Under the terms of the General Data Protection Regulation (GDPR), recording a telephone conversation is a means of collecting personal data and therefore the data must be processed ‘lawfully, fairly and in a transparent manner’.
First layer of information
The data controller is required to give the caller/data subject certain information at the point the data is collected (at the start of the call). It is not appropriate to give all the information on the call and therefore it is recommended that the first layer of information should include the following:
• The identity and contact details of the controller.
• The intended purposes of, and the legal basis for, the processing. There are six options in all but this is likely to be one of two:
- either the data subject must give the data controller their consent to process their personal data. Should the message at the start of the call be automated, then it is advised that it may be acceptable for the data subject to press a particular number on the keypad or record ‘yes’ when requested to indicate consent; or
- the data controller must be able to justify the processing of the data subject’s personal data is necessary for the purposes of legitimate interests, although this does not apply when the interests are overridden by the interest or fundamental rights and freedoms of the data subject. Should a data controller decide to rely on ‘legitimate interests’, they will need to think about what might constitute a ‘legitimate interest’, be able to justify that processing the personal data is necessary to achieve it and balance it against the data subject’s interests, rights and freedoms. For instance, recording calls for training purposes would be difficult to justify as a ‘legitimate interest’ but recording calls because it is a legal requirement to do so is justifiable.
• Who the recipients of the personal data are (is the data transferred to third parties?).
• Details regarding data subjects’ rights: right of access, right to rectification, right to erasure, restriction of processing, right to object to processing, right to data portability and the right to lodge a complaint with the supervisory authority.
Second layer of information
The remaining information is to be provided to the data subject as a ‘second layer’ and can be done by: (a) giving the caller/data subject options to listen to further information, (b) sending a copy of the privacy policy by email or (c) sending the data subject a link to an online privacy statement.
The second layer of information may consider points such as:
• The contact details of the data protection officer (if applicable).
• The period for which the data is stored or the criteria used to determine that period.
• Where the data is stored.
• How the data is disposed of once the period of storage has expired.
This information can be set out as a section in a privacy policy or can be set out in a separate recording policy (which may be useful if there are a number of recording devices – telephones, Skype, video conferencing, etc).
Should you have any queries regarding data protection, please do not hesitate to contact Thomas Newlyn in our Corporate and Commercial team on tel: 01892 515022 or by email: [email protected]