Recording a client call in France: what the law really allows

Recording a client call is possible, provided it’s justified by a legitimate and proportionate purpose. The CNIL is clear: you don’t record “for security” or “just in case,” but for an identified need — for example, keeping proof of a commitment made over the phone, or handling a complaint.

This logic is that of the GDPR: data processing must serve a defined objective. Recording is no exception to the rule. Before setting up any system, the first question to ask is therefore: why do I need to record, and is this recording proportionate to that need?

This is non-negotiable: the person whose call is being recorded must be informed of it. The CNIL distinguishes between information given at the start of the call and fuller information, available elsewhere. The caller must know that the call may be recorded, for what purpose, and where to find the details of their rights.

A recording made without the caller’s knowledge is unlawful processing. Informing them isn’t a courtesy: it’s a condition of lawfulness. Good practice is to announce clearly, at the start of the call, what is done with the data.

A stubborn idea holds that you can record every conversation, continuously. That’s false. The CNIL states that permanent, systematic recording of calls isn’t allowed. Recording must be targeted at the calls and the moments where it’s genuinely necessary.

In other words, a compliant system can justify each recording rather than archiving the entire stream by default. That’s the difference between a tool designed for compliance and general surveillance, which has no place here.

On duration, the CNIL gives a benchmark for call recordings: six months at most, unless a legal obligation requires keeping them longer. Beyond that period, the recording must be deleted.

This cap stems from the GDPR’s storage limitation principle: you don’t keep data longer than necessary. Six months is a maximum, not a target. If the purpose is met within a few weeks, you have to purge it sooner.

Not everything has to go through an audio recording. Many use cases rely on a written transcript of the call — useful for keeping a record of the request without retaining the voice. A transcript is still processing of personal data, subject to the same principles: purpose, information, limited duration.

Working from transcripts rather than raw recordings can in fact be more proportionate in many cases: you keep the useful information — who called, about what, which appointment — without going beyond what’s necessary.

Tinos is a voice agent that answers professionals’ phones and keeps a clear record of every request. Compliance is built into its design: the caller’s information is handled at the start of the call, the agent announces itself as an AI, data is hosted within the European Union, and retention periods follow the CNIL’s benchmarks rather than indefinite archiving.

The idea isn’t to turn you into a lawyer, but to spare you the subject: capture every call and every appointment, within a sound framework, without having to decide for yourself what the law does or doesn’t allow.

• CNIL — Listening to and recording calls in the workplace
• CNIL — Recording conversations to establish proof of a contract
• EUR-Lex — GDPR, Article 5 (principles relating to processing)