Skip to main content

Securing privacy compliance for Virtual Voice Assistants


Virtual Voice Assistants (“VVA”) continue to grow in popularity as the precision of the technology improves. The European Data Protection Board (“EDPB”) recently adopted new guidelines addressing how data controllers and data processors shall manage personal data to ensure that their VVAs are compliant with the European General Data Protection Regulation (“GDPR”).

VVAs offer speech-based interactions and serve as an interface between users and their devices, e.g. smartphones. Although the use and purposes of VVAs stretch over many different areas and industries, the most commonly known example is presumably the smartphone integrated VVAs that help users to set timers, book appointments, or check the weather forecast. It is primarily for these purposes, simplifying everyday tasks, that the technology has proven to be very popular. VVAs have also shown their capacity within more complex settings, for example, health centres have started using VVA-based call bots that enable pre-diagnosis and self-assessments over the phone. Another example demonstrating the potential of VVAs is within the field of manufacturing where it may be difficult to manage manufacturing tools and written commands simultaneously.

A data controller must carefully consider for what purposes the voice data will be processed and upon what legal basis the processing activities are performed. The primary purpose of processing voice data within the application of a VVA is to execute the voice request of a user. Moreover, EDPB identifies three other purposes that are relevant for providers and designers of VVA applications:

  1.  improving the capacity by training VVA models with machine learning techniques,

  2. biometric identification, and

  3. user profiling for personalized content or advertising.

There is also a risk that VVA applications collect personal data from background interactions or sources that are not intended for the stated purpose. The data controller is obliged to make sure that there is a valid legal basis for each purpose of processing such data which might have been accidentally collected, and consequently delete unnecessary collections. Data minimization by deleting background noise, interactions or sources is therefore a key technical requirement for lawful VVAs.

EDPB highlights several privacy challenges that stakeholders must take into consideration whilst designing VVAs. The core functionalities of VVAs rely heavily on the processing of, not only personal data, but also sensitive personal data. Information processed by VVAs may contain sensitive personal data, for example in the event users share information about their medical condition to the VVA. There can also be sensitive meta-information processed, for example, the use of voice data for user identification implies the processing of biometric data which thus, requires a higher level of protection and extra attention when it comes to ensuring legal basis and lawful processing according to Articles 6 and 9 of the GDPR.

Data controllers must also ensure an appropriate level of security for the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures according to Article 5 of the GDPR. VVAs are sometimes designed to be bundled with other services, such as communication or entertainment services. This practice lays the ground for complex processing chains involving multiple stakeholders and purposes of the processing of personal data, which requires the data controller and processor to continuously ensure a high standard of technical and organisational measures safeguarding the processing activities according to Articles 24 and 32 of the GDPR.

The Swedish Authority for Privacy Protection (“IMY”) recently confirmed the importance of ensuring appropriate security measures in complex processing chains of personal data. The decisions (for several stakeholders involved) concerned the investigation of an incident where recorded phone calls (for the avoidance of doubt, not VVAs) to a medical consultation service in Sweden were publicly accessible on an unprotected server on the internet. As the recorded phone calls concerned physical persons mainly calling for the purpose of medical consultation, the recorded phone calls also contained sensitive personal data about health, requiring a high level of security. Although some of the decisions have been appealed, IMY importantly highlights the importance of ensuring appropriate technical and organisational measures throughout the complex processing chains, i.e. not only for the data controller, but also for the processors, to ensure an adequate level of security to protect the voice recordings and personal data therein.


Article provided by INPLP member: Fredrik Roos and Astrid Svensson (Setterwalls, Sweden)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.