Any company anywhere in the world that records calls from EU residents needs to follow the GDPR rules for recording calls. Recording telephone conversations is allowed under the GDPR, but there are requirements that must be followed to protect data subjects’ privacy.
GDPR Article 7 classifies telephone recordings like cookies on websites and other means of data collection, which are only allowed if the data subjects give their consent. Prior to the introduction of GDPR, it was possible to advise the caller that the call may be recorded, and by proceeding with the call consent for the recording was being given.
Under the GDPR rules, an affirmative action is necessary before telephone calls can be recorded. Silence or inactivity is not enough to count as consent. A specific action such pressing a key on the telephone or giving verbal consent is necessary under the GDPR. A record of consent being given must also be recorded.
The GDPR Rules for recording calls require more than just consent to be obtained. There must be a valid and legal reason for recording the call. In general, companies must see to it that at least one criteria in the list below is met aside from getting the consent:
- There is a contract allowing the recording
- Recording is necessary for legal purposes
- The recording protects the interests of at least one participant
- Recording is necessary to maintain public safety
- Recording the call satisfies the legitimate interest of the recorder and does not overwrite the interest of the participant in the call
In addition, the following GDPR Rules for recording calls must be observed:
Stored call recordings must be secured with appropriate controls preventing unauthorized persons from accessing the recordings. Companies must also conduct a risk analysis, and implemented policies and procedures to manage the risk.
Rules on Data Retention
GDPR Article 5 states that data are to be kept only as long as it fulfills a valid purpose for collecting the data. When the call recordings are not needed anymore, they must be disposed of properly.
Right to Access Personal Data
GDPR Article 15 explains the right of data subjects to access their personal data, including recordings of phone calls. The data subject’s request to access his personal data must be honored within 30 days.
Right to be Forgotten
GDPR Article 17 explains the right of a data subject to request the deletion of his/her personal data. If an EU resident chooses to exercise this right, all data and call recordings must be deleted unless state or federal laws forbid it. This right does not apply when the recordings are required for the defense of legal claims or when archiving is in the public interest.
The GDPR Rules for recording calls must be followed or strict penalties can be issued. Violators may be penalized up to €20 million or 4% of global annual turnover, whichever is higher.