Blog

GDPR and meeting transcription — what actually matters

Meeting audio is personal data. If the meeting touches health, legal matters or union business, it can be special-category data under Article 9 — the strictest tier the GDPR knows. Here's what that means in practice when you transcribe, without the legalese. (This is product information and general orientation, not legal advice.)

The three questions a DPO will ask

  • Who processes the audio? With a cloud notetaker, the vendor becomes a processor. That means a data-processing agreement, a vendor assessment, and an entry in your records of processing.
  • Where does it go? Most popular notetakers process audio on US servers. Since Schrems II, transfers outside the EU/EEA need a legal mechanism *and* a transfer impact assessment — real paperwork with real uncertainty attached.
  • What's the lawful basis — and did participants consent? This one never goes away. You need a lawful basis to record, and participants must know. No tool, local or cloud, does this part for you.

What on-device processing changes

When transcription runs on your own computer, the first two questions collapse:

  • There is no processor. The audio never reaches a vendor, so there is no DPA to negotiate and no vendor to assess for that processing.
  • There is no transfer. Data that never leaves the device never crosses a border. No transfer mechanism, no impact assessment.
  • Article 9 gets simpler. Special-category data is still special — but "processed on hardware we control, never transmitted" is the strongest position you can start an assessment from.

What stays exactly the same: consent and notice, retention (delete recordings you no longer need), and access control on the machine itself. On-device tools shrink the problem; they don't make diligence optional.

"But the vendor says they're GDPR-compliant"

Every vendor says that. The useful question is *verifiable*: what leaves the machine, when, and can you check? LocalTranscript publishes a version-stamped network disclosure listing every connection the app can make — licensing and update checks — and the switch that turns each one off, including a Hard Offline Mode that blocks everything. Your security review reads the list instead of trusting a badge.

Who feels this most

The short version: consent is your job, architecture is the tool's job — and the right architecture means most of the GDPR conversation never has to happen.