Recording a meeting in 2026 has rarely been more useful — and rarely more regulated. If your team operates in or sells into the EU, GDPR governs what you can record, how long you can keep it, and who must consent. This post is a practical guide for engineering leads, ops, and legal-adjacent buyers. It is not legal advice; check with counsel for anything specific.
The short version
GDPR doesn't ban recording. It requires a lawful basis and respect for data-subject rights. For internal meetings between employees of the same organisation, the calculus is usually straightforward. For meetings with external participants — customers, vendors, candidates — the bar is higher and most teams under-comply.
What GDPR actually says about recording
Three concepts cover almost every case:
1. Lawful basis
You can process personal data — and audio of a person speaking is personal data — only if you have a lawful basis. For meeting recording the practical options are consent (Article 6(1)(a)) and legitimate interest (Article 6(1)(f)). Consent is cleaner and harder to dispute; legitimate interest works for narrow operational uses but requires a documented assessment.
2. Transparency
Participants must be told you are recording, what you will use it for, how long you will keep it, and who can access it. 'This meeting is being recorded' is the floor, not the ceiling — your privacy policy or a one-page meeting notice should cover the rest.
3. Data-subject rights
Any participant can request a copy of the recording about them, ask for it to be deleted, or restrict its processing. Your tooling and process must let you act on these requests within a month.
Where most teams get it wrong
Recording without disclosing the AI summary
Teams sometimes tell participants 'this call is being recorded' but don't mention that an AI summary will be generated and stored. If the summary is the artefact that gets shared internally — which it usually is — that processing should be disclosed.
Treating the recording as eternal
If you keep meeting recordings indefinitely you're inviting trouble. Set a retention policy — 30, 60, 90 days — and have the tooling enforce it. Mavio defaults to 90 days; many teams set it to 30.
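As an added illustration of what "have the tooling enforce it" looks like in practice (hypothetical example code, not Mavio's own implementation), the script below runs the retention policy and the deletion-request queue in one pass: anything past the retention window is purged together with its derived transcript and AI summary, anything with an erasure request is purged regardless of age, and requests that have sat beyond the response deadline are flagged so the process failure is visible. The `Recording`, `ErasureRequest` and `plan_retention` names, the 30-day request deadline and the sample data are all constructed for this example.

```python
"""Retention enforcer (hypothetical example; not Mavio's code).

Given the recordings a team holds, the erasure requests it has received and a
retention policy in days, decide which recordings (and every derived artefact:
transcript, AI summary) must be deleted now, and flag erasure requests that have
sat past the response deadline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Recording:
    recording_id: str
    created_at: datetime
    # Derived artefacts that must be deleted together with the audio.
    artefacts: tuple = ("audio", "transcript", "summary")


@dataclass(frozen=True)
class ErasureRequest:
    recording_id: str
    received_at: datetime


def plan_retention(recordings, requests, now, retention_days=90,
                   request_deadline=timedelta(days=30)):
    """Return (deletions, overdue).

    deletions: one dict per recording to purge, naming the reason and the
               artefacts to remove (audio, transcript, summary together).
    overdue:   ids whose erasure request is older than request_deadline, i.e.
               the process has already missed its own response window.
    """
    pending = {r.recording_id: r for r in requests}
    deletions, overdue = [], []
    for rec in recordings:
        reason = None
        if rec.recording_id in pending:
            # An erasure request wins over the retention window.
            reason = "erasure_request"
            if now - pending[rec.recording_id].received_at > request_deadline:
                overdue.append(rec.recording_id)
        elif now - rec.created_at >= timedelta(days=retention_days):
            reason = "retention_expired"
        if reason:
            deletions.append({"recording_id": rec.recording_id,
                              "reason": reason,
                              "artefacts": list(rec.artefacts),
                              "decided_at": now.isoformat()})
    return deletions, overdue


def utc_day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data (not real recordings), evaluated as of 2026-03-01.
SAMPLE_RECORDINGS = [
    Recording("rec-A", utc_day(2025, 11, 1)),   # 120 days old: past 90-day policy
    Recording("rec-B", utc_day(2026, 2, 15)),   # 14 days old: keep
    Recording("rec-C", utc_day(2026, 2, 1)),    # erasure requested 1 day ago
    Recording("rec-D", utc_day(2026, 1, 20)),   # erasure requested 35 days ago
    Recording("rec-E", utc_day(2025, 12, 15)),  # 75 days old: keep under 90 days
]
SAMPLE_REQUESTS = [
    ErasureRequest("rec-C", utc_day(2026, 2, 28)),
    ErasureRequest("rec-D", utc_day(2026, 1, 25)),
]


def sample_plan(now=utc_day(2026, 3, 1), retention_days=90):
    return plan_retention(SAMPLE_RECORDINGS, SAMPLE_REQUESTS, now,
                          retention_days=retention_days)


if __name__ == "__main__":
    deletions, overdue = sample_plan()
    for d in deletions:
        print(f"delete {d['recording_id']} ({d['reason']}): "
              f"{', '.join(d['artefacts'])}")
    print("overdue erasure requests:", overdue)
```

The point of keeping the decision in one function is that the same run honours both the policy and the requests, and the `decided_at` field gives you the audit trail a data-subject (or a regulator) may later ask for. Lowering `retention_days` to 30 pulls the 75-day-old recording into the deletion set as well.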
Confusing the controller and the processor
Your meeting-recording vendor is a processor. You are the controller. You must have a data processing agreement (DPA) in place. Without it, you're technically non-compliant from the first call you record.
What to check on any vendor
Five questions for any tool you're evaluating:
- Where is the recording stored, and in what region? (For EU customers, EU storage simplifies a lot.)
- Is there a DPA available, and what does it say about sub-processors?
- How is data encrypted at rest and in transit?
- How are deletion requests honoured — and what is the maximum time to act?
- Is participant audio used to train models? (For most vendors the answer is 'no for paid customers'; verify in writing.)
What Mavio does
Briefly, for our customers:
- All recordings and transcripts are encrypted at rest (AES-256) and in transit (TLS 1.3).
- Storage is regional — EU data stays in the EU.
- Customer data is never used to train models.
- Configurable retention; deletion requests honoured within 24 hours.
- DPA available on request; reach out to support.
Full detail is in our security overview.
A note on consent at the meeting itself
If you record meetings with external participants, build the consent into the workflow. Two patterns that work:
- A line in the meeting invite: 'This meeting will be recorded and an AI-generated summary stored for 60 days. Reply to this invite or message the host if you'd prefer we don't.'
- A short opening: 'Quick note: I'm recording so I have notes — totally fine to ask me to pause. Anyone object?'
Both establish a clear opportunity to decline. Both are friendlier than a bot reading a notice.
Try Mavio
If you'd like to see how Mavio's controls work in practice — including the retention dial, the export view, and the per-meeting privacy toggle — start free.
