Call Recording Laws in the European Union
Plain-English summary
Within the European Union, call recording is regulated primarily as the processing of personal data under the General Data Protection Regulation (GDPR). The recording of a voice is the processing of biometric and personal data; doing so requires a lawful basis under Article 6, transparency under Articles 13–14, a defined retention period under Article 5(1)(e), and appropriate technical and organizational measures under Article 32.
The EU does not impose a single “all-party consent” rule across member states — member-state criminal codes still vary — but the practical effect of GDPR transparency and lawful-basis requirements is that ordinary business call recording in the EU is conducted with audible notice and an opportunity to object. National data-protection authorities have repeatedly stated that consent is the most defensible lawful basis for ordinary call recording.
Statutory framework
The relevant instruments:
- GDPR, Articles 5–7, 13–14, 32, 82–83. Lawful basis, transparency, data-subject rights, security obligations, remedies, and fines.
- ePrivacy Directive 2002/58/EC (as amended). Confidentiality of communications; Article 5(1) prohibits listening, tapping, storage, or other kinds of interception or surveillance of communications without the consent of the users concerned, except when legally authorized.
- Member-state implementing law. National criminal codes — e.g., § 201 StGB in Germany, Article 226-1 of the Code pénal in France — that criminalize secret recording of private conversations.
The interaction between the ePrivacy Directive and GDPR is layered: the Directive governs the act of interception; GDPR governs everything that happens to the resulting personal data afterward (storage, sharing, retention, security).
Regulator guidance
The European Data Protection Board (EDPB) coordinates national regulators’ positions on call recording but does not enforce. National regulators — the CNIL in France, the BfDI and state authorities in Germany, the Garante in Italy, the AEPD in Spain, the DPC in Ireland, the AP in the Netherlands — issue specific guidance and impose fines.
A recurring theme across regulator guidance:
- Audible notice at the start of the call is the baseline.
- The caller must be told the purpose of the recording, the lawful basis, and the retention period.
- The caller must be offered a means to object or to continue without recording where the recording is not strictly necessary.
- Retention beyond six months is generally suspect absent a specific legal need.
GDPR specifics for call recording
Lawful basis (Article 6)
- Consent (Art. 6(1)(a)). Express, informed, freely given. Must be the recorded party’s decision; pre-ticked or refuse-to-continue consent is not freely given.
- Contract performance (Art. 6(1)(b)). Available where the recording is genuinely necessary to perform a contract — for example, financial-services transaction confirmation under MiFID II.
- Legitimate interest (Art. 6(1)(f)). Available where the controller’s interest is not overridden by the data subject’s rights. Requires a documented balancing test (a legitimate interests assessment, or LIA).
- Legal obligation (Art. 6(1)(c)). Available where a specific legal obligation requires the recording — for example, MiFID II Article 16(7) for investment firms.
Transparency (Articles 13–14)
At the time of the call, the data subject must be informed of: the identity of the controller, the purposes, the lawful basis, the retention period, the recipients, the data subject’s rights, and the right to lodge a complaint with the supervisory authority. A typical pre-call announcement satisfies this only if it covers all of these elements or directs the caller to a privacy notice that does.
Retention (Article 5(1)(e))
No longer than necessary. Regulator guidance frequently treats six months as the upper end for general business recording; longer retention requires a specific lawful basis (litigation, regulatory obligation).
Special categories (Article 9)
If a call inevitably captures special-category data (health, religion, sexuality, political opinion, biometric data uniquely identifying a person), Article 9 applies and a narrow exception is needed. Voice as a biometric identifier triggers Art. 9 only where the recording is intended to identify the speaker, which is uncommon in routine recording.
Workplace and business calls
Employer recording of employee phone calls (for training, quality assurance, or dispute resolution) requires both a GDPR lawful basis and compliance with member-state employment law. Most EU member states require:
- Prior consultation with the works council or employee representative body.
- A written policy made available to employees.
- A clear notice to the employee at the start of the recorded call (a beep or banner does not, on its own, satisfy the works-council requirement).
- Restricted access to recordings; segregation from performance-management systems unless a specific lawful basis covers that use.
Cross-border and conflict-of-laws notes
GDPR applies extraterritorially under Article 3(2) to processing of EU residents’ personal data where the processing relates to offering goods or services to those residents or monitoring their behavior. A US company recording calls with EU customers is subject to GDPR, and to the supervisory authority of the relevant member state. See our cross-border calls page.
Transfer of recordings outside the EEA requires an Article 44 transfer mechanism — an adequacy decision, standard contractual clauses, or one of the limited derogations.
Penalties and remedies
Administrative fines under Article 83 GDPR may reach €20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements. Member-state criminal statutes for secret recording impose criminal penalties on top (see country pages).
Data subjects have a right to compensation under Article 82 for material or non-material damage caused by an infringement. National courts have awarded modest non-material damages for unlawful recording (the level varies by jurisdiction).
Practical guidance
- Build the consent preamble into the system, not the agent script. Make the recording stop if the caller does not consent.
- Document the lawful basis. If you rely on legitimate interest, document the balancing test in writing.
- Set a retention period and stick to it. Automate deletion.
- Train staff on data-subject access requests. A request for a copy of a recorded call is an Article 15 access request and must be answered within the statutory deadline.
- For cross-border processing, identify your lead supervisory authority under the one-stop-shop mechanism.