When AI Meets GDPR: Supervisory Approaches to Workplace Voice Data in Greece and Germany
AI-based voice transcription tools are increasingly used in business settings, including meeting documentation, customer support and compliance processes. While efficient, these tools raise significant data protection concerns, as voice data may qualify as personal data under the GDPR.
Voice Data as Personal Data
In both Greece and Germany, an employee’s voice generally constitutes personal data where it enables the direct or indirect identification of a natural person, taking into account the context, available means and the state of the art.
Because voice recordings are usually combined with metadata (like phone numbers or IP addresses), usage data, and the content of communications, the ability to identify an individual must be considered together with these factors when assessing GDPR compliance.
German Perspective
In Germany, AI-based speech recognition is generally treated as highly sensitive from a data protection perspective. Both supervisory authorities and courts apply a strict and risk-oriented interpretation of the GDPR.
However, in its decision of 24 September 2020 (VK Berlin, 24.09.2020 – VK-B1-10/19), the Berlin Public Procurement Chamber held that voice recordings were not personal data where the speakers were not identifiable and no additional information enabling identification was available. The decision highlights that the qualification of voice data depends on a context-specific assessment of identifiability, although supervisory authorities tend to apply a more cautious approach in employment settings.
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) highlights the following practical recommendations:
- Privacy by design and by default as a core requirement for AI systems;
- Early risk assessment through data protection impact assessments under Article 35 GDPR, where applicable;
- Clear allocation of responsibilities between controllers and processors through contractual arrangements under Art. 28 GDPR;
- Alignment with evolving, interconnected regulatory frameworks, including the EU AI Act.
In practice, this requires voice transcription systems to be carefully configured to prevent unnecessary recording, storage or secondary use of voice data. Best practices for handling speech data stress the importance of transparency, consent and clear purposes for processing. Technical and organisational safeguards, such as strong encryption, access controls and anonymisation where feasible, are recommended to limit unnecessary exposure of speech data.
Greek Perspective
The Hellenic Data Protection Authority (HDPA) applies the GDPR in line with EU-wide standards, although its interpretation and enforcement tend, in certain instances, to be less expansive than in Germany.
While the HDPA has not issued guidance specific to AI voice transcription, it consistently enforces core GDPR principles, including:
- lawfulness, fairness and transparency;
- accountability of data controllers;
- effective protection of data subject rights.
This principle-based approach is reflected in investigations into AI applications, such as DeepSeek, where the HDPA determined that the non‑EU operator fell within the GDPR’s territorial scope and had failed to appoint an EU representative as required under Article 27 GDPR. The case was resolved only after the representative was designated, highlighting the authority’s proactive enforcement, emphasis on accountability, and focus on practical corrective action.
