Consent Required by Danish DPA for Customer Service Call Recording under GDPR
The Danish DPA declared in an April ruling that a disclosure to customers of call recording for training purposes was insufficient to establish a lawful basis for processing voice recordings under the European Union (EU) General Data Protection Regulation (GDPR). The DPA also rejected claims by the company that the improvement of its customer service by the recordings was a legitimate interest.
The result of the decision is that companies need to carefully examine their use of the legitimate interest basis for lawful processing and may need to increase their use of consent. Consent is defined by Article 4 as any freely given, specific, informed and unambiguous indication of the data subject’s wishes signifying agreement to the processing of personal data. The requirement for affirmative opt-in consent has been one of the most discussed changes initiated by the EU through GDPR. Last year, we discussed on our website the possibility of gaining verbal consent over the phone and the necessary documentation.
Customers of the company at issue in the decision here were given notice that the call would be recorded for training purposes but were not asked to affirmatively consent. An individual reportedly asked for the recording to be stopped and was told it was not possible.
The Danish DPA considered the voice recordings of customers a form of personal data and declared its processing without a lawful basis a violation of GDPR. The DPA ordered a temporary ban on recording calls for internal training until a system of consent is put in place.
The legitimate interest basis has been called by the Information Commissioner’s Office of the United Kingdom as “the most flexible lawful basis”. However, in this case the Dutch DPA did not believe it to be the appropriate basis. The DPA considered it possible that exceptional circumstances may warrant lawful processing using the legitimate interest basis but did not find those circumstances in the standard case before it.
The decision is written in Danish and it is not entirely clear the basis of the rejection of the legitimate interest basis. It may have been because the company was able to gain the consent of the user and the DPA rejected the company’s claim that it was not technically possible to obtain consent.
Further guidance on legitimate interest is expected from the European Data Protection Board (EDPB) in the short term as there has been discussion of guidance on its use by advertising companies. This guidance could provide further insight into the appropriate interpretation of this lawful basis and help further interpret the Dutch DPA decision.
In the meantime, companies that record phone calls with individuals located in the EU for training or internal education purposes should evaluate the decision carefully to determine their next steps. Implementation of a consent management system may be appropriate to give customers additional control over their data processing.
If your organization is considering consent management software, contact Clarip at 1-888-252-5653 for a demo of our consent management software for GDPR.
Other Relevant Posts:
EDPB Releases GDPR Guidance on Contractual Necessity Lawful Basis
Poland and Denmark Issue First GDPR Fines (covering Transparency and Data Minimization)
Third-Party Data Sharing In Focus Again with Finland DPA Investigation
Dutch DPA Issues Policy on GDPR Fines
EDPB Issues Opinion on Intersection of GDPR and ePrivacy
Dutch DPA Says No Cookie Walls Because of GDPR Consent
Summary of Ireland’s Data Protection Commission Annual Report
EU Issues Third Proposal of ePrivacy Regulation Changes in February
Romanian Presidency Offers ePrivacy Regulation Compromises
CNIL Releases Data Sharing Guidance for Third-Party Marketing under GDPR – Requires Informed Consent