Note: This article is based on Dutch and European GDPR (AVG) regulations.
You’ve probably heard it before: “This call may be recorded for quality and training purposes.” It sounds almost standard, and for many organisations it is. But can you record phone calls just like that? And what exactly do you need to arrange under the GDPR (in Dutch: AVG)? In this blog, we explain why organisations record calls, what the law says, what your obligations are, and where it often goes wrong. We’ll also cover modern use cases like voicebots and AI-based call analysis.
There are several legitimate reasons for recording phone calls, such as:
Improving customer focus and service quality
Training and coaching employees
Documenting agreements or transactions
Internal control, e.g. audits or compliance checks
Security purposes, such as detecting abuse or threats
In all these cases, recording can be valuable. But it must be done carefully, with a clear purpose and proper justification.
The General Data Protection Regulation (GDPR, or AVG in Dutch) classifies call recordings as the processing of personal data. This means you may only record calls if you have a valid legal basis.
The most common legal bases are:
Consent of the data subject
The customer agrees to the recording after being clearly informed. For example: “This call may be recorded for training purposes. You can object.”
Performance of a contract
The recording is necessary to document agreed terms or verify transactions.
Legitimate interest
For example, improving service delivery. You must show that your interest outweighs the customer’s right to privacy.
Without one of these legal bases, you may not record. Not even “just in case.”
Consent must be freely given, specific, informed, and unambiguous.
A vague announcement like “this call may be recorded” is not enough. Customers must know why the recording is happening and, in the case of consent, must truly have a choice. This could be via an IVR menu or a clear explanation from an employee. Refusing consent may not result in poorer service; otherwise, the consent is not considered freely given.
If you record calls, you are responsible for handling them with care and transparency. This means you must:
Inform customers in advance that the call is being recorded, stating the purpose and legal basis
Limit recordings to what is necessary for the stated purpose
Secure recordings (encryption, access control, logging)
Register them properly in your data processing records
Enable customers to exercise their rights: access, correction, deletion
Define retention periods and delete recordings when no longer needed
The GDPR doesn’t set a fixed retention period, but it does require that you don’t keep data longer than necessary.
For quality purposes, 30 to 90 days is common
For legal purposes, you may keep them longer, provided you can justify it (e.g. a call needed as evidence in an ongoing complaint or legal case)
Always document your retention periods and ensure they match the recording’s purpose.
In practice, call recording often goes wrong. Frequently, there’s no clear pre-call notice, or it’s too vague. Customers may be informed but given no real choice, which is required for valid consent.
Recordings are also often kept for too long without a clear reason or documented retention policy. Many organisations lack proper access control, meaning too many employees can access recordings without oversight.
Lastly, employees themselves are often unaware that calls are recorded or what happens to those recordings afterwards. This lack of clarity creates both confusion and risk. Such mistakes can lead to complaints, reputational damage, or even fines from the Dutch Data Protection Authority.
Voicebot conversations also fall under the GDPR. Customers often share personal data, so this is still a form of data processing.
With voicebots, transparency is even more important:
Clearly state that the conversation is being recorded
Explain the purpose of the recording (analysis, quality monitoring, etc.)
Disclose that the interaction is with an automated system
Note: A voicebot without human involvement makes “legitimate interest” harder to justify. There’s often less necessity to train a bot through recordings than there is with human staff, and the privacy impact can be higher. Be especially careful in your legal justification.
AI tools are increasingly used to automatically detect sentiment, extract keywords, or assess call quality. This counts as a separate processing activity under the GDPR.
Explicitly mention AI use in your privacy statement
Define a separate legal basis for this analysis
Anonymise where possible; this reduces risk and complexity
Maintain transparency: customers have the right to explanation and access here too
AI can deliver valuable insights, but it also increases your responsibilities.
Employees are also considered data subjects under the GDPR. When you record calls, you’re also capturing their voice, performance, and sometimes emotions. Make sure that:
Staff know when and why calls are recorded
They know what happens to the recordings, how long they are kept, and who has access
There is internal buy-in, ideally supported by clear policy and training
When recordings are used for performance reviews or monitoring, extra care is essential.
Recording calls can bring great value: better service, better training, better insights. But it must be done with care. The GDPR requires transparency, justification, and restraint.
So before you hit record, think about why you’re doing it, how you explain it to the customer, and how you handle the recordings. That way, you can enjoy the benefits of call recording without the risks.