AI Voice Transcription (II): accountability, rights and transparency

Continuing with the analysis begun in the previous article on the data protection implications of AI voice transcription services, this second article explores in greater depth the allocation of responsibilities under the General Data Protection Regulation (GDPR) framework, errors arising in the course of transcription, and the management of data subjects’ rights in light of the technical particularities of these tools. 


Photo by Egor Komarov on Unsplash

The integration of artificial intelligence into automated transcription processes represents a significant advance in organisational efficiency, yet it also introduces new challenges relating to compliance with data protection legislation. In this regard, its technical and legal implementation should be approached on the basis of accountability and respect for individual rights.

When an organisation decides to incorporate an AI voice transcription service into its processes (for the transcription of minutes or customer support, for example), it will be converting those processes into personal data processing operations and — regardless of whether the tools used are proprietary or third-party — will act as the controller, since it is the organisation that determines the purposes and means of the personal data processing activity.

The controller and the processor must exercise due diligence when selecting which AI products, services and applications are appropriate for voice transcription, having regard to the risks arising from their use. This choice must be limited solely to those that demonstrate their capacity to enable informed decision-making and to offer sufficient guarantees, through the proper implementation of appropriate technical and organisational measures, that GDPR compliance will be ensured. Such diligence must not be confined to the procurement phase, but must be maintained throughout the entire lifecycle of the processing. A passive adoption of the technology is not sufficient; both the controller and the processor must take the right to data protection into account when involved in the development and design of these products, services and applications, assessing — prior to their adoption and on an ongoing basis — the specific risks associated with automatic voice transcription, such as systematic errors, linguistic biases or the possible inference of special categories of personal data, and verifying that the provider offers adequate mechanisms for managing them.

A transcription is not a neutral text; it is a representation attributed to a specific individual within a processing operation in which the controller is obliged to comply with all the principles set out in Article 5 of the GDPR, including the principle of accuracy. A case may arise where the system transcribes a surname incorrectly (for example “Hitler” instead of “Schindler”), whether due to accent, words in another language, speed of speech, or simply a matter of individual speech patterns, thereby substantially altering the content and meaning of the information attributed to an identified or identifiable individual. 

Such inaccuracy is not a mere technical failure; it is a situation with direct legal implications. Where an incorrect transcription attributes to an individual information that does not correspond to what was actually said, the controller’s obligation is triggered to ensure its rectification without undue delay, in accordance with Article 16 of the GDPR, including statements attributed to or ascribed to the individual, erroneous identifying data, or declarations that do not correspond to what was actually expressed. 

Since the technical limitations of transcription systems are known and foreseeable, the accountability principle requires the controller not to wait for an error to occur before taking action. The controller must take a proactive approach, adopting appropriate measures to prevent, detect and correct inaccuracies. These measures may include informing data subjects of the system’s possible limitations and inaccuracies, human oversight of transcriptions, the implementation of clear and effective review and correction procedures, and the provision of accessible mechanisms enabling data subjects themselves to exercise their right of access and right to rectification.

With regard to the right of access (Article 15 of the GDPR), the data subject must be guaranteed effective access to the personal data concerning him or her, without restrictions being imposed on the basis of technical difficulties or the existence of third-party data (which may be necessary for the context of the meeting or conversation, where the data subject’s information may be intrinsically linked to third-party data, since the questions, comments and responses of other participants are essential for understanding the context and meaning of what was expressed) where the data of those third parties can be adequately protected. The right of access is guaranteed by providing the content of the information. The AEPD has indicated that it is not consistent with the GDPR to deny access to video recordings in a generalised manner solely because third parties appear in them, since technical means exist that allow those third parties’ rights to be protected — for example, through anonymisation or image-blurring techniques. In this regard, there are AEPD decisions that analyse and define the scope of this right where personal data are presented in complex formats, such as audiovisual recordings or events recorded on devices.

This principle is consistent with the express recognition of the right of access to data generated by connected devices established by the Data Act (Regulation (EU) 2023/2854). Indeed, its Article 4 recognises users’ right to access data produced through the use of connected products, including operational data, performance data and event logs, where they do not have direct access to them.

Furthermore, the transparency principle requires data subjects to receive clear, accessible and comprehensible information about the processing of their data. In the context of AI voice transcription, this information must include not only the standard elements provided for in Articles 12, 13 and 14 of the GDPR, but also, in line with Recital 39, an adequate explanation of the relevant risks of the processing.

Transparency in the context of voice recording is not limited to a one-off prior notification; indeed, enhanced transparency is key to managing risk in this type of processing. Data subjects must be aware that their data are being processed while the processing is taking place, and one way of achieving this is through a visible and active indicator — whether an on-screen notice, a light signal, a periodic audible tone or another equivalent mechanism — providing continuous information that the recording is in progress throughout the entire session.

The controller must ensure that information about the recording and its purposes reaches all participants effectively before the session begins, and that such information is reinforced by a perceptible mechanism for as long as the recording remains active. In this regard, in PS/00342/2023, the AEPD rejected the view that the mere fact of attendees joining a session, after having been warned that “by joining they give their consent”, is sufficient to satisfy the requirement of a freely given, specific, informed and unambiguous indication of the data subject’s wishes.

Consent given for recording a specific conversation cannot be interpreted as generic or open-ended consent for future recordings. Consent must be specific to each recording activity and must therefore be considered no longer valid at the end of the particular session for which it was given. The controller must implement mechanisms that ensure the automatic cancellation of the recording status upon conclusion of the activity (whether through session closure, disconnection of the transcription system, or otherwise), and it is not permissible to keep voice capture active beyond the temporal scope for which the legal basis was obtained. 

The existence of an automated system does not exempt the controller from fulfilling these obligations. Furthermore, the controller must inform data subjects of the retention period for the data — both the voice recording and the transcription — and of the mechanisms available for exercising their rights of access and rectification. 

This blog post is related to other materials published by the AEPD’s Innovation and Technology Division, including:
