GDPR Recording Calls: What You Need to Know

Updated: June 2026

Recording calls is a common practice used for training, quality assurance, legal compliance, or customer service. When those recordings involve individuals in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) applies. Call recording is a form of personal data processing and must comply with applicable legal requirements.

Key Takeaways

• Any recorded call that can identify a person through voice, name, phone number, or other details falls under GDPR and must meet its requirements for lawful processing.

• Callers must be told that the call is being recorded, why it is recorded, on what legal basis, how long the data will be stored, and what rights they have regarding the recording.

• If you rely on consent, it must be freely given and informed. Recordings must also be securely stored, with limited access, proper retention periods, and a clear breach response plan in place.

Why does GDPR apply to call recording?

When do call recordings count as personal data?

A recorded voice is classified as personal data under GDPR. If a recording includes names, phone numbers, opinions, or any other information that could identify an individual, GDPR protections apply. Even voice alone can be enough to identify a person.

When does GDPR apply to call recordings?

GDPR applies whenever the caller or recipient is located in the European Union or European Economic Area. It also applies if your business is located outside of the EU but targets EU-based individuals.

What are the legal grounds for recording calls under GDPR?

GDPR allows organisations to record calls only if there is a valid legal reason. These are known as lawful bases for processing.

Can consent be used as the legal basis for recording calls?

This is the most common and recommended basis. The individual must agree to the recording after being informed of its purpose and the intended use. Consent must be freely given and cannot be assumed through silence or continued participation in the call.

When does contract apply as a legal basis for recording?

You may record a call if it is necessary to fulfil a contract with the individual. This typically applies to specific transactions or agreements, not to general customer service calls.

When does legal obligation apply to recording calls?

In specific regulated industries, call recording may be required by law. If so, you must document which regulation applies and follow only what is necessary for legal compliance.

When can legitimate interest justify recording calls?

An organisation may justify recording if there is a legitimate interest, such as for training or dispute resolution. However, this requires a balancing test to ensure that your interests do not override the rights and freedoms of the individuals involved.

How do you record calls in a GDPR-compliant way?

How should callers be informed about call recording?

You must inform callers before recording begins. This includes:

• That the call is being recorded

• The reason for the recording

• The legal basis being used

• For how long the recording will be kept

• Who will have access to the recording

• What rights the caller has regarding the recording

This information can be delivered through a recorded message or a clear verbal statement at the start of the call.

How should organisations offer callers a real choice?

If you rely on consent, individuals must be able to refuse. This may involve offering an unrecorded call option or providing an alternative means of communication, such as email.

What data should be collected when recording calls?

Only record what is necessary. Do not include sensitive personal data, such as financial information or health details, unless necessary. If you do collect sensitive data, additional safeguards must be in place.

How should call recordings be stored securely?

Recordings must be stored in a secure environment. Access should be limited to authorised staff, and recordings should be encrypted or otherwise protected to prevent unauthorised access.

How long should call recordings be retained?

Establish a clear policy for the retention period of call recordings. Retain recordings only for as long as necessary to meet their purpose. After that, they must be safely deleted.

What records of call recording processing must be kept?

Document your call recording processes, including their purpose, legal basis, data storage method, retention period, and access controls. This is part of your organisation’s accountability obligations.

What rights do individuals have regarding call recordings?

What is the right to be informed for call recordings?

Callers must be clearly informed that they are being recorded and the reason for doing so. This must happen before the recording starts.

What is the right to access call recordings?

Individuals have the right to request a copy of their call recording. You must respond within a reasonable time and provide the recording in a secure format.

What is the right to erasure for call recordings?

If the recording was made with consent, the individual has the right to withdraw that consent and request its deletion, unless there is another legal reason to keep it.

What is the right to object to call recording?

When you rely on legitimate interest, individuals have the right to object to the recording. You must respect that objection unless there are compelling reasons not to.

What security measures and breach procedures apply to call recordings?

How should organisations protect call recording systems?

Use technical controls such as access restrictions, encryption, and monitoring to protect call recordings against leaks or breaches.

What should organisations do if a call recording data breach occurs?

If a call recording is lost, stolen, or accessed without authorisation, and this poses a risk to the individual, you must report it to the data protection authority within 72 hours. If the risk is high, you may also need to inform the affected individual.

How should organisations assign roles and manage responsibility for call recordings?

When should a Data Protection Officer be appointed for call recording?

If your organisation regularly records calls or handles large volumes of personal data, you may be required to appoint a Data Protection Officer. This person ensures compliance, monitors procedures, and acts as a point of contact for authorities.

How should third-party call recording vendors be managed?

If you use third-party software or cloud services to record calls, you must ensure they comply with GDPR. Contracts must define their responsibilities and include clear data protection terms.

Why does GDPR compliance matter for call recording?

Call recording has clear operational uses. Without proper compliance, it also carries real legal risk. Fines for GDPR violations can reach up to 20 million euros or 4% of a company’s global turnover.

Proper compliance shows customers and clients that your organisation values privacy and operates with integrity. That builds trust and long-term credibility.

What steps should organisations take to comply with GDPR call recording rules?

How should organisations audit their call recording practices?

Review how and why you are recording calls, who has access to them, and how long recordings are stored.

How should the correct legal basis for call recording be chosen?

Decide whether your recordings are based on consent, legal obligation, legitimate interest, or another lawful basis.

How should scripts and privacy notices be updated?

Ensure that your customer-facing messages are clear and consistent with GDPR requirements.

How should staff be trained on GDPR call recording requirements?

Ensure team members understand how to explain call recording policies and handle data requests.

How should call recording processes be tested?

Confirm you can respond to access or deletion requests quickly and efficiently. Ensure you also have a clear plan in place for addressing security incidents and data breaches.

Frequently Asked Questions

Can I record a call without the person on the other end being aware of it?

No. Under GDPR, individuals must be informed before the recording begins. Secret recordings without notice are not compliant.

Is consent always required to record calls?

Not always. While consent is the most common legal basis, you may also rely on contractual necessity, legal obligation, or legitimate interest, depending on the context and purpose of the recording.

What should I do if someone requests a copy of their recorded call?

You must provide access to the recording in a timely and secure manner, typically within one month of the request. If consent was the legal basis, the person may also request deletion.