Spain AEPD Issues GDPR Guidance on AI Voice Transcription Tools in April 2026

On April 20, 2026, the Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD) published the second part of its guidance on AI-powered voice transcription services, titled "AI Voice Transcription (II): Accountability, Rights and Transparency." The document is final guidance, not a consultation draft, and takes effect as a published interpretive position of the AEPD under its supervisory authority over GDPR compliance in Spain. It builds directly on the first part, published in January 2026, which addressed the legal bases and special-category data risks of voice transcription.

The controlling authority is Regulation (EU) 2016/679 (GDPR), specifically Article 5 (principles relating to processing), Article 15 (right of access), Article 16 (right to rectification), and Articles 12–14 (transparency obligations). The AEPD also references Recital 39 on transparency and Article 4 of Regulation (EU) 2023/2854 (Data Act) on users' right to data generated by connected devices. The guidance reaffirms that any organisation deploying a third-party or proprietary AI transcription tool acts as the data controller because it determines the purposes and means of processing — regardless of whether the underlying model belongs to a vendor.

Controllers and processors deploying AI transcription tools must conduct continuous due diligence from procurement through the full lifecycle of the tool. They must proactively adopt measures to prevent, detect, and correct transcription errors, since inaccurate transcripts directly implicate Article 16 rectification rights. The AEPD specifies that withholding access to transcripts on the grounds that third-party data appears in them is inconsistent with GDPR, provided technical anonymisation or blurring measures are available. Consent obtained for one recording session does not extend to future sessions; controllers must implement automatic mechanisms that cancel recording status at session end. These obligations apply to meeting-minute tools, customer support systems, and any other operational context that converts voice into stored text.

One open question concerns the interaction between this AEPD guidance and the EU AI Act (Regulation (EU) 2024/1689), which entered its first compliance phase in February 2025. AI voice transcription systems that process biometric or inferred health data may qualify as high-risk AI systems under Annex III, point 1 of the AI Act, triggering conformity assessments and registration obligations. The AEPD guidance addresses GDPR accountability but does not map its requirements against AI Act obligations; companies operating dual-purpose systems should assess both regimes independently.

Our firm advises clients on GDPR compliance, AI Act obligations, and data protection law across European and international jurisdictions, including data controller/processor structuring, consent mechanisms, and supervisory authority engagement. We maintain a dedicated network of specialist partners in Spain and the EU for matters requiring local regulatory representation. Clients with AI-driven voice products, transcription services, or employee monitoring tools operating in Spain or under the GDPR are encouraged to contact us. Areas of work include: GDPR data controller analysis, AI Act compliance mapping, voice data processing assessments, biometric data governance, consent architecture, and data subject rights management.

Source: Agencia Española de Protección de Datos (AEPD), "AI Voice Transcription (II): Accountability, Rights and Transparency," published 20 April 2026. Official URL: https://www.aepd.es/en/press-and-communication/blog/ai-voice-transcription-ii-accountability-rights-and-transparency. Confirmed 24 April 2026.

The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.