Spain Recording Laws: One-Party Consent, Art. 197 & GDPR (2026)

Quick Answer: Is Spain One-Party Consent?

Spain is a one-party consent country for recording. Any participant in a private or telephone conversation may record it without informing or obtaining the agreement of the other party. No beep tone, notice, or advance disclosure is required.

This rule applies to phone calls, in-person meetings, video conferences, and any other medium where you are a genuine participant in the conversation being recorded. The rule traces directly to Sentencia 114/1984 of the Spanish Constitutional Court (Tribunal Constitucional), decided November 29, 1984, which held that recording your own conversation does not violate Article 18.3 (secrecy of communications) or Article 18.1 (right to personal and family privacy) of the Spanish Constitution.

Third-party recording is treated entirely differently. A person who is not part of the conversation and intercepts it commits a criminal offense under Codigo Penal Article 197.1, carrying 1 to 4 years in prison and a fine of 12 to 24 months.

For businesses operating in Spain, the one-party consent rule under criminal law does not replace GDPR obligations. A company that records customer calls must still have a valid legal basis under GDPR Article 6 and must inform callers that recording is taking place. Criminal consent and GDPR consent are separate legal concepts.

For international visitors, Spain's framework is more permissive than Germany (two-party consent under § 201 StGB) and broadly comparable to the United Kingdom and France. Within the European Union, Spain's one-party rule does not override the GDPR, which applies uniformly across member states.

Constitutional Foundation: Article 18.3

Article 18.3 of the Spanish Constitution (Constitucion Espanola, 1978) guarantees the secrecy of communications. Postal, telegraphic, and telephone communications are inviolable except pursuant to a judicial order.

This constitutional right shields conversations from external intrusion. A police officer cannot tap your phone without judicial authorization. Your employer cannot bug your private office conversations without meeting the high threshold set by LOPDGDD Article 89.3. Your neighbor cannot surveil your home telephone without a court order.

The constitutional protection runs between the parties to a communication and the outside world. It does not run between one participant and another. This is the critical structural point. Each party to a conversation already has full access to the content being communicated. Recording that content, while remaining a participant, does not constitute an intrusion from outside.

Article 18.1, also constitutionally protected, covers the broader right to personal honour, personal and family intimacy, and personal image. This is where Ley Organica 1/1982 enters the picture as the civil-law instrument for enforcing image and privacy rights short of criminal prosecution (addressed in its own section below).

STC 114/1984: The Ruling That Settled One-Party Consent

On November 29, 1984, the Constitutional Court issued Sentencia 114/1984. The case involved a recording made by one participant in a conversation, without the knowledge of the other party.

The court held that recording your own conversation, even without informing the other person, is a lawful act. It does not violate the constitutional right to secrecy of communications under Article 18.3 and does not violate the right to personal and family intimacy under Article 18.1.

The reasoning rests on the concept of intromision from outside. Article 18.3 protects against interference by a third party who is not part of the communication. A participant in the conversation is not a third party. That participant already has complete access to what is being said. Choosing to preserve that content through a recording does not constitute an intrusion from outside the protected sphere.

STC 114/1984 also confirmed that participant-made recordings are admissible as evidence in judicial proceedings. A recording does not become unlawfully obtained evidence simply because the other party was unaware of it. The court found no constitutional obstacle to submitting such a recording before a tribunal, provided the recording has not been altered or manipulated.

This ruling has been consistently applied by the Tribunal Supremo (Supreme Court) in subsequent decades. In employment disputes, the Supreme Court has affirmed the same principle: an employee who records a disciplinary hearing or a meeting with their employer does so lawfully and the recording is valid evidence in labor proceedings, as long as the recorder was a participant and the recording is submitted in unedited form.

Codigo Penal Article 197: The Criminal Privacy Statute

The Codigo Penal, enacted by Ley Organica 10/1995 and last amended in 2026, dedicates its Title X (Articles 197 through 201) to crimes against privacy, the right to one's own image, and the inviolability of the home. Article 197 and its sub-articles define the core criminal offenses relevant to recording.

Article 197.1: Core Prohibition

Article 197.1 punishes anyone who, without consent, seizes papers, letters, emails, or other documents, or intercepts telecommunications, or uses technical devices for the recording, transmission, or reproduction of sound, image, or communication signals, in order to discover the secrets or violate the privacy of another.

Penalty: 1 to 4 years in prison and a fine of 12 to 24 months.

The key limiting elements are "without consent" and "of another." A participant recording their own conversation has consent by definition and is recording content they are already party to. Article 197.1 targets the outsider: the person who plants a recording device in a room they do not occupy, the individual who taps a phone line they are not on, or anyone who intercepts digital communications between other people without their knowledge.

The statute also requires that the purpose be to "discover secrets or violate the privacy" of the target. This purpose element distinguishes surreptitious surveillance from incidental recording (for example, a security camera that happens to capture a conversation without targeting any individual's secrets).

Article 197.2: Unauthorized Data Access

Article 197.2 covers the unauthorized seizure, use, or modification of personal or family data stored in files, databases, or electronic systems, without the consent of the person to whom the data belongs and causing harm to that person.

Penalty: 1 to 4 years in prison and a fine of 12 to 24 months.

Article 197.3: Dissemination of Intercepted Material

If a person disseminates, reveals, or transfers to third parties data, facts, or images discovered through the acts described in Articles 197.1 or 197.2, the penalty increases.

Penalty: 2 to 5 years in prison.

This distinction is practically important. Recording a conversation you participate in is lawful. But sharing that recording in a way that damages the other person's privacy or reputation can cross into criminal territory, depending on the content and the manner of distribution.

Article 197.4: Aggravated Offenses

When offenses under Articles 197.1 or 197.2 are committed by persons responsible for files, computer systems, or records, or through unauthorized use of personal data belonging to the victim, the penalties increase.

Penalty: 3 to 5 years in prison.

Article 197.6: Profit Motive and Sensitive Data

When any acts described in Articles 197.1 through 197.4 are committed for financial gain, penalties are imposed in their upper half. When the offense involves especially sensitive personal data (health information, sexual orientation or behavior, political beliefs, religious or ideological convictions, or trade union membership), the penalty jumps substantially.

Penalty: 4 to 7 years in prison for sensitive data offenses committed for profit.

Article 197 bis: Unauthorized Computer System Access

Article 197 bis, introduced by Ley Organica 1/2015, addresses two distinct digital offenses. The first paragraph punishes anyone who, without authorization and in violation of security measures, accesses or remains within a computer system or any part of it. The second paragraph punishes the interception of non-public transmissions of computer data to, from, or within a computer system, including electromagnetic emissions carrying that data.

Penalty: 6 months to 2 years prison. Penalties increase to 2 to 5 years when the attack is directed at critical infrastructure, information systems of particular public interest, or is carried out as part of a criminal organization.

This provision is relevant to recording law because it criminalizes digital interception even without physical device placement. Intercepting a WhatsApp or Signal message stream without authorization falls under Article 197 bis, not merely Article 197.1.

Article 197 ter: Facilitating Tools

Article 197 ter punishes the production, acquisition, importation, or possession of computer programs, codes, or equipment primarily designed to facilitate the offenses in Articles 197 or 197 bis.

Penalty: 6 months to 2 years prison.

Article 197 quinquies: Corporate Criminal Liability

Article 197 quinquies establishes that legal persons (companies, organizations) can be held criminally liable when offenses under Articles 197 through 197 quater are committed on their behalf or in their interest, by their legal representatives, administrators, or employees, without adequate compliance controls. Corporate penalties follow the general framework of Article 31 bis of the Codigo Penal and can include substantial fines and operational restrictions.

Article 197.7: Intimate Images, Organic Law 10/2022, and Deepfakes

Article 197.7 addresses non-consensual distribution of intimate images and recordings. The provision punishes anyone who, without authorization, distributes, reveals, or transfers to third parties images or audiovisual recordings obtained with the subject's consent in a private setting, when the disclosure seriously harms the subject's personal privacy.

Penalty: 3 months to 1 year in prison, or a fine of 6 to 12 months.

Organic Law 10/2022 (Ley Organica de Garantia Integral de la Libertad Sexual) significantly expanded the provision. Before the amendment, only the original collector of intimate images faced liability. After the reform, anyone who subsequently shares such images without the subject's consent faces the same criminal liability. If you receive intimate images from someone else and forward them, you can be prosecuted.

Aggravating circumstances increase penalties to the upper half of the range when:

• The victim is a minor or a person with a disability requiring special protection.
• The offender is or was the victim's spouse, intimate partner, or ex-partner, regardless of cohabitation.
• The distribution was carried out for profit.

Deepfakes and AI-Generated Intimate Imagery

Article 197.7 was written for recordings of real acts. A legal question arises with AI-generated or AI-manipulated content: does distributing a photorealistic deepfake image of a person in an intimate scenario without their consent fall under Article 197.7?

The provision's text requires that the imagery was "obtained with [the subject's] consent in a private setting." AI-generated imagery was never obtained from the person at all. This gap has been widely recognized by Spanish legislators.

A parliamentary proposal registered in the 15th legislature of the Congreso de los Diputados (BOCG-15-B-23-1) sought to create specific new Penal Code offenses for non-consensual AI-generated intimate imagery. The proposal documented that between 90 and 95 percent of deepfakes can be classified as pornographic content, and that 90 percent impersonate the identity of women. As of May 2026, this proposal had not been enacted into law.

In the interim, prosecutors have pursued AI-generated NCII cases under existing provisions including Article 197.7 (for AI-manipulated versions of real imagery), Article 197.1 (where the AI process itself constituted an unauthorized invasion of privacy), and Article 173 (degrading treatment). The legal basis remains unsettled pending specific legislation.

Ley Organica 1/1982: Civil Remedies for Privacy and Image Rights

Alongside the criminal provisions of the Codigo Penal, Ley Organica 1/1982 (Ley Organica de Proteccion Civil del Derecho al Honor, a la Intimidad Personal y Familiar y a la Propia Imagen) provides a distinct civil-law remedy for violations of the rights to honour, personal and family intimacy, and personal image. A victim of an unlawful recording does not need to file a criminal complaint; they can pursue a civil action under this law independently.

Article 7: What Constitutes an Illegitimate Intrusion

Article 7 of Ley Organica 1/1982 lists eight categories of illegitimate intrusions. Those most relevant to recording law are:

Article 7.1: The placement of listening, filming, optical, or any other recording device in any location for the purpose of capturing the intimate life of a person.

Article 7.2: The use of such devices or means to acquire knowledge of a person's intimate life or of their private statements not intended for the user of those devices, including their recording, registration, or reproduction.

Article 7.5: The capture, reproduction, or publication of the image of a person in places or moments of their private life, even when the location is a public space. This provision covers situations where a person is in a technically public location but is in a moment that is inherently private (for example, capturing someone in a moment of distress, a medical episode, or an intimate conversation in a park).

These provisions operate alongside the one-party consent framework. A participant in a conversation who records it does not violate Article 7.2 (because they are not a third party acquiring knowledge of a conversation they are not party to). But a third party who records a private conversation, photographs a person in a private moment in a public space, or uses surveillance equipment to capture intimate activity violates Article 7 even if criminal charges are not pursued.

Article 9: Civil Remedies

Article 9 of Ley Organica 1/1982 specifies the judicial protection available to victims of illegitimate intrusions:

• Cessation and restoration. The court can order an immediate stop to the intrusion and restoration of the prior state, at the defendant's expense. This includes ordering the deletion or destruction of recordings.
• Publication of the judgment. In cases involving media or public disclosure, courts can order publication of the judgment at the defendant's expense.
• Prevention. Courts can prohibit imminent or future intrusions.
• Damages. Victims can recover compensatory damages for both material and moral harm. Importantly, moral damages are presumed upon proof of the intrusion. The victim does not need to prove the extent of emotional suffering.
• Disgorgement of profits. Where the defendant profited from the intrusion (for example, selling images or recordings), the victim can recover the defendant's profits in addition to any personal damages.

A four-year statute of limitations applies from the date the victim became aware of the intrusion and its author.

The civil route is often faster and more accessible than criminal prosecution for individuals whose privacy has been violated. It does not require the state to pursue prosecution and allows direct victim-controlled litigation.

Recording Phone Calls in Spain

Phone call recording in Spain follows the same one-party consent principle established by STC 114/1984. If you are a party to the call, you may record it without telling the other person. This applies to landline calls, mobile calls, and VoIP calls through platforms such as WhatsApp, Signal, Zoom, or Teams. No statute requires you to announce the recording or play a beep tone during personal calls.

The Tribunal Supremo has reaffirmed this principle in multiple rulings. STS 145/2023 of March 2, 2023 confirmed that a recording made by one interlocutor does not violate secrecy of communications. STS 753/2024 further clarified the procedural rules for submitting participant-made recordings as judicial evidence.

Encrypted messaging applications deserve a note. The interception prohibition in Article 197.1 and the digital interception offense in Article 197 bis apply regardless of whether communications are encrypted. If you are not a party to a WhatsApp conversation between two other people, intercepting it, even without breaking the encryption, is a criminal offense. End-to-end encryption does not create a legal right to intercept; it simply raises the technical difficulty.

Third-party recording of phone calls remains criminal. Intercepting a call between two other people without judicial authorization falls squarely under Article 197.1.

In-Person Recording

Face-to-face conversations follow the same one-party consent rules. If you are present and participating in the conversation, you may record it. If you are not part of the conversation, recording it is an interception under Article 197.1.

A hidden voice recorder in your pocket during a meeting you attend is lawful under the Codigo Penal one-party consent framework. A recorder placed in a room where a meeting occurs without you present is not. Spanish courts have drawn this line consistently, treating the medium of communication as irrelevant. What matters is whether the recorder is a genuine participant.

In employment litigation, this rule has been applied regularly. The Tribunal Supremo has held in multiple labor cases that employee-made recordings of workplace meetings, disciplinary hearings, and HR conversations are admissible as evidence when the employee was a participant and the recording is submitted unedited.

Recording in Public Places

Spain does not impose a blanket prohibition on recording in public spaces. Filming or photographing streets, parks, plazas, and other open public areas is generally permitted.

Privacy expectations shift based on context. A person addressing a crowd in a public square has limited privacy expectations for their public statements. A private conversation between two individuals on a park bench, or a person in a moment of distress or medical difficulty in a public space, retains greater protection.

Ley Organica 1/1982, Article 7.5, specifically prohibits the capture, reproduction, or publication of a person's image in moments or places of their private life, even when the physical location is public. This means the civil-law prohibition follows the private character of the moment rather than the location. Recording a public performance is permissible; recording a private conversation in a park without participation in that conversation can give rise to civil liability.

Commercial photography or filming in public spaces may additionally require permits under local municipal regulations, separate from the privacy analysis.

Recording Police Officers

Recording police in Spain has a complicated legal history shaped by Ley Organica 4/2015 (Ley de Proteccion de la Seguridad Ciudadana), commonly known as the "Ley Mordaza" (Gag Law).

Original Article 36.23 and the "Unauthorized" Provision

Article 36.23 of the original Ley Mordaza classified as a serious offense the "unauthorized" use of images or personal data of security force members when such use could endanger the personal or family safety of officers, the safety of protected facilities, or the success of an operation.

Fine: 601 to 30,000 euros.

This provision drew intense criticism from press freedom organizations and civil liberties groups, who argued it gave police an effective veto over documentation of their conduct.

STC 172/2020: The Constitutional Court's Ruling

On November 19, 2020, the Constitutional Court issued STC 172/2020. The court struck down the word "unauthorized" from Article 36.23, holding that requiring authorization before recording police action was unconstitutional. The effect was to remove the prior authorization requirement entirely.

After STC 172/2020, recording police action does not require permission. Recording itself is not an offense. The remaining offense is disseminating footage in a manner that creates a concrete risk to officer safety, the safety of their families, protected facilities, or active operations.

You can film a traffic stop, record an arrest, or video a police checkpoint. You can retain the footage and use it as evidence in a complaint or judicial proceeding. What you cannot do is publish footage in a manner that specifically endangers an identifiable officer or compromises an ongoing undercover operation.

Ley Mordaza Reform Status

As of May 2026, proposals to reform Ley Organica 4/2015 were before the 15th legislature of the Congreso de los Diputados. Multiple parliamentary groups had submitted proposals seeking structural reform of the citizen security framework. No enacted amendment to Article 36.23 had been published in the Boletin Oficial del Estado. The version of Article 36.23 as modified by STC 172/2020 remained the operative law.

Police officers cannot legally order you to delete recordings. A demand to erase footage has no legal basis after STC 172/2020. Officers who confiscate recording devices without judicial authorization may face disciplinary or criminal consequences. Confrontations over recording rights do occur in practice; knowing the framework and remaining calm is advisable.

Workplace Recording

Workplace recording in Spain involves the intersection of criminal law, labor law, and data protection regulation.

Employees Recording Conversations

An employee who participates in a workplace conversation may record it under the one-party consent rule. This includes meetings with supervisors, disciplinary hearings, salary negotiations, and conversations with HR representatives. Spanish labor courts (Jurisdiccion Social) regularly admit such recordings as evidence in wrongful dismissal and workplace harassment cases.

The Tribunal Supremo has affirmed that participant-made recordings are valid evidence when the employee is exercising their right to defend legitimate interests. Two conditions apply: the employee must have been a genuine participant in the conversation, and the recording must be submitted in unedited form. Courts will reject recordings showing signs of editing, and presenting manipulated evidence can itself constitute a criminal offense.

Employer Surveillance of Employees

Employer surveillance is governed primarily by LOPDGDD Article 89 and the GDPR.

Video surveillance in the workplace is permitted if: employees are informed that cameras are present (the AEPD requires visible signage); the monitoring serves a legitimate purpose such as security or verifying compliance with labor obligations; cameras are not placed in rest areas, changing rooms, bathrooms, or dining areas (Article 89.2 LOPDGDD); and recorded images are kept for a maximum of one month unless needed as evidence of a specific incident.

Audio surveillance faces much stricter limits. LOPDGDD Article 89.3 permits sound recording only when the workplace activities generate relevant risks to the safety of facilities, goods, or people. The AEPD has interpreted this as a high bar. Routine audio monitoring of office conversations does not meet the threshold.

Spanish labor courts apply a proportionality test. The employer must demonstrate that the surveillance measure was necessary, that less intrusive alternatives were inadequate, and that monitoring was proportional to the identified risk.

Right to Digital Disconnection

LOPDGDD Article 88 establishes the right to digital disconnection for workers. Employers must adopt and publish an internal policy on the use of digital devices and define employees' right not to be contacted outside working hours. Workplace monitoring policies, including those covering recording of calls or meetings, must be consistent with this right. Systematic recording of communications that extends beyond working hours would likely conflict with Article 88.

AEPD Guidance on AI Voice Transcription

In April 2026, the AEPD published guidance specifically addressing AI voice transcription tools used in workplace and business settings. The guidance requires controllers who deploy AI transcription to:

• Carry out due diligence to select tools with demonstrated GDPR compliance capacity.
• Provide transparent, continuous notice during active recording (visible on-screen indicators, indicator lights, or audible signals), not merely a one-time disclosure at the start of a session.
• Obtain specific, session-by-session consent rather than blanket authorization for future recordings.
• Automatically deactivate recording upon session conclusion.
• Proactively correct inaccuracies in transcriptions rather than waiting for complaints.
• Inform data subjects of specific retention periods.

GDPR and Data Protection (LOPDGDD)

Spain implements the EU General Data Protection Regulation through Ley Organica 3/2018 (LOPDGDD). The Agencia Espanola de Proteccion de Datos (AEPD) is the national supervisory authority with broad enforcement powers.

Voice Recordings as Personal Data

The AEPD has confirmed that voice recordings constitute personal data under the GDPR because a voice can identify an individual. Any organization that records, stores, or processes voice recordings must comply with GDPR requirements, including having a valid Article 6 legal basis.

Biometric Data: Voice Used for Identification

When voice recordings are processed for the purpose of uniquely identifying a natural person (for example, voice authentication, biometric verification, or speaker recognition systems), they constitute special-category biometric data under GDPR Article 9. Processing special-category data requires both a valid Article 6 legal basis and one of the Article 9(2) grounds, most commonly explicit consent. This is a significantly higher threshold than ordinary personal data processing.

The AEPD fined biometric age-verification company Yoti a total of €950,000 on March 10, 2026. The breakdown: €500,000 for unlawful processing of biometric data under GDPR Article 9; €200,000 for invalid consent under Article 7; and €250,000 for excessive data retention under Article 5.1(e). Yoti has appealed to the Spanish High Court. The case illustrates that the AEPD actively pursues violations involving biometric and special-category data.

Legal Basis Requirements for Ordinary Voice Recording

Under GDPR Article 6, processing voice recordings (not used for biometric identification) requires one of the following bases:

• Consent: The data subject freely and specifically agrees to the recording. Consent must be as easy to withdraw as to give.
• Contractual necessity: The recording is needed to perform a contract with the data subject.
• Legal obligation: A law or regulation requires the recording.
• Legitimate interest: The controller's legitimate interest outweighs the data subject's rights. The AEPD has confirmed this basis for call-center quality assurance recording, provided the caller is notified and given the option to object.

One-party consent under criminal law and GDPR consent are different legal concepts. You can legally record your own conversation without the other party's knowledge under the Codigo Penal. But if your organization processes that recording, you still need a separate GDPR-compliant legal basis.

Business Call Recording Obligations

Businesses recording customer or client calls in Spain must:

• Inform callers at the start of the call that recording is taking place.
• State the purpose of the recording.
• Identify the data controller.
• Explain the caller's rights: access, rectification, erasure, portability, and the right to object.

AEPD Enforcement Record

The AEPD is one of Europe's most prolific data protection enforcement authorities. GDPR fines can reach 20 million euros or 4 percent of global annual turnover, whichever is higher. The AEPD issued 683 resolutions with financial sanctions in 2024, making Spain consistently among the top three EU member states by volume of GDPR enforcement action. Organizations processing voice recordings without adequate legal documentation and transparency face real enforcement risk.

EU AI Act, Deepfakes, and AI-Generated Content

EU Regulation 2024/1689 (the EU AI Act) entered into force in August 2024. Its Article 50 transparency obligations apply from August 2, 2026, imposing disclosure requirements on deployers of AI systems that generate synthetic audio, video, or image content.

Article 50: What Deployers Must Disclose

Under Article 50(4) of the AI Act, deployers must ensure disclosure when content is artificially generated or manipulated as a deepfake. For AI-generated audio, the obligation requires audible disclaimers. For AI-generated or AI-manipulated video and images, deployers must use persistent visual indicators. For AI-generated text published to inform the public on matters of public interest, disclosure is required unless the content has been editorially reviewed by a responsible party.

The disclosure must be provided in a clear and distinguishable manner. The European Commission issued a draft Code of Practice on AI-generated content transparency in December 2025 proposing a standardized EU-wide icon and modality-specific labeling standards. The final code was expected in June 2026 ahead of the August 2, 2026 effective date.

Exemptions include: content serving artistic, creative, satirical, or fictional purposes where disclosure would be unreasonable; uses authorized for law enforcement purposes; and AI tools that constitute minor assistive editing not substantially altering original content.

Spain's Pending Deepfake Legislation

A Proposicion de Ley Organica on regulating AI-generated simulations of persons' images and voices (registered in the 15th legislature as BOCG-15-B-23-1) sought to create specific new Penal Code offenses for non-consensual AI-generated intimate imagery. The proposal's explanatory memorandum identified that 90 to 95 percent of deepfakes can be classified as pornographic content, with 90 percent targeting the identity of women. As of May 2026, this proposal had not been enacted. Prosecutors have pursued some AI-generated NCII cases under existing provisions of Articles 197.7 and 173 of the Codigo Penal on a case-by-case basis.

Cross-Border Recording

Recording conversations that cross international borders raises questions about which country's laws apply.

Criminal Law: Territorial Jurisdiction

Spain's Codigo Penal applies Spanish criminal law to conduct occurring on Spanish territory and to conduct that produces effects in Spain, under Articles 23 and 24 of the Ley Organica del Poder Judicial. A person in France who intercepts a phone call between two people in Spain, without judicial authorization, commits an offense cognizable under Spanish criminal law to the extent Spanish authorities have jurisdiction over the actor or the Spanish victim pursues the matter in Spain. Conversely, a person in Spain who intercepts a call between two people in Germany is subject to German law as well.

Within the European Union, cross-border criminal cooperation for electronic communications offenses is governed by the European Investigation Order framework (Directive 2014/41/EU), which Spain has implemented.

GDPR: Data Controller Establishment and Data Subject Location

For GDPR purposes, Regulation (EU) 2016/679 Article 3 applies to organizations established in Spain and to organizations outside the EU that process personal data in the context of offering goods or services to individuals in Spain, or that monitor behavior of individuals in Spain. A US-based company that records Spanish residents' calls on a platform marketed in Spain falls within the GDPR's territorial scope regardless of where the company is incorporated.

Where a Spain-side controller is involved, the AEPD is the lead supervisory authority for one-stop-shop cases under GDPR Article 56.

Practical Guidance for Cross-Border Scenarios

If you are calling someone in Spain from another country: Spanish criminal law applies to the Spain-side participant's conduct. If you are a participant, Spain's one-party consent rule covers recording from your side. If you are a third party intercepting that call, Spanish criminal law can reach you.

If you are a multinational business recording calls involving Spanish customers: GDPR and LOPDGDD obligations apply. The AEPD is your competent supervisory authority for Spanish data subjects.

Penalties Summary

Business Compliance Checklist

Companies operating in Spain that record communications should address the following.

Identify your GDPR legal basis. Before recording any call or meeting, determine which Article 6 basis applies. If recording involves voice used for biometric identification, document an Article 9(2) ground as well. Record your determination in your Records of Processing Activities (ROPA).

Provide clear notice. Inform all parties at the start of a call or meeting that recording is occurring. State who is recording, why, and how long the recording will be retained. The AEPD's April 2026 guidance requires ongoing visible indicators during recording, not just an opening announcement.

Limit retention. Define retention periods and automate deletion. The LOPDGDD caps workplace video retention at one month in most circumstances. Apply equivalent discipline to audio recordings. Yoti's five-year retention of geolocation data drew a €250,000 fine in March 2026.

Restrict access. Only authorized personnel should access stored recordings. Maintain access logs and review them periodically.

Honor data subject requests. Individuals have the right to access, correct, erase, and port their personal data under the GDPR. Build processes to respond to these requests within the one-month statutory deadline.

Conduct a DPIA where required. If your recording activities involve systematic monitoring of individuals, a Data Protection Impact Assessment is mandatory under GDPR Article 35. The AEPD has published a list of processing activities triggering this requirement; systematic audio recording and AI transcription are included.

Train employees. Staff involved in recording, storing, or handling recordings should understand the legal framework and your policies. Document this training.

EU AI Act readiness. If your organization uses AI-based transcription, voice analytics, or synthesis tools, verify that you will meet the Article 50 disclosure obligations by August 2, 2026. AI-generated audio or video produced by your systems must include clear disclosures. Review the European Commission's Code of Practice on AI-generated content for labeling guidance as the final code is published.