As previously mentioned, providing transparent information about the data processing that takes place via the chatbot, and ensuring that a legal basis for that processing exists, are paramount considerations.
According to Art. 13 GDPR, the data controller (e.g. the company that wants to provide a chatbot or a voice assistant to its customers, see also section 4.3) shall, at the time when personal data are obtained, provide the chatbot user with various information about the relevant data processing activity. This information includes, among others, the purposes of the processing for which the personal data are intended, the legal basis for the processing, and the recipients or categories of recipients of the personal data, if any.
In order to fulfil the information obligations according to Art. 13 GDPR, it is necessary to inform the user at the beginning of the chat or before using the digital assistant about the purpose and scope of processing.
This must be done, in accordance with Art. 12 GDPR, in a precise, transparent, comprehensible and easily accessible form in clear and straightforward language.
In the case of a chatbot, it is advisable to indicate within the chat itself, in a basic form, how personal data are processed and to provide a link to the privacy policy which contains further information.
This information must also be provided before personal data are processed, ideally before the digital assistant is installed, and must be kept available via the app or website. Informing the user about the purposes of processing is feasible as long as the chatbot’s functionalities are limited, thus making it possible to predetermine which topics the chatbot will cover. The situation is, however, different and more complex with regard to the variety of possible voice commands in the field of digital assistants.
Art. 6 GDPR provides that the processing of personal data is lawful only if, and to the extent that, one of the legal bases listed in Art. 6 GDPR applies to the given data processing activity. These legal bases include, among others, the user's consent to the processing (Art. 6(1)(a) GDPR) or, as an alternative, the necessity of processing the data in order to enter into or perform a contract or to conduct contractual negotiations (Art. 6(1)(b) GDPR; contractual necessity). Moreover, Art. 6(1)(f) GDPR establishes that a processing activity necessary for the legitimate interests pursued by a data controller (or by a third party) forms a legal basis for processing, insofar as the controller's interests are not overridden by the interests, fundamental rights or freedoms of the affected data subjects. We recommend carrying out as many data processing operations as possible on the basis of Art. 6(1)(b) GDPR, because this legal basis provides neither for the possibility of withdrawal – as in the case of consent by the user – nor for a possibility of objection.
Since many chatbots are currently still designed for a specific function (e.g. customer support) and the corresponding user input usually contains product- or service-related questions or orders from the user, it is often possible to base the data processing operation on contractual necessity according to Art. 6(1)(b) GDPR.
It also seems feasible to argue that the purpose of the data processing is aligned with the contractually agreed provision of a functional digital assistant. However, should case law or regulators decide against this approach, contractual necessity (Art. 6(1)(b) GDPR) could in many cases fail to serve as a legal basis for data processing by digital assistants. Given that the legitimate-interest basis under Art. 6(1)(f) GDPR involves, depending on the specific individual case, significant legal uncertainties, providers of digital assistants would in many instances be advised to obtain consent from the user that conforms with the requirements for legally valid consent under Art. 6(1)(a) GDPR.
Moreover, if a user discloses sensitive data to a chatbot or voice assistant and the company that offers the chatbot or voice assistant to its customers obtains consent from the users, Art. 9 GDPR requires the explicit informed consent of the user. This requires, among other things, that the user is informed by the controller, before giving consent, which specific data processing activities the consent will cover.
A mere voice command to activate a digital assistant, for example, is most likely not sufficient to constitute legally valid consent under the requirements of Art. 6(1)(a) and Art. 9 GDPR, particularly because the data controller has not provided the user with sufficient prior information about the relevant data processing activities. In practice, however, this is often done, and chatbot providers address the issue by anonymising the data.