Right of access to call recordings: the Vodafone (GR) case, 2026
On 11 February 2026, the Hellenic DPA fined Vodafone-Panafon for obstructing access rights and breaching GDPR Articles 12, 15 and 18. Key takeaway: deliver a usable copy of recordings within one month.
Right of access to call recordings: the Vodafone (GR) case sends a strong signal for 2026. On 11 February 2026, the Hellenic DPA fined Vodafone-Panafon for obstructing access to recordings and mishandling data subject requests (GDPR Articles 12, 15, 18). Key takeaway for organisations in Luxembourg: your access-rights workflows must deliver usable copies within one month. For a local overview of obligations, see GDPR compliance in Luxembourg.
The case
On 11 February 2026, the Hellenic Data Protection Authority imposed a €30,000 fine on Vodafone-Panafon S.A. (telecom) for several violations of data subject rights, including:
- refusing or creating obstacles to access recorded conversations,
- providing inadequate information about the procedure,
- failing to facilitate and to respect deadlines,
- breaching processing restriction duties while a request was under review.
Legal basis: GDPR Articles 12(1)–12(4) (transparency, facilitation, one‑month deadline, and information in case of inaction), Article 15 (right of access, including a copy of the data), and Article 18 (right to restriction). The authority also ordered corrective measures, including procedures and training to handle requests “properly and in due time,” with evidence to be provided within six months. Official source: publication by the Hellenic DPA with decision No 2/2026 and detailed summary; the EDPB relayed the case in its National News. See: Hellenic DPA, “Επιβολή προστίμου σε πάροχο υπηρεσιών τηλεπικοινωνίας (2/2026)” and link to the PDF; EDPB, “Imposition of fine on a telecommunications company for violations of data subject’s rights” (Background: Date of final decision 11/02/2026; Controller: Vodafone-Panafon; Articles 12, 15, 18; €30,000). (dpa.gr)
Legal reasoning
- GDPR Article 12: controllers must provide “concise, transparent, intelligible and easily accessible information” and “facilitate the exercise of rights.” Standard timeline: one month from receipt, extendable by two months in complex cases, provided the extension is duly notified and justified within the first month; in case of refusal or inaction, the controller must inform about reasons and redress. Official text: EUR‑Lex (Chapter III, Art. 12). (eur-lex.europa.eu)
- GDPR Article 15 (right of access): the data subject is entitled to confirmation, access, and “a copy of the personal data undergoing processing,” which includes—where relevant—call/video recordings insofar as they contain identifiable personal data. Official text: EUR‑Lex (Art. 15). The EDPB clarified scope, formats, and limits in Guidelines 01/2022 — final version. (edpb.europa.eu)
- GDPR Article 18 (restriction of processing): during the assessment of certain requests (e.g., accuracy challenges, objections), processing must be restricted. The Hellenic DPA found this freeze was not properly applied. References: EUR‑Lex and EDPB thematic reminders. (eur-lex.europa.eu)
For a practical recap of Articles 12, 15 and 18, see the GDPR (Chapter III) essentials.
Authorities’ position
- EDPB: Guidelines 01/2022 stress the need to provide a faithful “copy” of the data processed, in a format the data subject can understand, and confirm that the right of access also covers relevant excerpts (e.g., audio segments) where personal data is embedded in broader content. (edpb.europa.eu)
- CNPD (Luxembourg): regularly communicates on the effectiveness of access rights and provides guidance (templates, deadlines, exceptions). Helpful to Luxembourg DPOs: the page “Le droit d’accès” summarises expectations and practical modalities. (cnpd.public.lu)
What this changes in practice
The Vodafone-Panafon case directly applies to Luxembourg and cross-border organisations that:
- record calls (contact centres, banks/insurers, helpdesks, quality/training functions),
- retain video meetings (boards, committees, sales calls, support),
- process quality logs/listening, transcripts, or AI summaries containing personal data.
In practice, this requires:
- Industrialised access-rights workflow: acknowledgment, proportionate ID verification, request qualification, collection across sources (CRM, ACD/CTI, recorder, video SaaS), extraction of relevant segments and third-party checks, response within one month (Art. 12(3)). (eur-lex.europa.eu) To design and operate this capability, rely on a structured DPO mandate.
- Delivering a “usable copy”: for audio, provide the corresponding segment (or a faithful transcript) with necessary explanations; for video, same. A mere “call summary” is insufficient when the data subject asks for the copy. The EDPB expressly states the copy must reflect the data actually processed, not a synthesis. (edpb.europa.eu)
- Fair and consistent information: portals, “Exercise your rights” pages and agent scripts must clearly describe channels, deadlines, limits and redress (Art. 12(1)–(4)). (eur-lex.europa.eu)
- Restriction during disputes (Art. 18): for example, freeze quality scoring or training use of the call while a related rectification/erasure request is under review, unless a legal exception applies. (eur-lex.europa.eu)
Concrete example
A customer requests “the copy of the 3 May call at 10:14 with agent 123.” The company must:
- locate the call (ACD metadata), extract the audio segment, check for third parties, redact where strictly necessary only third-party data that is not relevant, then deliver the copy (audio or transcript) with the information under Art. 15(1)(a)–(h).
- if processing must be restricted (e.g., accuracy is contested), apply Art. 18 during verification.
- if the request is complex (multiple calls), it may extend by two months, but must notify and justify the extension within the first month (Art. 12(3)). (edpb.europa.eu)
To align practices with CNPD expectations and EDPB guidance, underpin your programme with a GDPR Chapter III baseline tailored to Luxembourg.
Common pitfalls
- Replacing the “copy” with a mere “summary.” Not compliant if the data subject asked for a copy of their data (Art. 15). EDPB guidance states the copy must reflect the data actually processed; a summary is not enough. (edpb.europa.eu)
- Forgetting the silos. Call recordings may sit outside CRM (ACD/CTI, recorder, video SaaS). Your access workflow must cover all sources and include AI-generated transcripts when they contain personal data. (edpb.europa.eu)
- Mishandling the one-month deadline. Many organisations notify extensions after the deadline—too late. The extension (up to +2 months) must be justified and communicated within the first month (Art. 12(3)). (eur-lex.europa.eu)
- Contradictory customer service scripts. In Vodafone, the authority noted conflicting information about the access process. Harmonise templates, FAQs, IVR and agent scripts. (edpb.europa.eu)
- Failing to activate restriction (Art. 18) during a dispute. Retain and “freeze” the minimum necessary while deciding; document the freeze and any legal derogations. (eur-lex.europa.eu)
Official sources
- Hellenic DPA — Decision 2/2026 (Vodafone-Panafon): summary, legal basis, fine, orders; decision PDF. https://www.dpa.gr/el/enimerwtiko/prakseisArxis/epiboli-prostimoy-se-paroho-ypiresion-tilepikoinonias
- EDPB — “Imposition of fine on a telecommunications company for violations of data subject’s rights” (National News), 4 June 2026, confirming decision date (11/02/2026), controller, breached articles and fine. https://www.edpb.europa.eu/news/imposition-of-fine-on-a-telecommunications-company-for-violations-of-data-subjects-rights_en
- EDPB — Guidelines 01/2022 “Right of access” (final): scope of the copy, format, third-party handling, timelines. https://www.edpb.europa.eu/documents/guideline/guidelines-012022-on-data-subject-rights-right-of-access_en
- GDPR on EUR‑Lex — Chapter III, notably Articles 12, 15, 18. https://eur-lex.europa.eu/legal-content/en/LSU/?uri=CELEX%3A32016R0679
- CNPD (Luxembourg) — “Le droit d’accès”: practical note, templates, timelines and exceptions. https://cnpd.public.lu/fr/particuliers/vos-droits/droit-acces.html
Bottom line
The Vodafone-Panafon case confirms that European regulators now scrutinise the operational side of rights handling: delivering a true copy of recordings, on time and with consistent information, is non-negotiable. For executives, DPOs and CISOs in Luxembourg, the priority is equipping an end-to-end access workflow—identification, multi-silo collection, third-party redaction, processing freeze, delivery—and keeping evidence of compliance.
Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.
Build my quote →