How long must recorded calls be kept?
Published: June 24, 2026
One of the most common questions when introducing call recording is: how long must the recordings be kept? The answer is not uniform — the retention period depends on the legal basis applied, the industry and the content of the particular call. This article summarises the retention periods under the current rules, the principle of data minimisation and the practical aspects of secure storage.
Legal notice: This article is for information only and does not constitute legal advice. For specific cases, involving a data protection expert or lawyer is strongly recommended.
Why does the retention period matter?
One of the core principles of the GDPR is data minimisation (Article 5(1)(e)): personal data may be stored only for as long as the purpose of processing justifies. This means that:
- recordings must not be kept for an unjustifiably long time (privacy protection, storage cost),
- but they must not be deleted prematurely either — especially when a recording may serve as evidence (e.g. a consumer complaint, an employment dispute, litigation).
The balance is determined by the legal basis and the circumstances of the specific case.
Retention periods by legal basis
Customer-service calls under Section 17/B of the Fgytv.
Customer-service calls recorded under the Consumer Protection Act must, under the current rules, be kept for at least 5 years. This is the mandatory minimum — if the call also falls under another statute (e.g. accounting or anti-money-laundering rules), the longer period set there prevails.
Calls recorded for quality assurance and training
If recording is done solely for internal quality assurance or staff development (legal basis: legitimate interest), the retention period can be shorter — generally 30–90 days is enough, unless a specific recording requires longer storage for a concrete reason.
Calls recorded for dispute and complaint handling
Calls involving a customer complaint are best retained beyond the closure of the complaint — generally the civil-law limitation period (5 years) applies, but depending on the nature of the dispute an agreement between the parties or a court decision may justify longer retention.
Financial and insurance sector
In the financial sector (investment service providers, insurers) sector-specific rules may prescribe a 5–7 year retention obligation — affected businesses should involve a sector-specific lawyer.
Applying data minimisation in practice
The GDPR not only limits the length of storage but also requires that we do not record more than necessary. Practical considerations:
- Purpose limitation: for every recorded call, document the purpose and legal basis of recording.
- Automatic deletion: it is recommended to introduce a retention policy that deletes recordings automatically, without human intervention, when the retention period expires.
- Partial deletion: some systems make it possible to remove only payment-card data or other sensitive parts of a recording (using a pause-resume function) while keeping the rest.
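The sketch below is an added example, not code from any product mentioned in this article. It shows how an automatic deletion job can derive each recording's deletion date from its documented purposes, letting the longest applicable period prevail. The purpose names, the `on_hold` flag and counting from the recording date are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Periods from this article; purpose names and start date are assumptions.
POLICY = {
    "customer_service": ("years", 5),   # Fgytv. 17/B minimum
    "complaint": ("years", 5),          # civil-law limitation period
    "quality_assurance": ("days", 90),  # upper end of the 30-90 day range
}

@dataclass
class Recording:
    rec_id: str
    recorded_on: date
    purposes: frozenset      # every documented purpose of the recording
    on_hold: bool = False    # hypothetical flag: open dispute, never auto-delete

def _expiry(start, unit, n):
    if unit == "days":
        return start + timedelta(days=n)
    try:
        return start.replace(year=start.year + n)
    except ValueError:       # 29 February into a non-leap year
        return start.replace(year=start.year + n, day=28)

def delete_after(rec):
    """Last day of retention: the longest period among the recording's purposes."""
    if rec.on_hold:
        return None
    if not rec.purposes or not rec.purposes.issubset(POLICY):
        raise ValueError(f"{rec.rec_id}: missing or undocumented purpose")
    return max(_expiry(rec.recorded_on, *POLICY[p]) for p in rec.purposes)

def deletion_run(recordings, today, actor="retention-job"):
    """Deletion-log entries (what, when, who) for every expired recording."""
    log = []
    for rec in recordings:
        limit = delete_after(rec)
        if limit is not None and today > limit:
            log.append({"rec_id": rec.rec_id, "deleted_on": today.isoformat(),
                        "retention_ended": limit.isoformat(), "actor": actor})
    return log

# Constructed sample data, not real recordings.
SAMPLE = [
    Recording("r1", date(2026, 1, 10), frozenset({"quality_assurance"})),
    Recording("r2", date(2026, 1, 10), frozenset({"quality_assurance", "customer_service"})),
    Recording("r3", date(2024, 2, 29), frozenset({"complaint"})),
    Recording("r4", date(2020, 3, 1), frozenset({"customer_service"}), on_hold=True),
]
```

A recording with no documented purpose raises an error instead of being silently kept or deleted, which enforces the purpose-limitation item above.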
Secure storage: technical requirements
Based on GDPR Article 32 and data protection principles, the call-recording system's security should meet the following minimum requirements.
Encryption
- Data at rest: AES-256 or equivalent encryption on the disks and databases that store the recordings.
- In transit: TLS 1.2 or newer on all connections (web interface, SFTP download, API access).
Access control
- Role-based permissions: only the manager responsible for the given area or a quality-assurance staff member may access the calls.
- Two-factor authentication (2FA) for accounts with access to the call archive.
- Intrusion detection: alerts on unusual access patterns.
Logging and auditability
- Every recording playback, download and deletion must be logged: who accessed which recording and when.
- Logs must be kept at least as long as the recordings concerned — or longer, if needed for an official procedure.
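As an added example (not part of any vendor's system), the following review of an access log raises the kind of alerts described above: access by a role that is not permitted, and an unusually large number of downloads by one user in a short time. The log line format, role labels and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ALLOWED_ROLES = {"area_manager", "qa"}   # roles named in the article; labels assumed
MAX_DOWNLOADS = 3                         # assumed threshold per user...
WINDOW = timedelta(minutes=10)            # ...within this sliding window

# Constructed log lines: timestamp user role action recording-id
SAMPLE_LOG = """\
2026-06-24T09:00:05 anna qa play rec-101
2026-06-24T09:02:10 bela area_manager download rec-102
2026-06-24T09:03:00 csaba sales play rec-103
2026-06-24T22:40:00 dora qa download rec-201
2026-06-24T22:41:00 dora qa download rec-202
2026-06-24T22:42:30 dora qa download rec-203
2026-06-24T22:44:00 dora qa download rec-204
2026-06-24T22:59:00 dora qa download rec-205
"""

def review(log_text):
    """Return (timestamp, user, reason) alerts for an access log."""
    alerts, recent = [], defaultdict(deque)
    for line in log_text.splitlines():
        ts_raw, user, role, action, rec_id = line.split()
        ts = datetime.fromisoformat(ts_raw)
        if role not in ALLOWED_ROLES:
            alerts.append((ts_raw, user, f"role '{role}' may not access {rec_id}"))
        if action == "download":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > WINDOW:      # drop downloads outside the window
                q.popleft()
            if len(q) > MAX_DOWNLOADS:
                alerts.append((ts_raw, user, f"{len(q)} downloads in {WINDOW}"))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```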
SFTP and searchability
- Archived recordings should be exportable via the SFTP protocol — this makes compliance audits and data provision to authorities easier.
- Without metadata-based search (date, calling number, agent name, customer ID), finding a single recording can take weeks.
The duty to delete: when and how?
It follows from data minimisation that recordings must be actively deleted once the retention period expires — it is not enough to simply "leave them untouched". Deletion must mean genuine destruction:
- Software overwriting or cryptographic erasure of the storage medium.
- Reviewing backups: recordings must be deleted from backups too, not only from primary storage.
- Documentation: it is worth logging that deletion took place (when, whom it affected, who carried it out) — it has evidentiary value during an inspection.
Retention checklist for SMEs
- A defined legal basis and purpose for every call
- Notice at the start of the call (voice message)
- Retention periods documented by legal basis (retention policy)
- An automatic deletion mechanism configured
- Encryption at rest and in transit
- Access control and roles defined
- An access log maintained
- A deletion process for backups worked out
- A record of processing activities (ROPA) kept up to date, including call recording
- A process in place for handling data-subject rights (access, deletion requests)