
GDPR and Meeting Recordings: What You Need to Know in 2026

Essential guide to GDPR compliance for meeting recordings, including consent requirements, data retention, right to erasure, and AI transcription implications.

Claude

Opening

Meeting recordings serve a valuable purpose—creating clear documentation of discussions, decisions, and action items. Yet one regulatory framework towers over this practice in Europe: the General Data Protection Regulation (GDPR). If your organization records meetings with EU participants, GDPR requirements are not optional. Failure to comply can result in fines up to €20 million or 4% of global annual turnover, whichever is greater.

This guide walks you through the compliance essentials: what legal basis you need, how to obtain consent, what happens when participants request deletion, and how AI transcription services fit into this framework. Whether you're a small startup or an established enterprise, these principles apply to you.


GDPR Basics for Meeting Recordings

The GDPR treats meeting recordings as personal data processing. When you record someone's voice or video, you're capturing identifying information that falls under GDPR scope. This applies regardless of where your company is based—if your recordings include any EU resident, GDPR rules apply.

Meeting recordings pose a particular compliance challenge because they're typically captured once and then processed multiple times: stored, shared with others, transcribed by AI systems, searched, and sometimes deleted. Each of these actions is a separate processing activity under GDPR.

The regulation rests on three core principles that affect recordings:

Lawfulness: You must have a valid legal basis for processing before the recording starts.

Purpose Limitation: You cannot use the recording for purposes not disclosed to participants.

Data Minimization: Keep recordings only as long as necessary for their stated purpose.


Legal Basis for Recording: Consent vs. Legitimate Interest

GDPR Article 6 lists the lawful bases for processing personal data. For meeting recordings, two bases typically apply: consent or legitimate interest.

Consent requires participants to make a freely given, specific, informed decision to be recorded. Under GDPR, consent must be actively given—silence, pre-ticked boxes, or implied agreement do not meet the standard. In employment settings, consent is problematic because of the power imbalance between employer and employee. Courts have consistently ruled that employees cannot freely consent to recording by their employer, so organizations typically rely on legitimate interest instead.

Legitimate Interest allows recording when your business need outweighs the privacy impact on participants. However, this requires documented assessment: Why do you need to record? Who will access it? How long will you keep it? What safeguards protect participants? If the legitimate interest fails a balancing test, recording is not permitted.

For external meetings—client calls, vendor meetings, conference discussions—consent is often the more defensible approach. You disclose the recording upfront, participants can decline, and you have explicit evidence of their agreement.


What You Must Do: Consent, Notice, Retention, and Erasure

Meeting recordings require four essential compliance actions.

1. Obtain Explicit Consent

Before recording begins, inform participants that the meeting will be recorded. In practice, this means:

  • Mention recording in the meeting invitation, not verbally minutes before the call starts
  • Explain the purpose: "We record to create accurate documentation for internal use"
  • State retention period: "Recordings are kept for one year, then deleted"
  • Link to your privacy policy or data processing details
  • Provide a way for participants to object (or simply allow them to decline attendance)

A verbal reminder immediately before recording begins strengthens your position, but does not replace prior notice.

2. Document Your Legal Basis

Written documentation of your legal basis is essential for compliance audits. If relying on consent, save evidence (email confirmations, checkboxes, or attendance records). If using legitimate interest, document your balancing assessment.

3. Implement Data Retention Schedules

GDPR requires that data "be kept in a form which permits identification of data subjects for no longer than is necessary." This means you must establish a retention schedule. One year is common; six months is reasonable for many business contexts. Set automatic deletion procedures rather than relying on manual processes—they are more reliable and demonstrate compliance.

4. Honor Right to Erasure Requests

Participants can request deletion of their data at any time (with narrow exceptions for legal claims, public interest archiving, or freedom of expression). You must respond without undue delay and within 30 days. For meeting recordings, this typically means:

  • Deleting the recording if only one participant requests erasure
  • Removing or redacting the individual's voice if others are present and wish to keep the recording
  • In practice, deletion is often the simplest path

The right to erasure has exceptions. You may retain recordings if retention is required by law (financial regulations, labor law, sector-specific rules), if a legal claim is pending or reasonably anticipated, or if retention serves archiving in the public interest.


AI Transcription and GDPR Implications

Many organizations now transcribe meetings with AI services like Whisper, ChatGPT, or similar systems. This creates a second layer of GDPR processing.

When you send audio to an AI transcription service, that service becomes a data processor. GDPR Article 28 requires a Data Processing Agreement (DPA) with the service provider. The agreement must specify what data is processed, the purpose, security measures, and permitted subprocessors. Most major AI services (OpenAI, Google, Microsoft) provide standard DPAs that meet GDPR requirements.

However, sending audio to a third-party service creates additional risk: the data leaves your direct control. You remain the data controller and responsible for compliance, but the processor must meet GDPR standards. Key considerations:

  • Is the processor GDPR compliant and located in an appropriate jurisdiction? (OpenAI uses the Standard Contractual Clauses mechanism to transfer data from the EU lawfully.)
  • Does the processor use the data for any purpose beyond transcription? (Some services train models on customer data unless explicitly opted out.)
  • Does the processor have your explicit consent to use the data for AI model improvement?

For organizations handling sensitive information, consider on-premise or self-hosted transcription solutions to avoid sending audio externally.


MinuteKeep's Approach to GDPR

MinuteKeep is designed with privacy-first principles in mind. Here's how it handles GDPR requirements:

Local Storage, No Accounts: MinuteKeep stores recordings locally on your device. You don't create an account, and recordings never sync to MinuteKeep servers. Only the audio you choose to transcribe is sent to OpenAI's API.

Transparent Third-Party Processing: When you request transcription, MinuteKeep sends the audio to OpenAI. OpenAI operates under a Data Processing Agreement compliant with GDPR. The audio is processed for transcription only—not used for model training without explicit consent.

Your Responsibility Remains: MinuteKeep does not manage consent collection or retention schedules for you. You remain responsible for:

  • Obtaining participant consent before recording
  • Retaining recordings according to your documented schedule
  • Honoring deletion requests from participants
  • Maintaining your Data Processing Agreement with OpenAI (OpenAI provides standard terms; review them independently)

User Control: You decide whether to transcribe recordings, how long to keep them, and when to delete them. All decisions remain in your hands on your device.

If you're running a business meeting and choose to transcribe via MinuteKeep, you still need documented consent from participants (or legitimate interest with a completed balancing test in employment contexts). GDPR compliance is your responsibility; MinuteKeep is a tool that supports your compliance by keeping recordings local and giving you full control.


Frequently Asked Questions

Q: Can I record a meeting if someone doesn't explicitly agree?

A: Only if you have another lawful basis (legitimate interest with documented assessment, or legal obligation). In employment contexts, legitimate interest is the only practical option. For external meetings, consent is typically required. If someone declines, you cannot record that meeting or must end the recording if they object during the call.

Q: What happens if I receive a right to erasure request?

A: You have 30 days to delete the recording (or redact the individual if multiple people are recorded). Exceptions exist only for legal claims, mandatory retention laws, or public interest archiving. Provide confirmation of deletion within your response.

Q: Does deleting a recording mean I also delete the transcript?

A: Yes. The transcript is derived from the recording and contains the same personal data. Delete both unless a separate legal basis justifies keeping the transcript. For example, if a legal claim is pending, both may be retained as evidence.

Q: Is transcription by AI a separate processing activity?

A: Yes. The recording is one processing activity; transcription is another. You need a lawful basis for transcription as well. If you obtained consent for recording, clarify whether consent covers transcription and AI use. If participants object to transcription, you can record but cannot transcribe.

Q: What if the meeting includes non-EU participants?

A: GDPR applies only to EU residents. If a meeting has mixed participants (EU and non-EU), GDPR covers only the EU participants' data. You should still notify all participants uniformly to avoid confusion.


Key Takeaways

  • Obtain explicit consent or document legitimate interest before recording any meeting with EU participants. Silence, implied agreement, and pre-ticked boxes do not count.
  • Disclose the purpose, retention period, and processing details in the meeting invitation or prior notice.
  • Establish a retention schedule and automate deletion to ensure compliance and reduce risk.
  • Honor right to erasure requests within 30 days; the only exceptions are legal claims, retention required by law, or public interest archiving.
  • Use a GDPR-compliant data processor for transcription (like OpenAI with Standard Contractual Clauses) and maintain a Data Processing Agreement.
  • Remain accountable: Meeting recording tools like MinuteKeep support compliance by keeping recordings local, but you are ultimately responsible for consent, retention, and erasure.

GDPR compliance for meeting recordings is achievable with clear processes and documented decisions. The framework protects participant privacy while allowing legitimate business recording practices.



Date Published: April 11, 2026
