
GDPR-Compliant Transcription: A Practical Checklist
GDPR compliance is not a checkbox you tick once. For transcription specifically, the regulation creates real obligations around consent, retention, cross-border transfers, and data subject rights that change how you handle audio recordings. This guide walks through what GDPR actually requires for transcription workflows in 2026, with practical patterns that work for journalists, consultants, healthcare-adjacent businesses, and any organization handling EU residents' voice data.
What GDPR Says About Voice Recordings
Voice recordings of identifiable individuals are personal data under Article 4 of the GDPR. That triggers the full set of regulatory requirements: lawful basis, transparency, data subject rights, security obligations, and breach notification.
This applies whether you are the controller (you decide what to do with the recording) or processor (you act on behalf of someone else). For most teams using a transcription tool, the team is the controller and the transcription provider is a processor.
Key consequences:
- You need a lawful basis to record and transcribe (usually consent or legitimate interest)
- The data subject has rights of access, deletion, correction, and portability
- Cross-border transfers require specific safeguards
- A data processing agreement is required between controller and processor
- Breaches must be notified within 72 hours
The penalties for non-compliance are up to 4% of global annual revenue or 20 million euros, whichever is higher. Supervisory authorities have shown they will actually levy these fines against companies that get it wrong.
Lawful Basis for Transcription
Article 6 of the GDPR requires a lawful basis for processing personal data. For transcription, the relevant bases are:
Consent (Article 6(1)(a)): The data subject agreed to recording and transcription. Must be freely given, specific, informed, and unambiguous. Pre-checked boxes do not count. Bundled consent (consenting to recording as a condition of receiving service) is usually not "freely given."
Contract (Article 6(1)(b)): The recording is necessary to perform a contract with the data subject. Example: a coaching call where the client paid for a service that includes a recorded session.
Legitimate interest (Article 6(1)(f)): You have a legitimate business interest, and the processing does not override the data subject's rights. Requires a balancing test documented in your records.
For most transcription scenarios involving B2B work, legitimate interest with clear disclosure works. For consumer-facing recording, explicit consent is safer.
What Explicit Consent Looks Like
The disclosure pattern that satisfies most GDPR-relevant scenarios:
"This call is being recorded and the audio will be transcribed using AI for [specific purpose]. We will retain the audio for [number] days and the transcript for [number] days. You can request deletion at any time. Do you consent to this?"
Capture the verbal "yes" on the recording itself. This creates an evidentiary record of consent inside the data itself, which satisfies the documentation requirement.
Data Subject Rights for Transcription
GDPR gives EU residents specific rights over their personal data. For voice recordings and transcripts:
Right of access: They can request a copy of all audio recordings and transcripts referring to them.
Right to erasure: They can request deletion of audio and transcripts.
Right to rectification: They can request correction of inaccurate transcript content.
Right to portability: They can request the data in a structured machine-readable format.
Right to object: They can object to processing based on legitimate interest, requiring you to stop unless there are overriding legitimate grounds.
Practically, this means you need to be able to:
- Find all recordings referring to a specific person within a reasonable time
- Provide them in a portable format
- Delete them on request
- Correct transcript errors when reported
For small teams this can be a simple folder structure with filename conventions. For larger operations a proper data inventory and search tool is needed.
Cross-Border Transfers
If your transcription provider hosts data outside the EU/EEA, GDPR requires specific safeguards.
In 2026, the available mechanisms are:
- EU-US Data Privacy Framework (DPF): For US-based providers certified under the DPF, transfers are permitted
- Standard Contractual Clauses (SCCs): Pre-approved contract language between controller and non-EU processor
- Binding Corporate Rules: For multinational organizations transferring within the group
- EU-resident infrastructure: If the data physically stays in the EU/EEA, no transfer mechanism is needed
For a provider claiming GDPR compliance, ask specifically which mechanism applies to your transfer. "We are GDPR compliant" without naming the mechanism means little.
CATT currently uses Cloudflare R2 infrastructure on a global network. We do not yet offer formally certified EU-only data residency. If you have data residency requirements for transcription, this matters, and we are transparent about it.
The Data Processing Agreement (DPA)
GDPR Article 28 requires a written contract between controller and processor that specifies:
- Subject matter and duration of processing
- Nature and purpose of processing
- Type of personal data and categories of data subjects
- Obligations and rights of the controller
- Specific terms around confidentiality, security, sub-processors, data subject assistance, breach notification, return/deletion of data, and audit rights
Most professional transcription services offer a DPA on request. For SaaS providers, this is often a standardized document you can request through the support flow.
CATT offers a DPA for business customers on request. The terms cover the standard Article 28 obligations including breach notification, sub-processor management, and deletion on contract termination. Request access through the pricing inquiry process.
Retention Periods
GDPR Article 5 requires data minimization and storage limitation. Translated: do not keep recordings longer than necessary for the purpose.
For transcription specifically, "necessary" is context-dependent:
- Customer service quality assurance: typically 30-90 days
- Compliance audit recordings: typically the regulatory period plus a buffer (often 5-7 years for financial services)
- Journalism source material: until publication plus a defensible buffer
- Research interviews: until research publication plus the academic retention norm
- Operational meeting recordings: typically 90 days to 1 year
Whatever period you choose, document the rationale and stick to it. Indefinite retention is a GDPR violation. Auto-deletion on a defined schedule turns this from a manual cleanup burden into a defensible default.
CATT supports user-configurable auto-deletion. See auto-delete transcription files for the specific settings and what they mean.
Sub-Processors
If your transcription provider uses other vendors (cloud hosting, AI model providers, payment processors), those are sub-processors. GDPR requires:
- The controller approves sub-processors (often a list in the DPA)
- Sub-processors are bound by the same obligations as the processor
- Changes to sub-processor list are notified to the controller
For CATT, our active sub-processors include:
- Cloudflare (infrastructure and R2 storage)
- Deepgram (transcription model API)
- OpenAI Whisper Large-v3 (transcription model, processed via our infrastructure)
Updates to this list are notified to DPA-holding customers in advance.
Special Categories of Data
GDPR Article 9 creates additional restrictions for "special categories" including health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, and data concerning sex life or sexual orientation.
Voice recordings can contain any of these as content. If your transcripts include health information (therapy sessions, medical consultations), the additional restrictions apply.
For health information specifically, GDPR overlaps with HIPAA in the US and similar regulations elsewhere. CATT is not HIPAA-certified and does not sign BAAs. Healthcare organizations processing PHI through transcription should use a HIPAA-certified provider.
For other special categories (political, religious, etc.), explicit consent is usually required, and you must document the lawful basis under Article 9 in addition to Article 6.
Breach Notification
GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach. Article 34 requires notification to affected data subjects if the breach poses a high risk to their rights.
For transcription specifically, a breach could mean:
- Unauthorized access to audio files
- Accidental disclosure of transcripts
- Loss of recordings (deletion or hardware failure)
- Sub-processor security incident affecting your data
Your DPA with the transcription provider should specify how they notify you of breaches affecting your data. CATT's DPA includes breach notification within 24 hours of confirming the incident, giving you the remaining 48 hours to assess and notify the supervisory authority.
Practical Compliance Workflow
For a small team transcribing EU resident audio:
- Document your lawful basis for each type of recording (call recording, interview recording, meeting recording)
- Update consent capture to include AI transcription specifically, not just generic "recording"
- Sign a DPA with your transcription provider
- Set retention periods and configure auto-deletion in the transcription tool
- Create a process for data subject deletion requests
- Maintain a record of processing activities (Article 30) listing transcription as a processing activity
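As an added example, not CATT's own code, here is a minimal Python inventory that implements the retention and deletion-request steps above for a small team: it refuses recordings with no documented purpose or lawful basis, enforces auto-deletion using defaults taken from the Retention Periods section, and provides the lookup and erasure needed to answer access and deletion requests. The purpose names, retention defaults and subject identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Constructed defaults in days, taken from the ranges the article gives; replace with your own.
RETENTION_DAYS = {
    "customer_service_qa": 90,   # article: 30-90 days
    "meeting": 180,              # article: 90 days to 1 year
}

@dataclass
class Recording:
    recording_id: str
    subjects: frozenset          # identifiers of the people in the recording
    purpose: str                 # key into RETENTION_DAYS
    lawful_basis: str            # "consent", "contract" or "legitimate_interest"
    created: date
    deleted_on: Optional[date] = None

class Inventory:
    def __init__(self):
        self.records = {}        # recording_id -> Recording

    def add(self, rec):
        # Refuse to store anything without a documented purpose and lawful basis.
        if rec.purpose not in RETENTION_DAYS or not rec.lawful_basis:
            raise ValueError(f"undocumented processing for {rec.recording_id}")
        self.records[rec.recording_id] = rec

    def enforce_retention(self, today):
        # Storage limitation: delete anything past its retention period.
        expired = []
        for rec in self.records.values():
            expiry = rec.created + timedelta(days=RETENTION_DAYS[rec.purpose])
            if rec.deleted_on is None and today >= expiry:
                rec.deleted_on = today   # stand-in for a real delete plus audit log
                expired.append(rec.recording_id)
        return expired

    def for_subject(self, subject):
        # Article 15 access: every live recording referring to the subject.
        return [r.recording_id for r in self.records.values()
                if subject in r.subjects and r.deleted_on is None]

    def erase_subject(self, subject, today):
        # Article 17 erasure: delete every live recording referring to the subject.
        ids = self.for_subject(subject)
        for rid in ids:
            self.records[rid].deleted_on = today
        return ids
```

Run enforce_retention from a daily scheduled job and log what it deleted; the log is the evidence that your documented retention period is actually applied.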
For an established organization:
- Add transcription to your existing data inventory
- Update your privacy notice to disclose AI transcription
- Conduct a DPIA (data protection impact assessment) if the processing is high-risk
- Train staff on the new workflow
- Audit your transcription provider's certifications and DPA terms
Common Compliance Mistakes
Recording without consent: Even in single-party consent jurisdictions, GDPR requires consent or another lawful basis if the data subject is identifiable. US wiretap law and the GDPR are different frameworks.
Bundled consent: "By using this service you agree to recording" is not valid GDPR consent. Recording must be something the data subject can consent to separately.
Indefinite retention: "We keep recordings until you tell us to delete" violates the storage limitation principle. Define a default retention period.
Skipping the DPA: Using a transcription service without a DPA is an Article 28 violation, even if the service itself is GDPR-aware.
No deletion process: Article 17 erasure rights require you to actually delete data when requested. A manual process is fine if it works. No process is not fine.
Treating SCCs as set-and-forget: SCCs require ongoing assessment of the recipient country's data protection regime. The 2021 Schrems II decision added a requirement for supplementary measures on top of the clauses themselves.
When CATT Fits and When It Does Not
CATT fits for GDPR compliance when:
- You are the controller and need a transparent processor
- Your retention needs are 7-90 days (configurable auto-deletion)
- You do not require formally certified EU-only data residency
- You can sign a DPA and accept Cloudflare and Deepgram as sub-processors
CATT does not fit when:
- You require certified EU-resident-only infrastructure (we are working on this but not generally available)
- You are handling healthcare PHI requiring HIPAA + GDPR overlap
- You require SOC 2 Type 2 audit reports (we are not currently audited)
Be honest with yourself about which case you are in. The right transcription provider matches your actual compliance needs, not just the marketing claims.
After You Are Compliant
Once the GDPR plumbing is in place, transcription becomes routine. Upload audio to Audio to Text, get transcripts with auto-deletion configured, run the meeting summary template for actionable outputs. The compliance work is one-time setup and the daily workflow is unchanged.
For specific transcription languages, French transcription, Spanish transcription, and German transcription all run on the same pipeline with the same compliance posture.
GDPR compliance for transcription is achievable. It requires deliberate decisions about consent, retention, and vendor management. The teams who treat it as a one-time setup investment end up with both compliance and faster transcription workflows.