GDPR applies to any processing of personal data of EU and EEA residents, including voice calls, call recordings, voicemail, and the metadata around them. Compliance is not just about getting consent — it requires legal basis, documented processing, retention controls, and the ability to respond to data subject requests.
The General Data Protection Regulation (GDPR) governs the processing of personal data of natural persons in the European Union and European Economic Area. The key trigger for voice operators is that GDPR applies to any organization that processes such personal data, regardless of where the organization is located.
For VoIP, this means:
The territorial scope is broad. A US-based business that calls EU customers, records the call, or stores caller information processes GDPR-protected data. Compliance is not limited to providers based in Europe.
Personal data under GDPR is “any information relating to an identified or identifiable natural person.” In voice contexts, this includes a wide range of data types:
The audio of a call is itself personal data when it contains identifiable speakers. Voice recordings are also biometric data when used for identification (voice biometrics, speaker recognition), which is a special category requiring stricter handling.
GDPR requires a legal basis for processing personal data. Article 6 lists six possible bases. For voice processing, the most relevant are:
Consent: The data subject has given specific, informed, freely given, and unambiguous consent. This is the standard basis for marketing recordings, training analytics, and similar non-essential processing. Consent must be obtainable and revocable.
Contractual necessity: Processing is necessary to perform a contract with the data subject. This is common for telecom operators providing service: the calls themselves, related billing, and basic CDRs are necessary to provide the service the customer signed up for.
Legal obligation: Processing is necessary to comply with a legal obligation. Lawful intercept, regulatory retention requirements (CDRs for billing disputes), and emergency call routing fall here.
Legitimate interests: Processing is necessary for the legitimate interests of the controller, balanced against the data subject's rights and freedoms. Fraud prevention, network security monitoring, and quality assurance often use this basis. It requires a documented legitimate interest assessment (LIA).
Choosing the right basis matters because it affects what you can do with the data and what rights the data subject has. Consent gives the data subject the right to revoke and have data deleted; contractual necessity does not.
If calls are recorded, all parties should be informed. Most jurisdictions require either two-party consent (both parties must agree) or one-party consent (one party can record without informing the other). GDPR overlays additional notification requirements regardless of jurisdiction.
Common approaches:
GDPR transparency obligations under Articles 13 and 14 require informing the data subject of:
Putting all of this in a 30-second pre-call announcement is impractical. Most operators provide a brief verbal notice and reference a privacy policy URL or document for the full disclosure.
GDPR Article 5(1)(c) requires data minimization — processing only what is necessary for the purpose. Article 5(1)(e) requires storage limitation — keeping data only as long as necessary.
Define explicit retention periods for each data type:
If recorded calls handle payment card data, the recording should be paused during card number entry to avoid storing PAN data. See VoIP PCI-DSS compliance. The same approach applies to other sensitive data such as passwords, social security numbers, and health information: even where no other regulation strictly requires it, the minimization principle favors not storing them.
Automated deletion at retention expiry is required practice. Recordings, transcripts, and metadata older than the retention window must be irrecoverably destroyed, including from backups, analytics datasets, and any third-party processors.
Under GDPR, individuals can request:
You must respond within one month of receipt (extendable to three months for complex requests). For voice data, this means being able to find all recordings, CDRs, transcripts, and analytics output linked to the requesting individual — usually by phone number, account ID, or other identifier.
Implementation requires indexing personal data by data subject. CDR systems usually do this naturally; recording archives often do not, and retrofitting search-by-subject capability is significant work.
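The retention schedule and the subject index described above, as an added example that is not code from the original page. The retention periods, record types, identifiers and storage locations are constructed for illustration; a real inventory would be fed from the recording archive, CDR database and processor manifests.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention window per data type, in days (constructed policy values; the
# page gives 6 months to 7 years as the typical range).
RETENTION_DAYS = {
    "recording": 180,     # training / quality purposes
    "transcript": 180,    # derived from the recording, same window
    "cdr": 7 * 365,       # billing dispute resolution / regulatory
}

@dataclass(frozen=True)
class VoiceRecord:
    record_id: str
    data_type: str        # "recording", "transcript" or "cdr"
    subject_ids: tuple    # identifiers linking the item to a data subject
    created: datetime
    location: str         # primary store, backup or third-party processor

def expired_ids(records, now):
    """IDs of records whose retention window has passed, wherever they are stored.
    Backups and processor copies are listed too, since deletion must cover them."""
    out = []
    for r in records:
        if now >= r.created + timedelta(days=RETENTION_DAYS[r.data_type]):
            out.append(r.record_id)
    return sorted(out)

def subject_index(records):
    """Index every record under each identifier it links to (phone number,
    account ID, ...), which is what a data subject request needs."""
    idx = {}
    for r in records:
        for sid in r.subject_ids:
            idx.setdefault(sid, []).append(r)
    return idx

def access_report(records, identifier):
    """All record IDs held about one identifier, for an access or erasure request."""
    return sorted(r.record_id for r in subject_index(records).get(identifier, []))

# Constructed sample inventory (not real data).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    VoiceRecord("rec-1", "recording", ("+442071234567", "acct-42"), T0, "primary"),
    VoiceRecord("rec-1-bk", "recording", ("+442071234567", "acct-42"), T0, "backup"),
    VoiceRecord("tx-1", "transcript", ("acct-42",), T0, "analytics-processor"),
    VoiceRecord("cdr-1", "cdr", ("+442071234567",), T0, "cdr-db"),
    VoiceRecord("rec-2", "recording", ("+33123456789",), T0 + timedelta(days=300), "primary"),
]
```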
Article 33 requires notifying the supervisory authority of personal data breaches within 72 hours of becoming aware. Voice-relevant breaches include:
Article 34 requires notifying affected data subjects directly when the breach is likely to result in high risk to their rights and freedoms. The notification must describe the nature of the breach, likely consequences, and measures being taken to address it.
Yes. GDPR applies to processing personal data of EU and EEA residents regardless of where the controller is located. Voice calls, call recordings, voicemail, transcriptions, CDRs, and SIP traces all contain personal data when associated with identifiable individuals. A US-based business that calls or records EU customers is processing GDPR-protected data and must comply.
The most common legal bases for call recording are explicit consent (for marketing, training, or analytics), contractual necessity (when recording is part of the service the customer signed up for), legitimate interests (for fraud prevention or quality assurance, requires a documented legitimate interest assessment), or legal obligation (for regulatory or lawful intercept requirements). Choice of basis affects what you can do with the recording and what rights the data subject has.
Only as long as necessary for the documented purpose. Typical retention periods range from 6 months for training and quality purposes to 7 years for dispute resolution or regulatory compliance. The retention period must be defined in advance, documented in your privacy notice, and enforced with automatic deletion. Keeping recordings indefinitely violates the storage limitation principle.
Paste your SIP trace into SIPSymposium. The analyzer identifies caller and called numbers, IP addresses, and other personal data fields in SIP messages to help review what your traces expose.
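The kind of personal-data review a SIP trace needs, as an added example that is neither SIPSymposium's analyzer nor code from this page: it flags the headers that carry caller and called numbers, display names and IP addresses, and produces a redacted copy suitable for sharing with a processor. The header list, regexes and the INVITE below are constructed assumptions.

```python
import re

# Constructed SIP INVITE for illustration, not a real capture.
SAMPLE_TRACE = """INVITE sip:+442071234567@example.net SIP/2.0
Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds
From: "Alice Example" <sip:+33123456789@example.org>;tag=1928301774
To: <sip:+442071234567@example.net>
Contact: <sip:alice@203.0.113.10:5060>
P-Asserted-Identity: <sip:+33123456789@example.org>
Call-ID: a84b4c76e66710@203.0.113.10
User-Agent: ExamplePhone/1.0
Content-Length: 0
"""

# Headers that routinely carry identifiers of the calling or called party.
PERSONAL_HEADERS = {"from", "to", "contact", "p-asserted-identity",
                    "p-preferred-identity", "remote-party-id", "via", "call-id"}
PHONE_RE = re.compile(r"sips?:(\+?\d{7,15})@")     # number in a SIP URI user part
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DISPLAY_RE = re.compile(r'"([^"]*)"')              # quoted display name

def scan_sip(trace):
    """Return (header, kind, value) triples for personal-data fields found."""
    lines = trace.splitlines()
    items = [("request-line", lines[0] if lines else "")]
    items += [tuple(l.split(":", 1)) for l in lines[1:] if ":" in l]
    findings = []
    for name, value in items:
        name = name.strip().lower()
        if name != "request-line" and name not in PERSONAL_HEADERS:
            continue
        findings += [(name, "display-name", v) for v in DISPLAY_RE.findall(value)]
        findings += [(name, "phone-number", v) for v in PHONE_RE.findall(value)]
        findings += [(name, "ip-address", v) for v in IPV4_RE.findall(value)]
    return findings

def redact_sip(trace):
    """Replace every flagged value with a placeholder so the trace can be shared
    without disclosing who called whom or from where."""
    for _, kind, value in scan_sip(trace):
        trace = trace.replace(value, "<" + kind + ">")
    return trace
```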