When voice becomes data: legal obligations of automated transcription


Pressing the transcription button in a meeting and receiving the minutes a few minutes later has become standard practice in many organisations. What frequently goes unnoticed is that behind this convenience lies personal data processing with concrete legal obligations. The Spanish Data Protection Authority (AEPD) addressed this in two articles published on its blog in January and April 2026, and their conclusions deserve to be applied in a business context.

Voice is personal data and carries associated metadata

A person’s voice can identify them directly or indirectly, which means the GDPR applies from the moment it is recorded. In addition, digital transcription services generate metadata that also constitutes personal data: the phone number, the connection’s IP address, the time and duration of the call, or information about application usage. The Regulation would only cease to apply in the case of synthetic voices or recordings modified at source to entirely eliminate any possibility of identification.

Transcription and retraining: two processing activities with different legal bases

One aspect the AEPD emphasises particularly strongly is that AI transcription services may involve two distinct processing activities. The first is transcription proper (meeting minutes, customer service records, etc.). The second, less visible, is the possible use of recordings to retrain or fine-tune the provider’s model, a common practice that may result in third parties outside the organisation listening to fragments of the recording.

Each of these processing activities requires its own legal basis. The organisation deploying the service must explicitly ask its provider whether it carries out such additional processing and under what conditions. When the provider uses the data for its own purposes, it assumes the role of controller in respect of that activity, regardless of the data processing agreement signed with the client organisation.

Transparency, consent and due diligence in provider selection

The controller must inform data subjects before the recording begins and, in addition, maintain an active and visible indicator while it is in progress, such as an on-screen notice or a light signal. Where the legal basis is consent, this must be freely given, specific and unambiguous: the AEPD has expressly rejected the notion that it is sufficient for participants to join a session after a generic notice. Consent also expires at the end of the specific activity for which it was given.

As regards provider selection, Article 28 of the GDPR requires the controller to exercise due diligence not only at the contracting stage but throughout the entire lifecycle of the processing, verifying confidentiality guarantees, security measures, retention periods, metadata minimisation and data location.

Accuracy, data subject rights and the limits of the AI Act

Transcription errors are not mere technical glitches: attributing to a person something they did not say has direct legal relevance under the accuracy principle in Article 5 of the GDPR and triggers the rectification obligation under Article 16. Proactive accountability therefore requires anticipation: informing data subjects about the system’s limitations, establishing review procedures and enabling access and rectification mechanisms. Furthermore, services that go beyond transcription and infer emotions, beliefs or health status may affect special categories of data, and some such uses conflict with the prohibited practices under Regulation (EU) 2024/1689 on Artificial Intelligence.

How Letslaw can help you

At Letslaw we specialise in data protection and artificial intelligence. If your organisation already uses or is considering implementing automated voice transcription tools, we can help you review provider contracts, define the appropriate legal basis, update privacy notices and assess whether a Data Protection Impact Assessment (DPIA) is required. Do not hesitate to contact us.
