
Voice AI Legitimate Interest: The GDPR Balancing Test

Most enterprises list 'legitimate interest' without completing an LIA. Here is the Article 6(1)(f) three-part test — purpose, necessity, balancing — applied to every common voice AI use case.

[Figure: Legitimate Interest Assessment (LIA) under Article 6(1)(f) GDPR, the documented test enterprises skip. Step 01, Purpose Test: is the interest legitimate? Step 02, Necessity Test: is processing necessary? Step 03, Balancing Test: do rights override the interest?]

Most UK enterprises running voice AI programmes list "legitimate interest" as their lawful basis in a privacy policy, add a line to their Data Protection Register, and consider the matter closed. That is not a legitimate interest assessment. It is a label on an empty box.

Article 6(1)(f) GDPR is the provision enterprises reach for when consent is impractical and there is no contractual or legal obligation. It allows processing where the controller has a genuine interest, the processing is necessary to pursue it, and that interest is not overridden by the data subject's rights. The critical word is "necessary." Not useful. Not efficient. Necessary — and documented. The ICO has been explicit: where legitimate interest is claimed, a Legitimate Interest Assessment (LIA) must be on file before processing begins.

For voice AI, this matters acutely. A voice programme typically processes audio recordings, real-time transcripts, sentiment classifications, CRM-written call summaries, and sometimes intent scores — across thousands or millions of calls. Each of these processing operations sits inside the scope of the LIA, and the LIA must survive ICO scrutiny. In 2026, with the ICO Code of Practice on AI in force from May and the FCA issuing AI governance guidance for financial services, the question "can you show us the LIA?" is moving from theoretical to operational.

This post walks the three-part test, applies it to the most common voice AI use cases, and provides the documentation architecture that keeps your programme's lawful basis standing.

  • 3: stages every LIA must clear
  • 6(1)(f): the GDPR article that legitimises processing
  • May 2026: ICO AI Code of Practice in force (SI 2026/425)
  • 0: valid marketing calls on LI — PECR requires consent

This guide is written by the team behind Dilr Voice — enterprise voice AI deployed across regulated industries. For a full compliance architecture review, see DATS operating model consulting.

What Legitimate Interest Actually Means Under GDPR

Article 6(1)(f) reads: processing is lawful if it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject."

Three things stand out. "Legitimate interests" is plural and intentionally broad — commercial efficiency, fraud prevention, network security, and service delivery all count. "Necessary" is a real constraint, not a formality — the ICO reads it as: would a less privacy-invasive approach achieve the same result? And "overridden" sets up the balancing test — even a legitimate, necessary purpose can fail if the data subject's rights weigh more.

For voice AI programmes, the processing that typically needs a lawful basis includes:

  • Audio recording: capturing the call in full
  • Real-time transcription: converting speech to text during the call
  • Post-call sentiment and intent scoring: AI classification of call content
  • Call summary generation: LLM-produced summaries written to CRM
  • Quality assurance analytics: aggregate and per-call performance data
  • Model refinement or fine-tuning: use of call data to improve AI performance

Each operation should be mapped to a specific lawful basis. A blanket "legitimate interest for call processing" claim that does not distinguish between recording a call for service delivery and using call transcripts to train a proprietary model will not survive an ICO subject access request — or a procurement legal review.

The contrast with consent is important. Consent as a lawful basis under GDPR requires a freely given, specific, informed, and unambiguous indication from the data subject — and the right to withdraw at any time without detriment. Legitimate interest does not require prior consent, but it requires a documented assessment that the balance tips in the controller's favour. For operational call handling where obtaining meaningful consent at scale is impractical, LI is often the right basis — provided the LIA is done properly.

The Three-Part Test in Detail

Part 1: The Purpose Test

The first question is whether the controller has a "legitimate interest" in the processing. The ICO's guidance is permissive: commercial interests, legitimate business activities, and purposes that are lawful and not contrary to public policy all qualify. A voice AI programme processing calls for customer service, fraud prevention, collections, or operational efficiency has a legitimate interest in principle.

What fails:

  • Vague purposes: "to improve our services" is too broad. The purpose must be specific enough to be testable in Parts 2 and 3. "To reduce inbound call abandonment rate by automating tier-one enquiry handling" is specific.
  • Purposes that undermine data subject rights: processing primarily designed to build profiles for undisclosed secondary uses.
  • Purposes that are illegal or contrary to public policy: even if framed as legitimate, a purpose that breaches sector-specific regulation (FCA consumer communications rules, NHS data governance) cannot be a legitimate interest.

For most voice AI deployments — service delivery, operational efficiency, fraud detection, quality assurance — the purpose test is the easiest to pass. The difficulty comes in Parts 2 and 3.

Part 2: The Necessity Test

"Necessary" does not mean merely useful or convenient. The ICO interprets it as: if a less privacy-invasive alternative could achieve the same purpose, the processing is not necessary and LI cannot be claimed.

Applied to voice AI:

| Processing | Necessity Assessment |
| --- | --- |
| Recording the call (audio) | Necessary for QA, compliance, and dispute resolution purposes — passes |
| Full transcript (real-time) | Necessary for CRM notes and AI escalation logic — passes for service purposes |
| Sentiment scoring per call | Necessary for QA if the stated purpose is 100% call coverage — borderline if QA purpose could be achieved by sampling |
| Storing audio for 12 months | Typically fails necessity test unless a specific regulatory obligation justifies it |
| Using call data to train a proprietary model | Fails necessity test for the service-delivery purpose — this is a separate, additional purpose that needs its own basis |
| Sharing transcripts with third-party analytics | Fails unless the third party's involvement is necessary for the stated purpose |

The necessity analysis must be documented. For each processing operation, the LIA should record what alternatives were considered and why they were insufficient.

Part 3: The Balancing Test

This is where most legitimate interest claims for voice AI actually fail — because enterprises underestimate the weight on the data subject side of the scales.

The ICO's balancing guidance asks controllers to weigh their legitimate interest against:

1. The nature of the data. Calls contain voice data, which may qualify as biometric data if it is used to identify the individual. AI systems that perform emotion or tone analysis may be processing data that infers health or psychological states — potentially special category data under Article 9. If that threshold is crossed, Article 6(1)(f) is insufficient on its own; an Article 9(2) condition is also required.

2. The reasonable expectations of data subjects. Callers who hear "this call may be recorded for training and quality purposes" reasonably expect audio retention and manual QA. They are less likely to expect: real-time AI sentiment analysis, automated intent scoring, LLM-generated summaries written to a CRM, or call transcripts shared with third parties. The gap between expectation and actual processing weakens the balance.

3. The likely impact on data subjects. Does the processing create risks of discrimination, financial harm, or chilling effects on communication? A voice AI that flags calls for agent intervention based on sentiment scores carries a concrete impact risk if the flags influence credit decisions, claims handling, or service prioritisation.

4. Safeguards implemented. Strong safeguards — data minimisation, pseudonymisation, strict access controls, short retention periods, documented right to object — shift the balance toward the controller. Absence of safeguards shifts it toward the data subject.

5. Whether the data subject has previously objected. Under Article 21, data subjects have the right to object to processing based on legitimate interest at any time. The objection must be accommodated unless the controller can demonstrate compelling legitimate grounds. Call centre voice AI programmes that make objecting to AI processing impractical will fail this aspect of the balancing test.

The balancing test must be specifically run for voice AI — not imported from a generic corporate "legitimate interest" template. The audio-rich, biometric-adjacent nature of call data makes the balance harder to demonstrate than, for example, LI for website analytics or fraud detection on transactional data.

For the EU AI Act compliance layer applying from August 2026, Article 50 transparency obligations sit alongside GDPR — callers must be told they are interacting with AI at first contact. This mandatory disclosure improves the LI balancing position because it closes part of the expectations gap.

How the Test Applies to Common Voice AI Use Cases

The Article 6(1)(f) analysis is not uniform across use cases. Here is how the three-part test maps to the processing operations most enterprise voice AI programmes actually run:

| Voice AI Use Case | LI Available? | Weakness to Address |
| --- | --- | --- |
| Inbound customer service (AI handles) | Generally yes | Disclose AI at start of call; right to object to AI handling |
| Outbound appointment reminders | Generally yes | Prior relationship must exist; expectation of contact reasonable |
| Collections and debt reminder calls | Possible but harder | Balancing test harder; FCA Consumer Duty overlay; prominent objection rights |
| Outbound marketing and sales calls | No — PECR pre-empts | PECR Reg 19 requires prior consent for automated marketing calls. LI unavailable. |
| QA monitoring and sentiment scoring | Case by case | Scope of analysis must match stated QA purpose; emotion inference is risky |
| Model training on call data | Rarely | Fails necessity test for service delivery purpose; needs separate lawful basis |
| Aggregate analytics and dashboards | Generally yes | Pseudonymisation or aggregation reduces individual impact; passes balancing easily |

The PECR row is critical for outbound programmes. PECR Regulation 19 prohibits automated calls made for the purpose of direct marketing unless the called party has specifically consented to receive them from the caller. Legitimate interest as a GDPR basis does not override PECR. If you are running an outbound AI calling programme under GDPR and PECR, your marketing calls require consent — the LI analysis is irrelevant for that category.

Writing a Legitimate Interest Assessment That Holds

The LIA is not a form — it is a structured argument. An ICO-ready LIA for a voice AI programme should address seven areas:

Section 1: Purpose. State the specific business purpose with enough precision to be testable. "Provide automated handling of inbound customer account enquiries for customers of [service] to reduce average handling time and improve first-contact resolution" — not "improve customer experience."

Section 2: Identify the Legitimate Interest. Name the interest — commercial efficiency, fraud prevention, regulatory compliance, public safety, etc. If multiple purposes apply to the same processing, document each separately. Controllers and joint controllers must be identified.

Section 3: Necessity Assessment. For each processing operation within scope, document why it is necessary for the stated purpose. Note what alternatives were considered (e.g., manual QA sampling rather than 100% AI scoring) and why they were insufficient to achieve the purpose.

Section 4: Nature of Data and Data Subjects. Describe the personal data processed, its sensitivity, and the population of data subjects (customers, leads, third parties incidentally recorded). Flag where voice data edges into special category territory — biometric identification, health inference from emotion analysis.

Section 5: Reasonable Expectations. Describe what a typical data subject would reasonably expect given the context of the call. Document what disclosures are made at the start of the call. Note the gap, if any, between actual processing and likely expectation, and how that gap is addressed.

Section 6: Impact and Safeguards. Assess the likely impact on data subjects — ranging from negligible (routine inbound call recorded for QA) to significant (AI sentiment score influences a credit decision). Document the safeguards in place: encryption, pseudonymisation, access controls, retention periods aligned to GDPR minimisation obligations, and right to object procedures.

Section 7: Conclusion. State whether the legitimate interest is outweighed by data subjects' rights. If it is not outweighed — if the processing passes the balance — document that conclusion and the evidence on which it rests. Sign and date by an accountable owner.

The LIA must be reviewed when the programme changes scope (new use cases, new AI models, new data destinations). Article 5(2) accountability means the document must be retained and available on request.

Common LIA failure point

Enterprises frequently complete Sections 1–3 (the easy parts) and leave Sections 5–6 blank. The balancing test — the part the ICO actually cares about — is where the hard thinking happens. A document that does not record reasonable expectations, impact assessment, and the specific safeguards in place for voice data will not hold under scrutiny.

When Legitimate Interest Is Not Available

Some processing in a voice AI programme genuinely cannot rely on Article 6(1)(f). Recognising these situations before go-live prevents the larger problem of a lawful basis that collapses under examination.

Special category data (Article 9). If the AI system processes voice biometrics for identification purposes, or if sentiment/tone analysis infers health states, psychological conditions, or racial/ethnic origin from voice characteristics, Article 9 GDPR applies. Article 6(1)(f) does not authorise the processing of special category data — an Article 9(2) condition must be satisfied separately, most commonly explicit consent (Article 9(2)(a)) or substantial public interest (Article 9(2)(g)). The ICO AI Code of Practice (in force May 2026) gives specific guidance on automated processing involving special category data.

Solely automated decisions with significant effects (Article 22). If a voice agent makes a decision — declining a claim, setting a price, refusing a request — that has a "legal or similarly significant effect" on the caller, Article 22 rights apply. These include the right to obtain human intervention, to express a point of view, and to contest the decision. Legitimate interest does not neutralise these rights — they are triggered by the nature of the decision, not the lawful basis for processing. The programme design must provide a route to human review for decisions in scope.

PECR Regulation 19: automated marketing calls. For any outbound call whose purpose is direct marketing — including calls about products, services, promotions, or fundraising — PECR Regulation 19 requires the called person to have specifically consented to receive automated calls from the caller. This is separate from and additional to GDPR. No amount of legitimate interest analysis changes this obligation.

Where contract performance works better. Where the voice AI interaction is necessary to perform a contract the caller has entered into — for example, processing a claim the policyholder submitted — Article 6(1)(b) (contract performance) is a cleaner basis than LI for the processing directly related to fulfilling that obligation. LI is the right tool when there is no contract — but using LI where a contract exists creates unnecessary complexity.

The Governance Architecture That Makes LIA Work

An LIA that exists as a one-time document is only marginally better than no LIA. The governance architecture around it determines whether the legitimate interest basis remains valid as the voice programme evolves.

Appoint an LIA owner. Someone with authority to block new use cases — typically the DPO, privacy lead, or a senior compliance officer — must be the named owner. When engineering proposes a new processing operation (e.g., using call transcripts to improve model performance), the owner runs the LIA update before the feature ships.

Integrate the LIA into the change management gate. For any material change to the voice AI programme — new data flows, new third-party processors, new AI models, extended retention, new use cases — an LIA review is required before the change goes live. This is a process change, not a documentation exercise. The enterprise voice AI governance framework should include LIA review as a named stage in the change control checklist.

Build right-to-object fulfilment into the call design. Article 21 requires that the right to object to LI-based processing be accessible and easy to exercise. For voice AI, this means a clear verbal route during the call ("press 2 if you would prefer to speak with a human agent and opt out of automated call processing") and a process for handling opt-outs that does not require multiple follow-up steps. Auditability of AI voice processing decisions — including which calls were subject to which processing and whether any objections were received — is increasingly expected by regulators.

Link the LIA to the DPIA if high-risk processing is in scope. The LIA establishes the lawful basis. If the processing is high-risk — large scale, systematic processing of sensitive data, decisions with significant effects — a Data Protection Impact Assessment (DPIA) is also required under Article 35. The LIA and DPIA are separate documents with different purposes, but they share evidence: the necessity analysis and balancing assessment in the LIA feed directly into the DPIA risk identification.

Retain LIA documents as accountability evidence. Article 5(2) requires controllers to be able to demonstrate compliance. In a voice AI programme, that means the LIA (and its revision history) must be retrievable on request from the ICO, from an enterprise client in a procurement due diligence review, or from a data subject exercising access rights.


Key takeaways
  • Article 6(1)(f) requires a documented Legitimate Interest Assessment — a policy line is not sufficient.
  • All three parts of the test (purpose / necessity / balancing) must be passed and recorded in writing before processing begins.
  • Outbound marketing calls are governed by PECR Reg 19 — legitimate interest does not apply to that processing category.
  • Voice biometric and emotion inference data may trigger Article 9 special category obligations on top of Article 6.
  • The LIA is a live document: it must be reviewed whenever the programme's processing scope changes.
  • Right-to-object routes must be genuinely accessible in the call design — Article 21 is not satisfied by a buried privacy policy link.