ActCheck

GDPR Chatbot Compliance Checklist

Last reviewed: 2026-06-23

Short answer: A chatbot can collect personal data through messages, account details, support history, device information, cookies, and logs. GDPR/ePrivacy readiness starts by documenting what is collected, why, by whom, for how long, and what users are told.

Practical Chatbot Privacy Checklist

Area | What to check | Evidence to collect
Purpose | Why does the chatbot exist? | Product purpose, support workflow, approved use cases.
Data collection | What personal data can enter the chat? | Data inventory, prompt/log examples, input fields.
Lawful basis | What basis supports the processing? | Privacy memo, policy decision, review note.
Transparency | Does the user know AI or automated support is involved? | Chat UI disclosure, privacy notice, help center text.
Vendor role | Is the chatbot vendor a processor, subprocessor, or another role? | DPA, vendor terms, subprocessor list.
Retention | How long are chat logs, prompts, and analytics kept? | Retention schedule, deletion settings.
User rights | Can users request access, deletion, correction, or objection where applicable? | DSAR process, support SOP.
Security | Who can access chat logs and admin tools? | Access policy, SSO settings, audit logs.
ePrivacy/cookies | Does the widget use cookies, local storage, tracking, or marketing pixels? | Cookie list, consent banner config.

AI-Specific Chatbot Questions

Privacy Notice Evidence To Prepare

Example Evidence-Readiness Result

Area | Status | Evidence gap
Vendor DPA | Present | DPA link added.
Retention | Missing | Chat log retention period not documented.
AI disclosure | Partial | UI says "assistant" but does not clarify that support is AI-generated.
Cookie review | Needs review | Chat widget local storage not mapped.
User rights | Missing | No DSAR process for chat transcript exports.

FAQ

Does every chatbot need cookie consent?

Not every chatbot uses cookies or tracking, but teams should map cookies, local storage, analytics, and consent settings before launch.

Can we send chatbot messages to an AI model provider?

Teams should document what data is sent, the vendor role, retention, training or improvement use, and user notices before review.

Should users be told when a chatbot uses AI?

Disclosing that support is AI-generated is often important for transparency. The exact wording should match the product flow and the applicable review.

Run a GDPR and ePrivacy evidence readiness check

Use the existing ActCheck assessment flow from the homepage.

ActCheck provides informational self-assessment and evidence-readiness support. It does not provide legal advice, legal review, compliance certification, lawyer services, or a guarantee of compliance.

Related Pages

Official Sources