The short answer: Under GDPR, recording a research interview constitutes personal data processing from the moment you press record.
EU researchers need a valid lawful basis under Article 6, informed consent from each participant before recording begins, and a signed data processing agreement (DPA) with any third-party transcription service they use.
The rule applies whether the interview is in person, on Zoom, or by phone.
This article is intended for informational purposes and does not constitute legal advice. Researchers with questions about specific jurisdiction requirements should consult their institutional research ethics office and, where necessary, a qualified legal professional.
Why GDPR applies the moment you press record
An interview recording is personal data.
The moment a recording captures someone's voice alongside their name, job title, or any other identifying detail, it falls under the GDPR's definition of personal data under Article 4(1).
That makes the researcher the data controller, the interview participant the data subject, and any external service that handles the recording, including a cloud transcription tool, a data processor.
| Role | Who it is in a research context | Key obligation |
|---|---|---|
| Data controller | The researcher or their institution | Determines the purpose and means of processing; bears primary compliance responsibility |
| Data processor | The transcription service or other third party | Processes data only on the controller's instructions; requires a signed data processing agreement (DPA) |
| Data subject | The interview participant | Holds rights: access, rectification, erasure, and withdrawal of consent |
The GDPR's extraterritorial scope (Article 3) means these obligations apply regardless of where the researcher or their institution is based.
If the participants are EU residents, the regulation applies.
This includes research teams based in the United States, Australia, or anywhere else.
📌 Important:
Note that GDPR only governs data protection obligations toward EU participants; separate state-level wiretapping and consent laws may also apply if you're recording from the US. See our guide to recording consent laws in the US for researchers for more details.
In April 2026, the European Data Protection Board (EDPB) published draft Guidelines 1/2026 on the processing of personal data for scientific research purposes. It's the most detailed regulatory statement to date on how the GDPR applies to research activities. The guidelines are still open for public consultation, so they aren't final yet.
They don't single out interview transcription by name. But they cover areas that matter directly to researchers in this position.
That includes consent for studies whose full scope isn't known up front, how responsibility splits between controllers and processors, and what transparency obligations apply when data is collected directly from participants. One of the EDPB's own worked examples even covers interviews.
Together, these signal closer supervisory attention to how research institutions manage consent and data-processor relationships.
Remember, for researchers doing qualitative research transcription, compliance is not a separate administrative task that happens before the research begins. It’s part of the research design itself.
Choosing your lawful basis: Consent or public interest?
Many researchers default to consent because it feels like the safest option.
But in reality, consent is not always the most appropriate lawful basis for research interviews under Article 6, and in some situations it is legally invalid.
Article 6 provides six lawful bases for processing personal data. Three are most relevant to research interviews:
1. Consent: Article 6(1)(a)
Article 6(1)(a) requires a clear affirmative agreement that is freely given, specific, informed, and unambiguous.
Under GDPR Recital 43 and the EDPB's consent guidelines, consent is not considered "freely given" where there is a clear imbalance of power between the data subject and the controller.
It creates a direct problem when a researcher is also a manager, supervisor, or lecturer in relation to the participant: the power imbalance can render consent legally invalid from the outset.
2. Public interest: Article 6(1)(e)
Article 6(1)(e) covers processing that’s necessary for a task carried out in the public interest, authorized by EU or national law. University-funded research with a published protocol often qualifies.
This basis doesn't eliminate the obligation to inform participants.
But because public interest isn't built on consent, participants have no consent to withdraw. They retain the right to object under Article 21, which the controller can override if the processing is necessary for performance of a public-interest task.
Article 21(6) makes this override explicit for research specifically. That's what makes public interest sturdier for longitudinal research than consent, which a participant can withdraw outright, stopping all future processing immediately.
3. Legitimate interests: Article 6(1)(f)
Available to private organizations but generally not to public authorities. It requires a balancing test and is harder to justify for interview research involving personal data.
The EDPB's 2026 draft guidelines confirm that broad consent is permissible for scientific research where specific future uses cannot be fully defined at the time of data collection, provided that researchers clearly describe the research area and apply safeguards such as pseudonymization.
Use the following framework to decide which basis fits your project:
| Situation | Recommended lawful basis | Reason |
|---|---|---|
| Independent researcher, clear single-use purpose | Consent (Art. 6(1)(a)) | Transparent; gives participants clear control |
| University-funded research in the public interest | Public interest (Art. 6(1)(e)) | Protects research integrity; participants retain the right to object (Art. 21), which can be overridden for public-interest research |
| Clear power imbalance (employer-employee, lecturer-student) | Public interest (public institutions) or legitimate interests (private institutions) | Consent may not be "freely given" under GDPR Recital 43 and EDPB consent guidelines |
| Longitudinal or archiving research, purposes partially unknown | Broad consent with defined research area | Permitted under EDPB Guidelines 1/2026 with additional safeguards |
📌 Important:
The lawful basis under GDPR and the ethical consent required by an institutional review board (IRB) or ethics committee are separate things.
IRB consent is an ethical and institutional obligation. GDPR lawful basis is a legal one.
A project can satisfy IRB ethics requirements while failing GDPR compliance, and vice versa. Both need to be addressed independently before data collection begins.
If you are unsure which basis applies to your project, consult your institution's data protection officer (DPO). Under GDPR, public universities and large-scale research processors are usually required to appoint a DPO.
What happens when your interviews touch special categories of data?
Standard GDPR consent is not sufficient when an interview captures what the regulation calls "special categories" of personal data under Article 9. These are data types that carry heightened risk of discrimination or harm if mishandled.
Special categories that GDPR Article 9 explicitly protects include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Data concerning health (including mental health, disability, medical history)
- Data concerning sexual orientation
- Genetic data
- Biometric data processed for the purpose of uniquely identifying a person
Research interviews can surface special category data even when the researcher doesn’t intend to collect it.
For instance, a participant describing their working conditions might mention a disability. Someone discussing community experiences might disclose their ethnicity or religion.
If there’s any reasonable likelihood that your interview could elicit this type of data, you need to plan for it before the recording begins.
For special category data, Article 9 requires either:
a. Explicit consent: Article 9(2)(a)
A stricter standard than standard consent. The participant must make a clear, specific affirmative statement that names the sensitive data category being processed.
A general tick-box saying "I agree to participate in this study" does not meet this standard. You need a separate, specific consent element that states something like: "I consent to the recording and processing of information about my health status as part of this research."
b. Scientific research exemption: Article 9(2)(j)
Processing for scientific research purposes, provided it is authorized by national law and accompanied by appropriate safeguards under Article 89(1), including pseudonymization wherever possible.
The availability of this route depends on your member state's national GDPR implementation.
Germany, France, the Netherlands, and others have enacted enabling legislation, but the specific conditions vary.
📌 A practical approach:
If your topic area could plausibly generate special category data, design your consent form to obtain explicit consent for those categories specifically, and build pseudonymization into your transcription workflow from the start.
What a GDPR-compliant consent form for research interviews must include
A GDPR consent form for research interviews is not a formality. Under Article 7(1), the researcher must be able to demonstrate that consent was given, which means the form (or a record of verbal consent) becomes part of the research's audit trail.
Each element below corresponds to a specific GDPR obligation.
1. Identity of the data controller: Article 13(1)(a)
The researcher's full name and institutional affiliation. If the institution is the controller, name it and provide a point of contact.
2. Purpose of processing and legal basis: Article 13(1)(c)
A specific description of the research purpose, plus the legal basis you're relying on (consent, public interest, etc.).
"Academic research" is not sufficient; state what the recording will be used for: analysis, publication of anonymized quotes, archiving, or a combination.
If you’re seeking broad consent for a defined research area, you must clearly describe that area.
3. Who will access the recording and transcript: Article 13(1)(e)
Name the categories of people with access: the principal investigator, co-researchers, a transcription service, a supervisor.
If you’re using a third-party transcription tool, participants must be informed before the recording starts.
4. Retention period: Article 13(2)(a)
Refers to how long recordings and transcripts will be kept and when they will be deleted.
If retention is tied to a project end date or publication timeline, say so.
5. Participant rights: Articles 13(2)(b)–(d)
Refers to participants’ rights to access their data, the right to erasure, and the right to withdraw consent at any time without penalty, with a point of contact for exercising these rights.
In case your lawful basis is public interest rather than consent, note instead that participants have the right to object under Article 21.
6. Transfers outside the EU/EEA: Article 13(1)(f))
Required if your transcription service's servers or sub-processors are based outside the EU or EEA. State the transfer mechanism relied upon, such as Standard Contractual Clauses.
Alternatively, you can use a European transcription service that keeps your data within the EU.
Refer to Art. 13 GDPR for more details.
7. Granular consent for each processing activity
Recording, third-party transcription, publication of direct quotes, and data archiving each require a separate consent element. A single "I agree to participate" checkbox does not satisfy GDPR's specificity requirement.
Verbal consent is permissible under GDPR, but the researcher must retain evidence of it, generally the recording itself, with the verbal consent captured at the start.
For audit trail purposes, written or email-based consent is strongly recommended, particularly for projects that will go through an ethics approval process.
Uploading interviews to a transcription service? Here’s what you need to check first
When you upload a research interview recording to a cloud transcription platform, you’re transferring personal data to a third party.
Article 28 of the GDPR requires that this relationship be governed by a written data processing agreement (DPA) between you (the data controller) and the transcription provider (the data processor).
A DPA is not optional. Without one, you are processing personal data outside a lawful framework regardless of how robust the provider's own security practices are.
For a transcription context, the DPA must specify:
- The purpose and legal basis for the provider's processing of your audio files
- Where data is stored (EU/EEA or an approved transfer country)
- Security measures in place (encryption in transit and at rest, access controls)
- A list of sub-processors the provider uses, including any third-party AI models
- The provider's breach notification obligations: under Article 33(2), the processor must alert the controller without undue delay upon becoming aware of a breach, so the controller can meet its own 72-hour window for notifying the supervisory authority
- Deletion obligations: how and when the audio file and any intermediate processing data will be deleted after transcription is complete
Use this checklist before uploading interview recordings to any platform:
- Does the provider offer a DPA?
- Is data stored in the EU/EEA?
- Does the provider publish its sub-processor list?
- What are the default data retention and deletion settings?
- Is encryption in transit and at rest confirmed?
- Does the provider hold SOC 2 Type II or equivalent certification?
- Can you request deletion of the audio file after transcription?
Use HappyScribe for transcribing research interviews
HappyScribe is a transcription tool, based in Barcelona, that turns audio and video into text, offering both AI transcription and human-reviewed options. Researchers use it for interview transcripts, focus groups, and fieldwork recordings.
Here's how HappyScribe holds up against the GDPR consent requirements we discussed so far:
1. EU data residency: HappyScribe runs its servers in the European Union, inside a Tier IV, ISO 27001 and PCI DSS-compliant data center. Data doesn't leave the EEA for processing.
2. SOC 2 Type II certification: Independent auditors review the platform's security controls under SOC 2 Type II. University ethics committees and institutional review boards increasingly require this documentation as part of ethics approval.
3. Data processing agreement: Institutional and enterprise users can reach out to the team directly to request a DPA. It sets out the controller-processor relationship, processing purposes, security obligations, and deletion timelines in writing, as Article 28 requires.
4. Human proofreading for 99% accuracy: For projects where accuracy on sensitive interview content is non-negotiable, HappyScribe's human proofreading service puts transcripts in front of native-speaking expert linguists, who sign an NDA before reviewing any content. The workflow stays within the DPA-governed processing framework throughout.
5. File deletion on request: Researchers can permanently delete audio files from the platform once transcription is complete. This supports data minimization and makes it easier to comply with participant erasure requests.
Sign up to HappyScribe and start transcribing, or contact sales for a tailored plan.
Anonymizing your transcripts and what GDPR says about it
Once a transcript exists, the key distinction is between pseudonymization and anonymization, because they carry very different implications under GDPR.
| Point of differentiation | Pseudonymization | Anonymization |
|---|---|---|
| Definition | Replacing direct identifiers (names, job titles, employer names) with codes (P1, P2) | Removing all information that could, even combined with other data sources, identify the participant |
| GDPR status | Still personal data. Re-identification remains possible using the key that maps codes to real identities | Falls outside GDPR's scope, if achieved correctly |
| Ongoing obligations | Must be stored securely, processed under your lawful basis, and deleted according to your stated retention period | None, once genuinely anonymized; but reaching this standard is harder than it looks |
| Risk in qualitative research | Codes alone don't protect against context-based re-identification | Contextual details, like a participant's role at a specific organization, a distinctive professional background, or a described event, can re-identify someone even with names removed |
| Common mistake to avoid | Treating pseudonymization as if it removes GDPR obligations | Assuming name replacement alone counts as anonymization |
Follow these practical steps for pseudonymizing transcripts:
- Assign participant codes (P1, P2) at the point of transcription, before the transcript is shared with any team member
- Remove employer names, specific locations, dates, and job titles where they would narrow identification. Generalize rather than delete where possible, since this preserves analytical value: replace an exact date with a quarter or year, replace a named employer with its sector, replace a specific town with a region
- Store the re-identification key (code-to-name mapping) separately from transcripts, with access limited to the principal investigator
- Treat the re-identification key itself as personal data: it must be protected and retained under the same security and retention rules as the rest of your dataset
- If a participant exercises their right to erasure, assess whether the pseudonymized transcript still allows re-identification; if it does, it must be deleted or further anonymized
If you're researching outside the EU or working with mixed-jurisdiction participant pools, our broader guide on consent requirements for recording and transcribing research interviews covers what changes outside GDPR.
Build compliance into your research workflow
GDPR compliance for interview research comes down to a few decisions made early: the right lawful basis, a consent form that actually holds up, and a transcription partner that won't become your weakest link.
Get these right before you press record, and the rest, anonymization, pseudonymization, retention, and participant rights, follow naturally.
HappyScribe handles the infrastructure side: EU data residency, SOC 2 Type II certification, and a DPA on request, so you can focus on the research design decisions only you can make.
FAQs on GDPR consent for recording and transcribing interviews
Do you need consent to record a research interview under GDPR?
You need a valid lawful basis under Article 6, but that basis does not have to be consent. Consent is one option; public interest (Article 6(1)(e)) is often more appropriate for university-funded research. What you always need, regardless of basis, is to inform participants before recording about who is recording, why, and what will happen to the data. This obligation under Articles 13 and 14 applies to every research recording.
Is verbal consent sufficient for a GDPR-compliant interview recording?
Verbal consent is permissible. The requirement is that you retain a record of it (Article 7(1)). Capturing verbal consent at the start of the recording itself satisfies this, provided the participant has already received the required information. Written or email-based consent is recommended for projects going through institutional ethics review, as a signed form is a cleaner audit trail.
Can I use AI transcription tools for research interviews under GDPR?
Yes, provided you have a signed DPA with the provider, the data is processed in the EU/EEA or under an approved transfer mechanism, and participants are informed in their consent form that a third-party transcription service will handle their recordings. The consent form should name the service or describe the category of processor: "a GDPR-compliant transcription service with EU data storage."
What should a consent form for recording research interviews include?
At minimum: the data controller's identity, the specific research purpose, who will access the recording and transcript, the retention period, participant rights, and whether data transfers outside the EU/EEA are involved. Consent must be granular: recording, third-party transcription, publication of quotes, and archiving each need a separate element.
What happens if a participant withdraws consent after the interview has been transcribed?
If consent is your lawful basis, withdrawal means you must delete the recording and any transcript in which the participant remains identifiable, including pseudonymized versions where re-identification is still possible. Processing that occurred before the withdrawal remains lawful, but you can't continue to hold or use the data once consent is withdrawn, unless another lawful basis applies.
This is one practical reason public interest can work better for longitudinal research: there's no consent to withdraw in the first place. Participants retain the right to object under Article 21, but the controller can override that objection when the processing is necessary for a public-interest task. Article 21(6) makes this override explicit for research.
So data already processed on this basis isn't disturbed by a later objection, unlike a consent withdrawal, which stops all future processing outright.
Does GDPR apply if my transcription service is based outside the EU?
Yes. GDPR applies to any service that processes EU residents' personal data, regardless of where it is based (Article 3(2)). A non-EU provider must rely on an approved transfer mechanism: Standard Contractual Clauses, an adequacy decision, or binding corporate rules. This must be addressed in the DPA and disclosed to participants in the consent form.
Does GDPR apply if my interview participants are in the UK?
Not exactly. When the UK left the EU, it converted GDPR into standalone domestic law now called UK GDPR, enforced by the ICO instead of EU supervisory authorities. Lawful basis, consent standards, and data subject rights work largely the same way, but consent requirements for recording research interviews in the UK differ on specifics like research exemptions and post-Brexit transfer rules, which are important if you're drafting a consent form for UK participants.
Rodoshi Das
Rodoshi helps SaaS brands grow with content that converts and climbs across SERPs and LLMs. She spends her days testing tools and turns her experience into interesting narratives to help users make informed buying decisions. Off the clock, she trades dashboards for detective novels and garden therapy.