A practical guide for SMEs — GDPR-compliant and with a sense of proportion
AI can take a huge load off customer service today — but only if you introduce it in a way that keeps you in control and legally sound. This guide walks you through a staged model to start small and safe, avoid the most common mistakes, and know exactly what Article 50 of the AI Act, the GDPR and phone-AI law require of you.
Last updated: July 2026 — not legal advice · approx. 10 min read
AI in the SME sector is no longer a topic for tomorrow. According to the Bitkom AI Study 2026 (604 companies with 20+ employees, February 2026), 41% of companies now actively use AI — a doubling from 17% the year before. Language processing and chatbots account for 64% of the use cases. Customer service is therefore not a side stage but the very field where AI arrives first.
And that is precisely where a second look pays off. The Bitkom consumer survey (1,006 users, May 2025) shows that 62% of people still want a reachable human in customer service, and only 36% want a chatbot. Satisfaction tells an even clearer story — 86% when dealing with a human versus 50% with a chatbot.
The lesson is not "better no AI at all", but: AI belongs behind the human, not in front of them. Used as an invisible assistant that supports the team, AI gains you speed without risking customer satisfaction. Turned loose on customers unfiltered, it loses you both. This principle — human-in-the-loop — runs through the entire guide.
41%
of companies actively use AI — a doubling from 17% the year before
Quelle: Bitkom AI Study 2026
62%
of consumers still want a reachable human
Quelle: Bitkom consumer survey 2025
86% vs. 50%
satisfaction: dealing with a human versus a chatbot
Quelle: Bitkom consumer survey 2025
Key message: AI in customer service works when it makes your team faster — not when it replaces them. Human-in-the-loop is not a compromise but the most successful adoption strategy.
Beyond the hype, four capabilities work reliably today and deliver real day-to-day value:
AI reads incoming emails, chats and forms, recognises the concern, prioritises and routes it to the right place. Your inbox effectively sorts itself.
Based on your past correspondence, FAQs and documents, the AI drafts replies — including salutation, tone and the right building blocks. A human reviews and approves.
Instead of searching five systems, the AI pulls the relevant information together: past cases, order data, contract status. It saves the minutes that add up over the day.
Clearly defined, recurring questions — opening hours, status checks, simple returns — can be answered by AI directly, provided a clean escalation path to a human is in place.
The decisive question is not "AI yes or no", but "how much autonomy do we give the AI". Answering it in stages lets you start safely and increase the level of automation only once trust and processes are in place. Three stages have proven themselves:
The AI handles understanding, research and drafting — but nothing leaves the building without human approval. This is the safest entry point: you gain speed immediately while carrying no risk that a wrong answer reaches a customer unchecked. For most SMEs this is the right place to start.
A concrete example of Stage 1: Ada
Our own product Ada is built exactly on this principle: an AI inbox that understands and sorts requests, drafts replies from your data — and nothing goes out without your approval. That is what human-in-the-loop looks like in practice.
Explore AdaThe AI answers clearly defined routine cases on its own. For anything outside that narrow scope — uncertainty, complaint, edge case — it escalates automatically to a human. The key is to keep the automation corridor deliberately narrow and continuously monitored.
An AI system answers calls, understands spoken language and responds in real time. This is the biggest lever — and the highest legal hurdle (see phone AI below). It pays off once stages 1 and 2 are in place and call volume is high enough.
Almost always start with Stage 1 — it brings noticeable relief quickly at minimal risk and is ready in days to a few weeks. Stage 2 follows once you can see which cases can be cleanly ring-fenced and your team trusts the AI. Stage 3 is a project of its own with substantial legal lead time and only pays off at the right call volume. Following this order builds automation on trust — not on hope.
AI in customer service touches three areas of law. The good news: all requirements are achievable with manageable effort if you build them in from the start rather than patching them in later.
From 2 August 2026, people must be able to tell they are interacting with an AI — visibly in chat, by announcement on the phone, at the latest at first interaction. The Digital Omnibus (formally adopted by the Council on 29 June 2026) keeps this deadline at August 2026. Penalties reach up to EUR 15 million or 3% of global annual turnover. We have prepared the concrete implementation in a dedicated checklist.
With every AI vendor that processes personal data, a data processing agreement (DPA) under Article 28 GDPR is mandatory. Add to that data minimisation — the AI only gets what it truly needs — and a deletion policy for chat transcripts. There is no fixed statutory deadline; in practice an automatic, tiered deletion after 30 to 90 days works well.
Recording AND transcribing a phone call is only permissible with the caller’s explicit, documented consent. A "legitimate interest" is not enough, and merely staying on the line after an announcement is not valid consent (the line taken by the German data protection conference). Best practice: no audio recording by default.
Many popular customer-service AIs run on US providers. Without a solid DPA and a workable transfer concept, using them for personal data is risky. Check vendor and data flow before you go live — EU-based or on-premise solutions save a lot of debate.
Almost every problem with AI in customer service traces back to one of these six causes — and all are avoidable:
The AI invents an answer and passes it to the customer unchecked. Ruled out on Stage 1 because a human approves.
The AI does not notice when it is out of its depth and leaves the customer going in circles. Without a guaranteed way out to a human, automation becomes a dead end.
A chatbot or voice bot does not disclose that it is an AI — a direct breach of Article 50 with a fine risk.
Personal data flows to a provider without a solid data processing agreement. The classic among GDPR breaches.
Chat histories are kept forever "just in case". Without a deletion policy this is not data-minimal and therefore exposed.
The call is recorded or transcribed without the caller having validly consented — a breach of the TDDDG.
Beyond the technology, the decision comes down to four questions:
Stage 1 is deliberately kept affordable — it needs no telephony infrastructure and no complex permission model. Effort only rises with higher stages. So you can start small and pay only for what you use.
The most tangible lever is the time saved per case: the AI handles understanding, research and drafting, your team reviews and approves. Across many cases this adds up to noticeable relief.
Stage 1 is ready in days to a few weeks — not a months-long project. You quickly see whether it works for your business before investing more.
How much the AI does on its own is your decision, set through the staged model — not the vendor’s. You keep control of the level of automation at all times and can raise it step by step.
A realistic roadmap for a safe start — without a mega-project:
Find the channel with the most routine effort (usually the support inbox). A clearly scoped starting point beats the grand plan.
DPA with the vendor, define a deletion policy for transcripts, prepare AI labelling. Ideally with an EU or on-premise solution to sidestep the DPA trap.
Provide FAQs, text building blocks and typical cases so the AI drafts in your tone and with your facts. Set up the approval workflow for the team.
Go live, but every reply passes through human approval. Measure the time saved per case and fine-tune.
Yes. Under Article 50 EU AI Act, which applies from 2 August 2026, people must be able to tell they are interacting with an AI — visibly in chat, by announcement on the phone, at the latest at first interaction. Breaches can be fined up to EUR 15 million or 3% of global annual turnover.
Yes, under three conditions: a data processing agreement (DPA) under Article 28 GDPR with every AI vendor, consistent data minimisation, and a deletion policy for chat transcripts. The most common mistake is storing transcripts indefinitely.
There is no fixed statutory deadline. What matters is the purpose: once it is fulfilled, the data must be deleted. In practice an automatic, tiered deletion after 30 to 90 days works well. Indefinite storage is the classic GDPR breach.
Only with the caller’s explicit, documented consent — governed by the TDDDG (formerly TTDSG). A "legitimate interest" is not enough, and simply staying on the line after an announcement is not valid consent. Best practice: no audio recording by default.
As much as you deliberately entrust to it — in stages. On Stage 1 the AI only drafts; a human approves every reply (human-in-the-loop). Only on Stage 2 do clearly defined standard cases run automatically, with guaranteed escalation to a human. You keep control of the level of automation.
In practice, no. 62% of consumers still want a reachable human (Bitkom 2025), and satisfaction is markedly higher with a human than with a chatbot. AI takes the load off routine and research so your team has more time for the cases that genuinely need a person.
See what human-in-the-loop looks like in practice, or discuss your use case with us directly. Pragmatic, without the hype.
Or discuss your customer-service use case in a no-obligation initial call.
Request an initial callLast updated: July 2026. This guide is general orientation and does not replace legal advice in individual cases.