Recording sales calls: what GDPR actually requires

The question 'can I record the sales call?' feels like one question, but it's really two. One is whether the recording itself is allowed. The other is what you're then permitted to do with it. They're answered by different laws, and almost all the confusion around the topic comes from lumping them together. This is an overview, not legal advice — but the principles are simpler than they're often made out to be.

Two laws, not one

The fact that it's lawful to hit record doesn't mean it's a free-for-all to store and analyze what you recorded. The first question is governed by the Criminal Code, the second by the GDPR. You can have every right to record a call you're part of, and still breach GDPR in how your company handles the file afterward. Keep the two apart and the rest becomes clear.

Recording: allowed if you're a participant

The Swedish Criminal Code's rule on unlawful eavesdropping (Chapter 4, Section 9 a) targets someone who secretly records or listens to a conversation they are not themselves part of. The decisive point is participation: a party to the conversation who records it does not commit unlawful eavesdropping. As a rep, you may therefore record your own customer calls without breaching that provision. But note this is only the criminal-law layer — it says nothing about what the company may do with the recording afterward.

Storing and analyzing: now GDPR wakes up

A recording in which an identifiable person can be heard is personal data. Recording, storing and AI-analyzing it is processing of personal data, and that requires a lawful basis under GDPR Article 6 — usually either consent or a so-called legitimate interest. On top of that comes the duty to inform in Article 13: you have to tell the recorded person who's processing the data, for what purpose, on what basis and for how long it's kept. Article 5 adds data minimization and storage limitation: don't keep more, or longer, than the purpose requires.

What the Swedish regulator has actually said

Sweden's data protection authority, IMY, examined how Telia and Tele2 recorded customer-service calls back in 2016. The conclusion is instructive: recording for training and quality assurance can rest on legitimate interest, but the companies were ordered either to stop recording or to inform customers better, because the information given was insufficient. In other words — the basis was there, but the transparency failed. That's the most common trap: companies sort out the lawful basis and forget to clearly tell the other party the call is being recorded.

Consent is often a weaker basis than people think

Many assume you just need to ask 'is it okay if I record?' and get a yes. IMY is clear that consent must be a genuinely free choice to be valid. In situations of imbalance — for example employer toward employee — consent is often not even a suitable basis. It gets especially sensitive when it's your own reps' calls being recorded and scored: an employee asked to consent to being monitored is rarely in a free position. There, a documented legitimate interest is usually a more stable route than a forced yes.

The hidden risk: special-category data

You don't control what the customer says. If someone mentions illness, union membership, religion or political opinion during the call, the recording has suddenly captured special-category data, which under Article 9 is, as a rule, prohibited to process without a specific exception. It's a hard-to-predict risk precisely because it arises from a sentence the customer happens to drop, not from anything you planned. A synthetic practice counterpart has no private life to accidentally reveal.

Sensible practice, consistent with IMY

• Inform the other party that the call is being recorded, and why — transparency is exactly what IMY's decision turned on.
• Document your lawful basis, and run a balancing test if you're relying on legitimate interest.
• Limit the retention period and delete once the purpose is met.
• Minimize and restrict access — only those who need the recordings should be able to reach them.

The way around the whole question: practice against an AI persona

There's a way to train sales calls that never lands in the recording question at all: practicing against an AI counterpart instead of recording real customers. GDPR only applies to personal data about real, identifiable people — under Recital 26, information that doesn't relate to an identifiable natural person is out of scope. A practice run against an invented persona has no real customer on the other end, so the entire chain of lawful basis, notice, retention and special-category data on the customer side falls away.

One honest caveat: this removes the customer-side recording problem, not the employer's obligations. If you score the rep's own performance, that's still personal data about a real employee, and GDPR applies there as usual. But the sensitive part — recording and storing the real customer call — disappears. If you want to examine your specific setup, a data protection officer or lawyer should look at it; if you just want to train the conversations without amassing real recordings, the synthetic route is the simplest.