GDPR-compliant voice agents for clinics, restaurants, hotels — built in Berlin.
Voice is biometric data under Art. 9 GDPR. Add Article 50 from August 2026 and the DSK medical-AI guidance from June 2025 and the bar gets specific. We build voice agents that pass both audits by default — EU-only data, no recordings, AVV-ready, Article 50 disclosure scripts built in.
TL;DR
- Voice = biometric data (Art. 9 GDPR). Special-category processing requires a specific lawful basis beyond consent.
- For medical practices, the DSK Positionspapier of 16 June 2025 sets explicit conditions: EU hosting, no recording, structured intake only, AVV with the practice operator.
- From 2 August 2026, every voice agent must disclose itself as AI under EU AI Act Article 50 – not just at session start, but before the first AI-generated response.
- Our delivery: Discovery sprint (€4,900) → MVP build (€18,000, single language, fully compliant) → multi-language enterprise package up to €75,000.
Who needs a compliant voice agent
Three buyer profiles where the compliance requirements are non-negotiable. First: medical practices (Arztpraxis, Klinik, Zahnarzt) — the DSK guidance is binding for processors handling patient data. Second: hospitality (restaurants, hotels) — voice intake captures booking data, allergies, preferences, all of which can include sensitive categories. Third: legal and financial advisory — confidentiality is statutory (§43a BRAO, §57 StBerG) and recorded calls violate it. Generic voice agents like Doctolib, Clinia or off-the-shelf Twilio bots typically fail at least one of these conditions; a custom-built EU-only voice agent passes them all.
What a compliant voice agent actually requires
Eight technical requirements, listed below as the corresponding failure modes. We see most off-the-shelf voice agents fail at least three of them, and each one on its own is a deal-breaker for a regulated buyer.
- Audio recordings stored, even briefly, even "just for QA". Voice = biometric, recording = special-category processing, and an AVV alone does not cover it.
- Speech-to-text endpoint outside the EU (Deepgram US, OpenAI Whisper US): third-country transfer without SCC + supplementary measures.
- Text-to-speech endpoint outside the EU (default ElevenLabs is multi-region; you must explicitly pin EU).
- No AI disclosure ("Hi, I'm Maria"): Article 50 violation as of August 2026.
- AI disclosure only at session start, not before the first AI-generated response.
- No human-handoff path: Art. 14 of the AI Act requires it for high-risk uses; for general use it is best practice.
- No DPIA / data-protection impact assessment specific to voice processing.
- No AVV (Auftragsverarbeitungsvertrag) with the medical practice / hotel / restaurant: strict liability under Art. 28.
What enforcement actually looks like
Three risk vectors. First: BfDI / LfDI investigation — fines up to €20M or 4% turnover (DSGVO) plus up to €15M or 3% turnover (AI Act). The two are cumulative. Second: patient complaints in the medical context. Datenschutz-Aufsichtsbehörden in NRW and Bayern have started auditing AI in healthcare in 2025; the DSK guidance gives them a clear template. Third: practice operator's own indemnity exposure — if your voice agent leaks patient data, the practice is the data controller, and they will pursue you for the breach. Our contracts include LSM-side indemnity for compliance defects we ship; we do not ship without that confidence.
How we run a voice-agent project
1. Discovery sprint (2 weeks, €4,900): use-case definition, regulatory class, conversation flow design, integration map. Output: signed scope + DPIA template.
2. Architecture: EU hosting (Twilio EU + Deepgram EU + ElevenLabs EU + OpenAI/Anthropic via European endpoints), no-recording pipeline, structured-only intake with field-level redaction.
3. Build (4–6 weeks for MVP): conversation logic, Article 50 disclosure scripts, audit logging, AVV templates ready for client signature, human-handoff path.
4. Compliance verification: third-party DSGVO + AI Act review. Output: signed-off readiness pack.
5. Pilot deployment: 1–2 week shadow run alongside existing reception. KPIs: capture rate, escalation rate, complaint count.
6. Go-live + retainer: full deployment with Operator-tier monitoring (€2,999/mo) covering compliance updates, quarterly reviews, and conversation-flow tuning.
Voice agents — frequently asked questions
Can I use Doctolib or Cognigy or fonio.ai instead?
Sometimes — for non-medical, non-sensitive use cases. For medical practices specifically, none of the off-the-shelf vendors currently satisfies all DSK conditions out of the box (no-recording, EU-only, structured-only, signed AVV with the practice). They might in 12 months. If you need it now, custom is the path.
Why is voice biometric? It is just a phone call.
Art. 9(1) GDPR + Recital 51 + EDPB Guidelines 4/2018: voiceprints are "biometric data" if used or capable of being used for unique identification of a natural person. Any voice signal that is recorded or analyzed for speaker identification triggers Art. 9. Whether purely transient processing for speech-to-text, with no recording, also falls under Art. 9 is debated; we err on the side of treating it as Art. 9 and process under explicit consent plus the necessary-for-medical-care basis.
Do I need to record calls for QA?
No. Structured intake replaces it. Every field captured by the agent is logged as text (name, appointment type, urgency, callback number); voice is processed in flight and discarded. QA review is over the structured logs, not the audio.
What about emergencies: what if someone is calling 112?
The agent recognises emergency keywords and immediately offers to transfer to a human or to dial 112. We test this explicitly during build. Article 14 of the AI Act requires a human-oversight path; we include it by default for any agent in a medical or safety-related context.
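The requirements list above, the architecture step ("no-recording pipeline, structured-only intake with field-level redaction") and the two FAQ answers on structured intake and emergencies describe controls that can be enforced in code rather than left to policy. The following Python sketch is an added example, not the agency's code: it gates every outbound utterance so that no AI-generated text can leave before the Article 50 disclosure, keeps no audio at all (transcripts arrive as text from an upstream STT endpoint and are used in flight), writes only schema-listed fields to the intake record, masks personal fields in the QA audit trail, and hands off to a human on emergency keywords. The disclosure wording, the keyword list, the intake schema and the masking rule are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


class ComplianceError(Exception):
    """Raised when a turn would break a rule that is built into the pipeline."""


# Scripted (not AI-generated) utterances. Wording is an assumption, not the agency's script.
DISCLOSURE = "Hinweis: Sie sprechen mit einem KI-Assistenten. Ein Mensch kann jederzeit uebernehmen."
HANDOFF = "Ich verbinde Sie jetzt mit einem Mitarbeiter."

# Constructed keyword list; a real deployment would tune this with the practice.
EMERGENCY_KEYWORDS = ("notfall", "112", "bewusstlos", "atemnot", "herzinfarkt")

# Structured intake schema (assumed): the only fields that may leave the session.
INTAKE_FIELDS = ("name", "appointment_type", "urgency", "callback_number")
# Fields masked in the QA audit trail; full values go only to the practice's intake record.
MASKED_FIELDS = ("name", "callback_number")

WHITESPACE = re.compile(r"\s+")


@dataclass
class Session:
    disclosed: bool = False
    handed_off: bool = False
    intake: dict = field(default_factory=dict)   # structured record for the practice (under the AVV)
    audit: list = field(default_factory=list)    # QA trail: events and masked field values only
    # There is deliberately no audio or transcript attribute: nothing below stores either.


def mask(value: str) -> str:
    """Keep only the last two characters so QA can see that a field was captured."""
    return "*" * max(len(value) - 2, 0) + value[-2:]


def start_session() -> tuple:
    """Open a call. The very first agent utterance is the scripted disclosure."""
    s = Session()
    s.disclosed = True
    s.audit.append({"event": "disclosure", "text": DISCLOSURE})
    return s, DISCLOSURE


def agent_reply(s: Session, text: str, ai_generated: bool = True) -> str:
    """Gate every outbound utterance: AI-generated text is refused until disclosure has happened,
    and nothing is spoken once the call has been handed to a human."""
    if ai_generated and not s.disclosed:
        raise ComplianceError("AI-generated response before Article 50 disclosure")
    if s.handed_off:
        raise ComplianceError("agent must not continue after human handoff")
    s.audit.append({"event": "agent_reply", "ai_generated": ai_generated})
    return text


def is_emergency(transcript: str) -> bool:
    """Keyword match on the in-flight transcript; the transcript itself is never stored."""
    normalised = WHITESPACE.sub(" ", transcript.lower())
    return any(keyword in normalised for keyword in EMERGENCY_KEYWORDS)


def handle_caller_turn(s: Session, transcript: str, slots: dict) -> Optional[str]:
    """Consume one caller turn. `slots` is what the NLU extracted (constructed in the test);
    the raw transcript is checked for emergencies and then dropped. Returns a scripted
    utterance when the turn forces a handoff, otherwise None."""
    if is_emergency(transcript):
        s.handed_off = True
        s.audit.append({"event": "handoff", "reason": "emergency_keyword"})
        return HANDOFF
    for key, value in slots.items():
        if key not in INTAKE_FIELDS:
            continue  # anything outside the schema is discarded and never logged
        s.intake[key] = value
        s.audit.append({
            "event": "field",
            "name": key,
            "value": mask(value) if key in MASKED_FIELDS else value,
        })
    return None


if __name__ == "__main__":
    session, first = start_session()
    print(first)
    print(agent_reply(session, "Wie kann ich Ihnen helfen?"))
    # Constructed caller turn and NLU slots for a routine booking.
    handle_caller_turn(session, "Ich brauche einen Termin, Mueller, Rueckruf 030 123456",
                       {"name": "Mueller", "appointment_type": "checkup",
                        "callback_number": "030123456", "diagnosis": "not in schema"})
    print(session.intake)
    print(session.audit)
```

The two outputs of a session are kept deliberately separate: `intake` is the full structured record that goes to the practice under the AVV, while `audit` is what a QA reviewer sees and never contains a full name, a full number or any free text. The pre-disclosure gate lives in `agent_reply` rather than in the conversation design, so a flow change cannot accidentally move an LLM response ahead of the disclosure.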
How long does it take?
A 2-week discovery sprint, 4–6 weeks of build for the MVP, and a 1–2 week pilot. End-to-end that is roughly 9–11 weeks for a single-language deployment. Multi-language deployments add 3–4 weeks per additional language.
How much does it cost?
Discovery sprint: €4,900 fixed. MVP (single language, full compliance): €18,000–€28,000 depending on integration scope. Multi-language enterprise: up to €75,000. Operator-tier retainer thereafter at €2,999/mo.