GDPR Recording Calls: What You Need to Know
Recording calls is a common practice used for training, quality assurance, legal compliance, or customer service. But when those recordings involve individuals in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) applies. Call recording is considered a form of personal data processing and must meet strict legal requirements.
This guide explains when GDPR applies to recorded calls and outlines the steps to help your organisation remain fully compliant.
Key Takeaways
1. Call recordings are considered personal data under GDPR
Any recorded call that can identify a person through voice, name, phone number, or other details falls under GDPR and must meet its requirements for lawful processing.
2. You must inform individuals before recording
Callers must be told that the call is being recorded, why it is recorded, on what legal basis, how long the data will be stored, and what rights they have regarding the recording.
3. Consent and security are critical
If you rely on consent, it must be freely given and informed. Recordings must also be securely stored, with limited access, proper retention periods, and a clear breach response plan in place.
Why GDPR Applies to Call Recording
When Call Recordings Count as Personal Data
A recorded voice is classified as personal data under GDPR. If a recording includes names, phone numbers, opinions, or any other information that could identify an individual, GDPR protections apply. Even voice alone can be enough to identify a person.
When GDPR Applies
GDPR applies whenever the caller or recipient is located in the European Union or European Economic Area. It also applies if your business is located outside of the EU but targets EU-based individuals.
Legal Grounds for Recording Calls
GDPR allows organisations to record calls only if there is a valid legal reason for doing so. These are known as lawful bases for processing.
Consent
This is the most common and recommended basis. The individual must agree to the recording after being informed of its purpose and the intended use. Consent must be freely given and cannot be assumed through silence or continued participation in the call.
Contract
You may record a call if it is necessary to fulfil a contract with the individual. This typically applies to specific transactions or agreements, not to general customer service calls.
Legal Obligation
In specific regulated industries, call recording may be required by law. If so, you must document which regulation applies and follow only what is necessary for legal compliance.
Legitimate Interest
An organisation may justify recording if there is a legitimate interest, such as for training or dispute resolution. However, this requires a balancing test to ensure that your interests do not override the rights and freedoms of the individuals involved.
How to Record Calls in a GDPR-Compliant Way
Inform Callers Clearly
You must inform callers before recording begins. This includes:
• That the call is being recorded
• The reason for the recording
• The legal basis being used
• For how long will the recording be kept
• Who will have access to the recording
• What rights does the caller have regarding the recording
This information can be delivered through a recorded message or a clear verbal statement at the start of the call.
Offer a Real Choice
If you rely on consent, individuals must have the ability to refuse. This may involve offering an unrecorded call option or providing an alternative means of communication, such as email.
Avoid Collecting Excess Data
Only record what is necessary. Do not include sensitive personal data, such as financial information or health details, unless necessary. If you do collect sensitive data, additional safeguards must be in place.
Secure Storage and Limited Access
Recordings must be stored in a secure environment. Access should be limited to authorised staff, and recordings should be encrypted or otherwise protected to prevent unauthorised access.
Limit Retention Periods
Establish a clear policy for the retention period of call recordings. Retain recordings only for as long as necessary to meet their purpose. After that, they must be safely deleted.
Keep a Record of Processing Activities
Document your call recording processes, including their purpose, legal basis, data storage method, retention period, and access controls. This is part of your organisation’s accountability obligations.
What Rights Do Individuals Have
Right to Be Informed
Callers must be clearly informed that they are being recorded and the reason for doing so. This must happen before the recording starts.
Right to Access
Individuals have the right to request a copy of their call recording. You must respond within a reasonable time and provide the recording in a secure format.
Right to Erasure
If the recording was based on consent, the individual has the right to withdraw that consent and request deletion, unless there is another legal reason to keep it.
Right to Object
When you rely on legitimate interest, individuals have the right to object to the recording. You must respect that objection unless there are compelling reasons not to.
Security and Breach Planning
Protect Your Systems
Utilise technical controls, such as access restrictions, encryption, and monitoring, to protect call recordings against leaks or breaches.
Be Prepared for Breaches
If a call recording is lost, stolen, or accessed without authorisation, and this poses a risk to the individual, you must report it to the data protection authority within 72 hours. If the risk is high, you may also need to inform the affected individual.
Assigning Roles and Managing Responsibility
Appointing a Data Protection Officer
If your organisation regularly records calls or handles large volumes of personal data, you may be required to appoint a Data Protection Officer. This person ensures compliance, monitors procedures, and acts as a point of contact for authorities.
Managing Vendors and Processors
If you use third-party software or cloud services to record calls, you must ensure they comply with GDPR. Contracts must define their responsibilities and include clear data protection terms.
Benefits of Getting It Right
Call recording offers many operational benefits, but without proper compliance, it can expose your organisation to legal risks. Fines for GDPR violations can reach up to 20 million euros or 4% of a company’s global turnover.
Proper compliance shows customers and clients that your organisation values privacy and operates with integrity. That builds trust and long-term credibility.
Next Steps for Compliance
Audit Your Current Practices
Review how and why you are recording calls, who has access to them, and how long recordings are stored.
Choose the Right Legal Basis
Decide whether your recordings are based on consent, legal obligation, legitimate interest, or another lawful basis.
Update Your Scripts and Privacy Notices
Ensure that your customer-facing messages are clear and consistent with the GDPR requirements.
Train Your Staff
Ensure team members understand how to explain call recording policies and handle data requests.
Test Your Processes
Confirm you can respond to access or deletion requests quickly and efficiently. Additionally, ensure you have a well-defined plan in place for addressing security incidents and data breaches.+
Frequently Asked Questions
Can I record a call without the person on the other end being aware of it?
No. Under GDPR, individuals must be informed before the recording begins. Secret recordings without notice are not compliant.
Is consent always required to record calls?
Not always. While consent is the most common legal basis, you may also rely on contractual necessity, legal obligation, or legitimate interest, depending on the context and purpose of the recording.
What should I do if someone requests a copy of their recorded call?
You must provide access to the recording in a timely and secure manner, typically within one month of the request being made. If consent was the legal basis, the person may also request deletion.