Innotel

Back to the knowledge base

Lawful call recording in Hungary: what do the Fgytv. and the GDPR require?

Published: June 20, 2026

For telephone customer-service teams, sales departments and call centres, call recording is now a basic tool: it supports quality assurance, dispute resolution and staff development. At the same time the legal framework is complex — the Hungarian Consumer Protection Act (Fgytv.), the European General Data Protection Regulation (GDPR) and the Hungarian Information Act (Infotv.) all apply at once. This article collects the most important points so you can meet these obligations with confidence.

Legal notice: This article is for information only and does not constitute legal advice. For specific cases, involving a data protection expert or lawyer is strongly recommended.

Section 17/B of the Fgytv.: what applies to customer-service calls?

Section 17/B of the Hungarian Consumer Protection Act (Act CLV of 1997, "Fgytv.") requires businesses to record incoming calls on their customer-service telephone lines — and to retain those recordings. The act's main provisions:

  • Recording obligation: customer-service calls must be recorded.
  • Retention period: under the current rules, recordings of customer-service calls must be kept for at least 5 years, so they are available as evidence in the event of a consumer complaint, official procedure or dispute.
  • Information obligation: at the start of the call — by an automatic voice message or another clear means — the caller must be informed that the conversation is being recorded. Failing to do so is itself a violation.
  • Right of access: the consumer has the right to request to listen to, or receive a copy of, the recording of their own call.

Important: Section 17/B of the Fgytv. does not apply to every phone call — it mainly covers customer-service lines (complaint handling, information). For internal workplace calls or outbound sales, the GDPR and the Infotv. are the relevant basis.

GDPR legal bases: when may I lawfully record a call?

Under the General Data Protection Regulation (EU) 2016/679 (GDPR), call recording qualifies as the processing of personal data and therefore requires a legal basis. The most commonly used bases:

1. Legitimate interest (GDPR Article 6(1)(f))

A business may rely on its legitimate interest — for example quality assurance, staff training or dispute resolution — if:

  • the interest is real and specific (not a generic reference),
  • the balancing test shows the business's interest outweighs the private interest of the data subject,
  • the data subject can reasonably expect the recording (e.g. due to prior notice).

It is advisable to document the balancing test in writing — the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) may request it during an inspection.

2. Compliance with a legal obligation (GDPR Article 6(1)(c))

Where Section 17/B of the Fgytv. creates a statutory obligation to record, this legal basis applies — no separate consent is required.

3. Consent (GDPR Article 6(1)(a))

Consent can also be a legal basis, but it is risky in a customer-service setting: consent must be freely given, unambiguous and revocable. If the caller withholds consent yet the business still cannot provide service, the "freely given" nature is questionable.

Recommended approach: record customer-service calls on the basis of the statutory obligation in the Fgytv. and/or the GDPR legitimate interest, and document the balancing test.

Information obligation: what should the message say?

GDPR Articles 13–14 and the Fgytv. both require that the data subject receive prior information. The voice message should contain at least the following:

  1. Who records the call (the name of the controller)?
  2. What is the purpose of the recording?
  3. What is the legal basis?
  4. How long is the recording kept?
  5. Where and how can the data subject request further information (availability of the privacy notice)?

A short, concise text is enough — e.g. "Please note that your call is being recorded for quality assurance and dispute-resolution purposes. You can find our privacy notice on our website." — together with a link to the full notice.

Data security requirements (GDPR Article 32)

Recorded calls may contain sensitive personal data (customer name, account number, the content of a complaint). The GDPR requires appropriate technical and organisational measures:

  • Encryption at rest and in transit (e.g. AES-256 for stored recordings, TLS on the transmission channel)
  • Access control: only authorised staff may access the recordings (role-based permissions)
  • Logging: who listened to which recording and when
  • Regular review to enforce retention periods

Common mistakes worth avoiding

  1. Missing notice at the start of the call — one of the most common grounds for NAIH complaints.
  2. No documented legal basis — "we have always done it this way" is not a sufficient argument during an inspection.
  3. Ignoring retention periods — neither early deletion nor unjustifiably long storage complies with the GDPR.
  4. Unrestricted access to recordings — not every employee may listen to every call.
  5. No record of processing activities (ROPA) — call recording must be listed in the record of processing activities.

Related pages

  • Call recording — how Innotel implements proper notice and encryption.
  • Cloud PBX — a cloud PBX with built-in call recording.
  • SIP trunk — own number range, number portability and call recording from a single provider.

Innotel's call-recording solution covers everything from compliant notice to encrypted storage — so that the requirements of the Fgytv. and the GDPR are met automatically.