GDPR Chatbot Compliance Checklist
Last reviewed: 2026-06-23
Practical Chatbot Privacy Checklist
| Area | What to check | Evidence to collect |
|---|---|---|
| Purpose | Why does the chatbot exist? | Product purpose, support workflow, approved use cases. |
| Data collection | What personal data can enter the chat? | Data inventory, prompt/log examples, input fields. |
| Lawful basis | What basis supports the processing? | Privacy memo, policy decision, review note. |
| Transparency | Does the user know AI or automated support is involved? | Chat UI disclosure, privacy notice, help center text. |
| Vendor role | Is the chatbot vendor a processor, subprocessor, or another role? | DPA, vendor terms, subprocessor list. |
| Retention | How long are chat logs, prompts, and analytics kept? | Retention schedule, deletion settings. |
| User rights | Can users request access, deletion, correction, or objection where applicable? | DSAR process, support SOP. |
| Security | Who can access chat logs and admin tools? | Access policy, SSO settings, audit logs. |
| ePrivacy/cookies | Does the widget use cookies, local storage, tracking, or marketing pixels? | Cookie list, consent banner config. |
AI-Specific Chatbot Questions
- Are messages sent to an AI model provider?
- Are prompts or outputs stored by the vendor?
- Are messages used for training, improvement, abuse monitoring, or analytics?
- Can the system reveal personal data in generated output?
- Is there a human review path for high-risk or sensitive messages?
- Does the chatbot clearly state its limitations?
- Are logs monitored for prompt injection, data leakage, or unsafe output?
Privacy Notice Evidence To Prepare
- What the chatbot does.
- What data may be collected.
- Whether a third-party vendor handles messages.
- Whether AI is used to generate or classify replies.
- Whether logs are stored and for how long.
- How users can contact support or exercise rights.
- Whether cookies or tracking are used.
Example Evidence-Readiness Result
| Area | Status | Evidence gap |
|---|---|---|
| Vendor DPA | Present | DPA link added. |
| Retention | Missing | Chat log retention period not documented. |
| AI disclosure | Partial | UI says "assistant" but does not clarify AI-generated support. |
| Cookie review | Needs review | Chat widget local storage not mapped. |
| User rights | Missing | No DSAR process for chat transcript exports. |
FAQ
Does every chatbot need cookie consent?
Not every chatbot uses cookies or tracking, but teams should map cookies, local storage, analytics, and consent settings before launch.
Can we send chatbot messages to an AI model provider?
Teams should document what data is sent, the vendor's role, retention, any training or improvement use, and the user notices in place before the privacy review.
Should users be told when a chatbot uses AI?
AI disclosure is often important for transparency. The exact wording should match the product flow and the applicable privacy review.