Is it legal to record a sales call in Germany without telling the other person?

No. Recording a phone call in Germany without the other party's knowledge is a criminal offense under Paragraph 201 of the Strafgesetzbuch (StGB), which prohibits covert recording of non-public spoken words. All parties must be informed before the recording begins. A simple verbal notice at the start of the call satisfies this requirement, provided the other party does not object and continues the conversation.

Do you have to tell someone you are recording a call in Germany?

Yes. German law requires that all participants in a call are informed of the recording before it starts. This applies to both customer calls and internal employee calls. The notification must be explicit: stating 'this call may be recorded' in a general terms document is not sufficient. A spoken announcement at the start of the call is the standard and legally reliable method.

What does Paragraph 201 StGB say about call recording?

Paragraph 201 of the German Criminal Code (Strafgesetzbuch) makes it a criminal offense to secretly record or use a recording of the non-public spoken words of another person without their consent. Violations can result in fines or imprisonment of up to three years. The statute applies to all telephone and VoIP calls, regardless of whether the caller is located in Germany or abroad, if any party to the call is in Germany.

Does GDPR apply to B2B sales call recordings?

Yes. GDPR applies to call recordings in B2B contexts whenever the recording captures the voice of an identifiable natural person, which covers virtually all sales calls. The business-to-business nature of the conversation does not remove the recording from GDPR scope. The most practical lawful basis for B2B call recording is legitimate interests under Article 6(1)(f), but this requires a documented balancing test showing the recording interest outweighs the data subject's privacy interest.

How long can you keep sales call recordings under GDPR?

GDPR's storage limitation principle (Article 5(1)(e)) requires that recordings are kept only as long as necessary for the purpose they were collected. For sales coaching and quality assurance, most legal advisors recommend a retention window of 30 to 90 days. If the recording documents a contractual agreement, retention for the duration of the contract plus applicable commercial retention periods (typically six to ten years under German HGB) may be justified. You must define and document your retention period in your privacy policy and internal records.

Recording Sales Calls in Germany: GDPR Compliance Guide (§201 StGB, 2026)

This article is for informational purposes only and does not constitute legal advice. Consult a qualified lawyer for guidance specific to your situation.

Recording sales calls in Germany is legal. It is also, done incorrectly, a criminal offense. The line between compliant and criminal comes down to one thing: consent. German law combines Paragraph 201 of the Criminal Code with GDPR in a way that is stricter than most European countries, and the compliance requirements are specific enough that a generic "calls may be recorded" footer in your email signature will not protect you. This guide walks through every layer of the legal framework, what it requires in practice, and how DACH sales teams can record calls lawfully.

Is it legal to record sales calls in Germany?

Yes, with explicit prior notice to all participants. The governing statute is Paragraph 201 of the Strafgesetzbuch (StGB), which makes it a criminal offense to secretly record the non-public spoken words of another person. The penalty is a fine or imprisonment of up to three years. This applies regardless of whether the recording party is in Germany or abroad: if any participant to the call is physically in Germany, German law applies.

The critical distinction in Paragraph 201 is the word "secretly." A recording is lawful when all parties know it is happening before the call is recorded. This does not require written consent forms or tick-boxes. A spoken notification at the start of the call is sufficient, provided the other party does not object and chooses to continue the conversation. Continuing the call after notification constitutes implicit acceptance under German legal interpretation, though this position should be verified with a local counsel for high-stakes contexts.

Key statute

Paragraph 201 StGB (Verletzung der Vertraulichkeit des Wortes) prohibits recording or using a recording of the non-public spoken words of another without their knowledge. Violations are prosecuted criminally, not just administratively. This is distinct from GDPR, which is a civil/regulatory framework. Both apply simultaneously to German sales call recordings.

The practical implication: your call recording workflow must include a verbal announcement before recording starts, every time. An automated recording that begins the moment the call connects, without a prior announcement, violates Paragraph 201 regardless of any GDPR compliance steps you have taken. The announcement must come first.

GDPR Article 6: what lawful basis applies to call recording?

Paragraph 201 StGB handles the criminal law layer. GDPR handles the data protection layer. Both apply, and satisfying one does not satisfy the other. For GDPR purposes, every call recording that captures an identifiable person's voice is processing of personal data under Article 4, and you need a lawful basis under Article 6 before processing begins.

Three Article 6 bases are commonly considered for B2B sales call recording:

Article 6(1)(b) — contractual necessity: Processing is necessary for the performance of a contract or to take pre-contractual steps at the request of the data subject. This is arguable for calls where the recording directly documents an agreement being reached, but it is difficult to justify for routine sales prospecting or coaching purposes.
Article 6(1)(a) — consent: The data subject has given explicit consent to the recording for specific purposes. This is the most legally defensible basis but also the most operationally burdensome. Consent must be freely given, specific, informed, and unambiguous. It must be as easy to withdraw as to give. For outbound prospecting calls where the prospect did not initiate contact, relying on consent creates friction at exactly the wrong moment in the sales process.
Article 6(1)(f) — legitimate interests: Processing is necessary for the legitimate interests of the controller, provided those interests are not overridden by the data subject's fundamental rights. This is the most practical basis for B2B sales call recording, but it requires a documented Legitimate Interests Assessment (LIA) showing that your interest in recording (coaching, quality assurance, dispute resolution) is proportionate and does not override the caller's reasonable privacy expectations.

For B2B sales teams, legitimate interests is the most workable lawful basis. The balancing test generally favors recording when: the caller is acting in their professional capacity, the recording is used only for coaching and quality purposes, the retention period is short and defined, and there is a clear opt-out mechanism (i.e., the person can decline the recording and the call can still proceed). Document your LIA. Supervisory authorities in Germany, particularly the BayLDA and the Berliner Beauftragte, have issued guidance expecting this documentation to be in place before recording begins.

Employee recording vs. customer call recording: different rules

German law draws a hard distinction between recording customer calls and recording employees. Customer call recording is primarily governed by GDPR plus Paragraph 201 StGB. Employee call recording introduces a third legal framework: Bundesdatenschutzgesetz (BDSG) Section 26, which restricts processing of employee personal data to what is necessary for the employment relationship, and the co-determination rights of the Betriebsrat (works council) under Betriebsverfassungsgesetz (BetrVG) Section 87. For Mittelstand-specific adoption patterns, see revenue intelligence for German Mittelstand.

If your company has a Betriebsrat, recording employee calls for performance monitoring or coaching purposes typically requires a Betriebsvereinbarung (works council agreement) before implementation. The Betriebsrat has a mandatory co-determination right over "technical facilities designed to monitor the conduct or performance of employees." Recording calls for quality assurance or sales coaching falls squarely within that definition.

Practically: if you are deploying call recording for rep coaching and you have a works council, negotiate and document the Betriebsvereinbarung before rollout. Deploying without it creates both works council grievance exposure and the risk that recorded call data cannot be used in performance-related decisions. If you do not have a Betriebsrat, BDSG Section 26 still applies, requiring that the recording purpose is documented, proportionate, and disclosed to employees in advance via an updated employment agreement addendum or data protection notice.

What to say at the start of a recorded call

The verbal announcement satisfies both the Paragraph 201 "non-secret" requirement and contributes to your GDPR transparency obligation under Article 13. It does not need to be long, but it does need to be explicit and delivered before the recording begins.

Example notification script (English)

"Hi [name], before we start I want to let you know that this call may be recorded for quality and training purposes. If you would prefer we do not record, just let me know and I will switch it off. Otherwise, by continuing the conversation you are agreeing to the recording."

Example notification script (German)

"Hallo [Name], bevor wir beginnen: dieses Gesprach kann zu Qualitats- und Schulungszwecken aufgezeichnet werden. Wenn Sie das nicht mochten, sagen Sie es mir kurz und ich schalte die Aufzeichnung aus. Ansonsten gilt Ihre weitere Teilnahme am Gesprach als Einverstandnis."

Key elements to include: the fact that recording is happening, the stated purpose (quality, training, documentation), and an explicit opt-out mechanism. The opt-out must be real: if the call proceeds regardless of whether the person objects, the notice is ineffective. Your call recording platform should support a way to pause or cancel the recording if the other party declines.

For automated dialing systems where a bot delivers the recording notice, confirm that the notice plays before the recording channel opens, not simultaneously. Several common configurations deliver the notice and begin recording at the same moment, which does not satisfy the "prior" notification requirement under German interpretation.

Data Processing Agreements (DPAs/AVV): when you need one

Any call recording platform that stores or processes call audio or transcripts on your behalf is a data processor under GDPR Article 28. You are required to have a Data Processing Agreement (Auftragsverarbeitungsvertrag, or AVV in German) in place before using that service to process customer or employee data. For a detailed comparison of tools, see our GDPR-compliant AI call recording guide for B2B teams.

This is non-negotiable. The obligation exists regardless of whether the processor is based in the EU. If you use Zoom, Google Meet, a telephony provider, or a dedicated call intelligence platform to record calls, you need a valid AVV with that vendor. Most enterprise vendors supply a standard DPA that can be countersigned; some require an active request through their legal or compliance portal.

What a compliant AVV must specify under Article 28(3): the subject matter and duration of processing, the nature and purpose of processing, the type of personal data and categories of data subjects, your obligations and rights as controller, requirements for subprocessors, security measures (Article 32), assistance with data subject rights, return or deletion of data after service termination, and audit rights.

German data protection authorities have specifically called out inadequate or missing AVVs as a common enforcement trigger. Do not assume a vendor's terms of service double as a DPA: they rarely satisfy all Article 28(3) requirements without a separate document.

Cloud storage and data residency: what GDPR-compliant actually requires

After Schrems II (CJEU Case C-311/18, July 2020), transfers of personal data to the United States require additional legal safeguards beyond Standard Contractual Clauses (SCCs) alone. The Court invalidated the EU-US Privacy Shield and found that SCCs are not automatically sufficient when the receiving country's surveillance laws prevent the data importer from complying with EU data protection standards.

For call recordings specifically, this means: storing call audio on US-based servers without a Transfer Impact Assessment (TIA) and supplementary measures creates legal exposure. The German supervisory authorities have been among the most active in Europe in enforcing post-Schrems II requirements. The DSK (Datenschutzkonferenz) issued a paper in 2021 stating that transfers to the US under SCCs alone are difficult to justify for many data categories.

The practical options for DACH sales teams are: EU-based cloud storage with processors that process data exclusively within the EEA, or US-based processors with valid SCCs plus a documented TIA plus contractual supplementary measures. EU-based storage eliminates the transfer complexity entirely and is the lower-risk path. When evaluating call recording platforms, ask specifically: where is audio stored? Where is transcription processing performed? Where are embeddings or AI model outputs stored? Each of these may constitute a separate data transfer.

How long can you store call recordings?

GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data is kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which it is processed. There is no single statutory retention limit for call recordings in Germany; the limit depends on your stated purpose.

For sales coaching and quality assurance, the supervisory authority guidance clusters around 30 to 90 days as a defensible retention window. After that period, the coaching signal has been extracted and the original recording serves no additional legitimate purpose. Retaining recordings beyond that window for vague "future reference" purposes is unlikely to survive regulatory scrutiny.

For recordings that document a commercial agreement, the calculus changes. German commercial law (HGB Section 257) requires retention of business correspondence and trade letters for six years, and accounting documents for ten years. If a call recording constitutes documentary evidence of a contract conclusion, that retention period may justify keeping the recording for the commercial retention window. This requires the recording to be explicitly flagged as contractual documentation, not simply retained by default.

Define your retention periods in writing, document the justification, configure your platform to automatically delete recordings at the defined limit, and include the retention period in your privacy notice. Automated deletion is better than manual deletion: it removes the risk that individual recordings are retained indefinitely through administrative oversight.

GDPR call recording compliance checklist for DACH sales teams

Use the checklist below to audit your current call recording setup against the key requirements under German law and GDPR.

Verbal notification before recording begins: every call, every time, in the caller's language where possible.
Real opt-out mechanism: the call can continue without recording if the other party declines.
Lawful basis documented: legitimate interests assessment (LIA) completed and on file, or consent mechanism implemented with compliant consent records.
AVV in place with every processor: call recording platform, telephony provider, transcription service, cloud storage vendor.
EU data residency confirmed or TIA completed: know where audio, transcripts, and AI outputs are stored and processed.
Retention policy defined and automated: specific retention period justified by purpose, automated deletion configured.
Privacy notice updated: call recording purpose, lawful basis, retention period, and processor identities disclosed to data subjects.
BDSG Section 26 / Betriebsvereinbarung: if employees are being recorded for performance monitoring and a works council exists, agreement in place before rollout.
Records of Processing Activities (RoPA) updated: call recording added as a processing activity under Article 30.
Data subject rights process tested: able to locate, export, and delete specific call recordings in response to a DSAR within 30 days.