Official AEPD guidance · 20 April 2026

How to comply with the AEPD guidance on AI voice transcription without losing productivity

On 20 April 2026 the Spanish Data Protection Agency published four key requirements for businesses and professionals using AI to transcribe conversations. This page explains them and shows you how to comply.


The 4 AEPD requirements

01

Session-specific consent

A generic service-join notice is not valid consent. Each recording requires explicit and recorded acceptance.

02

Multi-speaker right of access

Any recorded participant can demand access to their data, even if the recording also contains other people. "I am protecting the others" is not a valid reason to refuse.

03

Vendor due diligence

You must document where data is processed, what subprocessors are involved, and what additional processing they perform.

04

Transcription = personal data processing

It is not a technical feature. You need a documented legal basis, a DPIA if the processing is high-risk, a written retention policy, and a breach notification workflow.

Why this guidance matters for your business

If you record meetings with clients, patients, advisors, candidates, or employees, this guidance affects you. It is not optional. The AEPD has been explicit: AI transcription is not a low-risk technical utility; it is personal data processing subject to all GDPR obligations.

Potential sanctions can reach 4% of global annual turnover or €20M (GDPR Art. 83). In practice, the most serious thing is not the fine but the open investigation: if your business depends on client trust (law firm, clinic, advisory), an open investigation is already a problem.

The good news: compliance is feasible. With recorded consent, a European vendor (or a US vendor with a documented TIA), a correct DPIA, and a DSR procedure, any company can operate without regulatory risk.

How AudioMap helps you comply

How does AudioMap compare to Fireflies, Otter, Granola, and Plaud? We show it without hiding anything at /legal/comparison.

Frequently asked questions

Is having a signed DPA with my provider enough?

No. The AEPD clarifies that having a DPA is necessary but not sufficient. You also need a Transfer Impact Assessment if the provider processes data outside the EU, a written retention policy, a contractual model training policy, and due diligence documentation.

Is the "this call is being recorded" warning at the start of the meeting enough?

Yes, at minimum. But the AEPD recommends more: a log of who consented, when, to what text, and under which legal version. AudioMap logs it automatically.

If a meeting participant asks me for deletion, what do I do?

You have 30 days to respond (GDPR Art. 12.3). If the recording is appropriate for deletion, you must delete it. If the other party has the right to keep it (legitimate interest, legal obligation), you must justify it in writing.

Do I always need a DPIA?

If you record sensitive data at scale (clients under professional secrecy, patients, minors, tax data), yes. The AEPD considers it high-risk processing per GDPR Art. 35.

Does AudioMap sign DPAs?

Yes, same day and per GDPR Art. 28. Write to [email protected].

Get started now

Try AudioMap free (first hour, no card). For B2B with DPA + joint audit, contact us.

