GDPR and AI transcription: what is allowed, and what is not?

A practical guide for legal professionals, researchers and HR teams: how to process sensitive recordings in a GDPR-compliant way under Dutch law.

GDPR & Privacy | 22 March 2026 | 8 min read | Team ForgetLess

The GDPR and AI transcription

When you record a conversation and transcribe it, you are processing personal data — and often special category data (health, religion, sexual orientation). The GDPR sets strict requirements for how you handle this. ForgetLess is based in the Netherlands, so the Dutch implementation of the GDPR (UAVG) and Dutch supervision by the Autoriteit Persoonsgegevens apply.

This article covers the practical questions we get asked most.

When are you allowed to record a conversation?

Dutch law distinguishes between two situations:

You are a participant in the conversation

  • You may record, even without explicit consent from the other participant
  • You may not publish or share the recording without consent
  • In professional contexts (HR meetings, client meetings) we strongly recommend informing the other side in advance

You record without being a participant yourself

  • This is in principle a criminal offence under Article 139a of the Dutch Criminal Code (Wetboek van Strafrecht), unless you have explicit consent from every participant
  • For academic research there is an exception if you hold an ethics-committee approval

The GDPR requires a legal basis to process personal data. The most common ones:

  • Consent — clearly requested, freely given, and revocable
  • Performance of a contract — for example client meetings at a law firm
  • Legal obligation — rarely applies to transcription
  • Legitimate interest — must be weighed carefully against the privacy impact

For sensitive conversations (health, legal, financial), explicit consent is almost always the safest route.

Data Processing Agreement (DPA)

When you use an external transcription service like ForgetLess, we are a processor and you are the controller. You need a Data Processing Agreement.

  • Our standard DPA is available on request at [email protected]
  • We process on EU servers (Frankfurt region)
  • Audio is automatically deleted after a configurable retention period
  • Transcripts are encrypted at rest (AES-256) and in transit (TLS 1.3)

Retention periods

The GDPR requires: do not keep data longer than necessary. Our recommendation per use case:

  • Journalism — until publication plus 2 years for accountability
  • Research — depends on protocol; often until publication plus 10 years
  • Legal — depends on the case; often 5–7 years in line with the Dutch Bar (NOvA) guidelines
  • HR — up to 2 years after the end of employment

Within ForgetLess you can set an audio retention period per transcript.

Rights of data subjects

Anyone appearing in a recording has rights:

  • Access — request a copy of the transcript
  • Rectification — have incorrect information corrected
  • Erasure — the "right to be forgotten"
  • Objection — to the processing

These rights also apply to transcripts you create via ForgetLess. We support you with data export and deletion features.

Practical checklist

For every transcription workflow:

  • Do you have a valid legal basis (often consent)?
  • Do you have a DPA with your transcription service?
  • Are you keeping data no longer than necessary?
  • Can you let data subjects exercise their rights?
  • Have you carried out a DPIA for sensitive situations?

Disclaimer

This article is intended as a general guide and is not legal advice. For specific situations — particularly involving sensitive data — we strongly recommend consulting a DPO or qualified lawyer.

Questions about our privacy or security?
We’re happy to help. Email us at [email protected].