By Sagar Shankaran, Founder of CallSphere
How GDPR Article 6 lawful bases interact with call recording, why voiceprints are biometric data, and what the EU AI Act August 2026 milestones mean for emotion detection on calls.
Key takeaways
Under the GDPR, recording an EU resident's call is processing personal data; under the EU AI Act, the moment your model identifies the speaker by voice it is processing biometric data. As of August 2, 2026, AI emotion inference in employment contexts becomes prohibited. AI voice operators must redesign or document around both.
flowchart LR
Phone["PSTN caller"] --> Carrier["Carrier"]
Carrier -- "SIP INVITE" --> SBC["Session Border Controller"]
SBC -- "SIP" --> PBX["Twilio / Asterisk"]
PBX -- "RTP · Opus" --> Bridge["AI Voice Gateway"]
Bridge --> AI["OpenAI Realtime"]
AI --> Bridge
Bridge --> PBX

Three instruments stack here. The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) governs personal data processing across the EU; voice is personal data. Article 6 requires a lawful basis for any processing: consent, contract, legal obligation, vital interest, public task, or legitimate interests. Article 9 elevates "biometric data for the purpose of uniquely identifying a natural person" to special-category data, requiring explicit consent or another Article 9(2) condition. The ePrivacy Directive 2002/58/EC and its national implementations require consent for many forms of communications-related processing. The EU AI Act (Regulation (EU) 2024/1689) entered into force August 1, 2024, with prohibition provisions applicable February 2, 2025, and most general-purpose AI obligations applicable August 2, 2026. Article 5(1)(f) prohibits AI systems that infer emotions in workplace and education contexts from biometric data.
A voice call recording in the EU needs a clear lawful basis. For most B2C use cases this is consent (explicit, freely given, specific, informed, unambiguous, withdrawable). For B2B you can sometimes rely on legitimate interests with a documented LIA (legitimate interest assessment), but recording always shifts the balance toward consent.
If your AI uses speaker diarization or speaker recognition that creates a "voiceprint" linkable to an individual, that is biometric processing under Article 9. You need explicit consent (Article 9(2)(a)) or another Article 9 condition. A simple "by continuing this call you consent to recording" notice does not cover voiceprint creation; the consent must specifically describe biometric processing.
If your AI infers stress, sentiment, or emotion from voice features in an employment or education context (call center monitoring of agents, student tutoring), the EU AI Act prohibits that as of August 2, 2026. Customer-side emotion inference (detecting an angry caller to escalate) is not in the prohibited list but is high-risk and triggers the EU AI Act's high-risk obligations: risk management, data governance, transparency, human oversight, conformity assessment.
Cross-border data transfers (EU to US AI models) need an adequacy decision (the EU-US Data Privacy Framework) or Standard Contractual Clauses plus a transfer impact assessment.
CallSphere offers an EU-residency mode for tenants who require it: Twilio voice routing through EU regions, recording storage in EU buckets, and AI processing through EU-region OpenAI endpoints where available. We capture explicit consent at call start with a localized disclosure ("This call is being recorded by an automated assistant; data is processed under our privacy policy. Press 9 to opt out of recording."). Healthcare AI is HIPAA-aligned for the US and ships a parallel GDPR Article 9 explicit-consent flow for EU clinics. We do not run emotion-inference models on agent-monitoring use cases. The Sales product surfaces caller-sentiment cues to the human only after a documented legitimate interest assessment per tenant. The platform (6 verticals, 50+ businesses, 4.8/5 rating) gives EU customers a 14-day trial that respects DPA execution and Schrems II transfer mapping.
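A fail-closed gate for the rules this section describes, placed where the AI Voice Gateway would decide what may run on a call. This is an added example, not CallSphere's code; `CallState`, its fields, the region labels and `allowed_processing` are hypothetical names.

```python
from dataclasses import dataclass
from enum import Enum

class Context(Enum):
    CUSTOMER = "customer"      # caller-side processing
    EMPLOYMENT = "employment"  # e.g. monitoring call-center agents
    EDUCATION = "education"    # e.g. student tutoring

@dataclass(frozen=True)
class CallState:               # hypothetical per-call record, not a real API
    context: Context
    disclosure_played: bool = False   # recording notice played at call start
    dtmf_digits: str = ""             # keys pressed after the disclosure
    biometric_consent: bool = False   # separate, explicit Article 9(2)(a) consent
    lia_documented: bool = False      # tenant LIA on file for sentiment cues
    eu_residency: bool = False        # tenant requires EU-only processing
    region: str = ""                  # constructed region label, e.g. "eu-west"

OPT_OUT_DIGIT = "9"  # from the page's sample disclosure text

def allowed_processing(call: CallState) -> dict:
    """Decide which steps may run; anything not positively permitted is denied."""
    out = {"record": False, "voiceprint": False, "emotion": False,
           "high_risk": False, "reasons": []}
    if call.eu_residency and not call.region.startswith("eu-"):
        out["reasons"].append("EU-residency tenant routed to non-EU region")
        return out  # fail closed: no processing on a non-EU endpoint
    if not call.disclosure_played:
        out["reasons"].append("no disclosure played")
        return out
    if OPT_OUT_DIGIT in call.dtmf_digits:
        out["reasons"].append("caller opted out of recording")
    else:
        out["record"] = True
    # The recording notice never implies consent to voiceprint creation.
    if call.biometric_consent:
        out["voiceprint"] = True
    else:
        out["reasons"].append("no explicit biometric consent")
    if call.context in (Context.EMPLOYMENT, Context.EDUCATION):
        out["reasons"].append("emotion inference prohibited in this context")
    elif call.lia_documented:
        out["emotion"] = True
        out["high_risk"] = True  # customer-side inference carries high-risk duties
    else:
        out["reasons"].append("no documented LIA for sentiment cues")
    return out
```

Logging the `reasons` list alongside each call gives an audit trail of why a processing step was skipped.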
Is one-party consent legal in the EU? Generally no. Most EU member states default to all-party consent for call recording, with narrow exceptions for legitimate interests. Consent at call start is the safe path.
Can I keep call recordings forever? No. GDPR storage limitation (Article 5(1)(e)) requires you to keep data only as long as necessary. Define a retention period per use case; 30-90 days for transcripts is typical, longer with documented justification.
What about "transcribe but don't store audio"? That is data minimization done well. Transcripts are still personal data, but the privacy and storage costs drop dramatically.
Are voiceprints always Article 9 biometric data? Only when used "for the purpose of uniquely identifying a natural person." If you only do diarization (separating speakers within one call) without identifying them across calls, courts have suggested that may not always be Article 9. Conservative path: treat any voiceprint as Article 9.
What is the AI Act fine for emotion inference in the workplace? Up to €35M or 7% of global turnover for prohibited-use violations.
Sagar Shankaran is the founder of CallSphere, where he builds production AI voice and chat agents deployed across healthcare, hospitality, real estate, and home services. He writes about agentic AI, LLM engineering, and shipping voice agents that handle real calls in production.
© 2026 CallSphere LLC. All rights reserved.