
AEPD April 2026 guidance for businesses that record meetings: what changed and what you need to do

What changed

On April 20, 2026, the Spanish Data Protection Agency (AEPD) published specific guidance on GDPR compliance for automated AI voice transcription tools. It's the second one in four months — the first was in January 2026 — and the combination of both marks a clear line for any business or professional using AI to transcribe meetings, calls, or any other audio with personal data.

If you record meetings with clients, patients, advisors, candidates, or employees, this guidance affects you. It's not optional.

Why now

Adoption of tools like Otter, Fireflies, Fathom, Granola, Read.ai, or Plaud has exploded in the past 18 months. The AEPD sees two parallel issues:

  1. Uncritical adoption. Most professionals and businesses using these tools have not done due diligence on where data is processed, what's trained with it, or how the rights of the other participants in the recording are managed.
  2. Products designed in the US for the US market. The main players are designed for jurisdictions with one-party consent (California is the exception). The "auto-join bot with email opt-out 1h before" model does not meet European standards of specific and informed consent.

The guidance does not prohibit these tools. It clarifies what the business or professional using them must do to avoid infringement.

The four requirements, explained

### 1. Session-specific consent

What the AEPD says: consent must be specific to each recording session. A generic notice when joining the service ("by using this product you accept that your meetings will be recorded") does not constitute valid consent. Each recording is a separate processing act.

In practice:

- It's not enough that you, as host, accepted the service's terms. You must confirm that each participant in each meeting agrees to that specific meeting being recorded.
- Consent must be prior to recording, not after. Warning "this call is being recorded" 30 seconds in is problematic.
- Consent must be recorded. If asked "prove that client X consented to the recording on March 11 at 16:00", you must be able to show the evidence.

How to meet it:

- Documented procedure before each meeting. Use a specific phrase, not a paraphrase: "This meeting will be recorded and transcribed with AudioMap. Do you agree?" Log the response.
- If you use an auto-join bot: check that the email opt-out flow works, that it doesn't depend only on email (what if the participant doesn't open it?), and that the recording is also signaled at the start of the session.
- If you use intentional capture (you upload the audio): ask for explicit consent before starting. AudioMap logs this in an immutable audit log (IP + User Agent + version + timestamp) each time you accept the modal.
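As an added example of what "consent must be recorded" can look like in practice (this is illustrative code, not AudioMap's implementation or the AEPD's prescription), the block below keeps a per-session consent log in which every entry captures the session, participant, decision, timestamp, IP, user agent and modal version, and each entry's hash commits to the previous entry's hash. Editing or deleting an entry afterwards breaks the chain, and `consent_before` answers the "did client X agree before the recording started?" question. Field names and the sample data are assumptions constructed for the example.

```python
"""Per-session consent log with a tamper-evident hash chain.

Added example, not AudioMap's code: one way to keep the evidence the guidance
asks for (who agreed to which recording, when, from where) so that a later
edit or deletion of an entry is detectable. Field names are assumptions.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class ConsentEntry:
    session_id: str    # the specific meeting, not the service signup
    participant: str   # participant identifier (hypothetical field)
    decision: str      # "accepted" or "declined"
    timestamp: str     # ISO 8601, UTC
    ip: str
    user_agent: str
    app_version: str   # version of the consent modal the participant saw
    prev_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        """SHA-256 over a canonical serialisation of every field except the hash itself."""
        payload = asdict(self)
        payload.pop("entry_hash")
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ConsentLog:
    """Append-only list; each entry commits to the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: List[ConsentEntry] = []

    def record(self, session_id: str, participant: str, decision: str, ip: str,
               user_agent: str, app_version: str,
               timestamp: Optional[str] = None) -> ConsentEntry:
        if decision not in ("accepted", "declined"):
            raise ValueError("decision must be 'accepted' or 'declined'")
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        draft = ConsentEntry(session_id, participant, decision, ts, ip,
                             user_agent, app_version, prev)
        entry = replace(draft, entry_hash=draft.compute_hash())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every hash matches its entry and every link matches its predecessor."""
        prev = GENESIS_HASH
        for e in self.entries:
            if e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def consent_before(self, session_id: str, participant: str,
                       recording_start: str) -> Optional[ConsentEntry]:
        """Evidence for 'did X agree to session Y before recording began?'.

        Returns the participant's last decision made at or before recording_start,
        but only if that decision was an acceptance; otherwise None.
        """
        start = datetime.fromisoformat(recording_start)
        decisions = [e for e in self.entries
                     if e.session_id == session_id and e.participant == participant
                     and datetime.fromisoformat(e.timestamp) <= start]
        if not decisions:
            return None
        last = decisions[-1]
        return last if last.decision == "accepted" else None


def build_sample_log() -> ConsentLog:
    """Constructed sample data: two timely acceptances in one session, one late acceptance in another."""
    log = ConsentLog()
    log.record("mtg-2026-03-11-a", "client-x", "accepted", "203.0.113.7",
               "Mozilla/5.0 (constructed)", "consent-modal-1.4", "2026-03-11T15:58:10+00:00")
    log.record("mtg-2026-03-11-a", "advisor-1", "accepted", "198.51.100.2",
               "Mozilla/5.0 (constructed)", "consent-modal-1.4", "2026-03-11T15:58:40+00:00")
    # This participant only clicked accept after the recording had started at 10:00.
    log.record("mtg-2026-03-12-b", "candidate-9", "accepted", "203.0.113.9",
               "Mozilla/5.0 (constructed)", "consent-modal-1.4", "2026-03-12T10:03:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain valid:", log.verify())
    print("client-x consented before 16:00:",
          log.consent_before("mtg-2026-03-11-a", "client-x", "2026-03-11T16:00:00+00:00") is not None)
    print("candidate-9 consented before 10:00:",
          log.consent_before("mtg-2026-03-12-b", "candidate-9", "2026-03-12T10:00:00+00:00") is not None)
```

The chain detects modification or removal of any earlier entry, but not truncation of the newest entries; to cover that, periodically anchor the latest `entry_hash` somewhere outside the log (a signed daily digest, a write-once bucket) and compare against it during `verify`.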

### 2. Right of access in multi-speaker recordings too

What the AEPD says: the right of access under GDPR Art. 15 also applies when the recording contains multiple speakers. You cannot deny access to a subject on the grounds of protecting the personal data of the other participants.

In practice:

- If a meeting participant asks you for access to "their data" — and the recording includes more voices — you cannot refuse on the basis of protecting the others' privacy.
- You must deliver at least the transcription portion that belongs to them, or document why it's not technically possible.
- The same applies to portability (Art. 20), rectification (Art. 16), erasure (Art. 17), and objection (Art. 21).

How to meet it:

- Your transcription tool must support reasonably good diarisation (separation by speaker). Without diarisation, compliance is almost impossible.
- Clear internal procedure: when you receive a Data Subject Access Request, deliver the subject's portion within one month (Art. 12.3 GDPR).
- If you record meetings with third parties who are not your users — clients, candidates, patients — you need a channel for THEM to ask you for access directly without going through the tool. AudioMap is building this public endpoint.
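To show why diarisation is the enabling piece of the procedure above, here is an added example (not AudioMap's code) that takes speaker-labelled segments from a transcription tool, pulls out the requester's own portion, builds an export in which the other participants' turns are replaced by a marker so the requester keeps the timing and context of their own words without receiving anyone else's content, flags speaker labels nobody has attributed yet, and computes the one-month deadline of Art. 12.3. The segment shape, the `speaker_map` that links diarisation labels to people, and the sample transcript are all assumptions constructed for the example.

```python
"""Answering a subject access request against a diarised transcript.

Added example, not AudioMap's code. It assumes the transcription tool returns
speaker-labelled segments (label, start, end, text) and that the controller
keeps a separate mapping from those labels to the people in the room
(`speaker_map`, hypothetical). Sample transcript and mapping are constructed.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

WITHHELD = "[withheld: another participant's speech]"


@dataclass(frozen=True)
class Segment:
    speaker: str   # diarisation label, e.g. "SPEAKER_01"
    start: float   # seconds from the start of the recording
    end: float
    text: str


def labels_for(speaker_map: Dict[str, str], subject: str) -> Set[str]:
    """All diarisation labels attributed to one person (tools sometimes split one voice)."""
    return {label for label, person in speaker_map.items() if person == subject}


def subject_portion(segments: List[Segment], speaker_map: Dict[str, str],
                    subject: str) -> List[Segment]:
    """The requester's own speech, verbatim: the minimum you hand over."""
    own = labels_for(speaker_map, subject)
    return [s for s in segments if s.speaker in own]


def export_for_subject(segments: List[Segment], speaker_map: Dict[str, str],
                       subject: str) -> List[dict]:
    """Portable export: the requester's turns in full, everyone else's replaced by a marker.

    Timing and turn order are kept so the requester sees the context of their own
    words without receiving the content of the other participants' speech.
    """
    own = labels_for(speaker_map, subject)
    rows = []
    for s in segments:
        if s.speaker in own:
            rows.append({"start": s.start, "end": s.end, "speaker": "requester", "text": s.text})
        else:
            rows.append({"start": s.start, "end": s.end, "speaker": "other", "text": WITHHELD})
    return rows


def unmapped_labels(segments: List[Segment], speaker_map: Dict[str, str]) -> Set[str]:
    """Labels nobody has attributed: resolve these (or document why you cannot) before answering."""
    return {s.speaker for s in segments} - set(speaker_map)


def response_deadline(received: date) -> date:
    """Art. 12(3): at the latest one month after receipt. Modelled as the same calendar
    day next month, clamped to that month's last day (31 Jan -> 28 Feb). Extensions not modelled."""
    month = received.month % 12 + 1
    year = received.year + (1 if received.month == 12 else 0)
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def deadline_iso(received_iso: str) -> str:
    """String wrapper around response_deadline for callers holding ISO dates."""
    return response_deadline(date.fromisoformat(received_iso)).isoformat()


# Constructed sample: three voices, one of which the controller has not identified.
SAMPLE_SEGMENTS = [
    Segment("SPEAKER_00", 0.0, 4.2, "Thanks for joining, let's go through the draft accounts."),
    Segment("SPEAKER_01", 4.5, 9.8, "Before that, I want to flag a change in my personal situation."),
    Segment("SPEAKER_00", 10.1, 13.0, "Of course, go ahead."),
    Segment("SPEAKER_01", 13.2, 20.4, "I moved abroad in February, which affects my tax residency."),
    Segment("SPEAKER_02", 20.9, 23.5, "Sorry, I think I'm in the wrong meeting."),
]
SAMPLE_SPEAKER_MAP = {"SPEAKER_00": "advisor-1", "SPEAKER_01": "client-x"}

if __name__ == "__main__":
    for row in export_for_subject(SAMPLE_SEGMENTS, SAMPLE_SPEAKER_MAP, "client-x"):
        print(f"{row['start']:>6.1f}s {row['speaker']:<9} {row['text']}")
    print("unattributed labels:", unmapped_labels(SAMPLE_SEGMENTS, SAMPLE_SPEAKER_MAP))
    print("deadline for a request received 2026-01-31:", deadline_iso("2026-01-31"))
```

The unattributed-label check matters in practice: a segment with no mapping is exactly the situation where you must either finish attribution or write down why the portion cannot be isolated, which is the documentation the guidance expects instead of a refusal.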

### 3. Vendor due diligence

What the AEPD says: the data controller (the business or professional recording) must document due diligence in selecting the transcription provider. This includes: actual jurisdiction of processing, subprocessors, retention policy, model training policy.

In practice:

- "They have a DPA" is not a sufficient answer. You must be able to explain what the DPA says, what subprocessors they use, and what happens to your audio at each stage.
- "They're in the EU-US Data Privacy Framework" is not a sufficient answer either. The framework is valid as of today, but NOYB is litigating to invalidate it (it's the third attempt; the two previous frameworks were struck down). Building your compliance on it is building on sand.
- You must have a Transfer Impact Assessment (TIA) for each US-based subprocessor. The AEPD has sanctioned companies that had SCCs signed but no documented TIA.

How to meet it:

- Ask the vendor for the public subprocessor list. If they don't have it or don't want to provide it, you have your answer.
- Ask for the retention policy in writing. "30 days" is not the same as "indefinite for backup/legal".
- Ask for the training policy. "We don't train on your content" must be contractually in the DPA, not just in marketing.
- Consider European providers. AudioMap processes 100% in EU territory (Hetzner DE + AssemblyAI EU + Vertex EU + R2 EU) and publishes everything: [/legal/subprocessors](/legal/subprocessors), [/legal/data-residency](/legal/data-residency), [/legal/aepd-compliance](/legal/aepd-compliance).

### 4. Transcription ≠ technical feature

What the AEPD says: transcription is not a low-risk technical utility. It is personal data processing with ongoing governance, clear transparency, and proactive safeguards.

In practice:

- You need a DPIA (Data Protection Impact Assessment, GDPR Art. 35) if the processing is high-risk. Recording meetings with clients/patients is: it involves multiple speakers, potentially sensitive data, and automated AI processing.
- You need a record of processing activities (GDPR Art. 30) that includes AI transcription as a documented activity.
- You need a written and applied retention policy (not "we retain whatever the vendor wants").
- You need a breach notification workflow (GDPR Art. 33 — 72 hours) that includes the scenario "leak from the transcription vendor".

How to meet it:

- DPIA: if you don't know how to do one, hire an external DPO. They start at €80/hour. A well-done AI transcription DPIA fits in 4-6 pages.
- Activity record: add a concrete entry "Automated transcription of client meetings" with legal basis, purpose, data categories, retention periods.
- Retention policy: document how long you retain and how long the vendor retains. AudioMap retains 30 days after account closure and publishes this commitment at /privacy.

What does NOT change

The AEPD guidance does not prohibit AI transcription. It does not require using European tools. It does not void already-signed DPAs. What it does is raise the bar for what counts as "compliant use" in Spain.

Companies that already had a mature compliance program (registered consent, DPIA, procedurised DSR, vendor management) are well positioned to continue as they are. Those who assumed "having a DPA" was sufficient have work to do.

Potential sanctions

The AEPD can sanction non-compliance with fines of up to 4% of global annual turnover or €20 million, whichever is higher (GDPR Art. 83). In practice, sanctions on Spanish medium-sized companies for transcription/recording-related matters range from €5,000 to €200,000, depending on severity and cooperation with the inspector.

More relevant than the potential fine is the reputational cost and operational disruption of an AEPD inspection. If your business depends on client trust (tax advisory, law firm, clinic), an open inspection is already a problem before any resolution.

How AudioMap meets it

AudioMap maps the four requirements point by point. The page [/legal/aepd-compliance](/legal/aepd-compliance) breaks it down with technical detail. In short:

  1. Specific consent: per-note consent + immutable audit log + segregated types (GDPR Art. 7 and Art. 9).
  2. Multi-speaker access: user dashboard + public endpoint for third parties under construction + speaker-level diarisation.
  3. Vendor due diligence: 100% EU processing, public subprocessors, local Whisper fallback to eliminate cloud dependency.
  4. Ongoing governance: DPIA under construction, 30-day retention, 72h breach notification workflow, subprocessors with prior change notification.

Next step

If you run a tax advisory, law firm, clinic, or consultancy in Spain and have not yet reviewed your AI transcription compliance against this guidance, I recommend:

  1. Quick audit (2 hours): list of AI tools you use, where they process, what consent you obtain.
  2. Quick wins (1 week): per-meeting consent log, written policy on intranet, list of signed DPAs.
  3. Background work (1 month): DPIA, TIA, DSR procedure.
  4. Vendor switch if applicable (next 3 months): if your current tool processes in the US and you handle sensitive data, evaluate a European alternative.

If AudioMap fits your case, [try it free](/dashboard) or [talk to us](mailto:[email protected]). We sign DPAs per GDPR Art. 28 same day.

---

Sources:

- AEPD guidance on automated voice transcription, 20 April 2026.
- General Data Protection Regulation (GDPR), Art. 6, 7, 9, 12-22, 28, 30, 33-34, 35, 83.
- Schrems II judgment, CJEU C-311/18, 16 July 2020.
- AEPD Resolution PS-00121/2023.
