Transcription of online meetings

Introduction

For many employees, online meetings are an integral part of their schedule. Until now, handwritten minutes have often been taken to document and follow up on the content discussed there. To simplify this task, transcription soft­ware is increasingly being used. Transcription is the automatic creation of meeting minutes by recording the participants‘ contributions in real time and then transcribing them. This regularly involves the processing of employees‘ personal data, such as their name, voice, and the content of their contributions, which means that the General Data Protection Regulation (GDPR) applies. The company that has decided to use the transcription software is responsible for ensuring that it is used in compliance with data protection regulations. It should be noted that the protection of natural persons with regard to the processing of personal data concerning them is a fundamental right (see Recital 1 GDPR), which includes the protection of the voice and one‘s own words. The speaker should be able to decide for themselves who is allowed to hear what they say. If the spoken word is transcribed in real time without the speaker having any influence, the intensity of the intervention is considered high. This is exacerbated by the hierarchical re­lationship between employer and employee. This raises the question for companies using transcription software as to the legal basis on which the associated data processing can be based and how the comprehensive information obligations towards the data subject can be implemented.

Consent as a legal basis 

The processing of personal data is only lawful if it can be based on a legal basis (prohibition with reservation of permission, Art. 6 (1) GDPR). Only consent in accordance with Art. 6 (1) (a) GDPR covers the processing activities in the context of transcription in a legally compliant manner. The legitimate interest pursuant to Art. 6 (1) (f) GDPR is already countered by the overriding interest of the data subject in ensuring the confidentiality of non-public speech when recording telephone conversations (cf. Activity Report 2022 of the LfD Sachsen). This should then apply all the more to transcription. Consequently, the consent of the data subjects is mandatory. However, the company must fulfill various requirements for consent to be effective and must take into account not only data protection issues but also criminal law concerns.

Companies with a works council are also free to conclude a works agreement that serves as the legal basis for the use of transcription software (Art. 88 (2) GDPR in conjunction with Section 26 (4) BDSG).

The criminal law requirements of Section 201 of the German Criminal Code (StGB)

The spoken word is considered particularly worthy of protection under German law. The unauthorized recording of another person’s non-public spoken words on an audio medium may constitute a criminal offense for breach of confidentiality pursuant to Section 201 of the German Criminal Code (StGB). Transcription — i.e., the written recording of the spoken word — does not in itself fulfill these requirements. Nevertheless, when a transcript is created, it is often temporarily stored (on the software provider’s servers) and thus constitutes a recording within the meaning of Section 201 of the German Criminal Code (StGB). A recording is unauthorized if it is made without or against the will of the person concerned — i.e., without consent. The decisive difference between the criminal law and data protection law assessment lies in the requirements for the validity of consent. In criminal law, tacit or presumed consent is sufficient (see Activity Report 2024 of the LfDI BW). Implied consent means that the person concerned is aware of the recording and does not consciously object to it. Consequently, companies should inform their employees of the possible criminal liability under Section 201 StGB for (secretly) recording audio files, as well as storing and distributing them.

The data protection requirements of Art. 6 (1) (a) GDPR

In contrast to criminal law, the GDPR imposes higher requirements on data protection law with regard to effective consent for the transcription of online meetings. For consent to be effective, the data subject must give it in an informed manner, voluntarily, and in relation to a specific case in the form of an explicit statement or a clear affirmative action (see Recital 32 GDPR).

The company must provide the data subject with comprehensive information about the data processing procedure (principle of transparency pursuant to Art. 5 (1) (a) GDPR). This includes, among other things, information about the purpose of the transcription, the categories of data collected, the recipients of the data, the storage period, and, in the case of automated processing, the logic involved. When using external transcription software, the company is initially dependent on the information provided by the software provider. Even if this information is insufficient, the company is not released from its obligation to provide information and should select the software provider carefully. The information must be communicated to the data subject when their personal data is collected, i.e., prior to the transcription of the online meeting. In its 2024 activity report (page 135),  the LfDI BW recommends providing information on data processing pursuant to Art. 13 GDPR in the invitation to the online meeting. In addition, a pop-up window should be displayed in the meeting immediately before the recording begins, which must be actively clicked away by the data subject.

Furthermore, consent must be given voluntarily, i.e. without external coercion. The GDPR is a regulation of the European Union, whereby member states are permitted to enact specific regulations for data processing in the employment context (so-called opening clause). In Germany, Section 26 of the Federal Data Protection Act (BDSG) makes use of the power to specify provisions in the employment context under Art. 88 (1) GDPR. In addition to the circumstances surrounding the granting of consent, Section 26 (2) BDSG takes into account the existing dependency between employer and employee. Accordingly, consent may be deemed to be voluntary in particular if it results in a legal or economic advantage for employees or if the employer and employee pursue similar interests. As soon as the person speaking feels influenced, pressured, determined, or coerced, without the need for actual coercion, voluntariness is ruled out (see DSK Brief Paper No. 14). Various situations are conceivable in which peer pressure arises and leads to an involuntary declaration of consent. This could be the case, for example, if consent is requested during a meeting that is already taking place or in the presence of other employees. In job interviews, an applicant might fear disadvantages that could induce them to give their consent. Pressure situations, such as contract negotiations, can also push the speaker to give consent.

In contrast to criminal law, data protection law requires active participation by the data subject for consent to be valid. Tacit consent by the data subject or pre-ticked checkboxes do not constitute valid consent. In employment relationships, the right to self-determination is additionally safeguarded by the requirement that consent must be given in written or electronic form.

Furthermore, the speaker has a right of revocation. The declaration of consent can be revoked by the speaker at any time with effect for the future, which means that further transcription of the revoking person’s contributions becomes unlawful. This can not only pose technical challenges for the software, but also challenge companies if data subjects declare their revocation during an ongoing online meeting.

Due to the high data protection requirements, companies should therefore ensure that employees are fully informed when requesting consent and that they do not face any disadvantages if they refuse to give their consent. In addition, companies must include the use of transcription software in their record of processing activities and, if necessary, carry out a data protection impact assessment in order to comply with data protection documentation requirements.

Special categories of data

During an online meeting, it may happen that particularly sensitive data is discussed and further protective measures are required. As soon as the spoken content contains information about, for example, health conditions, political opinions, or union membership, Art. 9 GDPR tightens the requirements. Consent must now be expressly declared. This means that there must be no doubt that the person speaking has consented to the transcription.

Occasionally, personalized voice profiles are created during transcription to separate individual contributions from different people. Since the voice is a physical characteristic that enables the unique identification of individuals, it constitutes biometric data pursuant to Art. 4 No. 14 GDPR and also requires special protection. However, the creation of voice profiles mainly concerns face-to-face meetings in which no (user) names can be used to separate the contributions. For the processing of biometric data, it is also conceivable that the transcription software could be used to create profiles of the voting behavior of individual persons. In these cases, explicit consent is also required.

Furthermore, with the exception of special cases, recourse to the additional legal bases of Art. 9 (2) GDPR is likely to be excluded for particularly sensitive categories of data. Above all, if the speaker has not obviously made their contributions public, Art. 9 (2) (e) GDPR. To assume this, however, the group of persons who usually take note of the speaker’s contributions in the context of an online meeting is too limited.

Video conferencing tools with integrated transcription function

Some video conferencing tools already have a built-in transcription feature, including Zoom and Microsoft Teams. The feature is technically designed so that participants see a notification in the form of a pop-up window on their screens as soon as the transcript is created by recording the spoken contributions. The notification asks participants to give their consent by clicking on the “Agree” button. However, according to Art. 4 No. 11 GDPR, not every expression of will by the data subject is sufficient for effective consent, but only one that is given voluntarily for the specific case, in an informed manner and unambiguously. In practice, consent fails here because the information requirements under Art. 13 GDPR have not been implemented. Pressure situations cannot be ruled out either, which means that the voluntary nature of the declaration also remains questionable. As a result, the notification pop-ups used by video conferencing providers do not meet the data protection requirements for effective consent. Regardless of technically preset notifications, it therefore remains the responsibility of companies to obtain the prior consent of participants and to comply with their information obligations.

Conclusion

The automatic creation of conversation logs in real time can be advantageous for companies, but it also constitutes a significant intrusion into the privacy of the person speaking, including the protection of their voice and their own words. From a data protection perspective, this can only be done with the consent of the person speaking, except in the case of company agreements. In this context, a distinction must be made between the data protection requirements for consent under Art. 6 (1) (a) GDPR and the criminal law requirements under Section 201 of the German Criminal Code (StGB).

In criminal law, the act of temporarily storing data (on the software provider’s server) for the purpose of creating a transcript can be justified by implied consent. In contrast, under data protection law, transcription can only be justified by consent that has been given by the speaker in an informed manner, voluntarily, and in relation to a specific case in the form of an explicit declaration or a clear confirmatory action. Data protection law is therefore stricter than criminal law in this respect. This means that companies or the respective responsible persons are generally not liable to prosecution if they only use the notification pop-ups provided for this purpose by well-known video conferencing providers — such as Zoom or Microsoft Teams — to obtain their employees’ consent to the transcription of online meetings, but they nevertheless regularly violate data protection law. Companies are therefore required to draft their own declarations of consent and data protection notices — in accordance with Art. 13 GDPR — and to present these to their employees in a transparent and proper manner in order to obtain their effective consent to the transcription of online meetings. In addition to the information requirements, the documentation requirements must not be neglected.