Contact us +1 888-901-3006 Support Downloads Demo Search
Why VoIPstudio?
Why voipstudio?
Rocket
It’s a complete business phone system

VoIPstudio is an award-winning cloud telephony service that’s been designed for businesses like yours
VoIP integrations
It has lots of integrations

VoIPstudio fits right in with your most important apps and CRMs to simplify your workflow
VoIP calls
It’s easy to use and cost-effective

Business telephones don’t have to be complicated or expensive. We’ve made VoIPstudio in a different way
Customers
Our customers think we’re excellent

Check out the case studies and reviews to see what our customers have to say about the service we provide
try it for free! See the demo
features
Features
Headphones
A complete Call Centre

A fully equipped Call Centre, direct from the cloud, get started today
VoIP call recording
Call recording

Unlimited call recording to help you manage compliance and performance
VoIP collaboration
Collaboration

Bring your teams together with our collaboration features, including video calls and video conferencing.NEW
Information
Virtual Switchboard

Manage your calls in real-time with drag and drop call control
Global connections
Virtual numbers

Thousands of cities, millions of numbers to choose, geo and non-geographic
Business phone support
40+ Advanced call control features

Build IVR systems, complex routing and manage calls
try it for free! See the demo
Pricing
pricing plans
Pay as you go

Mostly inbound calls?
Choose a low-cost monthly licence fee and simply pay as you go for the calls you make

$ 4.99
Per user/ month
2K Bundle

Outbound calls to different places?
Get 2,000 outbound minutes per user/ month and one inbound number per user

Covers international calls to over 45 countries including:

USA flag UK flag Canada flag Australia flag German flag Spain flag
$ 16.99
Per user/ month
Call Rates and Hardware
VoIP call rates
Call rates

See the per min call rates to every country you’ll ever need to connect to
VoIP telephone numbers
Telephone numbers

Prices for the set up and maintenance of local and international numbers
Business telephones
Hardware

View our range of IP handsets and desk phones from leading vendors
try it for free! See the demo
Resources
Resources
VoIPstudio tutorial
Tutorial videos

Get some help with the basics! Watch our tutorial videos
VoIP guide
How to guides

Learn how to optimise your VoIPstudio with our helpful ‘How to’ guides
VoIP blog business
Our blog

Read our latest thoughts on the telecoms industry and technology
Business communications case studies
White papers

Learn more about business telephone systems and everything VoIP
VoIP business case studies
Case Studies

Thousands of happy customers! Here’s what they have to say
VoIP business FAQ
FAQs

Got a question? We’ve probably already answered it!
try it for free! See the demo
Try it for 30 days!
Why voipstudio?
Why voipstudio?
Features
Features
pricing, call rates, hardware
pricing, call rates, hardware
Resources
Resources
Start 30 day free trial

No credit card required – 200 min. free calls

Customer Support Menu IconCustomer SupportArrow Menu Icon

Talk to Sales Menu IconTalk to SalesArrow Menu Icon

Contact Us Menu IconContact UsArrow Menu Icon

Sign Up Free
5 minute read |

Call recording and GDPR: what must you do to comply?

VoIP phone service background
BUSINESS COMMUNICATIONS

Any business’s call centers and customer service departments must be aware of the legal requirements when recording calls. That’s not surprising, but the call recording landscape has changed since the European Union’s General Data Protection Regulation (GDPR) came into force. The relationship between call recording and GDPR compliance can be difficult to manage, so here’s what you need to know.

Call recording and GDPR

Call recording is a form of data processing, as recordings often contain personal or sensitive information. Users may give their PIN, address, financial or health information over the phone. Companies capture all of that information when recording calls. Consequently, call recording must comply with specific rules described in the GDPR.

Unlike regulations in other countries, the GDPR provides strict guidelines on how and when calls can be recorded, how to obtain user consent, and how to store recorded calls. The GDPR aims to unite existing laws and regulations in EU member states so businesses have a central reference source. It is intended to strengthen the rights of EU citizens and help them control the information companies have about them.

VoIPstudio free trial

Who should follow the GDPR?

The GDPR applies to the export of personal data outside the EU and to any company that processes EU citizens’ data, even if your company is not within EU borders. That last part is very important to remember. If you think you don’t need to comply with GDPR because you’re located in another country, you’re wrong.

Your company must comply with GDPR if:

  • You process data relating to EU citizens even if you are located elsewhere.
  • If you offer goods and services to EU citizens, even if you do not charge for them.
  • You are tracking behavior within EU borders.

While there are exceptions for small businesses that meet specific criteria, most businesses must adhere to the GDPR if they deal with EU citizens or handle their data.

Risks of non-compliance with the GDPR in call recording

What happens if you don’t comply or don’t implement the proper measures?

Failing to comply with GDPR on call recording can lead to several significant risks for businesses:

  1. Fines and penalties: Failure to comply with the GDPR can result in substantial fines, reaching up to 4% of the company’s global annual turnover or €20 million, whichever is greater.
  2. Reputational damage: Violations of the GDPR can seriously damage a company’s reputation. Loss of trust from customers and business partners can have a lasting and negative impact on the business.
  3. Legal claims: Individuals affected by a breach of the GDPR have the right to file lawsuits against the company. This can lead to costly litigation and damage awards.
  4. Operational disruptions: Investigations and audits resulting from a GDPR breach can disrupt normal business operations, resulting in additional financial losses.
  5. Data loss: Non-compliance with the GDPR is often associated with a lack of adequate security measures, which can result in the loss or leakage of sensitive personal data.
  6. Notification obligations: In the event of a data breach, the company must notify authorities and affected individuals, which may result in additional costs and an increased administrative burden.
  7. Additional regulation: Companies that fail to comply with the GDPR may face increased oversight and regulation from authorities, which may result in additional compliance and ongoing monitoring requirements.

Call recording regulations

So make sure your solution covers all the bases and leaves you free time to focus on what’s important: your users.

Call recording and GDPR consent

GDPR significantly changes the rules for obtaining consent from callers to record calls.

You’re probably familiar with the message at the beginning of a call that says, “This call will be recorded for training purposes.” If the caller continues on the call and does not hang up, the company assumes they have consented. This is what is known as implied consent.

Under GDPR, implied consent is no longer sufficient. According to the regulations, companies must obtain consent explicitly and only after informing the caller of the reason.

Therefore, a company must state the reason for call recording and provide a means for the caller to consent. Most organizations will ask the caller to press one number to give consent and another to decline the recording.

Conditions for call recording to comply with GDPR

Before GDPR came into effect in 2018, companies could indicate that the recording was for training or anything else.

A company may want to review recorded calls for user feedback or regulatory compliance, even if the reason is different.

In the post-GDPR world, organizations can no longer do that.

Any call you record must meet one of the following conditions:

  1. All participants have consented to the recording for one or more stated and specific reasons.
  2. The recording is necessary to fulfill a contract, and the caller is a party.
  3. The call recording is necessary to fulfill a legal obligation on the part of the company.
  4. The company can demonstrate that the recording is necessary to protect the interests of one or more participants.
  5. The call recording is in the public interest or necessary to exercise official authority.
  6. Call recording is in the company’s interest, provided it does not override the caller’s interest when it is necessary to collect personal data.

A quick review of the terms and conditions reveals that call recording is permitted and not prohibited by RGPD. It is a means to ensure that companies do not trample on individual rights when collecting personal data.

After all, you don’t have to worry about losing user data if you never had it. It also frees companies from wasting resources on collecting data when they don’t need it.

Call recording and GDPR RGPD: when, where and who

The GDPR insists that companies clarify when, where, and how calls are recorded.

So, if your call center has integrated landlines, VoIP, and mobile devices into one system, it must comply with GDPR requirements.

It is no longer sufficient to obtain consent or the purpose of call recording from the state on landline phones without ignoring mobile devices.

When is call recording GDPR compliant?

Call recording can be lawful and GDPR-compliant in the following cases:

  1. Express consent: when all parties involved in the call have given explicit and informed consent to the recording.
  2. Legitimate interests: When the recording is necessary for the company’s legitimate interests, provided that the fundamental rights and freedoms of the data subject do not prevail.
  3. Legal obligations: When the recording is necessary to comply with a legal obligation.
  4. Performance of a contract: When the recording is necessary for the performance of a contract to which the data subject is a party.
  5. Protection of vital interests: Recording is necessary in exceptional cases to protect a person’s vital interests.

Where call recording must be performed to comply with GDPR

Call recording must be carried out:

  1. A secure environment: systems and servers that meet appropriate security standards protect the personal data recorded.
  2. Data location: Data should be stored preferably within the European Economic Area (EEA) or in countries with adequate data protection recognized by the European Commission.

How call recording should be done to comply with the GDPR

To comply with GDPR when recording calls, these steps must be followed:

  1. Obtaining consent: Inform all participants about the recording and its purpose and obtain their explicit consent before starting.
  2. Adequate notification: Provide participants with clear and concise information about the recording and the use of the data, preferably at the beginning of the call.
  3. Data encryption: Implement encryption in transit and at rest to protect recordings from unauthorized access.
  4. Access control: Establish strict access controls to ensure only authorized personnel can access recordings.
  5. Storage and retention: Define clear data storage and retention policies, ensuring that recordings are only retained for as long as necessary and disposed of securely.
  6. Data subjects’ rights: Make it easy for individuals to exercise their rights under the GDPR, such as the right of access, rectification, erasure, and objection to the processing of their data.
  7. Impact assessment: If call recording poses a high risk to the rights and freedoms of data subjects, conduct a data protection impact assessment (DPIA).

GDPR rights and obligations

Most companies have focused on the changes to obtain consent and the purpose of call recording, as these are the most critical components of GDPR compliance. It is easy to forget that the legislation takes into account other factors related to call recording, such as:

  • the right to access data
  • the right to be forgotten
  • how long companies can keep recordings
  • How can data be protected against theft or loss?

Right to access data

The GDPR states that users have the right to access the data stored by any company. This rule also applies to recorded calls.

So, if one of your users requests access to their call recording, you must complete it within 30 days. In practical terms, your company must be able to search and retrieve particular calls when necessary. You can’t just put all the collected calls on a server and forget about it.

Right to be forgotten

The GDPR also ensures that users have the right to be forgotten, i.e., they can ask a company to delete all their stored data.

Again, call recordings fall within the definition of personal data for this purpose. Once such a request arrives, the company has to comply and securely delete the data.

However, a company does not need to delete the data if:

  • The stated purpose still needs to be fulfilled.
  • It would violate any state or federal law.
  • It is necessary to defend legal claims or establish legal rights.
  • The data is necessary to exercise freedom of expression or information.
  • It is necessary to file in the public interest.

From a business perspective, any solution you use to store recordings must be able to completely and securely delete them at any time.

Data retention and protection standards

Over the past decade, businesses have witnessed increased media scrutiny of security breaches and the potential loss associated with data theft. As a result, GDPR also has compliance requirements regarding data protection and retention.

Call recordings must be stored securely, and companies must ensure that appropriate access controls are implemented.

Physical and technical safeguards for data security and privacy must also exist. You must assess the risks associated with hackers, malicious insiders, and even careless employees and take appropriate action.

In addition, there are provisions for how long companies can store and retain call recordings. Once the original purpose for which it was collected is fulfilled, companies must securely dispose of them.

Some organizations may balk at the cost or effort involved, but the potential loss of user data is too risky to ignore.

GDPR only requires companies to take reasonable steps to provide adequate security and does not demand a 100% perfect security landscape.

Call recordings and GDPR-compliant solutions

What does all this mean for your company?

Any solution you implement must have the following capabilities:

  1. Explicit consent from callers.
  2. Clearly state the intended purposes of call recording.
  3. Store recorded data securely.
  4. Easily access and retrieve particular call recordings when needed.
  5. Securely delete recorded calls when requested by a user.
  6. Be reasonably secure against internal and external security risks.

This may seem only achievable for large enterprises, but it doesn’t have to be. Several solutions are on the market that can meet GDPR requirements.

The hard part is finding a provider that offers the service you need at an affordable price.

Ensure the protection and security of your call recordings with VoIPstudio

VoIPstudio free trial

VoIPstudio ensures the protection and security of call recordings to comply with GDPR in the following ways:

Data encryption

All call recordings are encrypted both in transit and at rest, protecting data against unauthorized access.

Access control

Only authorized personnel have access to call recordings. VoIPstudio implements strict role-based access controls to ensure that only the right people can access the data.

Informed consent

VoIPstudio makes obtaining explicit consent from parties involved in calls easy, which is critical for GDPR compliance. Users can set up automatic alerts to inform participants about the recording.

Secure storage

Recordings are stored on secure servers that comply with international security standards. In addition, VoIPstudio offers customizable storage options to adhere to each company’s data retention policies.

Secure data deletion

VoIPstudio provides tools for secure deletion of call recordings once they are no longer needed, ensuring that personal data is not retained longer than necessary.

Audits and monitoring

Regular audits and monitoring are performed to detect and respond quickly to security breaches. It ensures that any security incidents are handled promptly and effectively.

Legal compliance

VoIPstudio continuously works to stay current with legal and security regulations, ensuring that its practices comply with GDPR and other relevant regulations.

These measures ensure that VoIPstudio adequately protects call recordings and complies with the strict requirements of the GDPR.

Remember that you can record calls in VoIPstudio as shown in this video:

Contact us for more information about call recording.

Frequently asked questions about GDPR compliance in call recording

Is it legal to record VoIP calls under the GDPR?

Yes, it is legal if specific requirements are met, such as obtaining informed consent from the parties involved or having a clear legal basis for doing so.

What consent is needed to record VoIP calls under the GDPR?

Explicit and clear consent needs to be obtained from all parties involved in the call, informing them about the recording and the purpose of the call.

How can I inform the participants of a VoIP call about the GDPR recording?

You must notify the participants before the recording begins, clearly explaining that the call will be recorded, the purpose of the recording, and how the data will be used.

What security measures should I implement to protect VoIP call recordings under the GDPR?

To protect the data, implement appropriate technical and organizational measures, such as encryption of recordings, strict access control, and regular security audits.

Ready to get started with VoIPstudio?

Start a free 30 day trial now, no credit card details are needed!

Thousands of businesses across the world trust VoIPstudio for all of their most vital business communications. Why not be the next?

Thousands of businesses across the world trust VoIPstudio for all of their most vital business communications. Why not be the next?

Start my trial! Take a 30 day free trial

Start a free 30 day trial now, no credit card details are needed!