximum GDPR fine per incident
72h: Breach notification deadline
2,000+: GDPR fines issued since 2018
EU: Where Keloa hosts all data
TL;DR

A GDPR-compliant chatbot needs EU data residency, a Data Processing Agreement, explicit consent collection, data minimization, and a clear sub-processor list. If your vendor can't produce these in writing, they're not compliant.

  • EU data residency means the data physically stays in Europe. SCCs alone don't eliminate transfer risk.
  • Every chatbot vendor is a data processor. You need a DPA that specifies processing purposes, retention, and sub-processors.
  • Consent banners for the chatbot widget are often legally required, especially if the bot starts the conversation.
  • Data minimization: the chatbot should only collect information needed to answer the question. No hidden profiling.

What GDPR requires from chatbots

GDPR applies to any automated processing of personal data of EU residents. When a customer types their name, email, or order number into your chatbot, that's personal data. The chatbot vendor becomes your data processor, and you need a lawful basis for processing (typically legitimate interest or consent), a Data Processing Agreement, and transparency about how the data is used.

EU data residency vs Standard Contractual Clauses

Many US-based chatbot vendors claim GDPR compliance through Standard Contractual Clauses (SCCs). While SCCs are a legal mechanism for cross-border transfers, they don't eliminate the risk. The Schrems II ruling established that SCCs alone may not provide adequate protection when US surveillance laws apply. EU data residency — where the data physically stays in Europe — is the cleaner path. Keloa hosts all data in Amsterdam, with no cross-border transfer.

The DPA checklist

Your chatbot vendor's Data Processing Agreement should specify:

  • what data is processed
  • for what purpose
  • where it's stored
  • how long it's retained
  • who the sub-processors are
  • how breach notification works
  • what happens to data when you cancel

If the vendor can't produce a DPA or it's vague on sub-processors, that's a red flag. Keloa provides a DPA, transparent sub-processor list, and data export on request.

Consent and the chatbot widget

If your chatbot uses cookies or local storage to track conversations across sessions, you likely need consent under the ePrivacy Directive. If the chatbot proactively starts conversations (pop-ups), some data protection authorities argue this requires explicit opt-in. Best practice: let the user initiate, minimize tracking, and integrate with your cookie consent tool.
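The three best practices above (user-initiated only, no persistent tracking without consent, hooked into the consent tool) can be enforced in the widget's own state logic. The following is an added example, not Keloa's code or any real widget's: a small controller whose `setConsent` method is meant to be called by your cookie consent tool. Until consent is "granted" the session id lives only in memory, so reloading the page cannot link two visits; on "denied" anything previously persisted is removed. The `storage` argument is assumed to have the `getItem`/`setItem`/`removeItem` shape of `localStorage`; `STORAGE_KEY` and the `MemoryStorage` stand-in are constructed for the example so it runs outside a browser.

```javascript
// Added example (not Keloa's code): consent-gated chat widget state.
// Assumed key name under which a consented session id is persisted.
const STORAGE_KEY = 'chat.session';

// Stand-in for window.localStorage so the example runs without a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  get length() { return this.map.size; }
}

// Default id generator: Web Crypto randomUUID (browsers, Node 19+).
// A caller may inject its own generator, e.g. for tests.
const defaultIdGen = () => globalThis.crypto.randomUUID();

class ChatWidgetController {
  constructor(storage, idGen = defaultIdGen) {
    this.storage = storage;
    this.idGen = idGen;
    this.consent = 'unknown';   // 'unknown' | 'granted' | 'denied'
    this.open = false;
    this.ephemeralId = null;    // in-memory only; gone when the page unloads
  }

  // Callback wired to the cookie consent tool. Persist a session id only once
  // consent is granted; on denial, wipe anything that was persisted earlier.
  setConsent(state) {
    this.consent = state;
    if (state === 'granted') {
      if (this.storage.getItem(STORAGE_KEY) === null) {
        // Carry the current in-memory id over so the open conversation continues.
        this.storage.setItem(STORAGE_KEY, this.ephemeralId || this.idGen());
      }
    } else if (state === 'denied') {
      this.storage.removeItem(STORAGE_KEY);
    }
  }

  // The widget never pops open on its own; only a user action opens it.
  shouldAutoOpen() { return false; }
  userClickedLauncher() { this.open = true; return this.open; }

  // Id attached to outgoing messages. Without granted consent it is never
  // written to storage, so there is no cross-session tracking.
  sessionId() {
    if (this.consent === 'granted') {
      let id = this.storage.getItem(STORAGE_KEY);
      if (id === null) {
        id = this.idGen();
        this.storage.setItem(STORAGE_KEY, id);
      }
      return id;
    }
    if (this.ephemeralId === null) this.ephemeralId = this.idGen();
    return this.ephemeralId;
  }
}
```

Wire `setConsent` to the consent tool's change event and call `userClickedLauncher` from the launcher button; nothing else in the page should open the widget or touch `STORAGE_KEY`.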

What to ask your chatbot vendor

Before signing, ask:

  • Where is data stored? (Country, not just 'cloud'.)
  • Who are your sub-processors?
  • Can I get a DPA?
  • How long is data retained?
  • What happens to my data if I cancel?
  • Do you use customer data to train your AI models?
  • Can I export all data?

A vendor that answers all of these clearly is worth your time.

FAQ


Is an AI chatbot GDPR compliant by default?

No. GDPR compliance depends on how the chatbot handles data: where it's stored, how it's processed, what consent mechanisms are in place, and whether you have a DPA with the vendor. The technology itself is neutral; the implementation determines compliance.

Do I need consent before someone uses my chatbot?

It depends. If the chatbot only processes data for the purpose of answering the user's question (legitimate interest), you may not need explicit consent for the conversation itself. But if you use cookies to track the user across sessions or share data with third parties, consent is typically required.

Can I use a US-based chatbot and still be GDPR compliant?

Technically, yes, with Standard Contractual Clauses and supplementary measures. Practically, the Schrems II ruling makes this legally risky. The simplest path to compliance is using a chatbot that hosts all data in the EU. That eliminates cross-border transfer concerns entirely.

What's the penalty for running a non-compliant chatbot?

GDPR fines can reach up to €20 million or 4% of annual global revenue, whichever is higher. In practice, most chatbot-related enforcement has been in the €50,000 to €500,000 range, typically for insufficient consent or unauthorized data transfers. The reputational cost can be higher than the fine.

Is Keloa GDPR compliant?

Yes. Keloa is an EU company, hosted in Amsterdam, with EU-only data processing. We provide a DPA, a transparent sub-processor list, and data export on request. No data leaves the EU. No customer data is used for AI model training.
