It depends on the country.

Many EU countries have laws that address whether a company can record a call without obtaining the consent of the caller. For example, Germany has long required that consent from the caller be obtained before you can record the call. Failure to obtain consent may constitute a criminal offense under German law. Before the General European Data Protection Act (GDPR) took effect, in many EU countries it was sufficient to inform the caller at the beginning of the call that the call may be recorded, and consent was assumed if the caller continued with the call.

However, the GDPR changed what it means to get consent when you are collecting personal data, which includes the contents of a phone call. Specifically, Article 7 requires that consent be freely given, specific, informed, and unambiguous. This means that, for countries that require consent before recording a call, it is no longer sufficient to take the old approach of assuming consent. Now, companies must announce that the call is being recorded and identify the specific purpose for the recording. Companies should have the caller press a button or otherwise confirm that they provide their consent. If they do not want to have the call recorded, they should be given the right to opt out, i.e., if they don’t press the button, they can still proceed with the call.

The Dutch Data Protection Authority issued a decision last year ordering a company to stop recording calls without first obtaining the users’ affirmative consent and giving them the right to stop the recording but continue the call. While the company was not fined for this practice, it is possible that GDPR fines could be imposed, along with other fines for violating a country’s laws on consent to recordings.

Note, however, that consent under the GDPR is required only if the country requires consent to record the call (i.e., consent must be the legal basis for processing the personal data). Not all countries in the EU require consent. For example, in the United Kingdom (which is still following the GDPR post-Brexit), consent is not required provided that certain lawful monitoring conditions are met. Accordingly, assuming the company can satisfy another legal basis for processing (e.g., legitimate interest in training employees and monitoring customer interactions to ensure quality), then you do not need to follow the steps outlined above.

Note as well that certain laws may require that calls be recorded for certain regulated industries, like financial institutions. If that is the case, then consent is not required as the legal basis for processing, since the legal basis would be to comply with law. If your company is in a regulated industry, you should research whether any laws require you to record customer calls.

The net result is that most companies who do business in multiple countries throughout the EU and want to record customer service calls may want to err on the side of caution and take specialist local advice to confirm if they need to obtain affirmative GDPR-standard consent or whether they can rely on an alternative, less onerous approach.