🚀
TEMPLATE READY TO SEND
Your GDPR specifications document is already written.
Save 15 hours of writing: we have already drafted the 60 essential audit questions to secure your AI project in 2026.
Structure ready for submission: 7 pre-configured tabs (Security, Data, Hosting, Subcontractors...)
Complete supplier audit: 60 critical criteria already stated
Decision support: Automatic scoring grid and checklist of documents
📥 Download the Excel Template
You are drafting a request for proposals for an AI agent (chatbot, virtual assistant) and the GDPR section has you stuck? You are not alone. In 2026, 73% of companies still struggle to define compliance requirements in their specifications.
The result: non-compliant suppliers, a major legal exposure under the AI Act, and potential GDPR fines of up to 4% of your annual turnover. This guide gives you the essential criteria to include, along with a free Excel template to evaluate your providers.
Why GDPR changes your selection of AI supplier
Choosing an AI conversational agent means delegating the processing of large volumes of personal data. Legally, you remain the Data Controller and the supplier acts as your Processor, so their failures are your liability. A solid specification protects you on three levels:
Legal compliance (Article 28 of GDPR and AI Act).
Immediate filtering of at-risk suppliers.
Data security for your clients and collaborators.
1. What data will your AI Agent process?
The first step of your request for proposals is to map the flows. Ask suppliers about:
Data types and purposes
Collection: names, email addresses, phone numbers, as well as browsing history and voice recordings.
Critical question: "Do you use our conversations to train your language models (LLMs)?" (Require no training by default, or at most a strict, documented opt-in.)
Retention and deletion period
Configurable retention period (3, 6 or 12 months).
Automatic deletion when the retention period expires.
Reversibility: deadline for final deletion at the end of the contract (require a deletion certificate).
Note: a supplier that trains its models on your data without your explicit agreement is processing beyond your documented instructions (Article 28(3)(a) GDPR). Treat this as a major compliance risk and an eliminating criterion.
2. The 4 non-negotiable security requirements
Your consultation document must impose these technical measures:
Encryption: data encrypted in transit (TLS 1.3 minimum) and at rest (AES-256). Many endpoints still accept TLS 1.2 alongside 1.3; if you require 1.3 as a minimum, verify that the supplier's endpoint actually refuses a TLS 1.2 handshake rather than taking the claim on paper.
Access control: Mandatory multi-factor authentication (MFA) for administration.
Incident notification: the supplier must commit to informing you within 48 hours of discovering a breach, so that you can meet the 72-hour deadline for notifying the supervisory authority (the CNIL in France) under Article 33 GDPR.
Subcontracting: a complete list of third parties (hosting providers, LLM APIs such as OpenAI or Mistral, analytics tools) with proof that a DPA is in place with each of them.
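One way to verify the "TLS 1.3 minimum" requirement rather than accept it on paper. This is an added example, not part of the original article or its Excel template; the hostname is a placeholder you replace with an endpoint you are authorized to test, and only the Python standard library is used. It performs two handshakes, one with the default (TLS 1.3-capable) client and one capped at TLS 1.2, and a compliant endpoint must negotiate TLS 1.3 in the first and refuse the second.

```python
"""Probe a supplier endpoint for the 'TLS 1.3 minimum' requirement.

Added example, not from the original page. Assumes a hostname you are
allowed to test (placeholder below) and standard library only.
"""
import socket
import ssl
from typing import Optional

TIMEOUT = 5.0


def negotiated_version(host: str, port: int = 443,
                       max_version: ssl.TLSVersion = ssl.TLSVersion.MAXIMUM_SUPPORTED
                       ) -> Optional[str]:
    """Handshake with `host`, capping the client's offer at `max_version`.

    Returns the negotiated protocol string (e.g. "TLSv1.3"), or None if the
    server refused the handshake, which is what we want to see when the
    client can only offer TLS 1.2. Certificate and hostname verification
    stay on: an endpoint that fails them fails the requirement outright.
    Network errors other than a refused handshake propagate to the caller.
    """
    ctx = ssl.create_default_context()
    ctx.maximum_version = max_version
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, ConnectionResetError):
        # protocol_version alert, or a server that drops the connection
        return None


def verdict(with_tls13: Optional[str], tls12_only: Optional[str]) -> str:
    """Classify the two handshake results against the requirement."""
    if with_tls13 != "TLSv1.3":
        return "non-compliant: TLS 1.3 not offered"
    if tls12_only is not None:
        return f"non-compliant: downgrade to {tls12_only} accepted"
    return "compliant: TLS 1.3 negotiated, TLS 1.2 refused"


def check_tls_minimum(host: str, port: int = 443) -> str:
    best = negotiated_version(host, port)
    legacy = negotiated_version(host, port, ssl.TLSVersion.TLSv1_2)
    return verdict(best, legacy)


if __name__ == "__main__":
    import sys
    # Placeholder hostname (assumption): pass the supplier's API host as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "chatbot-api.example.com"
    print(target, "->", check_tls_minimum(target))
```

Run it against the supplier's API hostname and attach the output to the security annex review. A "downgrade accepted" result is not necessarily disqualifying if your specification only requires TLS 1.2 with modern ciphers, but it contradicts a supplier that claims TLS 1.3 as its minimum.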
3. Hosting: The issue of sovereignty
The location of the servers is the criterion that most often eliminates half of the candidates. Ask these specific questions:
Hosting country: France or European Union?
Backup location: Are they also in the EU?
Transfers outside the EU: if data leaves the European Economic Area, what legal mechanism covers it (an adequacy decision, or standard contractual clauses backed by a transfer impact assessment)?
4. Mandatory contractual documents
A serious supplier must be able to provide immediately:
✅ DPA (Data Processing Agreement) compliant with article 28.
✅ Security Annex: Detailed description of technical measures.
✅ Pentest Report: a recent penetration test report (less than 12 months old), including the remediation status of the findings.
✅ AI Act Sheet: Classification of the risk level of the proposed AI.
[Free Template] Download the Excel specifications
Save time in drafting your AI request for proposals. We have condensed the best practices into a ready-to-use tool.
Pack content:
60+ evaluation criteria organized by themes (GDPR, Technical, Business).
Automatic scoring grid to compare candidates.
Levels of requirements: (Mandatory / Important / Optional).
.xlsx format compatible with Google Sheets — Estimated time saving: 15 hours of writing.
FAQ: Chatbot Request for Proposals & GDPR
What are the mandatory requirements for an AI chatbot?
At a minimum: a DPA, encryption in transit and at rest, a clear retention policy, and transparency about whether your data is used to train models.
Is hosting in France mandatory?
It is not a strict legal requirement (hosting in the EU is sufficient), but it is a significant advantage for data sovereignty and for reducing the legal risks associated with extraterritorial laws.
What does the CNIL say about conversational agents?
The CNIL emphasizes the principle of data minimization (collect only what is necessary) and clear information for users: they must know they are interacting with a machine from the very first message.