
Legal recording and disclosure — a GDPR-compliant framework for the AI voice agent

GDPR-compliant disclosure script in the first 5 seconds, AES-256-GCM storage, 90-day retention default, 30-day right-to-erasure SLA.

Legal compliance for an AI voice agent is not optional; it is existential. Get the recording wrong, get the disclosure wrong, or store the audio wrong, and one GDPR fine can wipe out the entire ROI. This piece walks through the framework Nortinia AI Call Center ships by default, and the jurisdictions where we haven't gone live yet.

The mandatory disclosure script

Every inbound and outbound call's first 5-8 seconds must include the following disclosure. This isn't optional; it is default-on:

"Hello, this call is being recorded for service-quality and training purposes. Your participation is voluntary, and you may request deletion of the recording at any time."

In Hungarian: 5.2 seconds. English and German versions are similar in length. The tenant can customise the wording, but four mandatory elements cannot be removed:

  1. The fact of recording
  2. The purpose of recording
  3. The voluntary nature
  4. The right to deletion (right-to-erasure reference)

If the customer tries to interrupt at second 6, the agent finishes the disclosure before responding. The ordering is not flexible.

Recording storage

All voice recordings are stored with AES-256-GCM encryption. Keys are tenant-specific and Vault-managed on Nortinia infrastructure. Encryption applies both at rest and in transit.

Default retention: 90 days. Each tenant can override:

  • 30 days — minimum, not recommended (audit and dispute resolution need more)
  • 90 days — default, good for most industries
  • 365 days — for regulated industries (healthcare, finance)
  • Custom — bespoke, after legal review

When retention expires, recordings are automatically purged from hot storage; cold backups follow 7 days later.

Right-to-erasure SLA: 30 days

If a customer requests deletion of recordings about them (GDPR Article 17), Nortinia completes the deletion within 30 calendar days. The process:

  1. Request received — by email, phone, or via the tenant's customer portal
  2. Identification — phone number + name match, ID verification if disputed
  3. Recording lookup — every call the customer was on
  4. Deletion — from hot storage + cold backup + transcription + derived data (vector embeddings, if any)
  5. Confirmation — email back confirming completion

In six months we received 47 right-to-erasure requests and completed all 47 within the 30-day SLA. Median time to completion was 8 days.

The disclosure isn't only formal; real legal logic sits behind it. If the customer says "I don't want this recorded" or "I want to withdraw my consent" mid-call, the following automatic flow kicks in:

  • Recording stops immediately
  • The audio captured so far is flagged "pending-erasure"
  • Within 24 hours the recording is deleted (unless overriding regulation applies)
  • The tenant audit log captures the event
  • The AI hands the call to a human at the end (because operating without recording from this point introduces operational risk)

On outbound calls, a hang-up also counts as revocation automatically; no extra word recognition needed.
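The withdrawal flow above, modelled as an added illustrative example (not Nortinia's code): a per-call session that stops recording on a trigger phrase or an outbound hang-up, flags the captured audio pending-erasure with a 24-hour deadline (or legal-hold when an overriding rule applies), records the event in the tenant audit log, and marks the call for human handoff. The class and field names, the substring matcher for the two trigger phrases, and the legal-hold flag are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

WITHDRAWAL_PHRASES = ("don't want this recorded", "withdraw my consent")  # from the post
ERASURE_WINDOW = timedelta(hours=24)   # "within 24 hours the recording is deleted"

class RecState(Enum):
    RECORDING = "recording"
    PENDING_ERASURE = "pending-erasure"  # audio captured so far is flagged
    LEGAL_HOLD = "legal-hold"            # "unless overriding regulation applies"

@dataclass
class CallSession:
    call_id: str
    tenant: str
    outbound: bool
    legal_hold: bool = False             # assumption: an overriding retention rule applies
    state: RecState = RecState.RECORDING
    revoked_at: datetime | None = None
    erase_by: datetime | None = None
    handoff_required: bool = False       # AI hands the call to a human at the end
    audit_log: list[dict] = field(default_factory=list)

    def on_utterance(self, text: str, now: datetime | None = None) -> bool:
        # Case-insensitive substring match on the trigger phrases (constructed matcher).
        if self.state is RecState.RECORDING and any(p in text.lower() for p in WITHDRAWAL_PHRASES):
            self.revoke_consent("customer-utterance", now)
            return True
        return False

    def on_hangup(self, now: datetime | None = None) -> None:
        # An outbound hang-up counts as revocation; no handoff, the call is already over.
        if self.outbound and self.state is RecState.RECORDING:
            self.revoke_consent("outbound-hangup", now, handoff=False)

    def revoke_consent(self, reason: str, now: datetime | None = None, handoff: bool = True) -> None:
        now = now or datetime.now(timezone.utc)
        self.revoked_at = now                        # recording stops at this instant
        if self.legal_hold:
            self.state = RecState.LEGAL_HOLD         # retained, but no longer recording
        else:
            self.state = RecState.PENDING_ERASURE
            self.erase_by = now + ERASURE_WINDOW
        self.handoff_required = handoff
        self.audit_log.append({"ts": now.isoformat(), "tenant": self.tenant,
                               "call_id": self.call_id, "event": f"consent-revoked:{reason}"})
```

A separate purge job would consume the `erase_by` deadlines; the session only guarantees that the revocation and its audit record happen atomically at the moment of withdrawal.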

Two jurisdictions where we aren't yet live

Two regions where Nortinia AI Call Center is currently not available for regulatory reasons:

1. USA — two-party-consent states. California, Florida, Pennsylvania and 9 other states require all-party consent for recording, meaning both parties must explicitly agree to be recorded. The default "silent recording" disclosure isn't enough; a separate yes-response must be captured.

This is a concrete compliance feature we plan to ship in 2026 Q3: a mandatory "do you agree?" question after the disclosure, with the call only continuing on a yes-response.

2. Switzerland — strict-consent regime. Swiss data protection (revFADP) is stricter than GDPR, especially around automated decision-making. Operating an AI voice agent on Swiss customers without legal review is currently risky. The door is open, but each tenant needs a bespoke legal opinion.

The audit trail

Every call, every disclosure, every consent event, and every deletion goes into an immutable audit log. Tenant-specific, exportable, and stored in a format accepted by Hungarian NMHH and EU data-protection authorities during audits.

In six months we've had two regulatory data-protection audits at tenants. In both cases the Nortinia audit log was sufficient to prove compliance. No additional report or intervention required.
