GDPR and Transcription: What Companies Need to Know
Anyone who records meetings, transcribes interviews or processes dictation is processing personal data. Voices, names, opinions, sometimes health data or trade secrets – all of this falls under the General Data Protection Regulation (GDPR). Even so, many companies use transcription services without knowing the legal requirements.
This article explains which obligations apply, where the most common mistakes lie and how to use transcription in a privacy-compliant manner.
Why audio recordings are particularly sensitive
Audio recordings capture the voice, which becomes biometric data in the GDPR sense (Art. 4(14)) as soon as it is processed to uniquely identify a person, and they routinely contain names, opinions and other sensitive information. In Germany, the non-publicly spoken word is additionally protected by § 201 of the Criminal Code (StGB), in Austria by § 120 of the Criminal Code (StGB). A recording made without the consent of those involved can therefore be a criminal offense, independent of any GDPR question.
Under the GDPR, a recording of an identifiable person is personal data (Art. 4(1)), and recording, storing and transcribing it are processing operations (Art. 4(2)). That means: every recording, every stored copy and every transcript needs a legal basis under Art. 6.
Legal bases for transcription
Art. 6(1) GDPR lists several possible legal bases. Three are relevant for transcription:
- Consent (Art. 6(1)(a)) – The safest basis. All parties must be informed before the recording starts and actively agree. Consent must be freely given, specific, informed and unambiguous (Art. 4(11)) and can be withdrawn at any time (Art. 7(3)); after withdrawal the recording must stop, and any further processing of that person's data needs another basis. In an employment context, supervisory authorities doubt that consent is freely given because of the imbalance of power (Recital 43), so a documented, genuinely optional choice matters.
- Legitimate interest (Art. 6(1)(f)) – Theoretically possible, difficult in practice. It requires a documented balancing test, and courts and data protection authorities have argued that manual minutes achieve the same purpose with less intrusion, which undermines the necessity argument.
- Contract performance (Art. 6(1)(b)) – Tenable only in exceptional cases, for example when the transcript is explicitly part of a contract with the data subject. It covers only parties to that contract, not other people who happen to speak in the recording.
Practical recommendation: Always obtain explicit consent and document it. For meetings, announce the recording in the invitation, repeat it verbally at the start and keep the confirmation (or the tool's consent log), because the controller must be able to demonstrate that consent was given (Art. 7(1)).
Special categories: health data and more
If recordings contain data in the special categories of Art. 9(1) GDPR, such as health data (medical dictation), trade union membership, religious or political beliefs or sexual orientation, the general prohibition of Art. 9(1) applies, and processing is lawful only under one of the exceptions in Art. 9(2). For most transcription use cases that means explicit consent (Art. 9(2)(a)); implied or tacit agreement is not enough. Health-care providers dictating for treatment purposes may instead rely on Art. 9(2)(h), but the transcription service then still needs a data processing agreement and must be bound to secrecy (in Germany, § 203 StGB on professional secrecy is relevant when the dictating party is a physician or lawyer).
Transparency obligations: what you must disclose
Art. 13 and 14 GDPR require companies to inform data subjects before or at the time the recording is made (Art. 13 when the data is collected from the person directly, Art. 14 when it is not, for example a third person mentioned in a dictation):
- That the recording and transcription take place, for what purpose and on which legal basis (Art. 13(1)(c)), together with the identity and contact details of the controller
- How long recordings and transcripts are stored
- Who gets access to the data (internally and externally)
- Whether a third-party provider (transcription service) is used, and whether data leaves the EU/EEA (Art. 13(1)(f))
- What rights data subjects have (access, rectification, erasure, restriction, objection, and withdrawal of consent)
The problem with cloud transcription services
Many transcription tools process audio on servers outside the EU/EEA, frequently in the United States. This raises three separate problems:
- Third-country transfer: Without an adequacy decision for the destination country (Art. 45) or appropriate safeguards such as standard contractual clauses (Art. 46, accompanied by a transfer impact assessment), the transfer is unlawful.
- Processing on behalf of a controller: The transcription service is a processor under Art. 28 GDPR, so a data processing agreement (DPA) with the content required by Art. 28(3) is mandatory, and any sub-processor (for example a cloud speech-to-text API the service calls internally) needs the controller's prior authorization (Art. 28(2)).
- Access by the provider: With server-side processing, the provider (and any sub-processor) holds the plaintext audio and transcript on its systems, at least while the speech-to-text model runs. Many companies underestimate this; it makes the provider's own security measures, staff access controls and terms on reusing customer audio (for example for model training) part of your risk.
The safest solution: client-side encryption
Client-side encryption is the strongest technical measure named in Art. 32 GDPR for this setting. Audio files are encrypted in the browser, with a key that the user controls and the server never receives, before they are uploaded; the transcript is stored encrypted in the same way. In a data breach at the provider, the stored recordings and transcripts are useless to the attacker because they cannot be decrypted without the user's key, and the provider itself cannot read the stored content.
Two caveats apply when evaluating such a claim. First, the speech-to-text engine needs plaintext audio: if transcription runs on the provider's server, the audio is decrypted there at least in memory during processing, so the protection covers data at rest and in transit, not the processing moment; only transcription on the user's own device avoids this. Second, the guarantee depends on where the key lives: a key generated in the browser but escrowed with the provider, or derivable from data the provider holds, gives the provider access after all. Ask for the key-management design, not just the word "encrypted".
Checklist for privacy-compliant transcription
- Obtain the consent of all parties before the recording
- Document the purpose, legal basis and retention period
- Conclude a data processing agreement with the provider
- Check where the data is processed and stored (EU/EEA vs. third country), including the provider's sub-processors
- Ensure encryption in transit and at rest, ideally client-side with keys held by the user rather than the provider
- Define a deletion concept: when are recordings and transcripts deleted?
- Guarantee data-subject rights (access, deletion, objection)
- Maintain a record of processing activities under Art. 30 GDPR
Conclusion
Transcription without data protection is a legal risk. The GDPR sets clear requirements for consent, transparency and technical safeguards. Companies that process audio recordings should carefully vet their transcription service: in particular, whether the provider or its sub-processors ever hold the plaintext, where the data is stored and who controls the encryption keys.
Note: This article serves general information purposes and is no substitute for legal advice in individual cases.