Assistance with the Data Protection Impact Assessment
Change history (2 entries)
- 05/05/2026 New section on the use of the LoyJoy Phone Agent added, including risk description, risk mitigation measures and risk-measures table.
- 24/02/2026 Initial publication of the DPIA assistance.
This document serves as a foundation for the customer (Data Controller under the GDPR) to conduct their own Data Protection Impact Assessment when implementing the LoyJoy platform. LoyJoy (Data Processor) provides transparent information regarding the technical architecture, data processing, and risk mitigation measures.
1. System Architecture and Hosting
Infrastructure: The core LoyJoy platform is hosted exclusively on servers in the EU.
Server Location: Hosting takes place exclusively at locations within the European Union (EU). There is no transfer of core databases to insecure third countries.
Data Security: All data is encrypted according to current industry standards, both during transmission (in transit) and storage (at rest). Further details can be found in our Technical and Organizational Measures (TOMs).
2. Use of Artificial Intelligence (LLMs) & Sub-processors
LoyJoy utilizes state-of-the-art AI models (including Microsoft Azure OpenAI, Mistral, Nebius) for intelligent dialogue management.
Contractual Exclusion of AI Training: This is a core component of our data protection strategy. It is strictly contractually prohibited to use the input data (prompts) of end users to further train or improve the underlying AI base models (e.g., from OpenAI).
Purpose Limitation: Data transmission to the AI interfaces occurs exclusively in real-time to generate the respective chat response (fulfillment of purpose).
3. Risk Mitigation for Open Text Inputs
When using chatbots with free-text fields, there is an inherent risk that users may provide sensitive data unprompted (e.g., health data under Art. 9 GDPR, bank details). LoyJoy primarily addresses this risk through organizational and conceptual measures:
Dialogue Design: The chatbot is designed to specifically request only the data necessary for the given process (principle of data minimization).
User Guidance: Customers are advised to place a short, highly visible notice in the chat UI or before starting the chat, instructing users not to enter sensitive personal data into the free-text field.
4. Data Lifecycle and Data Subject Rights (Art. 17 GDPR)
Standard Retention Periods: To comply with the principle of storage limitation (Art. 5(1)(e) GDPR), chat logs within LoyJoy are automatically deleted or fully anonymized after 30 days by default. The retention of session data is also configurable (e.g., from 30 minutes up to 14 days).
Handling Deletion Requests: If an end user exercises their right to erasure (Art. 17 GDPR) before the end of this 30-day period, LoyJoy supports the customer in fulfilling this request. If personal data has been recorded in the database (e.g., during registration or lead capture), the email address serves as the unique identifier. Using this key, the corresponding user’s chat logs can be manually searched and specifically deleted in the backend.
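The lifecycle described in this section (automatic deletion or full anonymization after a configurable retention period, configurable session expiry, and erasure of one user's chat logs keyed by email address) can be checked against a small model. The following is an added example written for this document and is not LoyJoy's code; the store, the `ChatLog` and `RetentionPolicy` types, the sample records and the audit-trail format are all assumptions used to illustrate the procedure.

```python
"""
Constructed example (not LoyJoy's code): a minimal conversation store that
enforces the lifecycle described above - automatic deletion or anonymisation
of chat logs after a configurable retention period (30 days by default),
configurable session expiry, and erasure of a specific user's logs keyed by
email address (Art. 17 request). All records and names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import hashlib


@dataclass
class ChatLog:
    log_id: str
    email: Optional[str]          # None once the log has been anonymised
    created_at: datetime
    messages: List[str] = field(default_factory=list)


@dataclass
class RetentionPolicy:
    chat_log_retention: timedelta = timedelta(days=30)       # default in the text
    session_ttl: timedelta = timedelta(minutes=30)           # configurable, e.g. 30 min .. 14 days
    anonymise_instead_of_delete: bool = False


class ConversationStore:
    def __init__(self, policy: RetentionPolicy):
        self.policy = policy
        self.logs: Dict[str, ChatLog] = {}
        self.sessions: Dict[str, datetime] = {}   # session_id -> last activity
        self.audit: List[str] = []                # what the retention job and erasure did

    def add_log(self, log: ChatLog) -> None:
        self.logs[log.log_id] = log

    def touch_session(self, session_id: str, now: datetime) -> None:
        self.sessions[session_id] = now

    def enforce_retention(self, now: datetime) -> int:
        """Delete or anonymise logs older than the retention period and expire
        stale sessions. Returns the number of sessions expired."""
        cutoff = now - self.policy.chat_log_retention
        for log in list(self.logs.values()):
            if log.created_at < cutoff:
                if self.policy.anonymise_instead_of_delete:
                    self._anonymise(log)
                else:
                    del self.logs[log.log_id]
                    self.audit.append(f"deleted {log.log_id} (retention)")
        stale = [s for s, t in self.sessions.items() if now - t > self.policy.session_ttl]
        for s in stale:
            del self.sessions[s]
        return len(stale)

    def _anonymise(self, log: ChatLog) -> None:
        if log.email is None:          # already anonymised
            return
        log.email = None
        log.messages = ["[redacted]"] * len(log.messages)
        self.audit.append(f"anonymised {log.log_id} (retention)")

    def erase_by_email(self, email: str) -> int:
        """Handle an Art. 17 request: remove every log tied to this email address.
        Matching is case-insensitive; the audit entry stores only a hash of the key
        so the erased identifier is not re-introduced into the audit trail."""
        key = email.strip().lower()
        matched = [l.log_id for l in self.logs.values()
                   if l.email is not None and l.email.lower() == key]
        for log_id in matched:
            del self.logs[log_id]
        digest = hashlib.sha256(key.encode()).hexdigest()[:12]
        self.audit.append(f"erasure request {digest}: {len(matched)} logs removed")
        return len(matched)


def run_demo() -> dict:
    """Build a store with constructed records and exercise both retention modes."""
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)

    def store_with_data(policy: RetentionPolicy) -> ConversationStore:
        s = ConversationStore(policy)
        s.add_log(ChatLog("log-A", "alice@example.com", now - timedelta(days=45), ["hi", "order 123"]))
        s.add_log(ChatLog("log-B", "bob@example.com", now - timedelta(days=10), ["help"]))
        s.add_log(ChatLog("log-C", "Bob@Example.com", now - timedelta(days=5), ["thanks"]))
        s.touch_session("sess-1", now - timedelta(hours=1))      # older than 30-minute TTL
        s.touch_session("sess-2", now - timedelta(minutes=5))
        return s

    deleting = store_with_data(RetentionPolicy())
    expired = deleting.enforce_retention(now)                 # removes log-A, expires sess-1
    erased = deleting.erase_by_email(" BOB@example.com ")      # removes log-B and log-C

    anon = store_with_data(RetentionPolicy(anonymise_instead_of_delete=True))
    anon.enforce_retention(now)                               # log-A kept, but stripped

    return {
        "expired_sessions": expired,
        "logs_after_retention_and_erasure": sorted(deleting.logs),
        "erased": erased,
        "anonymised_log_A": (anon.logs["log-A"].email, anon.logs["log-A"].messages),
        "audit": deleting.audit,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "=", v)
```

Two points a controller verifying this lifecycle would want to confirm are visible in the model: the erasure lookup normalises the email key so that differently cased registrations are not missed, and the audit entry for an erasure request records a hash rather than the address itself, so fulfilling the request does not create a new copy of the identifier.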
5. Summary Risk Assessment
Thanks to EU-based, encrypted hosting, the strict exclusion of AI model training using user data, and very short, automated deletion periods (30 days), LoyJoy’s technical and organizational protective measures maintain a very high standard. When the platform is used as intended, the risk to the rights and freedoms of natural persons is significantly minimized.
6. Use of the LoyJoy Phone Agent
When using the LoyJoy Phone Agent, callers can interact with an AI-powered telephone assistant. Voice inputs are processed in real time to capture the content of the conversation, generate responses and manage the dialogue. The audio stream is not permanently stored by LoyJoy. Transcripts are stored as chat messages in the existing conversation database. Call recordings are also stored in the conversation database. The default deletion period is 30 days.
Additional risks compared to text-based chat processes may arise in particular from the processing of voice data, the possible recognisability of the voice, the natural quality of synthetic speech output, unintentional disclosure of sensitive data by callers, possible misinterpretation of spoken inputs, call recordings, and the caller’s expectation of speaking with a human.
To mitigate these risks, LoyJoy provides technical and organisational features, in particular a configurable notice at the beginning of the call informing the caller that they are interacting with an AI system, storage of transcripts and recordings with configurable deletion periods, encrypted transmission, encrypted storage of stored conversation data, role-based access controls, logging of relevant access in LoyJoy Manager, and the ability for the controller to review and control process and response behaviour.
The controller should in particular assess whether the specific use case involves sensitive data, which legal basis applies to telephony, transcription and call recording, whether a human handover must be offered, and whether additional notices or consents are required from callers.
| Risk | Assessment | Possible measures |
|---|---|---|
| Caller does not recognise they are speaking with AI | Elevated with natural-sounding voice | Clear greeting with AI notice at the start of the interaction |
| Unintentional disclosure of sensitive data | Elevated in open voice dialogues | Process design, brief notices, avoiding unnecessary free-text queries, deletion periods |
| Processing of voice / audio recording | Elevated in telephony with call recording | No permanent storage of audio stream, short deletion period, access restriction |
| Misinterpretation of spoken inputs | Medium | Follow-up questions, confirmation of critical details, escalation to human agents |
| Lack of purpose limitation | Medium | Tenant-specific configuration, documented process purpose, no use for model training |