EU Recording Laws: GDPR, Consent Rules, and Country-by-Country Guide (2026)

Recording a phone call or in-person conversation anywhere in the European Union is never governed by just one law. Every EU country has its own criminal statute addressing wiretapping and eavesdropping, and those statutes vary widely. On top of that criminal layer sits the General Data Protection Regulation, which treats any voice recording of an identifiable person as personal data. Then there is the ePrivacy Directive, which imposes its own requirements on electronic communications.
The result is a compliance landscape that trips up individuals, businesses, and even seasoned lawyers. This guide breaks down how these three layers interact, maps which countries require consent from all parties versus just one, and covers the practical rules for workplace recording, business call recording, and cross-border situations.
The Three Legal Layers Governing Recording in Europe
Layer 1: National Criminal Law
Every EU member state has a criminal statute that addresses the recording or interception of private communications. These statutes were enacted independently, long before GDPR existed, and they reflect each country's own constitutional traditions around privacy.
Some countries, like Germany, treat recording without universal consent as a standalone criminal offense. Others, like the Netherlands and Italy, allow a participant to record their own conversations freely and only criminalize third-party interception.
This criminal layer is the first gate. If a recording violates the criminal statute of the country where it takes place, no amount of GDPR compliance will save you. Criminal liability comes first.
Layer 2: The ePrivacy Directive (2002/58/EC)
The ePrivacy Directive, adopted in 2002 and amended in 2009, specifically governs privacy in electronic communications. Article 5(1) of the directive prohibits listening, tapping, storage, or other kinds of interception or surveillance of communications without the consent of the users concerned.
There is an exception. Article 5(2) permits the recording of communications carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction. This is the provision that allows businesses to record customer service calls and sales conversations, provided they give notice.
The directive was supposed to be replaced by a comprehensive ePrivacy Regulation, first proposed in January 2017. After years of legislative deadlock, the European Commission formally withdrew the ePrivacy Regulation proposal in February 2025 as part of a broader push to reduce regulatory burden. The 2002 directive, as amended, remains in force.
Because the ePrivacy Directive is a directive rather than a regulation, each member state transposed it into national law differently. The result is 27 slightly different versions of the same underlying rules.
Layer 3: The General Data Protection Regulation (GDPR)
GDPR applies to any recording that captures the voice, image, or other personal data of an identifiable person. A voice recording of someone speaking is personal data. Full stop.
Under Article 6 of the GDPR, you need a lawful basis before you can process that personal data. The six possible bases are:
- Consent (Article 6(1)(a)): The person explicitly agrees to be recorded.
- Contract performance (Article 6(1)(b)): The recording is necessary to fulfill a contract with the person.
- Legal obligation (Article 6(1)(c)): A law requires you to record (such as MiFID II for financial services).
- Vital interests (Article 6(1)(d)): Recording is necessary to protect someone's life.
- Public interest (Article 6(1)(e)): Recording is necessary for a task carried out in the public interest.
- Legitimate interest (Article 6(1)(f)): You have a legitimate reason to record, and it does not override the person's rights.
On top of the lawful basis requirement, GDPR demands transparency (you must tell people you are recording), purpose limitation (you cannot repurpose recordings for something unrelated), data minimization (do not record more than you need), storage limitation (define and enforce retention periods), and security (protect the recordings from unauthorized access).
The Interaction Problem: Legal Recording That Violates GDPR
Here is where most people get tripped up. In a one-party consent country like the Netherlands, you can legally record a phone conversation you are part of without telling the other person. The criminal law is satisfied. But under GDPR, that recording still constitutes personal data processing, and you still need a lawful basis, a privacy notice, a retention policy, and adequate security measures.
So a recording can be perfectly legal under criminal law while simultaneously violating GDPR. The Danish Data Protection Authority drove this point home in a landmark 2019 ruling.
The Danish DPA Ruling on TDC (2019)
In April 2019, the Danish Data Protection Authority (Datatilsynet) ruled against TDC A/S, Denmark's largest telecommunications company, over its practice of recording customer service calls for training purposes.
TDC informed callers that calls "may be recorded" but offered no mechanism to opt in or opt out. When a customer specifically asked that their call not be recorded, the service agent said there was no way to turn off the recording.
The Datatilsynet held that TDC needed the customer's affirmative consent to record calls for training purposes. Training is not the same as contract performance or legal obligation. It does not fall under the business transaction exception in the ePrivacy Directive. TDC could not point to any other valid lawful basis under Article 6.
The ruling sent a clear message: simply telling people that calls "may be recorded" is not consent. Consent under GDPR must be freely given, specific, informed, and unambiguous. Passive acceptance is not enough.
The Polish UODO Ruling on Audio Surveillance (2022)
In 2022, Poland's data protection authority (UODO) fined the Warsaw Centre for Intoxicated Persons for recording audio through its surveillance system. The facility had installed cameras with microphones that captured sound continuously.
UODO found that the Centre could not invoke any legal basis under Article 6(1) of the GDPR for capturing audio. The regulations governing the Centre's activities authorized video surveillance but said nothing about recording sound. Without a legal basis in national law, the audio recording constituted unlawful personal data processing.
The fine was PLN 10,000 (roughly EUR 2,200), modest in size but significant in principle. The ruling confirmed that audio recording requires its own distinct legal basis, separate from any authorization for video surveillance. You cannot simply add microphones to a camera system and assume the same legal basis covers both.
One-Party vs. All-Party Consent: The EU Country Map
The most fundamental question in any recording scenario is whether the country's criminal law requires consent from all parties or just one. Here is how EU and closely associated European countries currently split.
One-Party Consent Countries
In these countries, a participant in a conversation may record it without notifying or obtaining consent from the other parties, at least under the criminal wiretapping statute. GDPR obligations still apply separately.
Belgium. Article 314bis of the Belgian Criminal Code prohibits eavesdropping and recording conversations that the recording party is not part of. But if you are a participant, you may record without informing the other parties. The criminal prohibition targets third-party interception, not participant recording.
Netherlands. Section 139a of the Dutch Criminal Code makes it illegal to record or eavesdrop on a conversation in a dwelling or enclosed room using a technical device if you are not an active participant. Participants may record freely. You may even instruct someone else to record a conversation you are part of.
Italy. Italian law permits participants to record conversations without notifying others, particularly for legal protection. Third-party interception without judicial authorization is a criminal offense. For business contexts, GDPR disclosure obligations apply.
Poland. Under Article 267 of the Polish Penal Code, recording a private conversation is lawful when the recorder is a participant. No consent from the other party is needed. The statute criminalizes only unauthorized acquisition of information by third parties who are not part of the conversation.
Spain. Spanish law permits a participant to record a conversation for their own purposes. The Constitutional Court has upheld the legality of participant recording in multiple rulings. However, businesses must comply with both the LOPD (Organic Law on Data Protection) and GDPR transparency requirements.
Sweden. Swedish law allows any active participant to record a conversation. Recording private conversations you are not part of, or accessing them without authorization, is prohibited. The freedom to record your own conversations is well established in Swedish jurisprudence.
Denmark. Danish criminal law permits one-party consent for personal recording. An individual who is part of a conversation may record it. However, the 2019 Datatilsynet ruling on TDC demonstrated that businesses face additional GDPR requirements even in this one-party consent framework.
Finland. Finland's Constitution grants citizens the right to record their own communications, and the Criminal Code does not criminalize participant recording. Private individuals may record calls without informing the other party. Employers, however, must notify employees before recording workplace calls.
Ireland. Irish criminal law does not explicitly criminalize a participant recording their own conversation. The Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 targets third-party interception by non-participants. For personal recording, Ireland functions as a single-party consent jurisdiction, though GDPR and constitutional privacy rights impose additional considerations for business use.
All-Party Consent Countries
In these countries, recording without the consent of all parties can carry criminal penalties, even for participants in the conversation.
Germany. Section 201 of the German Criminal Code (StGB) makes it a criminal offense to record the privately spoken words of another person without their authorization. This applies even if you are a participant in the conversation. Penalties reach up to three years in prison, or up to five years for public officials. Limited exceptions exist for self-defense (Section 32 StGB) and necessity (Section 34 StGB), but these are narrow.
France. Article 226-1 of the Code pénal prohibits capturing, recording, or transmitting words spoken in private or confidential circumstances without the consent of the speaker. Penalties include up to one year in prison and a EUR 45,000 fine, rising to two years if the offender is a spouse or civil partner. Consent may be presumed if the recording is carried out openly and the other party does not object while having the opportunity to do so.
Austria. Section 120 of the Austrian Criminal Code addresses the use of listening devices and unauthorized recording of confidential communications. Recording without consent from all parties can constitute a criminal offense. Austrian courts have, however, sometimes admitted illegally obtained recordings as evidence in civil proceedings, creating a tension between the criminal prohibition and the rules of evidence.
Greece. Article 370A of the Greek Penal Code criminalizes recording the content of a telephone conversation or non-public oral conversation without the explicit consent of the other party. The consent must be express, not merely implied. Penalties range from 10 days to 5 years imprisonment.
Portugal. Articles 190 through 194 of the Portuguese Penal Code criminalize unauthorized recording, dissemination of private communications, and breach of confidentiality. Recording a private conversation without consent from all parties can constitute a violation, and recordings obtained this way face restrictions on admissibility as evidence.
Switzerland. Although not an EU member, Switzerland participates in the Schengen Area and closely aligns its data protection rules with GDPR through the revised Federal Act on Data Protection (revFADP). Articles 179bis and 179ter of the Swiss Criminal Code make it an offense to record a private conversation even as a participant without the consent of all involved. A limited exception exists for recordings of calls with emergency services and for routine business transaction recordings.
Cyprus. The Supreme Court of Cyprus held in Georghiades (1982) that tape recordings of private conversations without consent from all parties violate constitutional protections under Articles 15 and 17 of the Cypriot Constitution, which guarantee privacy and the secrecy of communications. Such recordings are also inadmissible as evidence.
GDPR Lawful Basis for Recording: Consent vs. Legitimate Interest
The two lawful bases most commonly invoked for recording are consent and legitimate interest. They work very differently in practice.
Consent (Article 6(1)(a))
Consent is the cleanest legal basis, but it is also the hardest to maintain. Under GDPR, consent must be:
- Freely given: The person must have a genuine choice. If refusing to be recorded means they cannot access a service, the consent is not freely given.
- Specific: Generic "your call may be recorded" statements are not specific enough. You must explain what you are recording and why.
- Informed: The person must understand who is recording, for what purpose, how long the recording will be kept, and what their rights are.
- Unambiguous: Silence, pre-ticked boxes, or continued participation in a call do not constitute consent. The person must take a clear affirmative action.
Consent can also be withdrawn at any time, and you must make withdrawal as easy as giving consent. If a caller says "stop recording," you need the technical ability to comply.
Legitimate Interest (Article 6(1)(f))
Legitimate interest allows recording without explicit consent, but it requires a documented balancing test. The European Data Protection Board's Guidelines 1/2024 on legitimate interest lay out a three-part assessment:
- Purpose test: Is there a legitimate interest being pursued? Fraud prevention, quality assurance, and evidence of transactions can qualify.
- Necessity test: Is recording actually necessary for that purpose, or could a less intrusive method achieve the same result?
- Balancing test: Do the interests, rights, and freedoms of the recorded person override your legitimate interest?
Legitimate interest does not eliminate the transparency requirement. Even when relying on this basis, you must inform people that recording is taking place. The difference is that you do not need their affirmative agreement.
For most business call recording, legitimate interest is the more practical basis. But the Danish TDC ruling shows that regulators will scrutinize whether the specific purpose actually qualifies. Training and quality improvement alone may not be enough without consent.
Workplace Recording and Employee Monitoring
Recording employees at work is one of the most heavily regulated areas in EU data protection law. The GDPR, national labor laws, and guidance from the European Court of Human Rights all constrain what employers can do.
General Principles
GDPR does not ban workplace recording outright, but it imposes strict conditions. Employers must demonstrate that any monitoring is:
- Strictly necessary for a specific, documented purpose
- Proportionate to the goal being pursued
- Transparent to employees, with clear written policies
- Subject to a Data Protection Impact Assessment (DPIA) when likely to result in high risk to employees' rights
In 2026, EU regulators increasingly focus on proportionality. Enforcement actions examine whether less intrusive alternatives were considered and rejected, not just whether the employer had a legitimate purpose.
Country-Specific Rules
Germany imposes some of the strictest workplace monitoring rules in Europe. Employers must obtain written consent before tracking emails, internet usage, or computer activity. Covert surveillance is almost always illegal. Works councils have co-determination rights over any monitoring measures, meaning employers cannot implement them unilaterally.
France requires employers to inform employees in writing before using monitoring software or workplace cameras. Hidden cameras are prohibited. The CNIL (France's DPA) has issued detailed guidance on proportionality in workplace surveillance.
Finland enacted a specific law on the protection of privacy in working life (Laki yksityisyyden suojasta työelämässä) that restricts the monitoring of employees' communications. Employers may monitor the flow of communications (metadata) in limited circumstances but may not access the content of personal messages.
Audio Recording in the Workplace
Continuous audio recording of a workplace is almost never permissible. The Polish UODO's 2022 ruling against the Warsaw Centre for Intoxicated Persons reinforced this principle. Even in facilities with a legitimate need for video surveillance, adding audio capture requires a separate and independently justified legal basis.
Recording specific business calls is a different matter. If an employee's role involves telephone sales, customer service, or financial transactions, recording those calls can be justified under legitimate interest or regulatory obligation. But the recording must be limited to business calls, not personal conversations, and employees must be informed of the practice.
Business Call Recording and Regulatory Obligations
The ePrivacy Business Exception
Article 5(2) of the ePrivacy Directive permits recording in the course of lawful business practice for the purpose of providing evidence of a commercial transaction. This is the legal foundation for the familiar "this call may be recorded for quality and training purposes" announcement.
But the exception is narrower than most businesses assume. It covers recording for evidence of commercial transactions. It does not automatically extend to recording for training, quality monitoring, or market research. Those purposes may require a separate lawful basis under GDPR.
MiFID II: Mandatory Recording for Financial Services
The Markets in Financial Instruments Directive II (MiFID II), in force since January 2018, requires financial institutions to record all communications that are intended to lead to a transaction. This includes telephone conversations, video calls, and electronic messages.
Recordings must be retained for a minimum of five years. Customers must be notified that their interactions are being recorded. Firms must conduct risk-based monitoring of recorded calls to ensure compliance.
For banks, brokerages, and other MiFID II-regulated entities, this regulatory obligation provides a clear lawful basis under GDPR Article 6(1)(c) (legal obligation). The tension between recording requirements and data protection rules is resolved because EU law itself mandates the recording.
Practical Compliance for Business Recording
Any business recording calls in the EU should take these steps:
- State the purpose upfront: At the start of every recorded call, inform the other party that the call is being recorded and explain why. "This call is recorded for evidence of our agreement" is better than "calls may be recorded for quality purposes."
- Offer an alternative: Where consent is the lawful basis, provide a way for the person to decline recording and still complete their transaction through another channel.
- Limit retention: Define how long recordings are kept and enforce automated deletion. Retaining recordings indefinitely is a GDPR violation regardless of how they were obtained.
- Restrict access: Only authorized personnel should be able to access recordings. Maintain access logs.
- Conduct a DPIA: For systematic or large-scale call recording, a Data Protection Impact Assessment is required under GDPR Article 35.
Cross-Border Recording Challenges
When a phone call crosses national borders within the EU, the legal picture becomes significantly more complicated.
Which Country's Law Applies?
There is no single rule that definitively answers this question for criminal wiretapping statutes. In practice, both countries' laws may apply simultaneously. A call between a person in the Netherlands (one-party consent) and a person in Germany (all-party consent) potentially engages the criminal law of both jurisdictions.
The safest approach is to comply with the stricter of the two countries' requirements. In the Netherlands-Germany example, that means treating the call as if all-party consent is required.
GDPR Territorial Scope
For GDPR purposes, Article 3 establishes that the regulation applies to processing carried out in the context of the activities of an establishment in the EU, regardless of where the processing takes place. It also applies when personal data of individuals in the EU is processed by a controller outside the EU who offers goods or services to, or monitors the behavior of, EU residents.
When cross-border processing involves multiple EU establishments, the GDPR's lead supervisory authority mechanism (Articles 56 and 60) determines which DPA takes the lead. The DPA of the main establishment serves as lead authority. In November 2025, the EU Council adopted new rules to speed up handling of cross-border data protection complaints, addressing longstanding frustrations with the coordination process.
Practical Implications
For multinational companies operating call centers or conducting sales calls across EU borders, the practical consequence is this: you need a recording policy that satisfies the most restrictive jurisdiction you operate in. If your call center agents phone customers in Germany, France, and Austria, your policy must comply with all-party consent requirements, full GDPR transparency obligations, and applicable ePrivacy transpositions in each country.
Companies that try to apply a single, lowest-common-denominator policy based on their home country's more permissive rules routinely face enforcement action when they record calls involving residents of stricter jurisdictions.
Member State Derogations Under GDPR
GDPR is not a perfectly uniform law. Several articles allow member states to create their own derogations, and these directly affect recording scenarios.
Article 85: Freedom of Expression and Journalism
Article 85 requires member states to reconcile data protection with freedom of expression and information, including processing for journalistic purposes. Member states may provide exemptions from specified GDPR chapters for journalistic, academic, artistic, or literary expression.
The implementation varies widely. Some countries give broad protection to journalistic recordings, while others limit the exemption to narrow circumstances. The Court of Justice of the EU has defined "journalistic activities" expansively to include any activity with the purpose of disclosing information, opinions, or ideas to the public.
For journalists, this means the legality of recording a source without consent depends heavily on which country they are in and how that country transposed Article 85.
Article 23: Restrictions on Data Subject Rights
Article 23 permits member states to restrict the scope of certain data subject rights when necessary for national security, defense, public security, or the prevention and investigation of crime. This allows national law enforcement to conduct recorded surveillance under judicial authorization without full GDPR compliance.
Sector-Specific Derogations
Several member states have enacted sector-specific rules that modify the general recording framework. Germany's Telecommunications-Telemedia Data Protection Act (TDDDG) transposes ePrivacy requirements into national law with German-specific additions. France's CNIL has issued detailed sector guidance for healthcare call recording, financial services recording, and public sector recording.
What Happens When You Get It Wrong
The consequences of unlawful recording in the EU can be severe and can come from multiple directions simultaneously.
Criminal prosecution. In all-party consent countries, recording without consent is a criminal offense. Germany's Section 201 StGB carries up to three years in prison. France's Article 226-1 carries up to one year plus a EUR 45,000 fine. Greece's Article 370A can result in up to five years.
GDPR fines. DPAs can impose fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher. While recording violations have not yet attracted the largest GDPR fines, the Polish UODO's audio surveillance ruling shows that DPAs are willing to act.
Civil liability. Individuals whose recordings were obtained unlawfully can seek damages through civil courts. In many jurisdictions, unlawfully obtained recordings are also inadmissible as evidence, which can undermine the very purpose for which they were made.
Reputational damage. Data protection violations are increasingly reported in mainstream media, and consumer awareness of recording rights continues to grow across Europe.