What are the GDPR Rules for Recording Calls?


Many organizations record telephone calls to maintain quality, train employees and resolve client disputes.  However with the observance of the GDPR guidelines starting May 25, 2018, organizations have to adhere to new regulations for recording calls.

Any business from any location must adhere to the GDPR rules for recording calls every time dealing with residents in the EU. Call recording can proceed under GDPR, since recording phone conversations isn’t forbidden, however there are added conditions to safeguard the rights and freedoms of data subjects. Much like the cookies on websites along with other sorts of data gathering, recording phone calls can only happen when the data subject provides his or her permission (GDPR Article 7).

In the past, to adhere to current rules, companies would tell people that the telephone conversation is recorded for a specific purpose and permission was acquired when the client carried on with the phone call. Even when the client was quiet or did not carry out any specific action, it was considered as saying yes to the recording. Having said that, GDPR Rules for recording phone calls now demands consent to be supplied with an affirmative action. Silence or doing no specific action is no longer enough. A particular action like pressing a key on the phone or giving verbal permission is required under the GDPR. The company must retain a recording of the consent provided.

GDPR Rules for recording calls entail not only consent. There has to be a legitimate reason for gathering the information prior to the recording of the call is permitted. Generally speaking, companies should make sure that one or more conditions in the list below is fulfilled besides obtaining the consent:

  • Recording is necessary to follow a contract
  • Recording is essential for legal reasons
  • Recording is needed to safeguard the welfare of one or more people
  • Recording is required to keep public security
  • Recording is in the legal interests of the recorder, given that those interests aren’t overwritten by the interests of the individuals participating in the calls.

Additionally, the following GDPR Guidelines for recording calls should be followed

  • Saved call recordings must be secure with proper controls blocking unauthorized individuals from getting the recordings. Businesses need to perform a risk analysis to identify the level of risk involved, and implement guidelines, physical, and technical safety measures to minimize risk to an appropriate level.
  • GDPR Article 5 claims that data are to be retained only so long as it satisfies a legitimate purpose for obtaining the information. Once the call recordings are not needed, they should be discarded appropriately.
  • GDPR Article 15 describes the right of data subjects to gain access to their private information, which includes recordings of phone calls. In case a request is gotten from a data subject to gain access to their personal information, it is required for the business to grant that request in 30 days.
  • GDPR Article 17 points out the right of a data subject residing in the EU to request the removal of his personal information. When an EU resident demands his right to be forgotten, all data – which includes call recordings – should be erased, unless the removal of such data violates state or federal regulations and the data are not required for the purpose for which the data was initially gathered. This right is not applicable to the establishment, for the protection of legal claims, archiving for general public interest and for exercising the freedom of expression.
  • The GDPR Rules for recording calls should be adopted or there will be stringent fines. The maximum penalty is €20 million or 4% of global annual turnover, whichever amount is greater.