Is it legal to record a conversation?

Is my Com­pa­ny allowed to record a con­ver­sa­tion?

Like any lawyer would say, it depends!

The answer is YES; how­ev­er, it depends. As a Data con­troller, a com­pa­ny must take into con­sid­er­a­tion the law­ful­ness of record­ings and how this can be achieved and pro­tect­ed with strong cyber­se­cu­ri­ty mech­a­nisms. It is the Company’s oblig­a­tion to ensure which devices may be used and to con­sid­er the imple­men­ta­tion of addi­tion­al safe­guards on a best effort basis.

Call Recording under the GDPR

Rules for record­ing calls encom­pass more than con­sent. The record­ing of audio con­ver­sa­tions is only pos­si­ble if there is a valid and legal rea­son for that rel­e­vant infor­ma­tion to be col­lect­ed.

Call/ Audio Record­ing is allowed under the GDPR, as record­ings of con­ver­sa­tions are not pro­hib­it­ed, but there are applic­a­ble addi­tion­al require­ments to pro­tect the rights and free­doms of data sub­jects under the GDPR.

With the GDPR in place, all Com­pa­nies record­ing con­ver­sa­tions need to jus­ti­fy their pur­pose for record­ing a call. Such jus­ti­fi­ca­tion would need to ful­fil one of the fol­low­ing:

    1. Person/s which are call participant/s have giv­en their con­sent to be record­ed. Such con­sent has to be spe­cif­ic and unam­bigu­ous and may take dif­fer­ent forms such as oral accep­tance;
    2. The pur­pose of record­ing a call is to ful­fil a con­tract to which the indi­vid­ual tak­ing part in the call is a par­ty there­to;
    3. The call record­ing is required to ful­fil a legal oblig­a­tion to which the com­pa­ny record­ing the call is sub­ject to;
    4. Record­ing is required to pro­tect the inter­ests of one or more par­tic­i­pants of the call;
    5. Record­ing is being made in the inter­est of the pub­lic;
    6. Record­ing is in the recorder’s inter­est giv­en that such inter­est is ‘less’ impor­tant than the inter­est of the par­tic­i­pant in the call.

As a data sub­ject you need to know that you have the right to be informed on the gath­er­ing pf per­son­al data and the pro­cess­ing there­of. Also, as the data sub­ject you need to under­stand that you have the right to access data relat­ing to you, be informed about the exis­tence and pro­cess­ing of such data, rec­ti­fy incor­rect per­son­al data and oppose fur­ther pro­cess­ing giv­en that there are seri­ous and legit­i­mate grounds.

Is it legal to record a conversation? Call Recording under the GDPR

To read more about the Law­ful­ness of Pro­cess­ing click here:

Right of Information

The GDPR gives indi­vid­u­als the right to be informed about the col­lec­tion and use of their per­son­al data, which leads to a vari­ety of infor­ma­tion oblig­a­tions.

Recorders must be able to recall any audio files and/or data gath­ered dur­ing a record­ed call upon request, and thus should be able to pro­vide cus­tomers with the request­ed infor­ma­tion with­in one month of the request.

A request can be made for a copy of the record­ing under data pro­tec­tion leg­is­la­tion- known as a sub­ject access request.

A sub­ject access request (SAR) is sim­ply a writ­ten request made by or on behalf of an indi­vid­ual for the infor­ma­tion which he or she is enti­tled to ask for. A SAR maybe in any form. The Com­pa­ny hav­ing the infor­ma­tion has one month with­in which it is to pro­vide the request­ed infor­ma­tion, in line with the GDPR.

Is an audio recording personal data?


The con­text in which voice data is being obtained is not what clas­si­fies it as per­son­al data.  Voice is legal­ly defined as a per­sona datade­spite the con­text and/or sup­port that the data orig­i­nates from.

The GDPR applies because record­ing calls are gen­er­al­ly con­sid­ered as ‘per­son­al data’ and, poten­tial­ly, ‘spe­cial cat­e­gories’ of per­son­al data. The GDPR strives to find a bal­ance between hav­ing a strong Reg­u­la­tion which gives data sub­jects clear pro­tec­tion and being flex­i­ble from busi­ness­es per­spec­tives. For this rea­son, the GDPR delves into defin­ing per­son­al data.

The like­li­hood that calls will involve spe­cial cat­e­go­ry per­son­al data depends on the con­text. For instance, a com­pa­ny with­in the health indus­try that records its call/s with the cus­tomers will be record­ing and han­dling spe­cial cat­e­go­ry per­son­al data — in the form of health infor­ma­tion. How­ev­er, for most com­pa­nies, it should in gen­er­al be unlike­ly that any giv­en call will involve spe­cial cat­e­go­ry per­son­al data.

Use of video conferencing tools

In view of the gen­er­al rise in the use of video con­fer­enc­ing tools, it is worth­while to invest in an effi­cient cyber­se­cu­ri­ty man­age­ment sys­tem as part of the Company’s risk man­age­ment. One needs to also make sure that GDPR rules are adhered to when sat­is­fy­ing cer­tain legal oblig­a­tions.

Use case — If your com­pa­ny is a sub­ject per­son under the Imple­ment­ing Pro­ce­dures, your Com­pa­ny may be mak­ing use of video con­fer­enc­ing tools, espe­cial­ly dur­ing these times. Such tools allow you to ver­i­fy the iden­ti­ty using dif­fer­ent online tools.

When car­ry­ing out such ver­i­fi­ca­tion, com­pli­ance with the Imple­ment­ing Pro­ce­dures should be demon­strat­ed and for this rea­son records should be kept. As per the FIAU’s require­ments, which are bind­ing on all per­sons car­ry­ing out rel­e­vant finan­cial busi­ness or rel­e­vant activ­i­ty, a sub­ject per­son should keep at least an audio record­ing of the video call or the entire video call itself, which shall also include the entire con­ver­sa­tion between the sub­ject per­son and the cus­tomer.

Read more here:


As users of dig­i­tal tech­nol­o­gy, we all have the right to pri­va­cy, and thus what is impor­tant to note is that per­son­al data shall remain secure and pro­tect­ed. For every pro­cess­ing of per­son­al data there needs to be a com­pli­ance process which com­plies with the GDPR. If you are inter­est­ed to know more, con­tact us on

Dis­claimer: The above-men­tioned arti­cle is sim­ply based on inde­pen­dent research car­ried out by Dr. Wern­er and Part­ner and can­not con­sti­tute any form of legal advice. If you would like to meet up with any of our rep­re­sen­ta­tives to seek fur­ther infor­ma­tion, please con­tact us for an appoint­ment.

About Dr. Rebecca Mifsud

Dr Rebec­ca Mif­sud, born 6th May 1994, attend­ed the Uni­ver­si­ty of Mal­ta and is an LLB Hon­ours grad­u­ate. She also grad­u­at­ed in the Mas­ters in Advo­ca­cy and will be sit­ting for her Mal­ta War­rant Exam in 2019. She suc­cess­ful­ly defend­ed her dis­ser­ta­tion enti­tled: ‘Imput­ing respon­si­bil­i­ty for foot­ball injuries inflict­ed by minors in the Mal­tese sce­nario,’ in 2017.

View All Posts

Leave a Reply

Your email address will not be published.