GDPR applies to customer feedback data. Survey verbatims, NPS open-ends, and complaint descriptions regularly contain personal data — and in regulated industries, often special category data under Article 9. Here is what a compliant VoC platform must cover.
A GDPR-aligned VoC platform must operate as a compliant data processor: no training on client data, documented data flows, lawful basis support, data residency options, and verifiable deletion on request.
Ipiphany AI is GDPR aligned, ISO 27001 certified, and does not train on customer data. It is available from US $83/month with an on-premises deployment option for organisations with strict data residency requirements.
When your customers write "the adviser who called me on Tuesday was unhelpful" or "I've been struggling since my husband passed away and nobody called me back," they are generating personal data — and in the second case, special category data under GDPR Article 9.
GDPR treats a VoC platform as a data processor: an entity that processes personal data on behalf of the data controller. As a controller, you remain responsible for ensuring your processor operates under a valid Data Processing Agreement and meets the standard of technical and organisational measures required by GDPR Article 28.
Before a VoC analytics platform is deployed in a regulated enterprise, these questions must be answered:

- Where is the verbatim data processed and stored?
- Is the platform training its AI models on client data?
- What is the retention policy, and can data be deleted on request?
- Who are the subprocessors, and what are their certifications?
- Does the platform support data subject access requests?

These are standard due diligence questions for any third-party data processor in the EU and UK.
Survey scores and selections carry limited GDPR risk. Open-ended verbatim data is a different matter entirely. Assess each of these before deploying any VoC platform.
Survey respondents regularly include names, account numbers, contact details, and specific transaction references in open-ended comments — even when the survey does not ask for them. The platform processing this data must handle it under the same controls as any personal data.
GDPR Article 9 special categories include health data, financial vulnerability signals, racial or ethnic origin, religious beliefs, and sexual orientation. Customer complaints and verbatims regularly contain health-related context ("I was in hospital when the bill arrived") and financial vulnerability indicators. Processing this data requires either explicit consent or a specific legal basis.
If the platform processes data in a country outside the EEA that does not have an adequacy decision, a valid transfer mechanism — Standard Contractual Clauses or Binding Corporate Rules — is required. Teams must verify where their verbatim data goes after upload.
If the platform uses client data to train or improve its AI models, that use must be covered by the original lawful basis or a separate consent. For most enterprise customers, the lawful basis for collecting NPS or complaints data does not extend to AI model training by a third-party vendor. This is where the majority of GDPR procurement issues originate.
GDPR's storage limitation principle requires that personal data is not retained longer than necessary. Platforms must have documented retention periods and must be able to delete data on request under Article 17 (right to erasure).
The platform's data handling architecture reflects GDPR requirements. Data Processing Agreement templates are available for procurement teams. Lawful basis documentation, data minimisation practices, and subprocessor lists are included.
Ipiphany AI does not use verbatim data from client datasets to train, improve, or fine-tune its models. Customer feedback processed through the platform is used to produce your organisation's analysis outputs — it does not feed back into a shared model.
Security controls cover access management, data handling, incident response, and supplier risk. The ISMS is certified to ISO/IEC 27001. Certificate scope available on request.
For organisations with data residency requirements — where processing verbatim data in a cloud environment is prohibited by policy or regulation — Ipiphany AI can be deployed within your own infrastructure.
Processed data can be deleted in accordance with your retention policy and data subject requests. The DPA includes a data deletion confirmation process. On contract termination, deletion can be confirmed in writing.
Cloud deployments are available in EU-region infrastructure to support data residency requirements for EEA organisations. No transfer to third countries is required for EU-region deployments.
A regional bank deploys a new VoC programme to capture customer feedback on its digital banking service. The privacy team applies these controls — this reflects the standard procurement pathway for regulated enterprises deploying Ipiphany AI.
The survey is designed to avoid directly asking for personal identifiers in open-ended fields. A brief notice in the survey acknowledges that respondents may include personal details and explains how this data is handled.
A signed Data Processing Agreement with Ipiphany AI covers lawful basis, retention periods, subprocessor list, and data deletion obligations before any data is uploaded.
Verbatim data is processed within EU-region infrastructure. No transfer to third countries is required. The Data Processing Agreement confirms this in writing.
The bank's DPO confirms in writing that the platform's no-training policy means the original lawful basis — legitimate interest or consent — is not extended to a secondary purpose.
The platform's analysis identifies comments that appear to contain identifiable personal data and flags these for the team's attention in accordance with the agreed data handling protocol.
Verbatim data is deleted from the platform at the end of the agreed retention period. The DPA includes a data deletion confirmation process.
| GDPR criterion | Question to ask the vendor | Red flag answer |
|---|---|---|
| Data Processing Agreement | "Do you provide a standard DPA, and can we negotiate additional terms?" | No DPA available / DPA is non-negotiable boilerplate |
| Model training | "Do you use our data to train or improve your models?" | Yes, unless opted out / unclear |
| Data location | "Where is our verbatim data processed and stored?" | Outside EEA with no adequacy / no SCCs |
| Special category data | "How does your platform handle Article 9 data in verbatims?" | No separate handling / unaware of the issue |
| Data retention | "What is your data retention policy, and can you delete our data on request?" | Retention is indefinite / deletion cannot be guaranteed |
| Subprocessors | "Can you provide your full subprocessor list?" | List unavailable / subprocessors not certified |
| ISO 27001 | "Are you ISO 27001 certified? Can we see the certificate scope?" | Not certified / certification in progress only |
| Breach notification SLA | "What is your contractual SLA for notifying us of a data breach?" | >72 hours or unspecified |
The FCA's Consumer Duty (in force since July 2023) requires firms to monitor consumer outcomes continuously. The ICO has confirmed that Consumer Duty does not override GDPR — both frameworks apply simultaneously. VoC data processors must meet both standards.
Policyholders frequently disclose health or financial circumstances in complaints and feedback. Article 9 applies. Processors must be able to demonstrate appropriate technical and organisational measures. A DPA is mandatory — not optional.
Vulnerability data in complaints — illness, financial hardship, bereavement — is increasingly captured in VoC programmes as regulators require firms to evidence how they handle vulnerable customers. This data requires the same GDPR controls as any special category data.
ePrivacy Regulation applies to electronic communications data in addition to GDPR. Verbatims from contact centre recordings or messaging feedback may carry additional ePrivacy obligations. Multi-jurisdiction operators need a platform that can handle varied residency requirements.
If GDPR compliance, data residency, or processor due diligence have been raised as requirements, book a call and we will include the DPA template and security documentation in the follow-up.