GDPR-Compliant AI Call Recording for B2B Sales Teams: What You Need to Know in 2026

    This article is for informational purposes only and does not constitute legal advice. For your specific situation, consult a qualified data protection attorney or your company's data protection officer.

    AI call recording is now a baseline capability for competitive B2B sales teams in Europe. The problem: most guides on the topic were written for US-based teams, and the GDPR compliance picture looks materially different if your reps are calling prospects in Germany, Austria, or Switzerland. This guide answers the questions DACH sales managers actually ask: what is legal, what lawful basis to use, whether you need a DPA, and what to say at the start of a call.

    Is it legal to record sales calls in Germany and Austria?

    Yes, recording sales calls in Germany and Austria is legal. The short answer is that it has always been legal as long as all parties are informed before or at the start of the recording. What is not legal, in either country, is secretly recording a call without the other party's knowledge.

    In Germany, the legal framework comes from two sources. The Telekommunikationsgesetz (TKG) prohibits interception of telecommunications without all participants' knowledge. GDPR then layers on top: any recording that captures personal data (including names, job titles, and anything said during a conversation) must have a valid lawful basis and must be covered by your data protection documentation. The combination means that informed recording with a documented legal basis is legal; covert recording is not. For a deep dive into Germany-specific requirements, see our GDPR guide for recording sales calls in Germany.

    Austria follows substantially the same framework under the Austrian Telecommunications Act (TKG 2021) and its national GDPR implementation. Switzerland, while not an EU member, applies similar requirements under the Federal Act on Data Protection (nDSG), which was revised in 2023 to align closely with GDPR principles.

    The practical implication for sales teams: you do not need to obtain a signed consent form before every call. You need to announce the recording at the start of the call and have the underlying compliance documentation in place. If the other party objects, you stop recording.

    What lawful basis can you use under GDPR Article 6?

    GDPR Article 6 provides six lawful bases for processing personal data. For B2B sales call recording, two are relevant in practice.

    Legitimate interests (Article 6(1)(f)) is the most commonly used basis for B2B call recording. It allows you to process personal data when you have a genuine business need, when that need is not overridden by the data subject's fundamental rights, and when you have documented the assessment. For B2B sales teams, legitimate interests cover recording for coaching and quality assurance, recording for dispute resolution, and recording to improve sales process understanding. The key requirement is completing a Legitimate Interests Assessment (LIA) and keeping it on file for review by a data protection authority.

    Contract performance (Article 6(1)(b)) applies where recording is necessary to perform or prepare a contract. This basis is narrower than it sounds: it applies when the call is directly about negotiating, executing, or fulfilling a contract, not to general prospecting calls where no contract is in prospect. For inbound sales calls from existing customers or calls where a specific agreement is being discussed, contract performance can be a clean basis.

    Consent (Article 6(1)(a)) is technically available but creates operational problems for sales teams. Consent under GDPR must be freely given, specific, informed, and revocable at any time. Using consent as your lawful basis means any call participant can later withdraw consent and demand deletion of the recording. For a coaching-focused use case, this creates significant data management overhead. Most GDPR practitioners advise B2B sales teams to use legitimate interests rather than consent.

    Key term

    A Legitimate Interests Assessment (LIA) is a three-part test that documents why your processing is necessary, whether that necessity is genuine, and whether it is proportionate relative to the data subject's privacy interests. It does not need to be long. It does need to be written down and available if a supervisory authority or data subject requests it.

    Do you need a Data Processing Agreement for AI call tools?

    Yes, without exception. If you use any third-party tool that records, transcribes, or analyzes your sales calls, that vendor is processing personal data on your behalf. Under GDPR Article 28, that makes them a data processor, and you are required to have a written Data Processing Agreement (DPA) in place before any data processing begins.

    In German-speaking contexts this is called an Auftragsverarbeitungsvertrag, or AVV. The name is different; the requirement is identical.

    A compliant DPA must specify: what data is being processed and for what purpose, the duration of the processing, the nature and subject matter of the processing, the categories of data subjects involved, the obligations and rights of the controller (you), and the sub-processors the vendor uses. For AI call recording tools, this last point matters: the transcription engine, any LLM used for analysis, and the storage provider may all be sub-processors that need to be listed.

    Most reputable vendors provide a standard DPA. Before signing, check three things: where data is stored (EU or outside), whether the sub-processor list is complete and auditable, and what the deletion timeline is after contract termination. A vendor that cannot answer these questions clearly is a compliance risk regardless of what their marketing page says.

    EU data residency: what it actually means for your call recordings

    Data residency and data transfer are not the same thing, and conflating them is the most common mistake DACH compliance teams make when evaluating call recording tools.

    Data residency means that your recordings and transcriptions are stored on servers physically located in the EU. This satisfies the storage requirement and ensures that requests from non-EU authorities to access the data have no direct legal pathway under EU law.

    Data transfer refers to any movement of personal data to a country outside the EU/EEA. Under GDPR Chapter V, transferring data to a third country requires either an adequacy decision from the European Commission, Standard Contractual Clauses (SCCs), or another valid transfer mechanism. The US has had a complex history here: the Privacy Shield framework was invalidated by the Schrems II ruling in 2020, and while the EU-US Data Privacy Framework was adopted in 2023, its long-term stability is uncertain after the Schrems I and II precedents.

    The practical implication: a US-based tool that claims GDPR compliance via SCCs is technically legal today, but it introduces regulatory risk. If the EU-US Data Privacy Framework is challenged again, your compliance position weakens overnight. For DACH teams processing sensitive B2B conversations, using an EU-based provider with EU-only storage eliminates this category of risk entirely. It is not a hypothetical concern; it is a live regulatory variable in 2026.

    When evaluating AI call recording vendors, ask specifically: where are recordings stored at rest, where is transcription processing performed, what sub-processors are used, and are any sub-processors US-based? Get the answers in writing as part of your DPA.

    Employee consent vs. customer consent: different rules apply

    Call recording for B2B sales teams involves two distinct categories of data subject: your employees (the reps being recorded) and the customers or prospects on the other end of the call. The compliance requirements are different for each.

    Your employees. Recording employees for coaching and quality assurance is a recognized legitimate interest, but it requires an additional layer of compliance in Germany specifically. German labor law (Betriebsverfassungsgesetz, BetrVG) requires works council (Betriebsrat) co-determination for any system of employee monitoring, including call recording for performance review. If your German entity has a works council, you must reach a Betriebsvereinbarung (works agreement) before deploying call recording. Skipping this step creates employment law exposure independent of GDPR compliance.

    Your customers and prospects. The other party on a B2B sales call is an employee of the company you are selling to. They are a natural person and therefore a GDPR data subject. For this group, legitimate interests under Article 6(1)(f) is the standard basis used by most sales teams. Your obligation is to inform them of the recording and its purpose. This can be done verbally at the start of the call; it does not require written consent.

    One practical note: if you are selling to individuals in a B2C context or if the call involves particularly sensitive topics, the legitimate interests analysis may tip differently. The standard B2B coaching and quality assurance use case is well-established and documented in guidance from the German DPA (Datenschutzkonferenz) and the Austrian DPA (Datenschutzbehörde).

    What to say at the start of a call (consent scripts that work)

    Informing the other party about recording does not require a legal monologue. A brief, clear notification at the start of every call is sufficient when you are relying on legitimate interests. The goal is to be specific enough that the person understands what is happening and why, without introducing friction that kills the call.

    The following scripts work for most B2B sales contexts in Germany and Austria. Adapt them to your company name and specific use case.

    English (for international calls from DACH teams):

    "Before we start, I want to let you know that I'll be recording this call for coaching and quality purposes. If you'd prefer not to be recorded, just let me know and I'll turn it off."

    German (for calls with German-speaking prospects):

    "Bevor wir beginnen: Ich nehme dieses Gespräch zu Coaching- und Qualitätszwecken auf. Wenn Sie damit nicht einverstanden sind, schalte ich die Aufnahme selbstverständlich ab."

    Several elements make these scripts legally defensible. They identify that a recording is happening. They state the purpose (coaching and quality). They give the other party a clear opt-out. And they are delivered before substantive conversation begins, which matters for the "informed" requirement under GDPR.

    For inbound calls where you cannot announce before picking up, the notification should come within the first 30 seconds. For outbound calls, the standard practice is to give the notification after the other party confirms who they are and before moving into the substance of the call.

    Some teams add a secondary notification in their email confirmations before a scheduled call: "This call will be recorded for internal coaching and quality purposes. Please reply if you have questions or if you prefer the call not be recorded." This belt-and-suspenders approach is not legally required but reduces the chance of objections on the call itself.

    GDPR-compliant call recording: a checklist for DACH sales teams

    Use this checklist before deploying any AI call recording tool in a DACH sales environment.

    • Choose a vendor with EU-based data storage and a clear sub-processor list.
    • Execute a Data Processing Agreement (DPA / AVV) before any recording begins.
    • Document your lawful basis. For most B2B coaching use cases: legitimate interests (Article 6(1)(f)).
    • Complete and file a Legitimate Interests Assessment (LIA) covering the specific use case.
    • If your German entity has a Betriebsrat, negotiate a Betriebsvereinbarung covering call recording before going live.
    • Add call recording to your Record of Processing Activities (Verzeichnis von Verarbeitungstätigkeiten, VVT).
    • Update your privacy notices for employees and customers to include call recording as a processing activity.
    • Train reps on the verbal notification script and what to do if a customer objects.
    • Define and document your retention period for recordings. Ninety days is common for coaching use cases; longer retention increases risk.
    • Confirm your deletion workflow: recordings must be deletable on data subject request.

    This checklist covers the baseline. Depending on your company size, the volume of calls, and the sensitivity of the information discussed, a Datenschutz-Folgenabschätzung (DSFA, or Data Protection Impact Assessment) may also be required under GDPR Article 35. Consult your data protection officer or an external DPO if you are unsure whether DSFA applies to your use case. For a comparison of tools that meet these requirements for DACH teams, see best conversation intelligence tools for DACH in 2026.

    Frequently asked questions

    Is it legal to record sales calls in Germany?

    Yes, recording sales calls in Germany is legal provided you inform all parties before or at the start of the recording. Under the German Telekommunikationsgesetz (TKG) and GDPR, secret recordings are prohibited. The standard approach for B2B sales teams is to announce the recording at the beginning of each call and document that notification. Continued participation after notification is generally sufficient for B2B calls, but your legal counsel should review your specific implementation.

    What is the GDPR lawful basis for recording B2B sales calls?

    The two most commonly used lawful bases for B2B sales call recording under GDPR Article 6 are legitimate interests (Article 6(1)(f)) and contract performance (Article 6(1)(b)). Legitimate interests is the most practical option for most sales teams: it allows recording for coaching, quality assurance, and dispute resolution without requiring explicit consent from the other party, provided a Legitimate Interests Assessment is documented and the individual's rights are not overridden. Consent is technically available but creates significant data management overhead because it must be revocable on request.

    Can I use US-based call recording tools like Gong under GDPR?

    Using US-based tools is permissible under GDPR if the provider relies on Standard Contractual Clauses (SCCs) or another valid transfer mechanism, and you have a Data Processing Agreement in place. However, US-based providers that store recordings on US servers introduce data transfer risk. The EU-US Data Privacy Framework adopted in 2023 is the current legal basis for most US providers, but given the history of Schrems I and II its long-term stability is not guaranteed. For DACH teams handling sensitive B2B conversations, an EU-based provider with EU-only storage eliminates this category of risk entirely.

    Do I need a Data Processing Agreement (DPA/AVV) for AI call recording tools?

    Yes, without exception. Any third-party tool that records, transcribes, or analyzes your sales calls is a data processor under GDPR Article 28. You are required to have a written Data Processing Agreement (in German: Auftragsverarbeitungsvertrag, or AVV) in place before processing begins. The DPA must cover what data is processed, for what purpose, where it is stored, which sub-processors are used, and the deletion timeline. Most reputable vendors provide a standard DPA; review it carefully before signing.

    Can I record a sales call without explicit consent under GDPR?

    Yes, in most B2B contexts. Under GDPR, explicit consent is one lawful basis but not the only one. If you rely on legitimate interests (Article 6(1)(f)), you do not need explicit consent for recording, provided you have documented a Legitimate Interests Assessment, you inform the other party of the recording at the start of the call, and the processing does not override their fundamental rights. For consumer-facing calls (B2C), the bar is higher and explicit consent is typically the safer basis. For standard B2B prospecting and coaching use cases, legitimate interests is the established and defensible approach.
