Core requirements: lawful basis for processing, data minimization, rights to access, delete, and port personal data, breach notification within 72 hours, and a data processing agreement (DPA) between controller and processor.
Callsy operates as a GDPR processor: customers are the data controllers. We sign DPAs, maintain a current sub-processor list (annex), and host EU customer data in EU data centers.
Penalties reach 4% of global annual turnover or €20M, whichever is higher. Real penalties have been issued against AI voice deployments that failed to obtain or honor consent.