GDPR-compliant meeting transcription: what you actually need to know

Meeting transcription processes personal voice data. Here is what GDPR requires, where most teams get it wrong, and a practical compliance checklist.

MangoFinch Team · 7 min read

The moment you hit "record" on a meeting with anyone in the EU, you are processing personal data under GDPR. Not might be. Are.

Voice recordings contain biometric data. Transcripts contain names, opinions, sometimes health information or financial details. A meeting where a Berlin-based engineer casually mentions their doctor's appointment just became a record of health-related personal data.

Most teams know they need to "do something" about GDPR. Fewer know what that something actually is.

Why transcription triggers GDPR

GDPR applies whenever you process personal data of EU residents. Processing means collecting, storing, analyzing, or transmitting. A meeting transcript hits all four.

Voice is personal data because it identifies a person. Even if you strip the name from a transcript, voice patterns are considered biometric identifiers under Article 9.

Here is the part that catches people: GDPR does not only apply if your company is in the EU. It applies if any participant in the meeting is in the EU. An American company running a call with one developer in Amsterdam is subject to GDPR for that recording. The Irish Data Protection Commission confirmed this interpretation in their 2023 guidance.

Consent is not just a banner

The most common GDPR mistake with transcription is treating consent like a formality. Teams add a "this meeting is being recorded" disclaimer to the calendar invite and assume they are covered.

They are not.

GDPR consent under Article 7 has specific requirements. It must be freely given — the person cannot face negative consequences for refusing. It must be specific — consenting to recording is different from consenting to transcription, which is different from consenting to storage. It must be informed. And it must be unambiguous — silence or pre-checked boxes do not count.

In practice, a calendar invite disclaimer is not consent. A verbal "we are recording this" is closer but still not sufficient if people feel they cannot object without professional consequences.

What works: a clear notification before recording starts, an explanation of what the recording will be used for, an easy way to opt out without leaving the meeting, and documentation that all of this happened.

The six lawful bases

Consent is only one of six lawful bases for processing personal data under Article 6. For workplace meetings, legitimate interest (Article 6(1)(f)) is often a better fit.

Legitimate interest works when the processing serves a real business purpose (accurate meeting records), the processing is necessary for that purpose, and the individual's rights do not override your interest.

The advantage over consent: you do not need individual opt-in from every participant. The disadvantage: you need to document your Legitimate Interest Assessment, and you must still inform participants and give them the right to object.

Many companies in regulated industries use legitimate interest for meeting recordings because consent in an employer-employee context is inherently questionable.

Data residency

GDPR restricts transferring personal data outside the EU unless the destination country has an adequacy decision or you have Standard Contractual Clauses.

For transcription services, this means asking: where does the audio go? Where is the transcript stored?

Our speech-to-text provider processes audio in US and EU data centers. Our translation provider routes through global infrastructure. For MangoFinch, we mapped every data flow and ensure EU-origin audio stays in EU-region processing where possible. When it does cross borders, we rely on Standard Contractual Clauses and our own Data Processing Agreements with each provider.

Right to erasure

Article 17 gives individuals the right to have their personal data deleted. Applied to meeting transcripts, this creates a challenge.

If a participant requests erasure, you need to delete all recordings and transcripts containing their voice. Not archive. Delete. Within 30 days.

This is straightforward if your transcripts are individual files. It is a nightmare if your transcription provider uses recordings to improve their models. Your participant's voice data may be distributed across model weights in a way that cannot be extracted.

We designed MangoFinch around this constraint. Audio is processed in real time and never stored permanently. Transcripts are stored in the user's session and can be exported or deleted at any time. We do not use any customer audio or transcript data for model training.

When someone objects mid-meeting

You are 20 minutes into a recorded meeting. A new participant joins late, sees the recording indicator, and says they do not consent. What do you do?

Under GDPR, you have three options: stop recording entirely, exclude the objecting participant's audio, or pause recording while that participant speaks. The first disrupts everyone. The third is impractical.

MangoFinch handles this with per-participant controls. The meeting host can exclude a specific participant's audio from transcription without stopping the entire recording. A legal services company in our beta had this exact situation in their second week.

Common misconceptions

"We anonymize the transcripts, so GDPR does not apply." Pseudonymization reduces risk but does not exempt you unless the data is truly irreversibly anonymized. If you can re-identify someone from context, it is still personal data.

"Internal meetings do not count." They do. GDPR does not distinguish between internal and external communications.

"We only keep recordings for 30 days, so we are fine." Storage limitation requires that you do not keep data longer than necessary, but "necessary" is your determination. You need to define a retention period and justify it.

"Our vendor is GDPR-compliant, so we are covered." Your vendor's compliance does not transfer to you. You are the data controller. You need a Data Processing Agreement with every vendor that touches the data.

Compliance checklist

Before the meeting: determine your lawful basis, notify all participants, explain what happens with the data, provide a mechanism to object.

During the meeting: display a visible recording indicator, have a process for mid-meeting objections, ensure per-participant exclusion if needed.

After the meeting: store transcripts only as long as necessary, maintain the ability to delete on request within 30 days, keep records of processing activities.

For your vendor relationship: execute a Data Processing Agreement, verify where audio is processed, confirm whether the vendor uses your data for training, ensure the vendor can support deletion requests.

The enforcement reality

As of early 2026, GDPR fines related to meeting recordings specifically are still rare. But fines for improper consent and insufficient data processing agreements are not. The Italian DPA fined a company EUR 20,000 in 2024 for recording employee calls without proper consent. The Spanish AEPD issued a EUR 50,000 fine for video surveillance lacking proper notice.

The trend is toward more enforcement. The European Data Protection Board published updated guidance on employee monitoring in 2025 that specifically mentions AI-powered transcription as a high-risk processing activity.

Getting this right now costs you a few hours of documentation. Getting it wrong later could cost significantly more.
