Is a Voice Bot Legal in Poland - GDPR, Marketing Consent, and DNC Registry
TL;DR: I get this question daily. Short answer: yes, voice bots are legal in Poland - but there are specific conditions you must meet to avoid fines from the Polish Data Protection Authority (UODO). In this article, I break down: what GDPR says about automated calls, what marketing consent you need, how Poland’s DNC (“Do Not Call”) registry works, and what changed in telecom law in 2025. Zero legal jargon. Concrete regulations, obligations, and risks.
For clarity: I am not a lawyer. What I write here is based on my experience deploying voice bots and consulting with law firms. Before launching any campaign, consult your own legal counsel.
Why legal compliance is the biggest voice bot blocker
From my conversations with clients, one thing is clear: 8 out of 10 companies delay voice bot adoption because they’re afraid of fines. “What if UODO shows up?”, “What about marketing consent?”, “What about GDPR?”. I get it. I had the same fear before I got the legal side sorted.
Here’s the reality: the regulations exist, but they are navigable. And they don’t require an army of lawyers. They require understanding three pillars: GDPR (the legal basis for processing data), marketing consent (when you need consent and when you don’t), and telecom law (technical requirements for calls). This is not rocket science. It’s a handful of specific requirements that you either meet or you don’t.
In this piece, I’ll show you what this looks like in practice - no fearmongering, no legal jargon. Just what you actually need to know to sleep well at night.
Filter 1: GDPR - what legal basis do you have for calling?
Let’s start with the fundamentals. Every processing of personal data (and a phone number is personal data) needs a legal basis under Article 6 of the GDPR. For voice bots, you have three real options:
- Consent (Art. 6(1)(a)) - the safest option but the hardest to obtain at scale. The person must knowingly consent to phone contact for marketing purposes. A checkbox on a form saying “I consent to phone contact” - that’s enough.
- Legitimate interest (Art. 6(1)(f)) - this is the path most B2B companies take. You argue that you have a legitimate interest in contacting a potential customer. But here’s the catch: you must conduct a legitimate interest assessment (LIA) and document it. In practice: if you’re calling a company that publicly lists its phone number and operates in an industry related to your offer, LIA makes sense. “Because I want to sell” is not enough.
- Contract performance (Art. 6(1)(b)) - only works for existing customers. If someone has already bought from you, you can call them about contract-related matters. But here’s the catch: offering a new product is marketing, not contract performance.
In practice, for B2B cold calling, most companies rely on legitimate interest. But this requires a legitimate interest assessment. Here’s how I do it: before each campaign, I prepare LIA documentation - who the recipient is, why I’m calling, what benefit the recipient gets, how they can object. I keep this on file in case of an audit.
Filter 2: Marketing consent - when do you need it?
This is where most of the myths live. Let me debunk the main one: you do NOT always need marketing consent for phone calls.
The rule is: marketing consent is required when you use automated calling systems (Article 172 of Poland’s Telecommunications Law). A voice bot is such a system. This means you need consent for automated calling - but that’s not the same thing as marketing consent.
In practice, it works like this:
- B2C (to consumers): you ALWAYS need prior consent. Zero exceptions. Without marketing consent, you do not call a consumer.
- B2B (to businesses): it’s more complex. You can call without consent if you have another legal basis (legitimate interest), but you must comply with the DNC registry and information obligations.
- Existing B2B customers: you can call under “soft opt-in” - if someone previously bought from you and you’re offering a similar product or service. Condition: you must provide a clear opt-out option with every contact.
The biggest trap: marketing consent and automated system consent are two different things. If you have marketing consent for email, that does NOT mean you can call with a bot. That’s a separate consent. Check your database - most companies have consent for “electronic contact” which doesn’t cover phone calls.
Filter 3: The DNC registry - check before your bot dials
The DNC (Do Not Call) registry, operated in Poland as “Rejestr Nie dzwonić,” is a mandatory step before every campaign. In short: if someone has registered their number, you cannot call them. Even if you have marketing consent.
Here’s my process:
- Before each campaign, I run the database against the DNC registry
- I remove all numbers that are on the registry
- I repeat this process every 30 days - the registry updates
- I document each verification (date, database scope, result)
The penalty for ignoring the DNC registry? Up to 1,000,000 PLN. Not worth the risk.
For more on practical database preparation and number verification, check my guide on automating cold calling.
Information obligation - what your bot MUST say at the start of every call
This is the part that separates a legal bot from spam. Under GDPR and telecom law, the bot must inform the person about several things BEFORE the actual conversation begins.
My bot says the following at the start of every call:
- Who is calling - full company name (not just “Coldbot,” but “TZORDON INTELLIGENCE sp. z o.o.”)
- The purpose of the call - “regarding our sales automation offer”
- Where the number came from - “from publicly available data” or “based on your consent dated X”
- That the conversation will be recorded - this is critical for GDPR
- That recording and contact can be refused - and how to opt out
- Where to find the full privacy notice - “on our website at…”
These are not optional extras. They are obligations. If your bot doesn’t provide this information, you’re violating GDPR.
As a side note - this information obligation is also a good moment to build trust. My clients often fear that revealing the bot is a bot will scare people off. From my data, it’s the opposite - people appreciate honesty. Conversion doesn’t drop, and the risk of UODO complaints drops to zero.
For more on how bots handle difficult conversations, check our FAQ page.
Call recording - what’s allowed and what’s not
Call recording is a separate legal issue that often gets overlooked during deployments. The rules:
- You must inform about recording - before recording starts, not after
- You must have consent for recording - legitimate interest is not enough here. Voice recordings are a special category of data (biometric data), so the legal basis must be strong. In practice: consent.
- You must enable objection - “If you don’t agree to recording, say ‘stop’ and I’ll transfer you to a consultant without recording.”
- You must store recordings securely - encryption, limited access, retention policy.
The standard question: can I record without consent? Technically - if you rely on legitimate interest and pass the balancing test. But UODO interprets this very restrictively. For safety: always get consent for recording.
Post-call data processing - where do the leads go?
After the call, the bot generates data: name, company, qualification score, call recording. Where does it go and for how long?
The data minimization principle (Art. 5 GDPR): you only process the data that’s necessary. If a lead showed no interest, you don’t need their recording. If they did - yes, you do.
My data retention looks like this:
- Hot leads: I store data in CRM for the duration of the relationship + 5 years (legal claims)
- Warm leads: 12 months from last contact (potential future sale)
- Cold or rejected leads: deleted after 30 days (unless the lead requests earlier deletion)
- Call recordings: stored for a maximum of 90 days (quality and complaint purposes), then deleted
This is my policy - yours may differ, but it must be documented. GDPR requires you to know WHY you’re storing data and for how long.
If you’re using a third-party platform for voice bots (like ElevenLabs), you must have a data processing agreement with them. Without it - you’re liable for their mistakes.
What happens if you break the rules - real risks
I won’t tell you that UODO only threatens. The fines are real. In 2025, UODO imposed fines totaling over 20 million PLN. Not all were telemarketing-related, but the trend is clear - supervisory authorities are tightening enforcement.
The most common voice bot violations:
- Calling without a legal basis - fine up to 20 million EUR or 4% of global turnover
- No information obligation - administrative fine, cease-and-desist order
- Ignoring the DNC registry - fine up to 1 million PLN (telecom law)
- No recording consent - order to delete recordings, financial penalty
Does this mean you shouldn’t deploy a voice bot? No. It means you should do it properly. 90% of fines result from negligence that can be eliminated with one document and three procedures.
FAQ
Is a voice bot legal for B2B without marketing consent? Yes, provided you have another legal basis (e.g. legitimate interest) and comply with the remaining requirements: DNC registry, information obligation, data processing agreement with your platform provider.
What about the DNC registry - does the bot check it automatically? No. You must verify the database yourself before each campaign. Some platforms offer integration with the UOKiK API, but it’s still your responsibility.
Can I record calls without consent? I don’t recommend it. Technically you could try under legitimate interest, but UODO interprets this very restrictively. For safety, always get consent at the start of the call.
Does a bot calling from a foreign number bypass Polish law? No. If the recipient is in Poland, Polish law applies - regardless of where the bot is calling from.
How long does legal preparation for deployment take? For me: 2-3 days for GDPR documentation, legitimate interest assessment, data processing agreement, and retention policy. You don’t need weeks. You need specifics.
Questions about voice bot legality for your specific situation? Check our pricing page - as part of implementation, we help sort out all legal matters.