GDPR-Compliant Transcription: A Practical Checklist (2026)
GDPRcompliancetranscription

GDPR-Compliant Transcription: A Practical Checklist (2026)

BMMamane B. MoussaMay 26, 2026Updated July 2, 202615 min read

Summarize this article with:

The GDPR Checklist for Audio

Transcription is GDPR-compliant when you, as controller, establish a lawful basis, sign a DPA with your provider, set a retention schedule, and can fulfill deletion requests from the people whose voices you recorded. No tool earns the compliance badge on its own. The checklist below walks every step.

This post is not legal advice. For decisions with material legal consequences, consult a qualified data protection practitioner.

The six items every team transcribing EU resident audio must address:

  1. Confirm a lawful basis before you press record
  2. Tell people how their audio will be used (and by whom)
  3. Sign a data processing agreement with your transcription provider
  4. Know which sub-processors touch the audio and where the data goes
  5. Set a retention period and configure deletion
  6. Build a process to honor data subject rights requests

Each item is covered in detail below.

What GDPR Says About Voice Recordings

Voice recordings of identifiable individuals are personal data under Article 4 of the GDPR. That triggers the full regulatory stack: lawful basis, transparency obligations, data subject rights, security requirements, and breach notification.

This applies whether you are the controller (you decide why and how the recording is made) or processor (you act on someone else's instructions). For most teams using a transcription tool, the team is the controller and the transcription provider is the processor.

One nuance worth flagging: voice as biometric data, under Article 9, applies only when recordings are processed to uniquely identify a person through voiceprint analysis. Ordinary speech-to-text is content transcription, not biometric identification. However, the transcript content itself can contain special-category data: health information from a medical consultation, religious beliefs from a pastoral recording, political opinions from an interview. Whether Article 9 applies depends on what the transcript contains, not on the fact of transcription.

Penalties for non-compliance run up to 4% of global annual revenue or 20 million euros, whichever is higher, per Article 83.

Lawful Basis for Transcription

Article 6 of the GDPR requires a lawful basis for any processing of personal data. Three bases are relevant for most transcription scenarios:

Lawful BasisWhen It FitsKey Condition
Consent (Art. 6(1)(a))Consumer recordings, interviews with public participantsFreely given, specific, informed, unambiguous. Pre-checked boxes and bundled consent do not qualify.
Contract (Art. 6(1)(b))Coaching calls, paid consultations recorded for the clientRecording must be necessary to perform the contract, not merely convenient.
Legitimate interest (Art. 6(1)(f))B2B meetings, internal team calls, QA recording in business contextRequires a documented balancing test showing the interest does not override individual rights.

For most transcription of consumer-facing audio, explicit consent is the safest basis. For B2B work with disclosed recording policies, legitimate interest with clear notification usually works. Document whichever you choose: Article 5(2) accountability requires you to demonstrate compliance, not just assert it.

What Consent Disclosure Looks Like

A script that satisfies the core notification requirements for most GDPR-relevant scenarios:

"This call is being recorded and the audio will be transcribed using AI for [specific purpose]. We will retain the audio [until transcription is complete / for X days] and the transcript for [X days / until you request deletion]. You can request deletion at any time. Do you agree to this?"

Capture the verbal agreement on the recording itself. This creates an evidentiary record inside the data, which satisfies the documentation requirement without a separate form.

Data Subject Rights for Transcription

EU residents have eight rights under GDPR Chapter III. For voice recordings and transcripts, five are operationally significant:

Right of access (Article 15): They can request a copy of audio recordings and transcripts that refer to them. The response deadline is one calendar month.

Right to erasure (Article 17): They can request deletion of audio and transcripts. This right is not absolute: processing required by law or for legitimate public interest can override it, but routine business recordings do not generally meet that threshold.

Right to rectification (Article 16): They can request correction of inaccurate transcript content. AI transcription errors are a concrete example: if a speaker is misquoted in a transcript, they have standing to request a correction.

Right to portability (Article 20): They can request data in a structured, machine-readable format. This applies when processing is based on consent or contract.

Right to object (Article 21): They can object to processing based on legitimate interest, requiring you to stop unless you have overriding legitimate grounds.

Practically, this means you need a way to find all recordings and transcripts referring to a specific person, export them, delete them on request, and correct transcript errors when reported. For small teams a simple folder structure with consistent naming works. For larger operations, a data inventory with search capability is needed.

Cross-Border Transfers

If your transcription provider hosts data outside the EU or EEA, GDPR Chapter V requires a transfer mechanism.

The three mechanisms available in 2026:

EU-US Data Privacy Framework (DPF): Transfers to DPF-certified US providers are permitted under the European Commission's adequacy decision adopted in July 2023. As of mid-2026 the framework is in effect, but it faces active legal challenge: the Latombe case appeal (C-703/25 P) is pending before the CJEU, and NOYB has filed a separate challenge citing US surveillance laws. The CJEU is expected to rule on the core challenge by late 2026 or early 2027. Do not treat the DPF as your only mechanism if continuity is a concern.

Standard Contractual Clauses (SCCs): Pre-approved contract language between controller and non-EU processor that provides a lawful transfer basis independent of any adequacy decision. Since the Schrems II ruling (C-311/18, July 2020), SCCs require an accompanying Transfer Impact Assessment to evaluate whether the recipient country's laws undermine the protections. This is not a set-and-forget document.

EU-resident infrastructure: If the data physically stays in the EU or EEA, no transfer mechanism is needed at all. Ask vendors specifically which regions their storage infrastructure uses, and confirm it in the DPA, not just in marketing copy.

When a vendor says "we are GDPR compliant" without naming which mechanism covers your transfer, that answer is incomplete. Ask specifically.

The Data Processing Agreement

Article 28 requires a written contract between controller and processor before any processing begins. Using a transcription service without a DPA is a direct GDPR violation, regardless of how privacy-aware the service is.

A legally complete DPA under Article 28(3) must cover:

  • Processing only on documented controller instructions
  • Confidentiality obligations on all personnel with access
  • Security measures per Article 32
  • Sub-processor approval and notification of changes
  • Assistance with data subject rights requests
  • Return or deletion of data at contract end
  • Audit rights for the controller

Most professional transcription services offer a DPA on request. For SaaS providers this is usually a standardized document available through a support or procurement flow.

Before relying on any vendor, including CATT, request their current DPA and check that the Article 28 items above are covered, including which transfer mechanism they rely on and how quickly they notify you of a breach affecting your data. Get the current sub-processor list in writing, because it can change.

The processing step is where GDPR obligations attach
The processing step is where GDPR obligations attach

Retention Periods

GDPR Article 5(1)(e) requires storage limitation: keep data only as long as necessary for the purpose.

"Necessary" is context-dependent:

  • Customer service QA recordings: typically 30 to 90 days
  • Compliance and audit recordings: the regulatory period plus buffer (often 5 to 7 years for financial services)
  • Journalism source material: until publication plus a defensible post-publication buffer
  • Research interviews: until publication plus the relevant academic retention norm
  • Operational meeting recordings: typically 90 days to one year

Whatever period you choose, document the rationale and automate the deletion. Indefinite retention is a storage-limitation violation. Manual deletion that depends on someone remembering is not a defensible process.

On CATT specifically: audio files are deleted automatically once transcription completes unless you choose to keep them. Transcripts remain available while your account is active and can be deleted at any time from the dashboard. Account deletion removes associated data within 30 days per the published privacy policy. This auto-delete-on-transcription default is a practical fit for teams who do not need to archive source audio.

See auto-delete transcription files for more on how to configure retention to match your policy.

Sub-Processors

When your transcription provider uses other vendors, those vendors are sub-processors under Article 28. GDPR requires:

  • The controller approves the sub-processor list (usually documented in the DPA)
  • Sub-processors are bound by the same obligations as the processor
  • The controller is notified of any changes before they take effect

Ask any prospective vendor for their current sub-processor list in writing. Published sub-processor pages can change without notice; the list in the DPA is what creates accountability.

For reference, CATT's published sub-processors as of mid-2026 include Cloudflare (CDN, edge proxy, R2 object storage), Deepgram (primary speech-to-text, Nova-3), OpenAI (summarization, action items, translation), RunPod (fallback STT and diarization), Recall.ai (meeting bot), and Hetzner Cloud (application and database hosting), among others. The full list is published at convertaudiototext.com/subprocessors. If certified EU-only data residency is a hard requirement for your use case, verify current infrastructure options with any vendor before committing.

Special Categories of Data

Article 9 prohibits processing of special-category data unless a specific exception applies. The categories include health data, genetic data, biometric data (when used for identification), racial or ethnic origin, political opinions, religious beliefs, trade union membership, and data about sexual orientation or life.

Recordings can contain any of these as content: a therapy session, a medical consultation, a political interview. If your transcripts include special-category content, two things must both be true: a lawful basis under Article 6 and a specific exception under Article 9(2). The most operationally common exception is explicit consent (Article 9(2)(a)).

For health data in particular, GDPR overlaps with HIPAA in the US and NHS data protection obligations in the UK. CATT does not sign HIPAA Business Associate Agreements and is not HIPAA-certified. Healthcare organizations transcribing PHI should use a provider that can demonstrate HIPAA compliance and sign a BAA. See HIPAA-compliant transcription for what that evaluation looks like.

Breach Notification

GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in risk to individuals' rights. Article 34 requires notification to affected data subjects when the breach poses a high risk.

For transcription, a breach could include: unauthorized access to stored audio, accidental disclosure of transcripts to the wrong recipient, loss of recordings, or a security incident at a sub-processor.

Your DPA should specify how the processor notifies you when a breach affecting your data occurs. The GDPR says processors must alert controllers "without undue delay" so that the controller has time to assess and notify the supervisory authority within the 72-hour window. Pin down the notification timeline in the DPA before you start sending data.

Controllers must also document all breaches per Article 33(5), including facts, effects, and remedial actions, enabling the supervisory authority to verify compliance.

Practical Compliance Workflow

For a small team transcribing EU resident audio:

  1. Document your lawful basis for each type of recording. Different recording types (customer calls, internal meetings, interviews) may have different bases.
  2. Update consent capture to name AI transcription specifically. Consent to recording does not automatically cover consent to AI processing.
  3. Sign a DPA with your transcription provider before uploading any audio.
  4. Review the sub-processor list and confirm it appears in the DPA or an exhibit.
  5. Set retention periods matched to purpose, and configure auto-deletion in the tool.
  6. Create a process for data subject access and deletion requests, with a documented response timeline.
  7. Add transcription to your Article 30 record of processing activities.

For an established organization adding or auditing a transcription workflow:

  1. Add transcription to your existing data inventory with purpose, legal basis, retention period, and sub-processors listed
  2. Update your privacy notice to disclose AI transcription as a processing activity
  3. Conduct a Data Protection Impact Assessment (DPIA) if the processing is likely to result in high risk to individuals (e.g., large-scale sensitive content)
  4. Audit your provider's DPA terms against the Article 28 checklist above
  5. Train staff on consent capture procedures

Common Compliance Mistakes

Recording without proper notification. Even in jurisdictions with single-party consent for wiretap purposes, GDPR requires a lawful basis and transparency for any EU resident. The US wiretap framework and GDPR are separate legal frameworks with different requirements.

Bundled consent. "By joining this call, you agree to recording" is not valid GDPR consent. Recording consent must be separately obtainable and revocable without penalty.

No retention schedule. "We keep recordings until we do not need them" is not a defensible policy. Define a specific default period matched to your stated purpose and document the rationale.

Skipping the DPA. Uploading audio to a transcription service without a signed DPA is an Article 28 violation regardless of whether the service is otherwise privacy-aware.

No deletion process. Article 17 erasure rights require you to be able to act on them. A simple documented workflow is fine. No workflow is not.

Treating SCCs as permanent. Standard Contractual Clauses require an accompanying Transfer Impact Assessment since the Schrems II ruling (C-311/18, 16 July 2020) and ongoing monitoring of the recipient country's legal environment.

Relying solely on the DPF. The EU-US Data Privacy Framework is valid as of mid-2026 but under active legal challenge. Layer your transfer mechanisms.

When CATT Fits and When It Does Not

CATT fits for GDPR compliance when:

  • You are the controller and need a transparent processor with a published sub-processor list
  • Your use case is compatible with audio auto-deleted on transcription completion (or you actively opt to retain it)
  • You do not require formally certified EU-only data residency
  • You can accept Cloudflare, Deepgram, OpenAI, RunPod, and Hetzner as sub-processors

CATT does not fit when:

  • Certified EU-resident-only infrastructure is a contractual or regulatory requirement
  • You are handling healthcare PHI that requires a signed HIPAA BAA
  • Your organization requires SOC 2 Type II audit reports from processors

Before committing, request the current DPA from CATT's support channel and confirm the Article 28 terms match your requirements. Every vendor including CATT should be evaluated on actual documentation, not on the marketing summary. For general transcription without compliance complexity, audio to text offers no-signup instant start.

Frequently Asked Questions

Yes. Consent is a lawful basis for processing under Article 6(1)(a), but it does not exempt you from the rest of the regulation. You still need a DPA with your transcription provider, a retention schedule, a way to fulfill deletion requests, and breach notification procedures. Consent removes one barrier but does not create blanket GDPR compliance.

Is voice recording special-category data under GDPR Article 9?

A voice recording is Article 9 biometric data only when it is processed for the purpose of uniquely identifying a person through voiceprint analysis. Standard speech-to-text transcription is content processing, not biometric identification, and does not automatically invoke Article 9. However, if the transcript content includes health information, political opinions, religious beliefs, or other special-category data, the Article 9 restrictions apply to that content.

Do I need a DPA with every transcription service I use?

Yes. Article 28 requires a written contract between controller and processor before processing begins. Using any transcription tool without a DPA covering the eight Article 28(3) requirements is a direct GDPR violation, regardless of how privacy-conscious the vendor is. Request the DPA before uploading any audio.

Can I rely on the EU-US Data Privacy Framework for US-based transcription providers?

As of mid-2026, the DPF is valid and US providers certified under it can receive EU personal data on that basis. However, the framework faces active legal challenge: the CJEU is expected to rule on a core challenge by late 2026 or early 2027. Data protection advisors generally recommend not relying on the DPF as your sole transfer mechanism and maintaining Standard Contractual Clauses as a fallback.

What do I tell data subjects when they request their transcripts?

Under Article 15, you must provide a copy of all personal data relating to them, including any transcripts in which they appear as an identifiable speaker. The response deadline is one calendar month, extendable by two months for complex requests with notification. For deletion requests under Article 17, the same timeline applies. Having a simple lookup process by speaker name or recording date before you receive your first request is far easier than building one under deadline.

Sources

Try transcription free

Convert any audio or video to clean, unwatermarked text — speaker labels, timestamps, and AI summaries included. First 30 minutes free, no account.

Related Articles