Compliance & GDPR

AI call analysis and the GDPR: where are your recordings really processed?

Deploying AI call analysis is not just a technology decision — it is a decision to entrust the processing of personal data. A recorded customer call contains at least a voice, often a full name, address details, contract specifics, and in some industries health or financial data. Before you sign a contract with a speech analytics vendor, it pays to know what to ask. This guide brings together in one place the legal bases for recording, information duties, DPIA requirements and a checklist of questions for your vendor.

A call recording is personal data — all of it

The GDPR does not distinguish between the “content of the call” and “metadata”. The voice is personal data, the transcript is personal data, and an AI score linked to a specific agent — that too. This means the entire processing chain — uploading the recording, transcription (speech-to-text), analysis by an AI model and storage of the results — must have a clearly defined location, legal basis and safeguards.

Scale makes the difference. A team of 40 agents handling 60 calls a day each generates around 2,400 recordings per day and over 50,000 per month. With 12-month retention that is more than 600,000 files, each subject to individuals’ rights: access (Art. 15 GDPR), rectification (Art. 16) and erasure (Art. 17). The question “can we find and delete every call from a single customer?” is better asked before deployment than after the first request. The stakes: violations carry fines of up to €20 million or 4% of worldwide annual turnover (Art. 83 GDPR).

The legal basis for recording customer calls: consent is not always needed

Counterintuitively, customer consent is rarely the right basis for recording — it can be withdrawn at any time, which creates operational chaos across hundreds of thousands of recordings. In most call centers the basis is the controller’s legitimate interest (Art. 6(1)(f) GDPR): securing evidence, handling complaints, quality control. The condition is a documented balancing test showing that the company’s interest does not unduly infringe the caller’s rights and freedoms.

A separate layer is the confidentiality of electronic communications under Poland’s Electronic Communications Law of 12 July 2024 (PKE), which replaced the former Telecommunications Law. Recording the content of communications requires a basis — including the consent of the sender or recipient of the message. Hence the standard “this call is being recorded” notice at the start of the call — and anyone who objects to being recorded should have an alternative contact channel.

Processing purpose, legal basis, notes — a quick map

Processing purposeTypical legal basisPractical notes
Recording calls for evidence and service quality controlArt. 6(1)(f) GDPR (legitimate interest)Documented balancing test + recording notice at the start of the call
Concluding or performing a contract over the phoneArt. 6(1)(b) GDPRThe recording documents the parties’ declarations; data scope limited to what is necessary
Recording required by sector-specific regulationsArt. 6(1)(c) GDPR (legal obligation)Applies to some financial institutions, among others — verify your industry’s rules
Monitoring and evaluating agents’ work qualityArt. 6(1)(f) GDPR + Art. 22³ of the Polish Labour CodePurposes, scope and method of monitoring set out in work regulations or an announcement; staff informed at least 2 weeks before launch
Special-category data disclosed in a call (e.g. health)Art. 9(2) GDPR (separate condition)Minimization: AI scoring criteria should not deliberately extract such data

This is an indicative map — the specific basis for each purpose is chosen by the controller together with the DPO, separately for customers and agents.

The information duty: the customer hears a notice, the agent gets a document

For customers, layered information works best. The first layer is a short notice at the start of the call: who is recording, for what purpose and where to find the full information. The second layer is a complete Art. 13 GDPR notice — controller, purposes and bases, retention periods, data recipients, individuals’ rights — available on the website or provided on request. A notice that says only “this call may be recorded for training purposes” does not satisfy this duty.

For agents the duties go further, because call analysis is employee monitoring. Art. 22³ of the Polish Labour Code requires the purposes, scope and method of monitoring to be set out in a collective agreement, work regulations or an announcement — and employees to be informed no later than 2 weeks before it starts. If an AI system evaluates the calls, Art. 26(7) of the AI Act adds: the employer informs employees and their representatives before the system is put into use.

Checklist: 10 questions for your call analysis vendor

  1. Where are the servers physically located? “European cloud” is sometimes a marketing shortcut. Ask for the specific regions and countries where recordings and transcripts are stored.
  2. Where do transcription and the AI models run? This is the most common trap: data is stored in the EU, but sent to APIs outside Europe for transcription or scoring. The entire pipeline — not just storage — should run in the EU region.
  3. Does your data train the vendor’s models? Make sure recordings and transcripts are not used to train models made available to other clients.
  4. What does the data processing agreement (DPA) look like? The list of sub-processors, locations, retention periods and the data deletion procedure should be transparent and part of the contract.
  5. Who on the platform side has access to recordings? Check the permissions model: who in your organization sees which campaigns, calls and results.
  6. How long are recordings, transcripts and results kept? Retention should be separated per data type — audio does not need to live as long as a score. Also ask about the data deletion procedure after the contract ends.
  7. How will you fulfil an access or erasure request? The platform should let you find all calls of a given person (e.g. by phone number) and permanently delete them — otherwise Art. 15–17 GDPR become manual, multi-day work.
  8. Will the vendor supply the inputs for a DPIA? A data flow diagram, the list of sub-processors, locations, technical and organizational measures — without these you cannot close the impact assessment (Art. 35 GDPR, Art. 26(9) AI Act).
  9. Does the system analyze agents’ emotions or tone of voice? The correct answer is: no, and it is technically impossible. Inferring employees’ emotions in the workplace is prohibited by Art. 5 of the AI Act.
  10. How does the vendor classify its system under the AI Act? A system that evaluates employees is a high-risk system (Annex III, point 4(b)). A vendor who denies this is shifting the regulatory risk onto you.

A DPIA before launch: when call analysis requires an impact assessment (Art. 35 GDPR)

A data protection impact assessment (DPIA) is mandatory when processing is likely to result in a high risk to individuals’ rights and freedoms — in particular in the case of systematic, extensive evaluation of personal aspects based on automated processing (Art. 35(3)(a) GDPR). Poland’s supervisory authority (UODO) clarified this in its list of 17 June 2019, naming 12 categories of operations; the accepted view is that meeting at least two criteria triggers the DPIA obligation.

Automated call analysis usually meets three at once:

  • evaluation and scoring of individuals — the system scores agents and builds their quality profiles,
  • systematic monitoring — 100% of calls are analyzed, day after day,
  • innovative use of technology — transcription and scoring by AI models.

The practical takeaway: treat the DPIA as a standard part of the deployment, not an exception. Your organization carries it out as the controller, but you cannot close it without material from the vendor — which is why the data flow diagram, the sub-processor list and the retention periods from the checklist above are not formalities, but inputs to the document.

The EU AI Act: a new level of requirements

Since the EU AI Act entered into force, AI systems used at work — including those evaluating employees — are subject to additional requirements: transparency of operation, human oversight of decisions and documentation. Annex III, point 4(b), explicitly lists systems for monitoring and evaluating the performance of people in work-related relationships — automated scoring of agents’ calls falls within that definition. For a call center manager this comes down to two practical questions: do you know why the AI scored a call one way and not another, and can a human verify and correct that score.

The second hard boundary is emotions. Art. 5(1)(f) of the AI Act — applicable since 2 February 2025 — prohibits systems that infer people’s emotions in the workplace. A voice technically analyzed by an AI system constitutes biometric data, so analyzing an agent’s tone of voice or “emotional attitude” is not a grey area — it is a prohibited practice. We cover the full list of employer duties as a deployer in our article on the EU AI Act in the call center.

That is why the ability to drill down from every score to the specific call and a transcript quote matters so much — the score stops being a “black box” and becomes a verifiable finding.

How CallSea solves this

  • Servers in Germany — recordings, transcripts and results never leave EU data centers.
  • Call transcription and AI models in the EU region — the entire processing pipeline runs on European infrastructure, without sending data overseas.
  • Audio recordings are not permanently stored — after transcription and scoring you work on text and results, which shrinks the risk surface and simplifies retention.
  • Controlled flow of recordings — files reach the platform automatically via SFTP or API, with permissions at the personal, campaign and organization level.
  • An architecture ready for the EU AI Act — every call quality score is linked to the call and a transcript quote, and inferring agents’ emotions is technically blocked: the models read text only.
  • A deployment pack — a DPA, an employee notice template, DPIA input data and AI literacy materials cut your DPO’s workload.

Practical tip: ask the vendor for a data flow diagram for a single recording — from the moment it is uploaded to its deletion. If they cannot show one, that is a warning sign.

Frequently asked questions about the GDPR and AI call analysis

Does recording customer calls require the customer's consent?

Not always. In most call centers the processing basis is the controller's legitimate interest (Art. 6(1)(f) GDPR), confirmed by a balancing test — not consent. What is mandatory is a recording notice at the start of the call and a real alternative for anyone who does not want to be recorded, e.g. contact through another channel. In regulated industries, recording can be an outright legal obligation.

Do I need a DPIA before deploying AI call analysis?

In practice, yes. A data protection impact assessment (Art. 35 GDPR) is required when processing meets at least two criteria from the supervisory authority's list — and automated call scoring usually meets three at once: evaluation and scoring of individuals, systematic monitoring, and innovative use of technology. The DPIA is carried out by the controller, but the vendor should supply the necessary details on data flows, sub-processors and safeguards.

Can AI analyze an agent's emotions and tone of voice?

No. Art. 5(1)(f) of the AI Act prohibits systems that infer people's emotions in the workplace. That is why a safe call analysis architecture relies exclusively on transcript text — this is how CallSea works: the AI models do not analyze tone of voice or prosody, so inferring an agent's emotions is technically unfeasible, not merely contractually forbidden.

Where does CallSea store call recordings and transcripts?

The entire pipeline — receiving recordings, transcription, AI scoring and storing the results — runs in the European Union, on servers in Germany. Data is not sent to APIs outside Europe and does not train models made available to other clients, and audio recordings are not permanently stored after processing.

How should call center employees be informed about call monitoring?

Poland's Labour Code (Art. 22³) requires setting out the purposes, scope and method of monitoring in a collective agreement, work regulations or an announcement, and informing employees no later than 2 weeks before it starts. Where an AI system evaluates the calls, Art. 26(7) of the AI Act adds a duty to inform employees and their representatives before the system is put into use. CallSea provides clients with a ready-made template for this notice.

Disclaimer: this article is for information purposes and is not legal advice. The choice of legal bases and the scope of duties depend on your specific deployment — consult your lawyer or DPO.