Recording calls is a common practice used for training, quality assurance, legal compliance, or customer service. But when those recordings involve individuals in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) applies. Call recording is considered a form of personal data processing and must meet strict legal requirements.
This guide explains when GDPR applies to recorded calls and outlines the steps to help your organisation remain fully compliant.
1. Call recordings are considered personal data under GDPR
Any recorded call that can identify a person through voice, name, phone number, or other details falls under GDPR and must meet its requirements for lawful processing.
2. You must inform individuals before recording
Callers must be told that the call is being recorded, why it is recorded, on what legal basis, how long the data will be stored, and what rights they have regarding the recording.
3. Consent and security are critical
If you rely on consent, it must be freely given and informed. Recordings must also be securely stored, with limited access, proper retention periods, and a clear breach response plan in place.
A recorded voice is classified as personal data under GDPR. If a recording includes names, phone numbers, opinions, or any other information that could identify an individual, GDPR protections apply. Even voice alone can be enough to identify a person.
GDPR applies whenever the caller or recipient is located in the European Union or European Economic Area. It also applies if your business is located outside of the EU but targets EU-based individuals.
GDPR allows organisations to record calls only if there is a valid legal reason for doing so. These are known as lawful bases for processing.
Consent is the most common and recommended basis. The individual must agree to the recording after being informed of its purpose and the intended use. Consent must be freely given and cannot be assumed through silence or continued participation in the call.
Contractual necessity is another basis: you may record a call if it is necessary to fulfil a contract with the individual. This typically applies to specific transactions or agreements, not to general customer service calls.
In specific regulated industries, call recording may be required by law. If so, you must document which regulation applies and follow only what is necessary for legal compliance.
An organisation may justify recording if there is a legitimate interest, such as for training or dispute resolution. However, this requires a balancing test to ensure that your interests do not override the rights and freedoms of the individuals involved.
You must inform callers before recording begins. This includes:
• That the call is being recorded
• The reason for the recording
• The legal basis being used
• How long the recording will be kept
• Who will have access to the recording
• What rights the caller has regarding the recording
This information can be delivered through a recorded message or a clear verbal statement at the start of the call.
If you rely on consent, individuals must have the ability to refuse. This may involve offering an unrecorded call option or providing an alternative means of communication, such as email.
Only record what is necessary. Do not capture sensitive personal data, such as financial information or health details, unless it is genuinely needed for the purpose of the recording. If you do collect sensitive data, additional safeguards must be in place.
Recordings must be stored in a secure environment. Access should be limited to authorised staff, and recordings should be encrypted or otherwise protected to prevent unauthorised access.
Establish a clear policy for the retention period of call recordings. Retain recordings only for as long as necessary to meet their purpose. After that, they must be safely deleted.
Document your call recording processes, including their purpose, legal basis, data storage method, retention period, and access controls. This is part of your organisation’s accountability obligations.
Callers must be clearly informed that they are being recorded and the reason for doing so. This must happen before the recording starts.
Individuals have the right to request a copy of their call recording. You must respond within a reasonable time and provide the recording in a secure format.
If the recording was based on consent, the individual has the right to withdraw that consent and request deletion, unless there is another legal reason to keep it.
When you rely on legitimate interest, individuals have the right to object to the recording. You must respect that objection unless there are compelling reasons not to.
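As an added example that is not part of the original guide, the following Python sketch applies the retention, consent-withdrawal and objection rules described above to an inventory of recordings and produces an audit trail of each decision. The retention periods per purpose, the lawful-basis labels and the sample recordings are constructed values for illustration, not periods or identifiers the guide prescribes; an organisation substitutes its own documented values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed retention periods per documented purpose (in days). These are
# sample values for the example, not periods recommended by the guide; each
# organisation sets and documents its own.
RETENTION_DAYS: Dict[str, int] = {
    "training": 90,
    "dispute_resolution": 365,
    "regulatory": 5 * 365,
}

# Labels for the lawful bases discussed in the guide (labels are constructed).
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "legitimate_interest"}


@dataclass(frozen=True)
class Recording:
    recording_id: str
    recorded_on: date
    purpose: str            # must map to a documented retention period
    legal_basis: str        # one of LAWFUL_BASES
    consent_withdrawn: bool = False
    objection_received: bool = False
    # Other documented lawful bases that may still justify keeping the
    # recording after consent is withdrawn or an objection is received.
    other_bases: Tuple[str, ...] = ()


def expiry_date(rec: Recording) -> date:
    """Last day the recording may be kept for its documented purpose."""
    if rec.purpose not in RETENTION_DAYS:
        # An undocumented purpose has no retention period, so retention cannot
        # be justified; fail loudly rather than keep the data indefinitely.
        raise ValueError(f"no documented retention period for purpose {rec.purpose!r}")
    return rec.recorded_on + timedelta(days=RETENTION_DAYS[rec.purpose])


def disposition(rec: Recording, today: date) -> Tuple[str, str]:
    """Decide whether to retain or delete a recording and say why.

    Rules, applied in this order:
      1. past the retention period for its purpose            -> delete
      2. consent basis, consent withdrawn, no other basis     -> delete
      3. legitimate-interest basis, objection, no other basis -> delete
      4. otherwise                                             -> retain
    """
    if rec.legal_basis not in LAWFUL_BASES:
        raise ValueError(f"unknown legal basis {rec.legal_basis!r}")
    if today > expiry_date(rec):
        return ("delete", "retention_expired")
    if rec.legal_basis == "consent" and rec.consent_withdrawn and not rec.other_bases:
        return ("delete", "consent_withdrawn")
    if (rec.legal_basis == "legitimate_interest" and rec.objection_received
            and not rec.other_bases):
        return ("delete", "objection_upheld")
    return ("retain", f"until {expiry_date(rec).isoformat()}")


def sweep(recordings: List[Recording], today: date) -> List[Tuple[str, str, str]]:
    """Evaluate every recording and return an audit trail of (id, action, reason).

    The caller performs the actual deletion from storage; keeping the decision
    and its reason is what supports the accountability obligation.
    """
    return [(r.recording_id, *disposition(r, today)) for r in recordings]


# Constructed sample inventory (not real call data).
SAMPLE_RECORDINGS = [
    Recording("rec-001", date(2024, 1, 1), "training", "consent"),
    Recording("rec-002", date(2024, 3, 1), "dispute_resolution", "consent",
              consent_withdrawn=True),
    Recording("rec-003", date(2024, 3, 1), "regulatory", "consent",
              consent_withdrawn=True, other_bases=("legal_obligation",)),
    Recording("rec-004", date(2024, 5, 1), "training", "legitimate_interest",
              objection_received=True),
    Recording("rec-005", date(2024, 5, 1), "dispute_resolution", "contract"),
]

if __name__ == "__main__":
    for entry in sweep(SAMPLE_RECORDINGS, date(2024, 6, 1)):
        print(*entry)
```

Running the sweep on the sample inventory deletes rec-001 (retention expired), rec-002 (consent withdrawn, no other basis) and rec-004 (objection upheld), and retains rec-003 because a second documented basis still applies. Refusing to evaluate a recording whose purpose has no documented retention period is deliberate: it forces the purpose to be documented rather than letting the data accumulate by default.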
Utilise technical controls, such as access restrictions, encryption, and monitoring, to protect call recordings against leaks or breaches.
If a call recording is lost, stolen, or accessed without authorisation, and this poses a risk to the individual, you must report it to the data protection authority within 72 hours. If the risk is high, you may also need to inform the affected individual.
If your organisation regularly records calls or handles large volumes of personal data, you may be required to appoint a Data Protection Officer. This person ensures compliance, monitors procedures, and acts as a point of contact for authorities.
If you use third-party software or cloud services to record calls, you must ensure they comply with GDPR. Contracts must define their responsibilities and include clear data protection terms.
Call recording offers many operational benefits, but without proper compliance, it can expose your organisation to legal risks. Fines for GDPR violations can reach up to 20 million euros or 4% of a company’s global turnover.
Proper compliance shows customers and clients that your organisation values privacy and operates with integrity. That builds trust and long-term credibility.
Review how and why you are recording calls, who has access to them, and how long recordings are stored.
Decide whether your recordings are based on consent, legal obligation, legitimate interest, or another lawful basis.
Ensure that your customer-facing messages are clear and consistent with the GDPR requirements.
Ensure team members understand how to explain call recording policies and handle data requests.
Confirm you can respond to access or deletion requests quickly and efficiently. Additionally, ensure you have a well-defined plan in place for addressing security incidents and data breaches.
Can I record a call without the person on the other end being aware of it?
No. Under GDPR, individuals must be informed before the recording begins. Secret recordings without notice are not compliant.
Is consent always required to record calls?
Not always. While consent is the most common legal basis, you may also rely on contractual necessity, legal obligation, or legitimate interest, depending on the context and purpose of the recording.
What should I do if someone requests a copy of their recorded call?
You must provide access to the recording in a timely and secure manner, typically within one month of the request being made. If consent was the legal basis, the person may also request deletion.