You're going to record a job interview via video call. Or perhaps a meeting with a client. You know that recording interviews must comply with GDPR, but you're not sure what specific steps to take: Is it enough to simply notify the other party at the beginning of the call? What happens to the data the platform processes? What if you use an AI tool for transcription?
The reality is that most HR professionals and consultants record interviews—by phone, online, or in person—without being entirely sure if they're doing it correctly from a legal standpoint. And it's not for lack of trying: it's simply that GDPR can be confusing when multiple tools and providers are involved.
This guide explains, step by step, how to comply with data protection regulations when recording interviews and meetings. We'll see how recordings work in Teams, Google Meet, and Zoom, what your obligations are as a company, and how tools like Voicit They simplify compliance with features specifically designed for this purpose.
How to comply with GDPR when recording interviews? You must inform the participant before recording (what data you collect, for what purpose and who processes it), obtain their express consent, define a retention period, guarantee their rights and sign a data processing agreement with your technology provider (Art. 28 GDPR).
Contents of this guide
- What does the GDPR say about recording interviews and meetings?
- Data Controller vs. Data Processor
- How Microsoft Teams records and what it means for GDPR
- How Google Meet records and what it means for GDPR
- How Zoom records and what it means for GDPR
- How to record telephone interviews in compliance with the GDPR
- How to record face-to-face interviews in compliance with the GDPR
- The problem: the platforms record, but they don't manage your obligations.
- How Voicit helps you comply with the GDPR
- What to communicate to the candidate: the two layers of information
- GDPR compliance checklist for recording interviews
- Frequently Asked Questions
📜 What the GDPR says about recording interviews and meetings
The General Data Protection Regulation (EU 2016/679) does not prohibit recording interviews or meetings. What it does require is that the processing of personal data—and a voice or video recording is personal data—must be carried out in compliance with a series of principles and obligations.
The key items that affect the recording of interviews are:
- Art. 6 — Legal basis for processing: You need a legitimate basis for recording. In selection interviews, it's common practice to... express consent of the candidate. In internal meetings, it may be the legitimate interest of the company.
- Art. 13 — Duty to inform: Before recording, you must clearly inform the participant about what data you collect, for what purpose, who processes it, for how long, and what their rights are.
- Art. 28 — Data Controller: If you use a technology provider (such as Voicit, Zoom, or any transcription tool), you need a contract that regulates how that provider handles the data.
- Art. 17 — Right of erasure: The candidate can request that you delete their data at any time, and you must be able to do so.
- Art. 44-49 — International Transfers: If the data leaves the European Economic Area, you need additional guarantees (standard contractual clauses, adequacy decision, etc.).
🔑 Data controller vs. data processor: who assumes each obligation
This is the point that generates the most confusion. When a recruitment consultancy uses Voicit (or any tool) to record and process interviews, there are two legal issues at play:
- The company (data controller): It is the company that decides why and for what purpose the candidate's data is processed. The obligation to inform the candidate (Art. 13) falls on the company, not the tool.
- Voicit (processor): It carries out the processing on behalf of the company. It does not decide on the data; it processes it according to the instructions of the data controller.
What does this mean in practice?
What the company does need to communicate The candidate needs to know: what data is collected, for what purpose, who processes it, to whom it is disclosed, how long it is kept, and what their rights are. This includes mentioning that a data processor (Voicit) is used and that the data may pass through sub-processors.
What is not the company's responsibility It details how Voicit works internally, what encryption it uses exactly, and how it manages its servers. This is documentation that Voicit provides through two channels: public privacy policy and a data processor agreement in accordance with Art. 28 GDPR.
📹 How Microsoft Teams records and what it means for GDPR
Microsoft Teams allows you to record meetings and video calls, but this functionality has conditions that directly affect GDPR compliance:
How the recording works
- Only organizers and users with paid licenses (Business Basic or higher) can start recording.
- All participants receive a automatic notification that the meeting is being recorded.
- The recordings are stored in OneDrive or SharePoint, linked to the Microsoft 365 tenant.
- Customers with EU Data Boundary can keep their data within the European Union.
Limitations from a GDPR perspective
- The Teams recording notice is generic: it does not detail the purpose, retention period, or participant rights. It does not replace the duty to inform under Article 13.
- It does not offer scheduled automatic deletion: you decide when to delete, but Teams does not automate it.
- If you use Teams' automatic transcription (Copilot), you introduce an additional sub-manager (Microsoft AI) that you must document.
For a step-by-step guide on how to record in Teams, see our Complete guide to recording in Microsoft Teams.
📹 How Google Meet records and what it means for GDPR
How the recording works
- Available only on Google Workspace paid plans (Business Standard or higher).
- The recording is saved in Google Drive from the organizer, in a "Meet Recordings" folder.
- Google notifies all participants that the meeting is being recorded.
- Google Cloud complies with the EU-US Data Privacy Framework for international transfers.
Limitations from a GDPR perspective
- The recording notice is generic, without information on purpose, legal basis or rights of the interested party.
- There is no native automatic retention functionality with scheduled deletion.
- Google Meet's automatic transcription processes data on servers that may be located outside of Europe (although Google offers contractual commitments via DPA).
Check out our Google Meet recording guide for the step-by-step process.
📹 How Zoom records and what it means for GDPR
How the recording works
- Zoom allows recording both locally (computer disk) and in the cloud (paid plans).
- If you record to the cloud, the data is stored in data centers that you can select (including European centers, available in Business+ plans).
- Zoom displays a visual and audio alert to all participants when recording begins.
Limitations from a GDPR perspective
- The selection of European data centers It is only available on Business plans and above.In Pro plans, data may be processed in the USA.
- Zoom's automated notification also fails to comply with Article 13 of the GDPR: it does not inform about the purpose, the retention period, or the rights of the data subject.
- If you use Zoom AI Companion for transcription or summaries, the data passes through third-party AI models that you should identify as sub-processors.
Our Zoom recording guide It details the entire process.
📞 How to record telephone interviews in compliance with the GDPR
Telephone interviews are the first filter in many selection processes. And although they may seem more informal than a video call, the GDPR obligations are exactly the same: inform, obtain consent, and control data processing.
What to keep in mind when recording a call
- Consent must be given in advance: Before starting the recording, inform the candidate that you are going to record, why, and how their data will be handled. In a call, it's most practical to do this verbally at the beginning.
- Verbal consent is valid provided it is recorded. If you record the call, the recording itself serves as proof of consent (the candidate says "yes, I agree").
- Beware of mobile recording apps: Samsung's and Xiaomi's native recorders or Google's phone app record locally, but they don't help with GDPR management (retention, deletion, documentation).
- If you use a third-party app For recording (like Voicit, Cube ACR or others), that app is a sub-processor that you must document.
Key difference compared to video calls
In a video call on Teams or Meet, the platform at least displays a visual recording notification. In a phone call That automatic notification does not exist.It is entirely up to you to inform the candidate before pressing "record".
Check out our step-by-step guides for recording calls on iPhone and Android, or the comparison of apps to record calls.
🎙️ How to record face-to-face interviews in compliance with GDPR
Face-to-face interviews—whether at the consultant's office, the client's premises, or a shared space—generate the most trust, but they are also the least regulated in terms of recording. And the GDPR makes no distinction: if you record, you must comply.
Recording options and their implications
- Physical recorder or microphone: Devices such as the Voicit recorder (€39.90) or a USB microphone connected to a laptop. The data is then processed in the cloud, which involves a data transfer that must be covered by the contract (Art. 28).
- Mobile app: You can use the Voicit app directly from your smartphone. The recording is uploaded and processed on European servers.
- Laptop opened during the interview: If you record from a browser or desktop app, it works the same as an online meeting but without a camera. The same obligations apply.
Recommended protocol for in-person sessions
- Send the legal notice with the call for applications (by email or message), so that the candidate can read it before attending.
- At the beginning of the interview, verbally confirms: "As we informed you, we are going to record the conversation for [purpose]. Do you agree?".
- If the candidate refuses: Proceed with manual note-taking. No penalty.
- Activate recording only after obtaining consent.
For a complete guide with use cases, see our article on How to record in-person meetings with AI.
⚠️ The problem: the platforms record, but they don't manage your GDPR obligations
The pattern is repeated across all three platforms:
| GDPR aspect | Teams | Meet | Zoom |
| Recording Notice | Generic (without Art. 13) | Generic (without Art. 13) | Generic (without Art. 13) |
| Programmable automatic disposal | Non-native | Non-native | Non-native |
| Data only for Europe | With EU Data Boundary | Via contractual DPA | Business+ Only |
| Specific Contract Art. 28 | Generic Microsoft DPA | Generic Google DPA | Generic DPA Zoom |
| Candidate consent management | Not included | Not included | Not included |
And in the case of the telephone and face-to-face interviewsThe situation is even more critical: there are no automatic notifications from any platform. The entire burden of compliance falls on the interviewer.
In summary: Teams, Meet, and Zoom allow you to record, but the responsibility for GDPR compliance remains yours.None of these platforms manage informed consent, schedule automatic data deletion, or help you with the duty to inform the candidate.
And this becomes even more complicated when you introduce third-party AI transcription tools (bots that connect to the call, external apps that process the audio…), because each one of them is a additional sub-manager that you must document and control.
✅ How Voicit helps you comply with the GDPR
Voicit Voicit is a Spanish artificial intelligence tool designed to record and analyze job interviews and professional meetings. Unlike generic video conferencing platforms, Voicit incorporates specific features to facilitate GDPR compliance:
1. Automatic data deletion with a configurable timeframe
With Voicit, you decide how long candidate data is kept. You can set a retention period (for example, 6 months, 1 year, or 2 years) and, once that period has elapsed, The data is automatically deleted without you having to remember or do it manually.
This directly addresses two GDPR obligations:
- Principle of limitation of the retention period (Art. 5.1.e): data is not stored longer than necessary.
- Right of erasure (Art. 17): Facilitates compliance by proactively removing data.
2. The data does not leave the European area
Voicit processes and stores data on servers located within the European Economic Area. This eliminates the need to manage international data transfers (Articles 44-49 GDPR), which require standard contractual clauses or other complex legal mechanisms.
For recruitment consultancies that handle sensitive candidate data, this represents a huge simplification compared to tools with servers in the United States.
3. Data Processor Agreement (Art. 28)
Voicit offers a formal data processing agreement in accordance with Article 28 of the GDPR, which details:
- What data is processed and for what purpose?
- The technical and organizational security measures applied
- The identification of sub-managers
- The commitment not to use the data for personal purposes
- The commitment that The data is not used to train AI models
📋 What to communicate to the candidate: the two layers of information
Article 13 of the GDPR requires informing the candidate before to start recording. For practical purposes, we recommend a two-layer system:
Layer 1: Brief notice before consent
This is what the candidate legally needs to know before giving their consent. It should be clear, concise, and cover the essential points. Here's a template you can adapt for your consultancy:
📄 Candidate notification template
To offer you the best experience during your interview, in [YOUR COMPANY NAME] We use technology that allows us to record and/or transcribe the conversation (telephone, face-to-face or video call) and process the information collected using the tool VOICIT (Voicit Technologies SL).
Basic information on Data Protection:
- Purpose: Optimize our selection processes and ensure accurate information gathering, allowing the consultant to focus on the conversation with you.
- Data processed: Recording of the interview and resume data, if provided.
- Prosecution: The collected data is analyzed with the assistance of artificial intelligence to facilitate the evaluation process. All results are reviewed by our team before any decisions are made.
- Legal basis: Your explicit and unambiguous consent (EU GDPR 2016/679 and LOPDGDD 3/2018). It is entirely voluntary. If you do not authorize it, the interview will be conducted with manual note-taking and your application will not be affected.
- Recipients: [YOUR COMPANY] (controller), Voicit Technologies SL (processor) and its technology providers. The contracting company receives only the report prepared by the consultant, never the recording. The data is not used for artificial intelligence training.
- Conservation: Your data will be kept for a maximum of [PERIOD, e.g., 2 years] from the end of the selection process. After this period, we will request your consent to retain it. If you do not respond or refuse, your data will be deleted.
- Responsible: [YOUR COMPANY] — [CONTACT EMAIL]
- Your rights: Access, rectification, erasure, objection, restriction, portability, and the right to no longer be subject to automated decisions, by writing to [EMAIL]. You can also file a complaint with the Spanish Data Protection Agency (AEPD).www.aepd.es).
Layer 2: Candidate FAQs (optional but recommended)
A FAQ document that candidates can access if they want more information. You can link to it at the end of the job posting or make it available on your website. These are the most frequently asked questions:
Why is the interview recorded and/or transcribed?
The interview is recorded and/or transcribed to maximize interview time by giving 100% of our attention to the interviewee and avoiding the distraction of manual note-taking. This allows us to delve deeper into their professional profile and access the information at any time.
What is Voicit?
Voicit Technologies SL is a Spanish artificial intelligence solution designed to facilitate the consultant's work during the selection process. It allows for the processing and analysis of collected information with AI assistance, providing agile and structured insights. All results are reviewed by the human team before any decisions are made.
How is my data used?
Your data is processed in strict compliance with the GDPR and is used exclusively for preparing professional reports about your application. It is not shared with third parties outside the selection process nor used for artificial intelligence training.
Who has access to the recording?
The recording is the exclusive property of the recruitment consultancy. Only the consultancy team has access to it, and Voicit Technologies SL, as the data processor, handles its technical processing. Neither the hiring company nor any third parties have access to the recording.
Does the end customer hear the voice of the person being interviewed?
No. The client receives a detailed and professional report prepared by the consulting firm. The recording is used solely to assist in drafting this report accurately, in order to present the application as truthfully and professionally as possible.
If I do not authorize the recording, will my candidacy be harmed?
No. Consent to record is free and voluntary. If consent is not given, manual notes will be taken. The technical and personal evaluation of the application remains unchanged.
✅ GDPR compliance checklist for recording interviews
Before recording your next interview or meeting, make sure you follow these five steps:
- Inform before recording: Inform the candidate what data you collect, why, who processes it, for how long, and what their rights are. Do this. before to start the recording, not during.
- Obtain express consent: It can be verbal (and recorded in the recording itself) or written. It always offers the option of manual note-taking without penalty.
- Sign contract Art. 28 with your supplier: If you use Voicit, Teams, Zoom, or any other tool, you need a data processing agreement that documents the obligations of each party.
- Configure data retention: It defines how long the recordings and transcripts are kept. With VoicitYou can configure automatic deletion for the period you need.
- Guaranteeing the candidate's rights: Have a clear process for handling requests for access, rectification, erasure, and portability. The legal deadline for responding is 30 days.
❓ Frequently asked questions about GDPR and recording interviews
Can I record a job interview without the candidate's consent?
In Spain, recording selection interviews requires the candidate's explicit consent (Art. 6.1.a GDPR). Without consent, the recording may be considered unlawful. The only exception would be an overriding legitimate interest of the data controller, but in recruitment contexts, consent is the safest and most recommended legal basis.
Is the automatic notification from Teams, Meet, or Zoom enough to comply with the GDPR?
No. The generic notice on these platforms ("this meeting is being recorded") does not comply with Article 13 of the GDPR, which requires information about the purpose of the processing, the legal basis, the recipients, the retention period, and the data subject's rights. You need to provide that information separately.
How long can I keep a recording of an interview?
The GDPR doesn't specify a particular timeframe, but it requires that data be kept only for as long as necessary for the purpose for which it was collected. In recruitment processes, this is typically between 6 months and 2 years. With Voicit, you can configure automatic deletion after a period of your choosing.
Do I need a special contract to use AI-powered transcription tools?
Yes. Any tool that processes personal data on your behalf is a data processor and requires a contract in accordance with Article 28 of the GDPR. This includes transcription tools, AI summarization tools, and interview analysis tools. Voicit provides this contract as standard to all companies upon request.
What happens if the recording data is processed outside of Europe?
International data transfers require additional safeguards under Articles 44-49 of the GDPR: standard contractual clauses, an adequacy decision by the European Commission, or binding corporate rules. Voicit eliminates this complexity by processing and storing data exclusively within the European Economic Area.
Can I use the interview recording to train an AI?
Not without specific consent for that purpose. The GDPR requires that data be used exclusively for the purpose communicated to the data subject. If you collected consent for "managing the selection process," you cannot use that data to train AI models. Voicit does not use its customers' data for artificial intelligence training.
Record GDPR-compliant interviews, hassle-free
Automatic deletion, data stored in Europe, and Article 28 contract included. Try Voicit free for 7 days.
If you want to learn more about how Voicit manages privacy and ethics in the use of AI for HR, we recommend our HR ethics guide in technologyAnd if you're interested in how to automate the generation of interview reports, check out our AI interview report guide.
You can also explore our recording guides by platform: Teams, Google Meet, Zoom and face-to-face meetings.
CEO and co-founder of VoicitWe help recruitment consultancies and HR teams record, transcribe, and analyze interviews with AI, complying with GDPR by design.