GDPR and AI-recorded phone calls: what you need to know

An AI voice agent that picks up a phone call records two streams of personal data at minimum: the audio of both speakers, and the transcription of what they said. In the EU, that is regulated by GDPR (and by the ePrivacy directive). Here is the short version of what you need to set up before you turn the agent on.

The 5 things GDPR requires

1. A legal basis

You need a clear legal basis to record. The two that fit in practice: consent (the caller agrees before recording starts) or legitimate interest (e.g. quality assurance, fraud prevention) with a documented impact assessment. Consent is the simplest path; the agent announces "this call is recorded" at the start and offers an opt-out.

2. Information to the caller

Even with legitimate interest, the caller must be informed: who's recording, why, how long the recording is kept, and who else might access it. In voice, this is the standard announcement at the start of the call. Two sentences are enough.

3. Retention

Recordings must be deleted when they are no longer needed. The standard practice: 6 months for quality assurance, 1 to 5 years for proof of consent or contract, depending on the use case. Hard-coding a retention policy avoids "we still have a recording from 2019" surprises in an audit.

4. EU hosting (or proper transfer mechanism)

If the recording is stored on US servers, you need to ensure a valid transfer mechanism (Standard Contractual Clauses + supplementary measures, or qualifying under the EU–US Data Privacy Framework). The cleaner path is to keep the recording on EU servers from the start. Phonevoice's storage is EU-hosted (Google Cloud Storage in EU regions).

5. A data processor agreement (DPA) with your vendor

If you use a third-party provider (Twilio, OpenAI, Phonevoice, ElevenLabs…) to handle the call, that provider is a data processor and you need a signed DPA. Phonevoice ships a standard DPA with the contract; the platforms that pass through to Twilio + OpenAI mean you need a DPA with each of those too.

The audio is sensitive — sometimes more than you think

A phone call recording can contain health data (medical secretary), financial data (bank, accounting), identification data (passport numbers read aloud), biometric data (voiceprint). In practice, this means: minimize what gets transcribed and stored, redact obvious PII when possible, restrict who in your team can play back recordings.

Two practical patterns we see work

A. Recording on by default, transcription only for the analyst

The audio is recorded for proof; the transcript is what your team and your CRM see. PII redaction runs on the transcript before it leaves Phonevoice. The raw recording is access-controlled and auto-deleted at 6 months.

B. No-record mode

For very sensitive use cases (legal calls, complaints) the agent can run in no-record mode: audio is never persisted, only the structured output (intent + summary) makes it out. Cleaner data minimization story for the DPA.

What Phonevoice does

• EU-hosted recording storage (Google Cloud Storage, EU regions).
• Signed DPA with the contract.
• Per-agent recording toggle (on/off/transcript-only).
• Configurable retention.
• Recording playback access controlled per organization member.
• French entity for invoicing — RGPD applies natively, no transfer mechanism dance.

What is not enough

"The recording is on our server" is not a GDPR compliance answer. The compliance answer is the documented combination of legal basis, retention, hosting, DPA, and access control. Voice is a place where regulators are very willing to issue meaningful fines; the cost of getting this right up front is much lower than the cost of getting it wrong.

If you want the practical setup, the Phonevoice developer docs include the recording API, the retention configuration and the webhook contract for "recording deleted" events.