A Guide to GDPR Call Recording Compliance

GDPR call recording compliance is one of the trickiest operational problems facing organizations with EU customers. The moment you hit record on a call with someone in the EU, you've created personal data, and a long list of legal obligations attaches to that file: lawful basis, disclosure, retention limits, access controls, rights requests, and vendor contracts. Get any of them wrong, and the consequences could include multi-million-euro fines.
The General Data Protection Regulation (GDPR) is the EU's data protection and privacy law, setting the rules for how organizations collect, store, and use personal information about people in the EU.
For any team recording calls that involve people in the EU, GDPR call recording compliance is an ongoing operational requirement with real enforcement behind it. The rules apply the same way to a 50-person sales floor and to a one-on-one customer call taken from a home office.
The Short on Time Version
- GDPR applies to voice recordings because any recording that can be linked to an identifiable person in the EU is considered personal data.
- You need a lawful basis before you record; for most B2B sales and customer calls, "legitimate interests" is the right rationale.
- Every participant needs to know the call is being recorded, who is recording it, why, and how to refuse. A generic "this call may be recorded for training" no longer meets the standard.
- People in your recordings have rights: they can ask for a copy, ask you to delete it, or object to how it's being used, and you have one month to respond.
- The right AI meeting notetaker platform makes most of this easier and does so much more than just transcribe. Otter handles the recording announcement, retention, access controls, and audit logging through configuration, so your team doesn't have to manage compliance call by call.
Why GDPR Applies the Moment You Hit Record
Most people assume GDPR kicks in when you store data or share it; for call recordings, it kicks in the instant you start recording.
Voice Recordings Count as Personal Data
Article 4(1) of the GDPR defines personal data as "any information relating to an identified or identifiable natural person," and voice recordings are specifically mentioned as an example. The moment a recording can be linked to an identifiable person, all GDPR obligations that apply to personal data also apply to that recording.
If your call recording software also does speaker identification or voiceprint analysis, it gets more serious. That kind of processing can involve biometric data, which would classify it as special category data under Article 9.
GDPR Obligations Apply to You, Not Your Vendor
When you decide to record a call and choose the tool to do so, you are the controller under the GDPR. Your vendor, whoever runs the infrastructure, is the processor. Controllers carry the primary obligations: lawful basis, disclosure, rights requests, retention, and security. The processor has its own duties, but the regulator's first call is to you.
GDPR Follows Your EU Prospects Across Borders
GDPR doesn't stop at the EU border; under Article 3, it applies to any organization with an EU establishment whose activities involve processing personal data, and any organization offering goods or services to people in the EU. If your SDRs are in Denver but your prospects are in Dublin, GDPR applies to those calls.
How to Record Calls in a GDPR-Compliant Way
Recording compliantly comes down to five decisions, made in order, before and around each call.
Step 1: Choose the Right Lawful Basis Before You Record
Before you record a single call, you need a lawful basis under Article 6. There are six of them, but for business call recording, three bases cover almost every case.
- Legitimate interests (Article 6(1)(f)) covers quality assurance, staff training, dispute resolution, and fraud prevention. For a typical B2B sales or customer success call, this is usually the right basis. You should also document a short Legitimate Interests Assessment (LIA) naming the specific purpose, why the recording is necessary, and the safeguards you have in place.
- Legal obligation (Article 6(1)(c)) applies when you're in a regulated sector that actively requires recording, such as financial services under MiFID II. If the law tells you to record, this is your basis.
- Consent (Article 6(1)(a)) is only appropriate in narrow situations where the person has a genuine, consequence-free choice, like an optional research interview. Consent must be freely given, specific, and active, and under Article 7(3), it can be withdrawn at any time.
Step 2: Disclose the Recording to Every Participant
GDPR requires you to tell people you're recording, why, and what rights they have. Disclosure is not the same as consent, but it is always required.
Your pre-call announcement should do four things:
- Identify who is recording
- State each specific purpose
- Explain the right to refuse
- Point to a fuller privacy notice
In practice, replace "this call may be recorded for training purposes" with something closer to: "This call is being recorded by Acme Ltd so we can coach our team and resolve any disputes. You can ask us to stop at any time, and you can see the full details in our privacy notice at acme.com/privacy."
If someone says they don't want to be recorded, stop the recording, continue the conversation unrecorded, and log the refusal. Don't pretend you stopped while the tool keeps running, and don't make continuing the call contingent on accepting the recording; under Article 7(4), conditioning a service on unnecessary consent is invalid.
A lot of this disclosure overhead can be automated. For example, Otter can be configured to handle the recording announcement and consent logging, documenting whether participants stayed or objected, taking one more responsibility off the host’s plate.
However, you are still responsible for obtaining all required rights and consents from the customer. The platform handles the operational workflow while you still own the policy underneath it.
Step 3: Build a Workflow for Rights Requests
Once recordings exist, the people on them have rights over them. Audio is difficult to search, redact, or correct, so these workflows must be in place before the first request arrives.
- Right of access. Under Article 15, a data subject can ask you to confirm whether recordings of them exist and to provide a copy. Article 12 gives you one month to respond. You'll need a way to find every recording in which a specific person appears across all systems. If a recording includes other participants' voices, you may need to redact them before handing over the file.
- Right to erasure. Under Article 17, people can ask you to delete recordings when they're no longer necessary, when consent is withdrawn, or when a successful objection under Article 21 applies. You can refuse erasure where the recording is genuinely needed for legal claims, but not because deletion is inconvenient.
- Right to rectification. You cannot "correct" audio without falsifying the record. The workable middle path is to correct the associated metadata, add an annotation documenting the data subject's concern, and decline to alter the audio itself, with a documented justification.
Step 4: Control Who Can Access Recordings, and for How Long
Once recordings exist, two things determine whether you remain compliant over time: how long you keep them and who can access them.
Article 5(1)(e) says personal data must be kept "no longer than is necessary." Match your retention period to your stated purpose. If your LIA says you're recording for coaching, six months is often defensible; seven years almost certainly isn't. Document the rationale and configure automated deletion.
Article 32(1) requires appropriate technical and organizational measures, including encryption. Uncontrolled access to recordings can itself breach Articles 5(1)(f) and 32, even without an external attacker. The fix is role-based access control plus audit logging, so every access is recorded against a specific person, at a specific time, for a specific recording.
If what you actually need is conversation content rather than voice, storing only the transcript can satisfy Article 5(1)(c) data minimization while carrying lesser privacy risks. Transcripts still require a lawful basis, a retention period, and a rights workflow, but they're a lower-risk default than keeping every audio file.
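As an added example (not the page's or Otter's code), the controls from Steps 3 and 4 modelled as a small Python recording registry: purpose-bound retention with automated deletion, role-based access with an audit entry for every attempt, and access and erasure requests that honour a legal-claims hold. The purposes, roles, retention periods and participant identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed LIA purposes/retention periods and role-to-purpose mapping (assumptions, not Otter's settings).
RETENTION_DAYS = {"coaching": 180, "dispute_resolution": 365}
ROLE_PURPOSES = {"sales_manager": {"coaching"}, "legal": {"coaching", "dispute_resolution"}}

@dataclass
class Recording:
    rec_id: str
    purpose: str              # must be one of the documented LIA purposes
    recorded_on: date
    participants: frozenset   # identifiers of the people on the call
    legal_hold: bool = False  # Art. 17(3)(e): genuinely needed for legal claims

@dataclass
class Registry:
    recordings: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # (date, actor, rec_id, event)

    def access(self, actor, role, rec_id, today):
        """RBAC check; every attempt, allowed or denied, is logged (Art. 32)."""
        rec = self.recordings.get(rec_id)
        allowed = rec is not None and rec.purpose in ROLE_PURPOSES.get(role, set())
        self.audit_log.append((today.isoformat(), actor, rec_id, "read" if allowed else "denied"))
        return rec if allowed else None

    def purge_expired(self, today):
        """Art. 5(1)(e): delete recordings past their purpose-bound retention period."""
        expired = [r.rec_id for r in self.recordings.values() if not r.legal_hold
                   and today > r.recorded_on + timedelta(days=RETENTION_DAYS[r.purpose])]
        for rec_id in expired:
            del self.recordings[rec_id]
            self.audit_log.append((today.isoformat(), "retention-job", rec_id, "deleted"))
        return expired

    def access_request(self, subject):
        """Art. 15: list every recording the subject appears in, across the registry."""
        return sorted(r.rec_id for r in self.recordings.values() if subject in r.participants)

    def erase(self, rec_id, subject, today):
        """Art. 17: erase on request, refusing only where the recording is held for legal claims."""
        rec = self.recordings.get(rec_id)
        if rec is None:
            return "not_found"
        outcome = "refused_legal_claims" if rec.legal_hold else "erased"
        if outcome == "erased":
            del self.recordings[rec_id]
        self.audit_log.append((today.isoformat(), subject, rec_id, outcome))
        return outcome
```

The purge job is what turns the documented retention period into actual deletion; the legal-hold flag is the one documented exception the text allows, and every path leaves an audit entry naming who acted on which recording and when.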
Step 5: Get the Vendor Relationship Right Before You Sign
Most teams record meetings with a SaaS tool, which means a third party is processing personal data on your behalf. That relationship is its own compliance surface.
Article 28 requires a written Data Processing Agreement covering the scope and nature of processing, security measures, sub-processor rules, breach notification timelines, and audit rights. The 2021 EU Standard Contractual Clauses (Module 2, Controller-to-Processor) incorporate all Article 28 requirements, making them the cleanest starting point for an EU-focused DPA.
Storing recordings outside the EEA (European Economic Area) triggers Chapter V. The 2020 Schrems II ruling added a condition to the SCCs: you now have to conduct a Transfer Impact Assessment documenting the specific transfer and the supplementary measures in place. The EU-US Data Privacy Framework is currently a valid transfer mechanism for certified US providers, but keeping the executed 2021 SCCs in parallel remains the sensible move for any US-based tool.
Before you commit to any recording vendor, get clear answers to five questions:
- Does the vendor offer a DPA that covers every Article 28 requirement?
- Where does the data actually get processed and stored?
- What breach notification timeline do they commit to in writing?
- Does the platform support configurable, automated retention and deletion?
- Can they produce a current SOC 2 Type II or ISO 27001 certification?
Otter answers the five questions above directly: it offers a DPA, is SOC 2 Type II certified and HIPAA compliant, and gives admins configurable retention, role-based access, audit logging, and SSO via Okta and Azure AD.
It also gives IT a single, governed platform to point to, rather than managing a patchwork of meeting tools that each team picked up on its own. The platform doesn't replace your lawful basis work or your disclosure policy, but it does give you something defensible to hand to a regulator when they ask how recordings are stored, retained, and controlled.
Run These Checks Before Your First Recording
The five steps above are the ongoing work. Before the first call is recorded, there are three pre-flight checks worth running to ensure the whole program starts on solid ground.
Run a Data Protection Impact Assessment
A Data Protection Impact Assessment is required under Article 35 when processing is likely to result in a high risk to individuals' rights and freedoms.
Under WP29 DPIA guidance recognized by the EDPB, processing that meets at least two of the nine criteria will generally require one. Systematic recording of business calls, especially when it involves speaker identification or special category data, will often meet that bar.
Update Your Privacy Notice and Recording Announcement
Your privacy notice should name each recording purpose, the lawful basis for each, the retention period, who has access, whether recordings leave the EEA (and on what legal basis), and the rights that apply.
If you have a recording announcement, update it to match: replace generic "may be recorded for training" with the purpose-specific and basis-specific language you drafted in your LIA, so the spoken disclosure and the written notice line up.
Train Your Team on Disclosure and Refusal Handling
Cover three things with any team that records: the lawful basis your organization relies on and why; how to deliver the opening disclosure and handle a refusal without derailing the conversation; and how to spot a verbal access or erasure request mid-call, so it gets routed correctly instead of disappearing into a call note. Refresh the training whenever the policy, the purpose, or the tool changes.
Compliant Recording Doesn't Have to Be Complicated
Recording calls under GDPR requires a handful of decisions, made in the right order, and supported by tools that respect the rules by default. You decide the basis, write the LIA, update the privacy notice, train the team on disclosure, build the rights workflow, and pick a platform that makes retention and access controls the path of least resistance. Once made and quietly maintained, these decisions keep you out of every risk category in this guide.
The hardest part is enforcing the rules call after call, across a team that's busy doing its actual job. That's where the right platform takes the weight off. Otter handles the operational side of a GDPR-compliant recording program: it offers an Article 28 DPA, announces recordings to participants automatically, gives admins configurable retention and automated deletion to match your stated purpose, and enforces role-based access with full audit logging so you can show a regulator exactly who opened what, when, and why.
Get a demo of Otter to see how the controls work in practice.