Recording Meetings: What's Legally Allowed in Germany? (Complete Legal Guide 2026)

Disclaimer: This article does not constitute legal advice. For your specific situation, we recommend consulting a lawyer specializing in data protection law.

You want to record meetings so you don't miss any important information? That's perfectly possible – but only legally compliant if you know and follow a few clear rules. Germany has particularly strict regulations around recording conversations: making the wrong decisions puts you at risk of fines in the millions, criminal consequences, or serious loss of trust within your team.

This article gives you a complete overview of the current legal situation, explains step by step what you need to consider – and shows you how to record meetings in a compliant and efficient way.

The Most Important Points at a Glance

• Consent is mandatory: You must inform all participants before recording and obtain their agreement.
• § 201 StGB always applies: Secret recordings are a criminal offense in Germany – even in a business context.
• GDPR governs everything else: Recordings and all derived data (transcripts, summaries) are personal data.
• Works council has co-determination rights: In companies with a works council, its approval is mandatory.
• Your tool choice matters: Only GDPR-compliant tools with European data storage are legally safe to use.

The Legal Foundations: Three Laws You Need to Know

Recording meetings touches on several areas of law simultaneously in Germany. That makes the topic complex – but easy to navigate with the right overview.

§ 201 StGB – The Wiretapping Prohibition

The most important law first: § 201 of the German Criminal Code makes the unauthorized recording of non-publicly spoken words a criminal offense. In concrete terms, this means:

• Any recording of a conversation without the knowledge and consent of those involved is a criminal act.
• It doesn't matter whether you use the recording internally or publish it.
• The penalty is up to three years imprisonment or a fine.
• The law applies to video conferences too – including Zoom, Teams, Google Meet, and all other platforms.

Bottom line: A secret recording is never legally permissible in Germany. No exceptions.

GDPR – General Data Protection Regulation

As soon as a recording contains personal data – which is almost always the case in meetings with employees, customers, or partners – the GDPR applies in addition. And it's not just the recording itself: all derived data such as transcripts, AI summaries, speaker attributions, and exported action items are also subject to GDPR. The relevant articles:

• Art. 6 GDPR: Recordings require a legal basis – typically explicit consent (para. 1a) or legitimate interest (para. 1f).
• Art. 13/14 GDPR: Participants must be informed in advance about the purpose, duration, and storage location of the recording.
• Art. 17 GDPR: The right to erasure applies – recordings must be deleted after defined retention periods.
• Art. 28 GDPR: If you use an external tool, you need a Data Processing Agreement (DPA).

An important point often overlooked in practice: GDPR obligations don't end with the recording. They extend across the entire data lifecycle – from the recording itself through to transcripts, AI-generated summaries, search indices, and backups.

If you want to go further: Here's a GDPR Checklist for you.

BDSG & Employee Data Protection

The German Federal Data Protection Act (BDSG) supplements the GDPR for the German legal context and contains specific rules for employment relationships. § 26 BDSG governs data processing in employment contexts: recordings of employee meetings are only permissible if they are necessary for the performance of the employment relationship – or if clear consent has been given. The bar for valid consent in an employment context is deliberately set high, since genuine voluntariness is hard to demonstrate within a hierarchical relationship.

What Exactly Gets Recorded – and Why That's Legally Relevant

A modern AI meeting assistant records more than just audio. The typical processing stages are:

1. Audio stream (possibly video and screen sharing)
2. Meeting metadata (participants, time, meeting title)
3. Chat messages and shared files
4. Derived data: transcripts, summaries, speaker attributions, action items

Each of these stages constitutes a separate processing operation under the GDPR – with its own requirements for legal basis, purpose limitation, and deletion. Anyone who only thinks about "the recording" and forgets the downstream processing has only fulfilled GDPR requirements halfway.

Particular caution is warranted when meeting content touches on special categories of personal data under Art. 9 GDPR – such as health data, trade union-related information, or similar content. This can quickly arise in HR meetings, medical consultations, or negotiations, even if the tool was not "designed" for that purpose.

When Are You Allowed to Record a Meeting?

The answer is clearer than many people think: you may record when all participants have been informed and have given their consent. What that looks like in practice depends on the context.

Scenario 1: Internal Meetings with Employees

Checklist for internal meeting recordings:

• ✓ All participants are explicitly informed before the meeting begins (verbally or in writing)
• ✓ The option to decline is clearly communicated – without any disadvantage for those who refuse
• ✓ The purpose is defined (e.g. minutes replacement, follow-up)
• ✓ A retention period is established and documented
• ✓ The works council has been involved (if applicable)
• ✓ A DPA with the tool provider has been concluded
• ✓ A Data Protection Impact Assessment (DPIA) has been reviewed

Note on legal basis: In an internal context, employee consent is often legally fragile, because genuine voluntariness is hard to demonstrate in a hierarchical relationship. The safer alternative: a works agreement that sets out binding rules on usage, access rights, and deletion periods.

Scenario 2: External Meetings with Customers or Partners

The same principles apply to external participants – but consent must be obtained explicitly. Automated notices such as "This meeting is being recorded" at the start of a call are legally considered sufficient information, provided participants have the opportunity to object to the recording.

The key point: if declining the recording is not a realistic option – because the meeting wouldn't take place otherwise – then that "consent" will not withstand data protection scrutiny.

Practical tip: Use AI meeting assistants that automatically send a join notification as soon as recording starts. This creates demonstrable transparency.

Scenario 3: Confidential Conversations (HR, Legal, Medical)

For conversations with heightened confidentiality – such as employee discussions about performance issues, client meetings at law firms, or medical consultations – particularly high standards apply. Here, the GDPR, professional secrecy obligations (§ 203 StGB), and potentially sector-specific regulations all overlap. In these contexts, recording without explicit, documented individual consent is strongly inadvisable.

The Role of the Works Council

For companies with a works council, this section is especially important: under § 87 para. 1 no. 6 of the German Works Constitution Act (BetrVG), the works council has a mandatory co-determination right when introducing technical devices that are capable of monitoring the behavior or performance of employees.

AI meeting tools with transcription and speaker analytics are objectively capable of monitoring behavior and performance – even if that is not the employer's stated intention. That alone is sufficient to trigger the co-determination requirement.

What this means in practice:

• No meeting recording tool may be introduced without the works council's approval.
• Typically, a works agreement is concluded that sets out rules on usage, data storage, and deletion periods.
• Violations of co-determination rights can render recordings inadmissible and have employment law consequences.

Recommendation: Involve the works council early and work together to draft a works agreement. Make sure the tool you choose offers technical options to exclude monitoring functions – for example, by disabling performance analytics. This creates both acceptance and legal certainty.

Recording on Zoom, Teams & Co. – What Applies to Video Conferencing Tools?

The question "Am I allowed to record a Zoom meeting?" is one many companies grapple with. The fundamental legal rules are the same as for in-person conversations. That said, there are important technical specifics to be aware of.

The Problem with US-Based Providers

All major video conferencing tools offer native recording functions. The problem from a data protection perspective: with US providers like Zoom and Microsoft, data is stored and processed in American data centers.

This is legally relevant because US companies are subject to the CLOUD Act: US authorities can request access to this data – without the knowledge of the affected European company, and potentially bypassing MLAT legal channels. The EU-US Data Privacy Framework (DPF) has improved the situation since 2023 and survived an initial legal challenge in 2025. However, an appeal has been filed – meaning the DPF is not a "set and forget" checkbox, but an actively monitored transfer risk that you should factor into your planning for 2026.

Bottom line: "EU region hosting" is not enough on its own. Anyone who truly wants to be on the safe side needs to ask: where is data being processed? Who has support access? Who holds the encryption keys?

You can find a further comparison of German Servers vs. servers in the US here.

Red Flags When Choosing a Tool

• Vague statements about server location without clear information on sub-processors
• No clear deletion mechanisms for transcripts, summaries, and backups
• Unclear statements about whether customer data is used for AI training
• No DPA, or only a generic click-through addendum
• Recording enabled by default with no configurable option to disable it

Transparency – The Four Levels That Regulators Expect

The DSK (German Data Protection Conference) has made clear in its guidance on video conferencing systems that transparency must not be a paper exercise. In practice, four levels have established themselves as what authorities consider "effective transparency":

1. Policy level: An internal policy or external privacy notice explains the tool and its purposes.
2. Invitation level: The meeting invitation includes a note about the planned recording.
3. Meeting level: At the start of the call, an automatic system notification or verbal announcement is made.
4. Post-meeting level: Participants receive a link to the transcript along with information on retention periods and access rights.

Data Storage and Deletion Obligations

Recording is one thing – what happens to the data afterwards is equally critical. The GDPR sets no fixed retention periods, but requires the principle of storage limitation (Art. 5 para. 1e): data may only be retained for as long as necessary for the original purpose.

Retention period guidance:

German supervisory authorities have actively pursued deletion violations: Hamburg imposed substantial fines for the absence of effective deletion concepts. Recordings and transcripts create the same "retention trap" if no automated deletion is in place.

Recommendation: Use tools that support automated deletion schedules and document deletions across recordings, transcripts, summaries, search indices, and backups.

Consequences of Violations

The legal consequences of violations in meeting recording are significant.

Criminal law (§ 201 StGB)

• Up to three years imprisonment or a fine for unauthorized recording
• Criminal proceedings can be initiated by individual employees
• Also applies to using and sharing existing illegal recordings

GDPR fines

• Up to €20 million or 4% of global annual turnover
• German supervisory authorities are increasingly active: fines have been imposed for, among other things, missing deletion concepts, inadequate third-party provider oversight, and improper documentation of sensitive employee data
• There is no lower threshold – small businesses are affected too

Civil law

• Damages claims from affected individuals (Art. 82 GDPR)
• Cease-and-desist letters from competitors or consumer protection associations
• Employment law consequences for responsible employees

FAQ – Frequently Asked Questions

Am I allowed to record a meeting without announcing it?

‍No. This is a criminal offense under § 201 StGB – regardless of the intended use and regardless of whether it is a physical or digital meeting.

Is it enough if I say "I'm recording this" at the start of the meeting?

‍It is sufficient if all those present hear it and have the opportunity to object or leave the meeting. For legally secure documentation, an additional written confirmation or automatic system notification is recommended.

What applies to international teams with participants outside Germany?

‍The law of the country in which the recorded individuals are located applies. For teams that include German employees, German rules must always be observed – even if the company is headquartered abroad.

Do I need to conclude a Data Processing Agreement (DPA)?

‍Yes, if you are using an external tool for recording, transcription, or storage. A DPA is mandatory under Art. 28 GDPR and must be in place before the tool is used for the first time.

Does this apply to purely internal meetings with only employees?

‍Yes. Internal recordings are also subject to GDPR employee data protection rules and the works council's co-determination rights. A works agreement is the most efficient path to legal certainty here.

Do we need a Data Protection Impact Assessment (DPIA)?

‍Very likely yes. If an AI tool systematically records, transcribes, and evaluates communications, new technologies and the systematic processing of employee data are involved – two factors that typically make a DPIA mandatory under Art. 35 GDPR. The DSK explicitly recommends this in its AI guidance.

Conclusion: How to Get It Right

Meeting recordings are legally permissible in Germany and enormously valuable in day-to-day business – but only when the legal framework is consistently followed. The three most important principles:

1. No secret recordings – never, under any circumstances.
2. Obtain and document consent – before recording, across multiple levels.
3. Choose a GDPR-compliant tool – with a DPA, European data storage, and clear deletion mechanisms.

Companies that follow these principles and use the right tool benefit from all the advantages of automated meeting documentation – without taking on any legal risk.

Record Meetings Securely with Sally AI

Sally.io is an AI meeting assistant headquartered in Germany – built with the conviction that GDPR compliance is a core feature, not an afterthought:

• ✓ GDPR-compliant | Servers in Germany | DPA included
• ✓ Automatic consent notification for all participants
• ✓ Configurable deletion periods for recordings, transcripts, and summaries
• ✓ No use of customer data for AI training
• ✓ Transcription, summarization & information management in one tool

PS: You can try Sally for free. Start today!

Disclaimer: This article does not constitute legal advice. For your specific situation, we recommend consulting a lawyer specializing in data protection law.