Chatbots: Definition and meaning
Chatbots are computer-based programs that hold conversations with people and are able to provide information via text, image, sound or code. Even though chatbot technology has been around for many years, the launch of ChatGPT, the intelligent chatbot from OpenAI, was the starting signal for the provision of chatbots to the general public in 2022. Numerous companies are now using AI chatbots in customer service, marketing or sales to facilitate customer communication, streamline internal processes and improve user satisfaction. As technology develops, chatbots are becoming increasingly personalized and intuitive, which further strengthens their role in digital transformation.
Relevance of data protection and GDPR
In parallel with advancing technology, data protection and data security are becoming ever more important. Since the European General Data Protection Regulation (GDPR) came into force in 2016, there have been uniform standards in Europe for handling personal data, which website operators, online shops and companies must comply with. This has the advantage that there is a clear legal framework for everyone and that consumers are protected against data misuse, identity theft and other risks. Compliance with data protection regulations is therefore not a nice-to-have for European companies, but a clear must-have. This is a continuous process, as companies are constantly introducing new products, processes or tools. As a result, most companies have a data protection officer who ensures compliance with data protection regulations.
Using chatbots in compliance with GDPR: The 7 most important tips
Privacy and chatbots are closely linked, as a bot has a variety of conversations with people every day and therefore processes large amounts of data. The scope of personal information from users to which the chatbot has access varies depending on the area of application of the chatbot. The information processed may include names, contact details, preferences, and even personal issues or concerns. It is therefore crucial that companies ensure that their chatbots comply with European and German data protection regulations and respect user privacy. But there's no need to worry, because data protection and chatbots are perfectly compatible. You can use the following tips to get an idea of how to recognize a GDPR-compliant provider:
Tip #1: Don't forget the right to be forgotten
An important criterion for being GDPR-compliant, both as a chatbot provider and as a company that uses one, is to guarantee the right to be forgotten. Accordingly, all users are entitled to have all personal data about them deleted. If a user expresses this request, the provider must comply with it and reset the user data.
Tip #2: Guarantee the right to data access
Users generally have the right to request from the respective service provider information about the data that is stored about them.
Tip #3: Ensure the right to correct & amend
In addition to the right to be forgotten and the right to access data, users have the right to correct and supplement their data. This means that companies must ensure that users can modify their data, such as their address or telephone number. The chatbot can help here, for example by being the interface through which a user communicates to the company that certain data in the system should be changed.
Tip #4: Get consent
Before a company can store and share user data, it must obtain user consent via an opt-in process. Examples include confirming cookies, subscribing to a newsletter, or downloading documents. An opt-in procedure can also be used within a chatbot, e.g. by displaying a data protection notice before the conversation starts. Whether such a notice is required depends on the classification under data protection law.
Tip #5: Conclude contract for order processing
An order processing contract (AVV) should always be used when a company passes on, processes or uses personal data on behalf of third parties. It is therefore best to conclude a privacy-compliant AVV with the chatbot provider of your choice in order to be able to ensure proper handling of your users' data.
Tip #6: Provide a full privacy statement
Another important point that should be considered when choosing the right chatbot provider is a current, easily accessible and complete privacy statement. Website operators must ensure that the statement is easy to understand and can be viewed from every subpage of the website within one click.
Tip #7: Choose a server location in Germany
According to the regulations of European data protection law, no personal data may be transferred from the EU to unsafe third countries. In addition to all EU countries and the countries of the European Economic Area, the following are considered safe third countries:
- Andorra,
- Argentina,
- Canada (commercial organizations only),
- Faroe Islands,
- Guernsey,
- Israel,
- Isle of Man,
- Jersey,
- New Zealand,
- Switzerland,
- Uruguay,
- Japan,
- the United Kingdom and
- South Korea
Countries such as the USA, Russia or China, for example, are considered unsafe third countries. If a GDPR-compliant chatbot provider is wanted, it must therefore have servers that are located either in the EU, the European Economic Area or in one of the mentioned safe third countries.
All 7 tips at a glance
Data protection, GDPR and ChatGPT — why they don't go together
Anyone who discusses the topic of data protection and chatbots cannot avoid a discussion about ChatGPT. ChatGPT triggered a veritable wave of AI in 2022 and was able to get many people excited about chatbots. However, after the initial ChatGPT hype, there were also some critical voices raising privacy concerns about the use of the tool. For example, shortly after the chatbot was published, Italian regulators blocked access for some time because they had identified data breaches. In Germany and other European countries, the data protection authorities are also examining ChatGPT and are therefore contacting OpenAI.
In particular, the following three points make it clear that data protection, GDPR and ChatGPT do not go well together:
Lack of legal basis for data processing
According to Article 6 paragraph 1 of the General Data Protection Regulation, data processing is only permitted if there is a corresponding legal basis, i.e. there must be specific contractual obligations. Otherwise, the consent of the person concerned is required for data processing. Since OpenAI does not communicate much about its own data processing, companies are also unable to provide comprehensive information about it. Conversely, this means that obtaining consent from users is also almost impossible.
Processing of data in unsafe third countries
In order to be considered GDPR-compliant, ChatGPT would have to process data either in the EU or the European Economic Area or in third countries considered safe by the EU. OpenAI, however, is a US company that manages its servers in the USA. The American data regulations apply there, which are currently not yet compatible with European ones. Using ChatGPT in companies in compliance with data protection regulations is therefore virtually impossible.
Lack of transparency about data processing
Article 13 of the European Data Protection Regulation provides that companies must inform users about how their data is handled, i.e. which data is processed and in which context it may be accessed. OpenAI does not currently meet these requirements of the GDPR, as it does not provide comprehensive enough information about data processing and algorithms. This also makes the legally compliant use of ChatGPT in companies significantly more difficult.
ChatGPT? Practical but not suitable for customer communication.
Companies that choose chatbot providers such as ChatGPT for customer communication are not only risking fines because they violate the GDPR, but also image damage through so-called "chatbot fails". These arise primarily when generative AI offers no control options and hallucinates, i.e. outputs freely invented, false or inappropriate content.
For more information about AI hallucinations and how to prevent them, read our article "The 6 biggest chatbot fails and tips on how to avoid them."
Conclusion: On the safe side with a German AI chatbot provider
A closer look at the GDPR and an analysis of ChatGPT in this context shows: keep your eyes open when choosing a chatbot provider. GDPR-compliant providers take the rights of consumers seriously, protect them, offer complete transparency regarding the handling of data and ensure data processing at safe locations like Germany.
Would you like to see an example showing that data protection and AI chatbots are not opposites, but can be easily combined with each other? moinAI not only has years of industry experience, but also offers AI made in Hamburg. Find out everything about how moinAI is implementing the requirements of the GDPR on our data protection page.
This article is provided for informational purposes only and is not a substitute for legal advice.