Call center evaluations are personal data processing activities under GDPR. Recording a call for quality monitoring, scoring it with AI, and storing the results all require a lawful basis, documented data flows, a signed Data Processing Agreement, and a retention policy. Most contact centers handle the recording side of compliance but underestimate the additional obligations that AI scoring introduces.

This guide covers the 6 steps compliance and IT managers should follow to ensure evaluations meet GDPR data protection requirements. According to ICO guidance on workplace monitoring, organizations must document their lawful basis and conduct a legitimate interests assessment before monitoring employees' calls.

What you need before you start: A list of all call recording systems in use, your AI evaluation vendor's name, your existing data retention policy, and a copy of your vendor's current DPA.

Does GDPR apply to phone calls?

Yes. Under GDPR, call recordings are personal data when they can identify an individual by voice, name, or phone number. Article 4(1) defines personal data as any information relating to an identified or identifiable natural person. Every recorded call involving an EU or UK data subject is subject to GDPR requirements for lawful processing, retention, and subject rights.

Step 1 — Map What Call Data Is Captured and Where It Is Stored

Before configuring any compliance settings, produce a data map documenting every point where call data is captured, transformed, or stored. This map is the foundation of your Data Protection Impact Assessment and the document that demonstrates accountability to regulators.

Your data map should include:

  • The recording point: which platform captures the raw audio and where it is stored
  • The transcription layer: if calls are transcribed by a third-party engine, that is a separate processing activity
  • The AI evaluation layer: which platform scores the calls and where scores are stored
  • Downstream systems: where scorecards and reports are stored

Common mistake: Mapping only the recording system and assuming everything downstream is covered by the same consent or lawful basis. Each new processing activity — transcription, AI scoring, scorecard storage — may require separate documentation and potentially a separate lawful basis.

This mapping step typically takes 4–8 hours for a mid-size contact center with 2–3 integrated systems. Revisit the map whenever you add a new integration or vendor.

Step 2 — Confirm Data Residency for EU Calls

GDPR Articles 44–49 restrict transfers of personal data outside the EU or UK, or to a country without an adequacy decision, unless a legal transfer mechanism is in place. For contact centers with EU-based callers or agents, call recordings, transcripts, and AI scores must either remain in EU/UK data centers or be covered by Standard Contractual Clauses (SCCs) or an equivalent transfer mechanism.

How Insight7 handles this step

Insight7 stores data in the customer's region of residence. For EU-based contact centers, call recordings and AI scoring data are processed and stored on EU-region AWS and Google Cloud infrastructure. Insight7 holds SOC 2, HIPAA, and GDPR certifications and does not train its models on customer data.

Request written confirmation of data residency from every vendor in your call processing chain. Transcription vendors and analytics platforms are equally subject to the Article 44 transfer restriction if they process personal data from EU calls.

Decision point: Single-vendor end-to-end processing (recording, transcription, and AI scoring in one platform) versus multi-vendor architecture. Single-vendor reduces transfer risk; multi-vendor requires a separate DPA and transfer mechanism for each vendor.

The UK ICO provides current guidance on data transfers at ico.org.uk/for-organisations/guide-to-data-protection.

See how Insight7 handles data residency and security: insight7.io/insight7-for-sales-cx-learning/

Step 3 — Verify the Vendor's DPA Covers Evaluation Use

A standard DPA covering call recording may not explicitly cover AI-based quality evaluation as a processing purpose. Review your vendor's DPA against a 5-point checklist:

  1. Named processing purposes (does the DPA explicitly name quality evaluation and AI scoring?)
  2. Sub-processor disclosure (are all sub-processors named, including cloud infrastructure and LLM providers?)
  3. Data deletion obligations (does the DPA specify deletion timelines when contract ends?)
  4. Breach notification timeline (does the DPA commit to Article 33-compliant notification within 72 hours?)
  5. Audit rights (does the DPA grant you audit rights or require third-party audit evidence?)

Common mistake: Accepting the vendor's standard DPA without reviewing it against your specific use case. If the DPA does not address AI scoring specifically, request a DPA addendum naming the additional processing purposes.

GDPR Article 28 requires that processing on your behalf be governed by a binding contract. The ICO confirms that every processor relationship requires a separate, current DPA at ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/processors/.

Step 4 — Configure Retention and Deletion Policies

GDPR Article 5(1)(e) requires personal data to be kept for no longer than necessary for the purpose for which it was collected — the storage limitation principle. For call quality evaluation, "necessary" typically means the period needed to complete the evaluation cycle and any related coaching follow-up.

Configure retention at three levels:

  • Raw call recordings: financial services often require 6–7 years under MiFID II; standard consumer calls may require only 6 months
  • AI evaluation scores and scorecards: align with your employment law obligations for performance records
  • Coaching reports: may be retained longer under legitimate interest, but this requires separate lawful basis documentation

Insight7 stores data on AWS and Google Cloud in the customer's region and maintains documented data deletion capabilities. Configure retention periods and deletion workflows in platform settings after confirming your lawful basis in Step 6.

Decision point: Automated deletion (simpler, requires confidence in your policy) versus manual deletion review (more control, creates bottlenecks). For most contact centers, automated deletion with a manual override for legal hold is the most defensible approach.

Step 5 — Run a Privacy Impact Assessment for AI Scoring

GDPR Article 35 requires a Data Protection Impact Assessment (DPIA) where processing "using new technologies" is "likely to result in a high risk to the rights and freedoms of natural persons." AI-based call evaluation using automated scoring triggers this requirement in most contact center contexts.

A DPIA for AI call evaluation should address: the nature of processing (systematic evaluation of employee or customer communications), the risk to individuals (what adverse consequences could result from an incorrect AI score), and mitigation measures (how inaccurate scores are corrected and how data subjects can request review).

Common mistake: Completing the DPIA template but not reviewing it with a qualified Data Protection Officer before deployment. A DPIA requires sign-off, not self-certification.

Step 6 — Document the Legal Basis for Recording and Evaluating Calls

GDPR Article 6 requires a lawful basis for every personal data processing activity. Recording calls and evaluating them with AI are two separate processing activities; each requires a documented lawful basis.

The three most commonly applicable lawful bases are:

  1. Legitimate interests (Article 6(1)(f)): Most common basis for employee call monitoring in commercial contact centers. Document the legitimate interest assessment (LIA).
  2. Legal obligation (Article 6(1)(c)): Applies where regulatory requirements mandate quality monitoring. Reference the specific legal obligation in your documentation.
  3. Consent: Rarely appropriate for employee monitoring because consent must be freely given, which is difficult to establish given the workplace power imbalance.

Insight7 is GDPR compliant and documents its security framework to support customers' own GDPR documentation requirements. Insight7 has had no security incidents in 3+ years of operation.

The ICO's full guide to lawful bases is at ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/.

How do I make AI call analytics software GDPR compliant?

Confirm EU data residency for any calls involving EU data subjects. Sign a current DPA with your AI vendor naming quality evaluation as a permitted processing purpose. Document your lawful basis under GDPR Article 6 for both recording and AI scoring as separate processing activities. Complete a DPIA before deployment and configure retention policies matching your legal obligations.

What Good Looks Like

A GDPR-compliant call center evaluation program produces a documented compliance posture within 60–90 days:

  • Data map covering every processing point from recording to scorecard storage
  • Written data residency confirmation from all vendors in the processing chain
  • Current DPAs signed with all processors, explicitly naming AI evaluation
  • Retention and deletion policies configured and documented
  • DPIA completed and reviewed by DPO before AI scoring deployment
  • Lawful basis documented for both recording and AI evaluation as separate activities

FAQ

Does GDPR apply to phone calls?

Yes. Call recordings are personal data under GDPR when they identify an individual by voice, name, or phone number. Article 4(1) covers any information relating to an identified or identifiable natural person. Every recorded call involving an EU or UK data subject is subject to lawful basis requirements, retention limits, and data subject rights.

Does AI have to comply with GDPR?

Yes. AI systems processing personal data — including call recordings used to score agent performance — must comply with GDPR. The controller (your organization) is responsible for ensuring lawful processing; the AI vendor is a processor under Article 28 and must operate under a binding DPA. Insight7 holds SOC 2, HIPAA, and GDPR certifications and does not train on customer data.

What is the lawful basis for call center quality monitoring under GDPR?

For employee call monitoring, legitimate interests under Article 6(1)(f) is the most common lawful basis, provided monitoring is proportionate and employees are informed. For regulated industries, legal obligation under Article 6(1)(c) applies where conduct rules mandate recording. Consent is rarely appropriate for employee monitoring due to the workplace power imbalance. See the ICO's full guide to lawful bases for processing for current guidance.

Compliance or IT manager building GDPR-compliant call evaluation processes? See how Insight7 handles data residency and security for contact centers in a 20-minute walkthrough.