AI agents, GDPR & the EU AI Act: is your data safe? (2026)

Two laws, not one

GDPR has applied across the EU since 2018 and answers the question 'what may you do with personal data'. A name, a phone number, a chat history, a booking record — all of it is personal data, whether a human or an AI agent handles it. The rules are the same: a lawful basis, minimal data, security, and the customer's right to know what happens to their data.

The EU AI Act is the new one. It entered into force in August 2024 and rolls out in stages, one requirement at a time. It answers a different question: how risky is the AI, and what must you disclose. The two laws don't replace each other — your agent has to satisfy both.

Good news: your agent almost certainly isn't 'high-risk'

The EU AI Act sorts systems by risk level. 'High-risk' covers things like AI for hiring, credit scoring or medical diagnosis, where the requirements are heavy. A normal support agent that answers questions, qualifies a request and books an appointment doesn't land there — it's a 'limited-risk' system. That changes only if the agent itself makes hiring, credit or medical decisions — then it's 'high-risk', with its own rules.

For those systems the main duty is simple: a person must understand they're talking to an AI, not a live manager. On the European Commission's current timeline, the transparency rule (Article 50 of the AI Act) starts to apply on 2 August 2026. In practice it's one honest line at the start of the chat, and you're within the law.

What GDPR asks of the agent

GDPR is older and stricter than the AI Act, and it's the part you follow every day:

• A lawful basis. You need a reason to process the data — the customer's consent, performing a contract, or your legitimate interest. For taking a booking or answering a request, that basis is usually there by default.
• Data minimisation. The agent should see only what the task needs. A booking assistant has no reason to reach your whole accounting system.
• Transparency. The customer has the right to know an AI is replying and what happens to their data — a short note in the chat and in your privacy policy covers it.
• Security and EU processing. Data travels over secure channels, access is scoped and controlled, and processing sits on EU infrastructure where possible.
• A route to a human. The customer can always ask for a live person — a good agent has the handoff built in from the start.

A legal-AI-agent checklist

Before launch, run through this list — it covers most of both GDPR and the AI Act:

• The agent introduces itself as AI in its first message.
• Data access is trimmed to the minimum for its specific tasks.
• Complex and sensitive cases are handed to a human with context.
• Data is processed and stored on EU infrastructure.
• You've signed a data processing agreement (DPA) with your AI vendor.
• Your privacy policy says what data the agent sees and why.

How Nordic Homes runs a compliant agent (real numbers)

For the real-estate agency Nordic Homes we deployed an AI agent that replies in about 30 seconds, qualifies the lead and offers a viewing slot itself. Its CRM access is scoped to the minimum: the agent only sees what it needs to reply and book, and hands tricky cases to a manager with full context.

The result: 47% more leads taken to a viewing and 60% less routine for managers, running 24/7. The point is that 'legal' and 'effective' don't fight here — the same scoped access GDPR demands also cuts the risk of an error or a leak.

What to ask a vendor before you start

If someone's building your AI agent, these questions weed out the unserious:

• Where is customer data physically processed and stored?
• What's the minimum access the agent gets, and who controls it?
• How will the customer know it's an AI, and how do they reach a human?
• Will you sign a data processing agreement (DPA)?
• What happens to the conversation data after the chat ends?