Recording Teams meetings and data protection: where the meeting ends and privacy begins

share-icon.jpg
executive-members-videocall

The digital office also has boundaries

Companies no longer use videoconference meetings as an exceptional tool. In many organisations, these meetings now provide the ordinary space for decision-making, team coordination, project negotiation, performance review and corporate communication.

Microsoft Teams, Zoom, Google Meet and similar platforms have taken over a space that previously belonged to the meeting room, the office or the corridor. This technological transformation has not eliminated employees’ fundamental rights. It has moved them into an environment where boundaries are harder to define.

In an in-person meeting, boundaries are usually intuitive. The meeting begins when people enter the room. It ends when they stand up, leave or stop dealing with the professional matter at hand.

In the digital environment, that boundary can become more blurred. A camera may remain on. A microphone may stay connected. A recording may continue after the formal farewell. A participant may also remain connected without realising it. In any of these situations, the system may capture private conversations involuntarily.

Judgment No. 1713/2026 of the High Court of Justice of the Basque Country, of 11 May 2026, appeal 738/2026, addresses precisely that difficulty. The case does not simply ask whether a company may record a Teams meeting.

The issue goes further. Can the use of a corporate tool allow the company to appropriate conversations that take place after the professional purpose of the meeting has ended? At that point, the employee no longer knows that the recording continues. The communication has also left the employment context that justified its capture.

Why this judgment matters for companies

The court’s answer has particular relevance for companies, HR departments, compliance teams, legal departments and IT managers. Corporate digital tools do not make everything that happens through them available to the company. They also do not eliminate the employee’s legitimate expectation of privacy.

A virtual meeting may take place through a corporate channel. Even so, the company cannot automatically treat everything captured after its formal conclusion as part of its power of control.

This case operates as a warning. A company may have a legitimate interest in recording meetings for organisational, documentary or evidentiary reasons. That interest must coexist with clear rules on information, consent where applicable, purpose limitation, data minimisation, retention, access, security and respect for fundamental rights.

In the digital environment, transparency is not a courtesy. It is a condition of validity.

A meeting that ended, but a recording that continued

The litigation arose from a claim brought by an employee with more than twenty years’ service in the company. She requested the compensated termination of her employment contract under Article 50 of the Spanish Workers’ Statute and alleged serious breaches by the employer.

The dispute concerned several work meetings held through Microsoft Teams. After those meetings had formally ended, the recording continued.

As a result, the system recorded conversations that the employee held outside the strictly professional sphere. According to the facts described in the judgment, she did not know that another participant’s device was still capturing her image and voice.

From her perspective, the work meeting had ended. From a technical perspective, the recording remained active.

The company later used extracts from those recordings to question the trust placed in the employee and to justify certain business actions. In other words, the company did not simply store the material by mistake. It did not treat the recording as a technical incident to correct or delete. It incorporated the material into its strategy against the employee.

At first instance, the Employment Court dismissed the claim. The court considered that the company had made the recordings within a corporate environment and could therefore use them as evidence. It also imposed a financial penalty of EUR 4,500 on the claimant for bad faith and procedural recklessness.

That initial reading placed the case within a logic of company tool and admissible evidence.

The High Court of Justice of the Basque Country fully overturned that approach. It held that the conclusion of the virtual meeting generated a legitimate expectation of privacy for those who had participated in it.

From that moment onwards, the company could not appropriate conversations held outside the professional purpose of the meeting. It also could not use them later without the express consent of the person concerned and without an adequate basis of prior information.

The difference between the two decisions is significant. The first focused on the channel used: a corporate platform. The second focused on purpose, expectation of privacy and fundamental rights. In the digital workplace, that second perspective matters increasingly.

A corporate meeting does not turn everything captured into company evidence

The company does not lose its powers of organisation and control by using digital tools. It may establish policies on the use of technological means. It may also regulate meeting recordings, protect corporate information, verify compliance with employment obligations and retain certain records where it has a legitimate purpose.

However, the power of control is not absolute. Above all, it does not extend without limits to any content that a work device may capture.

A meeting recording has a specific purpose. It may document agreements, support minutes, help people who could not attend, preserve evidence of training or ensure traceability in certain decisions.

That professional purpose may justify recording image and voice during the meeting, where appropriate. But when the meeting ends, the reason that legitimised the recording also ends.

At that point, the expectation of privacy emerges. An employee who participates in a virtual meeting may accept, if properly informed, that the company will record their professional intervention during the session.

That does not mean the employee consents to the recording of later conversations. It also does not mean they consent to the capture of comments unrelated to the meeting or communications made after they reasonably understand that the meeting has ended.

The boundary does not depend only on the technical button to “stop recording”. It also depends on the employment purpose that justified the capture.

Technical availability is not legal validity

Another participant’s failure to close the application properly cannot become a tacit waiver of the employee’s fundamental rights. The same applies when someone remains connected by mistake.

This idea is central. In the digital environment, technical errors, connection oversights or deficient settings cannot automatically benefit the company when they lead to the capture of private communications.

A company that receives or retains that material must ask itself what it is really processing. If the system captured a private conversation by mistake after the meeting ended, its disciplinary, evidentiary or reputational use may violate fundamental rights.

A corporate channel does not cleanse the acquisition. Technical availability does not amount to legal validity.

Privacy, secrecy of communications and data protection

The court identifies a violation of three fundamental rights: the right to personal privacy, the right to secrecy of communications and the right to the protection of personal data.

This accumulation is not accidental. A Teams recording may involve image, voice, conversation content, context, participant identity and metadata linked to the use of the tool.

The company is not dealing merely with a computer file. It is processing personal data and, potentially, capturing protected communications.

The right to privacy protects an area of personal life against unjustified interference. At work, this right does not disappear. The company’s powers of organisation and control may shape its scope, but the employee retains a private sphere even when using corporate tools.

This is especially true where the company has not provided clear information about monitoring and recording conditions.

Secrecy of communications

The secrecy of communications adds another dimension. If people do not know that a conversation continues to be recorded, and if that conversation later reaches the company for use against one of them, the problem goes beyond abstract privacy.

The company is then using a communication that had left the professional framework that justified the meeting.

Recording as data processing

Data protection completes the analysis. Both voice and image constitute personal data. Recording, storing, reviewing, extracting fragments and later using that material constitute data processing.

Any data processing requires an appropriate legal basis, a specific purpose, sufficient prior information, proportionality, minimisation and security safeguards.

If the company did not properly inform employees about the possibility of continued capture, the processing can hardly be sustained. The same applies where the company failed to explain recording conditions, later uses and monitoring criteria for digital devices.

The court highlights precisely that lack of sufficient prior information. The company cannot rely solely on the fact that Teams is a corporate tool. Nor can it rely solely on the fact that the meeting took place in a professional environment.

If meetings are to be recorded, the company must establish clear rules and communicate them. And if the system records conversations after the meeting by mistake, the company should not use them.

From a compliance perspective, it should treat them as an incident affecting fundamental rights.

The legitimate expectation of privacy after the meeting

The concept of legitimate expectation of privacy helps define digital working environments. Not everything that happens on a corporate device is private. But not everything automatically becomes accessible to the company either.

The expectation depends on the context, the prior information provided, internal policies, the purpose of the tool and the moment at which the communication takes place.

In a Teams meeting, the expectation of privacy changes over time. While the meeting is active, and if participants know that the company is recording, that expectation is limited. The person knows that the company may record their professional intervention.

Once the meeting ends, that expectation changes. The purpose of the call has closed. The person no longer has reasonable grounds to believe that recording continues. What they say afterwards may therefore belong to a different sphere, even if the technical channel remains open.

Why internal protocols matter

This idea has enormous practical relevance. Many companies have normalised meeting recordings without designing precise protocols for starting, ending, storing and accessing them.

Sometimes, teams record meetings out of convenience. Sometimes, they do it by routine. But a recording is not an innocuous notepad. It involves personal data processing. It may capture sensitive information, opinions, informal comments, mistakes, private expressions or communications not intended for the company.

The use of a corporate tool does not destroy the expectation of privacy. If the company wishes to limit that expectation, it must do so through prior information, clear policies and proportionate rules.

Even then, there are limits. A technical error cannot become an unlimited window of access to private conversations.

By recognising that expectation once the meeting has ended, the court sends a clear message: the digitalisation of work cannot erode fundamental rights by default.

This distinction requires the company to separate legitimate control from the improper use of accidental capture.

Illicit evidence and its effect in employment proceedings

One of the most relevant effects of the judgment is the declaration that the company obtained the recordings unlawfully. If their acquisition violated fundamental rights, the court should not have admitted or assessed those recordings as evidence.

This conclusion completely alters the company’s procedural position.

In employment proceedings, as in other jurisdictions, evidence is not valid at any cost. A company may have an interest in proving certain facts, but it cannot use material obtained in breach of fundamental rights.

When the evidentiary source is contaminated, the court may exclude it. The same material may also expose the employer to liability.

This is one of the major lessons of the case. In that scenario, the company does not merely lose the evidentiary value of the recordings. Its use of those recordings becomes the serious breach that justifies compensated termination of the contract.

In other words, the material that the company sought to use to question trust in the employee ends up revealing an employer breach sufficiently serious to activate Article 50 of the Spanish Workers’ Statute.

The distinction is substantial. This is not merely a discussion about the admission of evidence. It concerns employer conduct affecting privacy, secrecy of communications and data protection.

Because of its seriousness, that conduct allows the employee to terminate the contract with entitlement to compensation equivalent to unfair dismissal.

The risk for companies is clear. An improper recording may have a boomerang effect. Instead of strengthening the company’s position, it may allow the employee to bring a claim for violation of fundamental rights, compensation for moral damages and compensated termination of the employment contract.

Article 50 of the Spanish Workers’ Statute: when employer breach breaks the contract

Article 50 of the Spanish Workers’ Statute allows the employee to request compensated termination of the contract where the employer commits a serious breach of its obligations.

Its logic is clear: if the company breaches its obligations in a sufficiently serious manner, the employee does not have to remain in the employment relationship. They may also obtain compensation equivalent to unfair dismissal.

Traditionally, this route has been associated with situations such as unpaid wages, continuous delays, substantial modifications that undermine dignity or serious breaches of health and safety obligations.

However, it may also apply where the company violates fundamental rights. In such cases, the breach is not measured only by its economic impact. It is also measured by the harm caused to dignity, privacy, trust and the basic guarantees that must be respected in the employment relationship.

In the case analysed, the High Court of Justice of the Basque Country concluded that the company’s use of unlawfully obtained recordings constituted a serious and culpable breach. That breach justified compensated termination.

The financial impact of unlawful recording

The amount awarded is particularly significant: EUR 328,491.62 for the contractual termination, equivalent to unfair dismissal compensation, and an additional EUR 7,501 for moral damages arising from the violation of fundamental rights. In total, the company had to pay EUR 335,992.62.

The figure matters because it illustrates the real cost of poor digital management. This is not merely an administrative sanction in data protection matters. Nor is it only a judicial warning about good practices.

A violation of fundamental rights in the use of corporate tools may have direct and very significant employment consequences. This is especially true where it affects employees with long service and relevant salaries.

The court also set aside the EUR 4,500 penalty imposed at first instance for alleged bad faith and procedural recklessness. The employee’s claim, far from being reckless, was fully founded.

The procedural reversal is notable: a claim initially dismissed and sanctioned ultimately became a high-impact employer liability decision.

The mistake of confusing corporate tools with total availability

Many companies operate under an implicit premise: if the tool is corporate, everything that happens on it belongs to the company.

That premise is legally dangerous. Ownership of the device or platform does not eliminate the employee’s rights. The company may establish conditions of use, but only in an informed and proportionate manner. It must also respect fundamental rights.

Organic Law 3/2018 on the Protection of Personal Data and the guarantee of digital rights expressly recognises rights in the digital workplace.

The employer may access content derived from the use of digital means made available to employees only for specific purposes. These purposes are monitoring compliance with employment or statutory obligations and ensuring the integrity of the devices. Even then, the employer must establish criteria of use that respect minimum standards of privacy protection.

Employees must also receive information about those criteria.

The role of internal policies

This rule is fundamental in relation to videoconferences. If the company allows or promotes meeting recordings, it must indicate when recording may take place, who may record, for what purpose, how participants receive information, where the recording is stored, who may access it, how long retention lasts and what procedure applies if the system captures content unrelated to the professional purpose by mistake.

Without such a policy, the company is exposed. That exposure does not arise only from the initial recording. It also arises from later use.

Mistaken recordings may occur. What matters is how the company acts when it detects the incident. If it deletes the content, limits access and documents the incident, it may mitigate the risk. If it extracts fragments and uses them against an employee, the problem intensifies.

The corporate tool does not create a rights-free zone. Teams is not an exception to the Constitution, data protection law or digital employment rights.

What companies should do before recording meetings

The company should no longer treat the recording of virtual meetings as an informal decision by the meeting organiser. In many organisations, any participant with sufficient permissions can activate the recording without a consistent criterion.

Although this practice may appear efficient, it multiplies risks. The company should define a clear policy on when recording is permitted, who may authorise it and which purposes are legitimate.

Companies do not need to record every meeting. Minutes may document some meetings more appropriately. Other meetings may require recording for training, regulatory or traceability reasons.

The principle of minimisation

From a data protection perspective, the company must apply the principle of minimisation: capture only what is necessary for the intended purpose. Recording all meetings by default may prove disproportionate, especially where participants discuss personal matters, evaluations, internal conflicts, occupational health or sensitive information.

Companies must also reinforce the information provided to participants. The visual signal that Teams is recording may not be sufficient if there is no prior policy explaining the conditions of processing.

In practical terms, the company must provide understandable information about the purpose, legal basis, recipients, retention, rights of the individuals concerned and access criteria. In the employment context, this information must also connect with policies on the use of digital devices.

The end of the recording must become a critical point in the protocol. Whoever convenes or moderates the meeting must ensure that the recording stops when the session concludes. They should also communicate this clearly.

If the meeting ends, the recording must end. And if it continues by mistake, an internal procedure must allow the company to report, block, review and delete non-relevant content without using it for different purposes.

In employment technology matters, prevention is usually less expensive than judicial defence.

The evidentiary dimension: recording does not always help

Many companies record meetings for evidentiary reasons. They want to leave a record of what was discussed, avoid future discrepancies or have evidence in the event of possible conflicts.

That purpose may be legitimate in certain circumstances, but evidence should not be confused with security. A recording obtained or used improperly may not only prove useless. It may become harmful.

Digital evidence requires a chain of lawfulness. The existence of a file is not enough. The company must obtain it lawfully, store it properly, link it to a legitimate purpose and use it within the limits previously communicated.

If any of these elements fails, the company may face excluded evidence and an additional claim for violation of fundamental rights.

This risk is especially high when the recording captures more than necessary. Virtual meetings may record side conversations, later comments, personal data of third parties, family information, images of the home, informal expressions or elements unrelated to the professional purpose.

The risk of excessive capture

The broader the capture, the greater the company’s responsibility for its processing.

For that reason, before recording, it is advisable to ask whether the recording is truly necessary. If it is, the company must limit it to the strictly necessary time and purpose.

If it is not, minutes, an email confirmation or a shared document may offer a less intrusive and legally safer alternative.

A business culture of “recording just in case” fits poorly with data protection principles.

Privacy as part of the company’s digital governance

The judgment of the High Court of Justice of the Basque Country should not be read as an isolated decision arising from a Teams malfunction. More importantly, it belongs to a broader legal discussion about how companies must protect fundamental rights within an increasingly digitalised organisation.

Today, companies operate through videoconferencing tools, instant messaging systems, cloud storage, productivity software, timekeeping platforms, collaborative environments and monitoring applications. Yet internal employment policies have not always evolved at the same speed as the technology they are meant to govern.

Digitalisation has unquestionably increased the traceability of professional activity. Even so, traceability cannot slide into diffuse or permanent surveillance. Corporate tools need clear rules of use. Data processing requires a defined purpose. Control measures must remain proportionate to the legitimate aim pursued.

Employees must also know, in advance and in understandable terms, what to expect when they use corporate digital tools.

Governance requires structure

For that reason, privacy should not be treated as an obstacle to business management, but as one of the organising principles of sound digital governance. A company that defines the scope of its tools, explains the purpose of monitoring and sets operational limits on access and retention is in a far stronger position than one that relies on the mere technical availability of information.

Privacy as a condition of legitimacy

Privacy is not an obstacle to business management. It is a condition of legitimacy. A company that properly regulates its digital tools reduces conflict, protects its evidence, limits nullity risks and generates a more solid internal culture.

By contrast, a company that relies on the technical availability of information may end up using data it should never have processed.

Managing the boundary between work and privacy

The boundary between work and private life will not always be perfect in a digital environment. But precisely for that reason it must be governed. No organisation should wait for conflict to arise before deciding what rules apply to Teams, recordings or corporate devices.

The meeting ends when its purpose ends

The judgment recalls a simple but decisive idea: a virtual meeting cannot be understood as indefinite authorisation to capture voice and image. The professional purpose that justifies the communication also marks the limit of the recording.

When that purpose ends, the company must respect the legitimate expectation of privacy of those who participated.

Technology allows more than necessary to be recorded. The law requires the company not to record more than necessary. And, if that happens by mistake, the law requires the company not to use it.

That distinction summarises many of the current risks in the digital workplace. Companies must not only ask what they can technically capture. They must ask what the law allows them to process and for what purpose.

The case analysed shows that the improper use of a Teams recording may become a violation of fundamental rights with highly relevant economic consequences. It also confirms that corporate tools do not eliminate privacy, secrecy of communications or personal data protection.

The digital office remains an office, but it remains subject to limits.

For companies, the conclusion is clear: recording meetings requires policy, information, purpose, control and closure. Without these elements, a tool designed to improve coordination may become the source of a serious employer breach.

At Suárez de Vivero, we advise companies, international groups and HR departments on the review of digital tool use policies, meeting recordings, data protection in the employment context, digital rights, internal investigations and the management of technological evidence in employment proceedings.

Frequently asked questions on recording Teams meetings and data protection

Can a company record Teams meetings?

Yes, but not indiscriminately. The company must have a legitimate purpose, inform participants in advance, limit the recording to what is necessary and regulate who may record, access, retain and use the content.

Recording meetings involves the processing of personal data, especially where voice and image are captured.

Is it enough for Teams to indicate that the meeting is being recorded?

Not always. The technical notice provided by the platform may be useful, but it does not replace a clear company policy or the prior information required in relation to data protection and digital employment rights.

The company must explain the purposes, conditions of use, retention, access and rights of the persons concerned.

Can the company use a recording that continued after the meeting had ended?

The judgment discussed considers that it cannot, where the recording captures subsequent conversations unrelated to the professional purpose of the meeting and the employee was not aware that they were still being recorded.

Once the meeting has ended, there is a legitimate expectation of privacy that the company must respect.

What rights may be affected by an improper recording?

An improper recording may affect the right to personal privacy, secrecy of communications and the right to the protection of personal data.

In addition, if the company uses the recording against the employee, it may generate a violation of fundamental rights with employment and compensation consequences.

Can a recording obtained improperly be used as evidence?

The court should not admit or assess a recording if its acquisition violates fundamental rights. Digital evidence must be obtained and processed lawfully.

An unlawful recording may be excluded from the proceedings and may also serve as the basis for a claim against the company.

Can a privacy violation justify compensated termination of the contract?

Yes, if the employer’s conduct constitutes a serious breach of its obligations.

In the case analysed, the High Court of Justice of the Basque Country recognised compensated termination of the contract under Article 50 of the Spanish Workers’ Statute, in addition to compensation for moral damages.

What should a company policy on recording meetings include?

It should regulate who may record, in which circumstances, for what purpose, how participants receive information, where recordings are stored, who may access them, how long retention lasts, how deletion takes place and what procedure applies if the system records content unrelated to the professional purpose by mistake.

What should companies do if a meeting continues to be recorded by mistake?

They should block access to the content, review the incident in a limited manner, delete what is not relevant, document what happened and avoid using fragments unrelated to the professional purpose of the meeting.

Using that material against an employee may significantly increase the legal risk.

Related posts

Single-parent families and birth leave: are they entitled to ten additional weeks?

READ MORE

Can a company offset a collective bargaining increase against individual improvements?

READ MORE

Sick leave due to medical incapacity: is it compatible with high-intensity sport?

READ MORE