Most workplace disputes are not really about what happened. They are about what someone remembers happening. A customer is certain they were promised free delivery. The salesperson is equally certain they were not. Two versions, no evidence, and an afternoon spent untangling something a single recorded call would have settled in thirty seconds.
That is why more and more organisations want to record their calls. And it is why the same question comes up every time: are you actually allowed to? The answer is yes, more often than people assume, but with conditions worth understanding before you press record. Here is what the law says, what GDPR requires, and how to record customer calls without ending up on the wrong side of either.
Is it legal to record phone calls in Sweden?
In Sweden you may record a phone call that you take part in yourself. It does not count as unlawful eavesdropping, because you are one of the parties to the conversation. Secretly recording or listening in on a call you are not part of is a different matter and is illegal, carrying a fine or up to two years in prison under the Swedish Criminal Code.
For a business, that means an employee recording their own customer calls is on solid ground as far as criminal law goes. Two things still apply, though. Passing the recording on to someone who was not part of the call can raise issues of confidentiality, and as soon as an organisation records calls systematically, data protection rules come into play. That is where GDPR enters.
This is general information, not legal advice. If you are unsure about your specific situation, check with a lawyer before you begin.
Can businesses record customer calls under GDPR?
Yes, businesses may record customer calls under GDPR, but a recording is processing of personal data and therefore needs both a legal basis and a clear purpose. In other words, you should be able to answer two questions before recording starts: why are we recording, and on what legal grounds?
The most common legal bases for call recording are legitimate interest and consent. Legitimate interest might cover quality assurance, training staff, or being able to establish what was said in a dispute, provided that interest outweighs the individual's privacy. In some cases, such as parts of banking and finance, recording is even a legal requirement under rules like MiFID II. The processing must comply with GDPR and the Swedish supplementary data protection act, and the purpose you state then governs everything else: which calls you record, who may listen, and how long you keep them.
Do you have to tell people you are recording them?
Yes, you have to inform the person being recorded. Even though criminal law lets you record a call you take part in without saying so, the GDPR transparency principle requires your organisation to tell the data subject anyway. The simplest place to do this is at the start of the call, or in a message before the call connects.
The notice does not need to be a reading of your entire privacy policy. It is enough to say that the call is being recorded, why you are doing it, and where anyone who wants to know more can read about how you handle the data. Treat it as a courtesy as much as a requirement. Most people are entirely relaxed about a call being recorded for quality or training. What sours the mood is finding out afterwards.
How long can you keep recorded calls?
You may keep recorded calls for as long as the purpose requires, and no longer. The GDPR principle of storage limitation means a recording should be deleted or anonymised once it is no longer needed for the purpose you originally stated. If you record for quality monitoring, you rarely need to keep the call for years, whereas a regulatory requirement such as MiFID II may set a specific retention period.
So decide on a retention period tied to the purpose, document it, and make sure recordings actually disappear when the time is up. In lynes, you set the retention period yourself, and recordings are deleted automatically when it expires. The point is that deletion should not be something you remember to do by hand. It should happen on its own.
Where are the recordings stored?
In lynes, recordings are stored in Sweden, encrypted, in a service that is built in Sweden and that we operate ourselves. For organisations that want control over where customer data ends up, that is a meaningful difference from services that spread recordings across data centres in several countries. Encryption is built in, and access is governed by permissions so that only the right people reach the right recordings.
One thing worth being straight about: in order to transcribe calls, data may, depending on the provider, need to be sent outside Sweden, but within the EU. Anyone with strict data residency requirements should therefore look at transcription separately. For the recording and storage themselves, the data stays in Sweden.
How to record calls the GDPR way with lynes
The nice thing about a built-in feature is that the requirements above become settings rather than extra work. call recording in lynes is developed in-house and fully integrated into the platform, so you avoid a separate third-party service with its own rules and its own data handling to keep track of. Most of what GDPR asks for is already there as controls, and these are the ones that matter in practice.
- A retention period on every recording. You set the retention period yourself, and recordings are deleted automatically when it expires, which is exactly what storage limitation requires.
- Automatic or up to the agent. Choose to record all calls automatically, or leave it to the employee. An agent can be given permission to start and stop recording during a live call, for instance if a customer wants to raise something that should not be recorded.
- A recording announcement at the start of the call. You can add a message that tells the caller the call is being recorded before it connects, so the transparency requirement is met from the first second.
- Control by number, answer group and permission. Decide exactly which numbers or answer groups are covered, and who may listen. An employee reaches their own calls, while a manager reaches the group's.
- Transcription and follow-up with Conversation Intelligence. Turn on Conversation Intelligence and every call is transcribed automatically and tagged with auto-labels, making recordings searchable and easy to follow up without anyone listening through them by hand.
It all happens in a Swedish, encrypted service that we operate ourselves. We have also covered how the feature works in practice, and why sales teams in particular benefit from it, in separate posts on the lynes blog.
Checklist: recording calls the GDPR way
Before you start recording customer calls, run through this list. It works as a quick check that you have the basics in place.
- Establish a legal basis and purpose. Decide why you are recording and which legal grounds you rely on, for example legitimate interest or consent.
- Inform the person being recorded. Say at the start of the call that recording is taking place, why, and where to find more information.
- Limit access. Make sure only those who need the recordings for their work can listen to them.
- Set a retention period and delete on time. Tie retention to the purpose and let recordings be deleted or anonymised automatically once the time is up.
- Store securely and within the EU or Sweden. Use encrypted storage and keep track of where data actually goes, including during transcription.
Frequently asked questions
Can you record phone calls without saying so?
Under criminal law you may record a call you take part in without announcing it, since it does not count as unlawful eavesdropping. But if you record as an organisation, GDPR requires you to inform the data subject anyway. In practice you should therefore always say that the call is being recorded.
Is it legal to record customer calls in Sweden?
Yes, it is legal to record customer calls in Sweden as long as the person recording takes part in the call and you meet GDPR. That means a legal basis, a clear purpose, informing the customer, and a defined retention period.
Do I need the customer's consent to record?
Not always. Consent is one of several legal bases, but many businesses rely instead on legitimate interest for quality and training. Which basis fits depends on the purpose, and the choice should be documented before recording starts.
How long can recorded calls be kept?
For as long as the purpose requires, and no longer. Storage limitation applies, and the recording should be deleted or anonymised once it is no longer needed. In lynes, you set the retention period yourself, and recordings are deleted automatically when it expires.
Where are recordings stored in lynes?
In Sweden, encrypted, in a service built in Sweden. To enable transcription, data may be sent within the EU depending on the provider, but the recording and storage themselves stay in Sweden.
TL;DR
Back to the dispute over free delivery. With a recorded call it becomes a non-issue, and that is really the whole point of call recording: not having to guess what was said. The law in Sweden lets you record calls you take part in yourself, and GDPR does not say no to businesses recording customer calls. It says you should have a purpose, a legal basis, inform the person you are recording, and not keep the recording longer than necessary. Get those pieces in place and recording is both lawful and fairly straightforward.
If you want to record calls in a Swedish, encrypted service built for exactly this, book a demo or talk to our sales team, and we will show you what it looks like in practice.
This is general information about the rules, not legal advice. Check your own handling with a lawyer before you set your routines.
