AI for debt collection in Europe: a GDPR and AI Act guide

Five workloads dominate live deployments. The first is portfolio segmentation, where machine-learning scores rank cases by likelihood-to-pay and right-time-to-contact. The second is automated outreach, including AI-mediated communication that handles inbound and outbound contact in the debtor's language. The third is payment-plan negotiation, where the AI proposes affordable instalments within rules set by the recoveries team. The fourth is hardship and vulnerability detection, which flags cases that should be routed to a human agent or paused. The fifth is predictive recoveries forecasting, used by the finance team to model expected cashflow.

The European Banking Authority's 2023 report on the use of machine learning in IRB models is the closest official reference for the credit-side analytics that feed recoveries scoring [2]. For the operational layer, the relevant references are the GDPR Article 22 jurisprudence on automated decision-making and the EU AI Act risk classification [1][5].

Three GDPR provisions are load-bearing. Article 6 requires a lawful basis for processing, which in collections is typically contract or legitimate interest, with a documented balancing test. Article 22 limits decisions based solely on automated processing that produce legal or similarly significant effects on the data subject, which includes most adverse recovery actions. In practice, this means a human agent must remain in the loop for any decision that escalates the case, denies a payment plan, or triggers legal action. Article 35 requires a Data Protection Impact Assessment for systematic, large-scale processing of debtor data using new technology, which AI deployments almost always trigger.

The European Data Protection Board's 2024 guidelines on automated decision-making confirm that voice-AI conversations with debtors fall inside Article 22 when the conversation contributes materially to a downstream decision [3]. The practical consequence is that the AI's recommendation must be reviewable, the human override path must be documented, and the debtor must be informed of the AI involvement.

It depends on the system's role. Annex III of the AI Act lists "AI systems intended to be used for evaluating the creditworthiness of natural persons or establishing their credit score" as high-risk, with limited carve-outs [5]. Recoveries AI sits adjacent to this category and the assessment is fact-specific.

If the AI scores debtors to determine recovery strategy, payment-plan eligibility or escalation thresholds, the safer interpretation is that the system is high-risk and the full Annex III obligations apply: a written conformity assessment, technical documentation, data and data governance evidence, logging, human oversight, transparency to users, and post-market monitoring. Most high-risk obligations apply from August 2026. Vendors that cannot produce a written assessment plan should not be on a 2026 shortlist.

If the AI is used purely for operational logistics (contact-time optimisation, language routing, transcription) without influencing a decision that affects the debtor's rights or finances, the lower-risk obligations apply. Even in this case, GDPR Articles 22 and 35 still bind.

The market splits into three tiers. Scaled integrators (Accenture, Deloitte, Capgemini, IBM Consulting) build bespoke recoveries AI inside larger banking and BPO transformations. Decision intelligence specialists (Quantexa) sell graph-based contextual decisioning that touches both fraud and recoveries. Applied-AI specialists (Faculty AI, ML6, Impetora) build bespoke decisioning and automation systems for individual recoveries operations.

Productised conversational-AI platforms exist but most were not designed for the GDPR Article 22 and AI Act obligations described above. Buyers evaluating a productised platform should ask the vendor to produce a written DPIA template, a documented human-in-the-loop architecture, and evidence of an AI Act conformity assessment for at least one similar deployment. If the answers are vague, the platform is likely a marketing-grade product without the regulated-industry engineering work behind it.

Six questions sort the field. Where will the data live, including all sub-processors and back-up locations? What is the documented human-in-the-loop architecture and which decisions are escalated by default? Which AI Act risk classification has the vendor assigned and what is the conformity assessment plan? What is the DPIA evidence and is it shareable under NDA? How does the vendor handle vulnerable-customer detection, including the specific triggers and the escalation path? What is the model retraining cadence and how is drift detected and reported?

The Bank for International Settlements' 2024 paper on generative AI in banking is a useful reference frame for the operational risks [4], and the European Commission's AI Office guidance is the canonical source on Act obligations [5].

Impetora is an enterprise AI consultancy and solutions partner that builds auditable, production-grade AI for regulated workloads. In recoveries, this means decisioning and automation systems where every interaction is logged, every recommendation is traceable to its inputs, every adverse decision routes to a human agent by default, and every system ships with a written conformity assessment that the buyer's DPO and risk committee can sign off. We deliver in five languages from EU-headquartered teams in Vilnius and Amsterdam, working with enterprise clients worldwide, and we operate inside the GDPR and AI Act regime as a matter of design, not retrofit.

If you are scoping a debt-collection AI build for 2026, the Impetora intake asks for the six dimensions above and the discovery phase produces a written readiness audit before any code is committed.