- A recorded voice call is personal data, so the UK GDPR as set out in the Data Protection Act 2018 applies whenever a business records VoIP calls.
- A recording must rest on one of the lawful bases in Article 6 of the UK GDPR, chosen and documented before recording begins.
- Recordings must not be kept longer than necessary for the purpose, in line with the storage-limitation principle of the UK GDPR.
- Callers have the right to be informed that recording takes place, and a right of access to recordings that contain their personal data.
- Separate rules under the Investigatory Powers Act and related telecoms legislation govern interception, distinct from data-protection duties.
Recording VoIP calls is lawful under the UK GDPR if there is a documented lawful basis, callers are informed, recordings are kept no longer than needed, and access and erasure rights are honoured.
Last reviewed: June 2026
Why GDPR applies to recorded calls
A telephone call captured and stored as a recording is more than a conversation: it is a record containing the personal data of the people speaking, often including names, contact details, account information and sometimes sensitive matters. Under the UK GDPR, which sits alongside the Data Protection Act 2018, any processing of personal data brings legal duties, and recording, storing and later playing back a call all count as processing. This means a business that records VoIP calls is a data controller for those recordings and must meet the same obligations that apply to any other personal data it holds.
It helps to be precise about what counts as personal data in a recording. The UK GDPR defines personal data as information relating to an identified or identifiable living individual, and a voice itself can identify a person, so even a call in which no name is spoken can fall within scope. Where a conversation touches on health, ethnicity, religious belief or other categories listed in Article 9, the recording captures special category data, which carries stricter conditions for processing. A business that records broadly should assume that at least some calls will contain sensitive content, even if that was never the intention, and design its controls accordingly rather than assuming an ordinary commercial call is low risk.
The flexibility of VoIP makes recording easy to switch on, which is part of why the legal duties are sometimes overlooked. A modern system can capture every call with a single setting, but the law does not distinguish between a deliberate recording programme and one enabled casually. The same principles, including a lawful basis, transparency, minimisation and retention limits, apply in both cases. Treating recordings as regulated personal data from the outset is the way to stay compliant. The accountability principle in the UK GDPR also requires the controller to be able to demonstrate compliance, so the practical test is not only whether the recording is lawful but whether the business can show, in writing, why and how it is lawful.
Choosing and documenting a lawful basis
Every act of recording must rest on one of the lawful bases set out in Article 6 of the UK GDPR. For business call recording, the bases most often relied on are the performance of a contract, compliance with a legal obligation, the legitimate interests of the organisation, and consent. Which applies depends on the purpose. A firm recording for training and quality assurance might rely on legitimate interests, having weighed that interest against the privacy of callers. A business in a regulated sector required to keep records of certain conversations may rely on a legal obligation. Where consent is the basis, it must be freely given and the caller able to decline.
The mechanism behind each basis differs in a way that affects day-to-day operation. Legitimate interests requires a three-part assessment: identifying the interest, showing the recording is necessary to achieve it, and balancing that interest against the rights and reasonable expectations of the caller. Consent, by contrast, must be a clear affirmative act and must be as easy to withdraw as it was to give, which is difficult to engineer on a live phone line where declining recording would end the call. That practical difficulty is precisely why many organisations avoid relying on consent for general call recording and instead document legitimate interests, reserving consent for situations where the caller has a genuine, cost-free alternative.
The choice of basis is not a formality to settle later. It should be decided before recording starts, recorded in writing, and reflected in the information given to callers. Relying on legitimate interests in particular calls for a documented assessment balancing the business need against the rights of the individuals recorded. Choosing the wrong basis, or failing to identify one at all, undermines the lawfulness of every recording made, so this decision sits at the heart of compliance. A business cannot switch bases after the fact to justify a recording it has already made, which is why the documented decision matters before the first call is captured.
Retention: how long recordings can be kept
The storage-limitation principle requires that personal data is kept no longer than is necessary for the purpose it was collected for. There is no single fixed period that applies to all call recordings, because the right length depends on why the recording was made. A recording kept for training might be needed only briefly, while one retained to evidence a contract or to meet a regulatory requirement may justifiably be held longer. The duty is to set a defined retention period tied to the purpose, apply it consistently, and delete recordings securely once it expires.
Where a sector regulator sets a minimum holding period for certain conversations, that period gives a concrete anchor for the retention decision, but it is a floor rather than a licence to keep everything. A recording held to meet a legal obligation should be deleted once that obligation lapses, not carried forward indefinitely because deleting it is inconvenient. The mechanism that makes this workable is automated deletion: configuring the VoIP or recording platform to purge audio once the defined period passes removes the reliance on a person remembering to act, and it produces a consistent, auditable outcome that supports the accountability principle.
A retention schedule is the practical tool for this. It states, for each category of recording, how long it is held and what triggers its deletion, and it should be applied automatically wherever the system allows. Holding recordings indefinitely or with no schedule at all is a common failing and is difficult to defend, because it cannot be shown that continued retention remains necessary. Documenting the retention decision, like the lawful basis, demonstrates the accountability that the UK GDPR requires.
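As an added illustration, not code from the page, the following Python sketch applies a per-category retention schedule to a constructed inventory of recording metadata; the category names, retention periods and the legal-hold flag are assumptions chosen to show a regulatory floor, a suspended deletion and an uncategorised recording being flagged rather than kept by default.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: days held per category, each tied to a purpose.
# The figures are illustrative assumptions, not periods the page prescribes.
RETENTION_DAYS = {
    "training": 30,         # quality assurance: brief hold
    "contract": 6 * 365,    # evidence of a contract
    "regulated": 5 * 365,   # regulator-set minimum: a floor, not a licence
}

@dataclass
class Recording:
    rec_id: str
    category: str
    recorded_on: date
    legal_hold: bool = False  # live complaint or regulator request suspends purge

def retention_status(rec: Recording, today: date) -> str:
    """Classify one recording as 'retain', 'delete', 'hold' or 'review'."""
    days = RETENTION_DAYS.get(rec.category)
    if days is None:
        return "review"    # no schedule for this category: flag, never keep silently
    if today < rec.recorded_on + timedelta(days=days):
        return "retain"
    if rec.legal_hold:
        return "hold"      # period expired but deletion suspended until hold lifts
    return "delete"

def apply_schedule(recordings, today: date):
    """Return ids due for secure deletion plus an audit line for every decision."""
    to_delete, audit = [], []
    for rec in recordings:
        status = retention_status(rec, today)
        audit.append(f"{today.isoformat()} {rec.rec_id} {rec.category} {status}")
        if status == "delete":
            to_delete.append(rec.rec_id)
    return to_delete, audit

# Constructed sample inventory (assumed values, not real recordings)
SAMPLE = [
    Recording("rec-001", "training", date(2026, 4, 1)),
    Recording("rec-002", "training", date(2026, 5, 20)),
    Recording("rec-003", "contract", date(2019, 1, 15)),
    Recording("rec-004", "regulated", date(2020, 3, 1), legal_hold=True),
    Recording("rec-005", "marketing", date(2025, 1, 1)),
]
```

Run as of 1 June 2026, `apply_schedule(SAMPLE, ...)` marks rec-001 and rec-003 for deletion, keeps rec-004 on hold, retains rec-002 and flags rec-005 for review; the audit list is the record that supports the accountability principle.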
VoIP call recording GDPR compliance checklist
The table below summarises the core compliance steps for recording VoIP calls, what each involves and the principle it supports.
| Step | What it involves | Principle supported |
|---|---|---|
| Identify a lawful basis | Choose and document an Article 6 basis | Lawfulness |
| Inform callers | Give clear notice that recording occurs and why | Transparency |
| Limit what is recorded | Record only what the purpose requires | Data minimisation |
| Set a retention period | Define how long recordings are kept and delete after | Storage limitation |
| Secure the recordings | Restrict access and protect stored audio | Integrity and confidentiality |
| Honour individual rights | Handle access and erasure requests | Accountability |
Securing recordings and controlling access
The integrity and confidentiality principle of the UK GDPR requires personal data to be protected with appropriate technical and organisational measures, and stored call recordings are a concentrated store of exactly the kind of information that attracts that duty. Practical measures include encrypting recordings at rest, restricting playback to named roles rather than the whole organisation, and keeping an access log so it is possible to see who listened to a recording and when. Because VoIP recordings are often held by a third-party platform, the business should also confirm where the audio is stored and ensure a written processor agreement is in place, since the controller remains responsible for the data even when a supplier holds it.
Access control is not only a security measure but a compliance one, because the fewer people who can reach a recording, the easier it is to honour minimisation and to respond confidently to an access request. A breach involving call recordings can be serious precisely because audio may reveal far more than a customer expected to share, including tone, hesitation and incidental detail spoken in the background. Where a breach occurs that is likely to result in a risk to individuals, the controller must notify the relevant supervisory authority within the statutory timeframe, so having access logs and a clear inventory of what is stored is what makes a prompt, accurate notification possible.
What to tell callers and the rights they hold
Transparency is a core requirement, so callers must be told that their call may be recorded, who is recording it and for what purpose, before the substance of the conversation begins. This is commonly done through an announcement at the start of the call and supported by fuller detail in a privacy notice the business publishes. The notice should explain the lawful basis, the purpose, how long recordings are kept and how an individual can exercise their rights. Burying this information or omitting it leaves the recording open to challenge. The announcement should be specific enough that a caller understands what is happening; a vague statement that calls are recorded for unspecified reasons does less to satisfy the transparency duty than one that names the purpose.
Callers retain the rights that the UK GDPR gives all data subjects. They can make a subject access request to obtain a copy of recordings containing their personal data, and the business must respond within the statutory timeframe. They may also request erasure, object to processing based on legitimate interests, or ask for inaccurate associated data to be corrected. Where consent is the basis, they can withdraw it. Responding to an access request for audio raises a practical point: a recording may contain a second person's personal data, so the business may need to consider the rights of others before disclosing, and may redact or withhold where appropriate. Separately from data protection, interception of communications is governed by the Investigatory Powers Act and related telecoms rules, which is why recording one's own business calls with proper notice is treated differently from intercepting calls one is not party to. Meeting both the data-protection duties and the interception rules is what keeps a recording programme lawful.
Frequently Asked Questions
Can I record VoIP calls under GDPR?
Yes, recording VoIP calls is lawful provided the requirements of the UK GDPR are met. There must be a documented lawful basis, callers must be informed, only necessary data should be captured, and recordings must be kept no longer than needed and held securely. Individual rights over the recordings must also be honoured, and the business must be able to demonstrate how it meets each of these duties.
What is the lawful basis for recording calls?
It must be one of the bases in Article 6 of the UK GDPR. Businesses commonly rely on legitimate interests, performance of a contract, a legal obligation, or consent, depending on why they record. The basis should be chosen and documented before recording begins, and where legitimate interests is used, a balancing assessment weighing the business need against the rights of callers should be carried out and kept on record.
How long can I keep call recordings?
Only as long as necessary for the purpose the recording was made. There is no single fixed period; the right length depends on the reason, so a training recording may be kept briefly while one evidencing a contract or meeting a regulatory duty may be held longer. A defined retention schedule should set the period and trigger secure deletion afterwards, ideally automatically so the outcome is consistent and auditable.
Do I need to tell callers they are being recorded?
Yes, transparency requires that callers are informed that recording takes place, by whom and why, before the conversation begins. This is usually done with an announcement at the start of the call, supported by a published privacy notice giving fuller detail on the lawful basis, retention and how to exercise rights. Omitting this information undermines the lawfulness of the recording.
What rights do callers have over their recorded calls?
Callers can make a subject access request for a copy of recordings containing their personal data, and may request erasure or object to processing based on legitimate interests. Where consent is the basis, they can withdraw it. The business must respond to such requests within the statutory timeframe set by the UK GDPR, while also considering the rights of any other individual whose data appears in the same recording.