If you use speech-to-text services to transcribe calls, meetings, or interviews, GDPR likely applies to you. Voice recordings and their transcripts are considered personal data under European privacy law, which means specific rules govern how you collect, process, and store them.
This article is part of our speech-to-text privacy and compliance guide. Here we focus specifically on GDPR requirements and what they mean for anyone using transcription tools.
Why Voice Data Falls Under GDPR
Under GDPR, personal data includes any information that can identify an individual directly or indirectly. Voice recordings qualify because they contain identifiable speech patterns, and transcripts often include names, opinions, and other identifying details.
The European Data Protection Board has clarified that voice data is "inherently biometric personal data" because it can uniquely identify individuals. This classification triggers stricter requirements than ordinary text data.
If your transcribed recordings include names, phone numbers, addresses, health information, or financial details, these may qualify as sensitive data requiring additional protections.
Legal Basis: Why You Need One
GDPR requires a valid legal basis before processing any personal data. For transcription, the most common bases are:
Consent: The speaker explicitly agrees to be recorded and transcribed after being informed of the purpose. This is common for interviews, focus groups, and research. Consent must be freely given, specific, informed, and unambiguous. You cannot assume consent through silence or continued participation.
Contractual necessity: Recording is required to fulfill a contract. For example, a client meeting where notes are needed to deliver agreed services.
Legitimate interest: Your business interest in recording outweighs the individual’s privacy interests. This requires a documented balancing test and is harder to rely on for sensitive conversations.
For most transcription use cases involving external parties—interviews, customer calls, or research—explicit consent is the safest approach.
What GDPR Requires Before You Record
Before recording and transcribing, you must inform participants about:
- The fact that recording will occur
- The purpose of the recording and transcription
- The legal basis you’re relying on
- How long the data will be stored
- Their rights regarding the recording
- Who will have access to the data
Secret recordings without notice are not GDPR-compliant. Even if local law permits single-party consent, GDPR’s transparency requirements still apply when processing EU residents’ data.
Data Retention: You Cannot Keep Recordings Forever
GDPR’s storage limitation principle requires you to keep personal data only as long as necessary for its stated purpose. For transcription, this means:
- Define a clear retention period before collecting data
- Document why that period is necessary
- Delete recordings and transcripts when the purpose is fulfilled
- Automate deletion where possible to avoid human error
There is no single "correct" retention period. It depends on your purpose. A journalist might need interview recordings until an article is published. A researcher might need transcripts for the duration of a study. A business might keep call recordings for 30 days for quality assurance.
The key is being intentional. Storing raw audio "just in case" indefinitely is incompatible with GDPR unless you can document a specific ongoing need.
User Rights You Must Honor
GDPR gives individuals specific rights over their data, including voice recordings and transcripts:
Right to access: Individuals can request a copy of their recorded data. You must respond within one month.
Right to rectification: If a transcript contains errors, individuals can request corrections.
Right to erasure: Also called the "right to be forgotten," this allows individuals to request deletion of their recordings and transcripts. You must comply unless an exception applies (such as legal obligations or ongoing legal claims).
Right to data portability: Individuals can request their data in a machine-readable format to transfer elsewhere.
Right to object: Individuals can object to processing based on legitimate interest.
When someone exercises these rights, you generally have one month to respond. For complex requests, you can extend this by two months, but you must inform the individual before the initial deadline.
Data Processing Agreements With Transcription Providers
If you use a third-party transcription service, GDPR requires a Data Processing Agreement (DPA) between you and the provider. This contract specifies:
- What data the processor can access
- How they must handle it
- Security measures they must implement
- What happens when the relationship ends
- Breach notification procedures
- Sub-processor restrictions
As the data controller, you remain responsible for ensuring your transcription provider complies with GDPR. If they mishandle data, you share liability.
Before choosing a transcription service, ask about their data retention policies, where data is processed (EU vs. non-EU), and whether they use recordings to train their models. Many providers use audio to improve their AI, which may require additional consent from your speakers.
Practical Compliance Steps
Here’s a straightforward approach to GDPR-compliant transcription:
- Before recording: Inform participants about the recording, its purpose, and their rights. Obtain explicit consent where required.
- Choose your provider carefully: Select a transcription service with clear GDPR commitments, ideally with EU data processing and a published DPA.
- Define retention upfront: Decide how long you’ll keep recordings and transcripts before you start. Document this decision.
- Limit access: Only give access to recordings and transcripts to people who need them.
- Respond to requests: Have a process for handling access, deletion, and correction requests within the required timeframes.
- Delete when done: Remove recordings and transcripts when their purpose is fulfilled. Don’t let data accumulate indefinitely.
Penalties for Getting It Wrong
GDPR violations can result in fines up to €20 million or 4% of global annual turnover, whichever is higher. While maximum fines are reserved for serious violations, regulators have issued penalties in the millions for improper data handling.
Beyond fines, non-compliance can damage trust with customers, employees, and interview subjects who expect their conversations to be handled responsibly.
Conclusion
GDPR compliance for speech-to-text is not optional if you process EU residents’ voice data. The core requirements are straightforward: inform people before recording, have a valid legal basis, limit retention, and respect user rights.
Most transcription tools can support compliant workflows if you configure them properly. Look for services with transparent data practices, EU processing options, and published DPAs. If you want a lightweight option that respects privacy, Scriby offers straightforward transcription with pay-as-you-go pricing—no subscriptions or complex enterprise contracts.
For more on data handling and security in transcription, see our related guide on what happens to your audio files.