A chatbot that answers politely at three in the morning, pre-sorts tickets, and resolves standard questions in seconds — the appeal of AI in customer service is obvious. Less obvious is what happens when the bot makes a false promise, dismisses a complaint on its own initiative, or sends personal data somewhere it doesn’t belong. This is exactly where an efficiency gain can turn into a liability risk.
The good news first: AI in customer service is permitted. The inconvenient news: from 2 August 2026 clear obligations come with it, and a recent ruling shows that liability stays with the deploying company — not “with the bot.” This article places the legal situation in precise context and ends with a concrete checklist. (Professional analysis, not legal advice for an individual case. As of: May 2026.)
What does “using AI in customer service compliantly” mean?
Compliant means: the chatbot is labeled as AI (transparency obligation under Art. 50 EU AI Act from 2 August 2026), the data processing has a GDPR legal basis, a human remains involved in consequential decisions — and the deploying company takes full responsibility for what the bot says. Three areas of law interlock: the AI Act, the GDPR, and general law (UWG, i.e. the German Act Against Unfair Competition, and contract law).
Three legal layers that work together
Anyone who wants to operate a service chatbot compliantly does not have to observe one statute, but three overlapping layers:
- AI Act (EU 2024/1689): A chatbot that interacts with people is an AI system of “limited risk.” Permitted — but subject to a transparency obligation (Art. 50).
- GDPR: As soon as the bot processes personal data (name, email, request, order number), the rules on legal basis, information obligations, possibly data processing on behalf of a controller, and the limits of automated decisions all apply.
- General law: What the bot says may be anti-competitive (under the UWG, the German Act Against Unfair Competition) or contractually bind your company. This layer is the one most often underestimated.
Only all three together add up to “compliant.” A GDPR-compliant but unlabeled bot is just as incomplete as a labeled one that makes false promises.

Only all three layers together — the AI Act, data protection, and competition/contract law — support a compliant service chatbot. Satisfying a single obligation is not enough.
Transparency obligation: the chatbot must identify itself as AI (Art. 50 EU AI Act)
The central new obligation is simply phrased and hard to circumvent: anyone who interacts with an AI system must know it — unless it is obvious from the context to a reasonable person anyway.
When does this apply?
From 2 August 2026. This date is fixed. The AI Act does not take effect all at once but in stages: the prohibitions on certain practices (Art. 5) have applied since 2 February 2025, and the obligations for general-purpose AI (GPAI) models since 2 August 2025 (AI Act Implementation Timeline). The transparency obligation in Art. 50 is therefore the next step in an already-running schedule, not a distant date. Unlike the high-risk deadlines, which are expected to be postponed by the EU legislative package “Digital Omnibus,” the transparency obligation in Art. 50 remains in force in principle (TÜV Rheinland Consulting). Important for practice: the “Digital Omnibus” draft provides for a transition period (expected until 2 December 2026) for systems already placed on the market before 2 August 2026 — so this can also affect an existing, running chatbot, not just the machine-readable labeling of synthetic content under Art. 50(2) (Morrison Foerster). The draft is not yet final; anyone introducing a new bot should treat the August date as binding. What comes toward companies beyond the transparency obligation is laid out in my article “AI Act: What companies must do now”.
What must the labeling look like?
Visible, understandable, and early. The notice belongs at the entry point of the conversation or as a permanent marker in the user interface — not hidden in the terms and conditions or the privacy policy. A short sentence is enough: “You are chatting with an AI assistant.” What matters is that the information arrives before or at the first interaction and is recognizable to a reasonably attentive person.
Provider or deployer — who is bound by the obligation?
The AI Act distinguishes two roles. Anyone who deploys someone else’s model (for instance, a chatbot platform) under their own name is, as a rule, the deployer — and bears responsibility for integration, labeling, and output on their own website.
| Question | Provider | Deployer (you as the company) |
|---|---|---|
| Who is this? | Develops/markets the AI system | Deploys the system under its own responsibility |
| Typical role in customer service | The chatbot platform / the AI model | The company with the bot on its website |
| Transparency obligation | Enable technical labeling capability | Implement visible AI labeling in the conversation |
| Responsibility for the output | — | Full (content, accuracy, consequences) |
In practice, then, as an SME you are almost always the deployer — and it is precisely this role that triggers the visible labeling obligation in the customer dialog.
Who is liable when the AI chatbot answers incorrectly?
Short and unambiguous: the deploying company. The chatbot is not an independent third party whose conduct the company can disclaim, but a tool of the company — its statements are attributed directly to the deployer.
The OLG Hamm case (judgment of 12 May 2026, case no. I-4 UKl 3/25)
Aesthetify GmbH operated an AI-powered appointment-booking bot on its website. When asked, the bot invented specialist-physician qualifications for two doctors (“Dr. Rick” and “Dr. Nick”) — including a specialist title that does not actually exist. The consumer advice center of North Rhine-Westphalia (Verbraucherzentrale NRW) brought suit. The Higher Regional Court of Hamm (Oberlandesgericht Hamm) assessed the bot’s statements as a misleading commercial practice under sec. 5(1), (2) no. 3 UWG (the German Act Against Unfair Competition) (anwalt.de, LTO).
The core point: the chatbot is not a “third party” for whose misconduct the deployer would not be answerable. It is part of the business organization — its statements are attributed directly to the company, regardless of whether the AI “hallucinated” or processed correct inputs incorrectly (paloubis.com).
Important context: The ruling is not yet final and binding (not yet rechtskräftig). Because of the fundamental significance of liability for AI hallucinations, the OLG allowed an appeal on points of law to the German Federal Court of Justice (BGH). The line is therefore strong, but not yet confirmed by the highest court (as of: May 2026).
Can the bot contractually bind my company?
Caution is warranted — and the underlying mechanism is agency (sec. 164 et seq. BGB, the German Civil Code). The bot is not a legal subject but a tool; its declarations are attributed to the company that deploys it. If the bot states a concrete, seemingly binding price for a specific service, this can amount to an offer within the meaning of sec. 145 BGB that the customer accepts with a simple “yes” — the contract would then be concluded before any human steps in. Even where the company never “authorized” the bot to do so, the principles of apparent and tolerated authority (Anscheins- and Duldungsvollmacht) come into play: anyone who visibly lets the bot make offers and tolerates this must be held to whatever creates the appearance of authority in the customer’s eyes. Pre-contractual obligations and damages can apply on top. Anyone who gives the bot a free hand in statements about prices and services opens up a genuine flank of risk — the clean solution is to technically rule out binding promises and reserve them for the human conclusion of contract.
Is a disclaimer “answers without warranty” enough?
No. A disclaimer does not replace substantive care. It can sharpen the user’s awareness, but it does not make a misleading or false statement lawful. The OLG Hamm logic cannot be contracted away by a footnote. Disclaimers make sense as a supplementary element — not as a shield.
GDPR — what data protection requires
As soon as the bot processes personal data, the GDPR applies in full breadth. Four points are decisive in customer service.
Legal basis and information obligation (Art. 6, Art. 13)
Every processing operation needs a legal basis under Art. 6 GDPR — usually performance of a contract (lit. b, for instance with order inquiries), legitimate interest (lit. f), or consent (lit. a). Alongside this, the information obligation applies: users must know which data is processed for which purpose. Whether a separate consent is required depends on the processing — it becomes relevant when data is stored permanently or used for an unrelated purpose (e.g. for training).
Processing on behalf of a controller and third-country transfer
If you deploy an external chatbot platform, a data processing agreement (Art. 28 GDPR) is generally mandatory — no AI tool without a DPA. If the data flows to servers outside the EU, the GDPR’s third-country chapter additionally applies. The cleanest lever is EU hosting: a model operated within the EU defuses the transfer question from the outset. Where the differences between EU-hosted and US models lie in detail, I compare in “EU-hosted vs. US LLMs: data sovereignty”.
Automated decisions and human oversight (Art. 22)
This is where an often-overlooked limit lies. Art. 22 GDPR prohibits solely automated decisions with significant legal or similar effect — without human involvement. So if the bot independently and definitively rejects a complaint, a refund, or an application, that can be problematic (dejure.org, Art. 22 GDPR). The solution is called human-in-the-loop: for consequential decisions, a human must be able to review and approve. Pure information and pre-sorting is unproblematic — the final “no” belongs in human hands. How such a control layer can be technically safeguarded against hallucinations is shown in “Securing against hallucinations: control-layer design”.
When is a DPIA necessary?
A data protection impact assessment (DPIA, Art. 35 GDPR) becomes due when the processing is likely to entail a high risk for the data subjects — for instance with large-scale processing, systematic evaluation, or sensitive data categories. For a lean FAQ bot, probably not; for a bot that reaches deep into customer data and prepares decisions, more likely yes. How such an assessment works in practice for AI systems is described in “The DPIA for AI systems”.
Checklist: setting up customer-service AI compliantly
| Obligation | Norm / Basis | Concrete implementation |
|---|---|---|
| AI labeling | Art. 50 EU AI Act | Visible notice “You are chatting with an AI assistant” at the entry point |
| Clarify the legal basis | Art. 6 GDPR | Establish in writing before go-live (contract, legitimate interest, or consent) |
| Fulfill the information duty | Art. 13 GDPR | Privacy notice linked, purposes transparent |
| Data processing agreement | Art. 28 GDPR | Conclude a DPA with the chatbot platform |
| Secure third-country transfers | Chapter V GDPR | Prefer EU hosting or secure the transfer legally |
| Human involvement in decisions | Art. 22 GDPR | Human-in-the-loop for rejections/consequential decisions |
| Set output limits | UWG, contract law | No unchecked price/service promises; narrow the topics |
| Document & log | Accountability | Keep configuration, data flows, and decisions traceable |
Anyone who works through these eight points cleanly has defused the biggest risks — and can put the bot into production with a clear conscience.
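The article argues for technically ruling out binding promises (sec. 145 BGB), keeping the final "no" with a human (Art. 22 GDPR), labeling the bot at the entry point (Art. 50 AI Act), and logging decisions. The following control layer is an added example sketching how those four checklist items can sit in code between the language model and the customer; it is not code from the article or from the author's own product. The detection rules, the sample answers, the e-mail address and the policy identifier are all constructed for illustration, and the regular expressions are deliberately simple so that the routing logic stays visible.

```python
"""Control layer between an LLM and the customer: AI disclosure, output gating,
human-in-the-loop routing and an audit log (added example, constructed rules)."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

POLICY_VERSION = "example-policy-1"                      # constructed identifier
AI_NOTICE = "You are chatting with an AI assistant."    # Art. 50 entry-point notice

# Constructed detection rules; illustrative, not a complete legal taxonomy.
MONEY = re.compile(r"(?:€\s?\d[\d.,]*|\b\d[\d.,]*\s?(?:€|EUR|euros?))", re.IGNORECASE)
COMMIT = re.compile(r"\b(?:guarantee[sd]?|costs?|will charge|fixed price|for only|price is)\b",
                    re.IGNORECASE)
DECISION = re.compile(r"\b(?:reject(?:ed|s)?|refus(?:e|ed|al)|denied|not eligible|"
                      r"no refund|cannot be refunded)\b", re.IGNORECASE)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

NON_BINDING = ("I can give general information, but prices and service commitments "
               "are confirmed by a member of staff. I have passed your question on.")
HOLD = ("A member of our team will review your request and get back to you; "
        "no final decision has been made yet.")


@dataclass
class GateResult:
    session_id: str
    outcome: str          # "allow" | "price_promise" | "consequential_decision"
    customer_text: str    # what the customer actually sees
    needs_human: bool
    audit: dict


def start_session(session_id: str) -> str:
    """First message of every conversation: the visible AI disclosure."""
    return f"[{session_id}] {AI_NOTICE}"


def classify(answer: str) -> str:
    """Decide whether a candidate bot answer may go out unchanged."""
    if DECISION.search(answer):                       # definitive "no" -> human decides
        return "consequential_decision"
    if MONEY.search(answer) and COMMIT.search(answer):  # amount + commitment -> offer risk
        return "price_promise"
    return "allow"


def gate(session_id: str, user_msg: str, answer: str, review_queue: list) -> GateResult:
    """Route the answer: pass it through, replace it, or hold it for a human."""
    outcome = classify(answer)
    if outcome == "allow":
        text, human = answer, False
    elif outcome == "price_promise":
        text, human = NON_BINDING, True       # never release the binding wording
    else:
        text, human = HOLD, True              # decision waits for the human reviewer
    if human:
        review_queue.append({"session": session_id, "question": user_msg, "draft": answer})
    audit = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "session": session_id,
        "policy": POLICY_VERSION,
        "rule": outcome,
        "released": not human,
        # Data minimisation: the log keeps the question without e-mail addresses.
        "question": EMAIL.sub("[email redacted]", user_msg),
    }
    return GateResult(session_id, outcome, text, human, audit)


def run_demo() -> list:
    """Constructed conversation: four candidate LLM answers in one session."""
    queue, results = [], []
    print(start_session("s-001"))
    cases = [
        ("What are your opening hours?", "We are open Monday to Friday, 9 to 17."),
        ("How much does the treatment cost? mail: anna@example.com",
         "The treatment costs 1,200 € and we guarantee the result."),
        ("I want a refund for order 4711.", "Your complaint is rejected; no refund is possible."),
        ("Roughly what does it cost?", "Starting from roughly 100 €, depending on the case."),
    ]
    for question, draft in cases:
        result = gate("s-001", question, draft, queue)
        results.append(result)
        print(json.dumps(result.audit), "->", result.customer_text)
    print(f"{len(queue)} item(s) waiting for human review")
    return results


if __name__ == "__main__":
    run_demo()
```

The design choice worth noting: an amount on its own ("starting from roughly 100 €") is allowed through, because the offer risk arises from the combination of a concrete figure with committing language, while any definitive refusal is held regardless of wording. The audit record carries the policy version so that a later dispute can be matched to the rules that were active at the time.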
What fines are at stake?
Here, precision pays off rather than panic. A breach of the transparency obligation in Art. 50 falls under the fine tier of up to €15 million or 3% of worldwide annual turnover (for SMEs and start-ups, the lower of the two amounts applies) — not under the highest tier (€35 million / 7%), which is reserved for prohibited practices (TÜV Rheinland Consulting). There is no fixed percentage reduction for small companies; the authorities must, however, set fines proportionately in relation to SMEs and start-ups (Art. 99(6) EU AI Act) (ai-act-law.eu, Art. 99). Alongside this, GDPR fines and competition-law consequences such as cease-and-desist warnings (Abmahnungen) or injunction suits are possible — the latter is illustrated by the OLG Hamm case.
Frequently asked questions (FAQ)
Am I even allowed to use a chatbot in customer service?
Yes. A service chatbot is a low-risk AI system and is permitted subject to conditions. You must label it, comply with the GDPR, and stand behind its statements — it is not prohibited.
Do I have to label that a chatbot is an AI?
Yes, from 2 August 2026 under Art. 50 EU AI Act. The labeling must be visible and early — at the entry point of the dialog, not hidden in the terms and conditions.
Do I need consent for the chatbot?
That depends on the processing. If the legal basis of contract performance or legitimate interest suffices, no separate consent is needed. If personal data is stored or used for an unrelated purpose, active consent is generally required.
What applies to automated decisions, such as a complaint?
Art. 22 GDPR prohibits solely automated decisions with significant effect. Rejections or consequential decisions therefore require human involvement (human-in-the-loop).
Is a disclaimer “without warranty” enough?
No. A disclaimer does not replace substantive accuracy and care. Under the OLG Hamm line, the company is liable for misleading bot statements — regardless of the disclaimer.
Compliant from the start — from the lawyer who builds the chatbot
Most articles on this topic come either from the legal corner (they explain the obligations but build nothing) or from the tech corner (they deliver the tool and treat the law as an afterthought). The real difficulty lies in the middle: to design and build a chatbot so that labeling, legal basis, DPA, EU hosting, and human oversight are built in from the start — rather than bolted on afterward.
This very intersection is my work: as a business lawyer (Wirtschaftsjurist) and developer in one person, I plan and develop customer-service AI that treats the obligation under Art. 50 EU AI Act and the GDPR not as an obstacle but as a blueprint. If you are considering introducing a service chatbot or making an existing one compliant: let’s clarify in a no-obligation initial conversation where your risk lies and how the bot can be set up cleanly.
As of: May 2026. This article is a professional analysis and does not replace legal advice for an individual case. This is general information, not legal advice. The OLG Hamm judgment (12 May 2026, I-4 UKl 3/25) is not final and binding; an appeal on points of law to the BGH has been allowed. The effective date and fine tiers of Art. 50 EU AI Act may change as a result of ongoing EU legislation — check the current state of affairs before making binding decisions.
Sources — as of 30.05.2026
- TÜV Rheinland Consulting — Transparenzpflichten EU AI Act Art. 50
- anwalt.de — KI-Chatbot lügt, Betreiber haftet: OLG Hamm, Urt. v. 12.05.2026, Az. 4 UKl 3/25
- paloubis.com / Internetrecht München — Wer haftet, wenn der KI-Chatbot lügt? OLG Hamm zieht klare Linie
- LTO — OLG zur Haftung für irreführende KI-Chatbot-Aussagen
- anwalt.de — Die vier Säulen der Transparenzpflichten nach Art. 50 KI-VO
- caralegal.eu — Transparenzpflichten für Anbieter und Betreiber (Art. 50 AI Act)
- dejure.org — Art. 22 DSGVO (Volltext)
- Morrison Foerster — EU Digital Omnibus on AI: What Is in It and What Is Not
- AI Act Implementation Timeline — application dates of the EU AI Act