The Denmark Data Protection Authority (DPA) ruled on April 11, 2019 that affirmative consent is required when companies record customer telephone calls. Because voice recordings constitute personal data under the European Union’s (EU) General Data Protection Regulation (GDPR), international companies that communicate via telephone with EU customers will need to take steps to ensure GDPR compliance. 

In this case, Denmark’s largest telecommunications company, TDC A/S, provided disclosures to its customers that calls may be recorded for training purposes, but the company offered no mechanism for customers to opt in to or opt out of the recording. During one such call, the customer requested that the call not be recorded, but the service agent said there was no way to turn off the recording. The Denmark DPA rejected the company's arguments that its recording practices served a legitimate interest, such as the improvement of its customer service, and concluded that the company's telephone recording practices violated the GDPR.

The Denmark DPA's ruling could open the door to more legal challenges to customer service call recordings. A company must obtain the customer's consent to the recording unless the company is able to demonstrate that the recording is necessary to fulfill a contract requirement or legal obligation, is in the vital interest of the customer, or there is some other GDPR purpose for the recording.

This ruling makes clear that training purposes are not a lawful basis to process these recordings. Under the GDPR, consent must be freely given, specific, informed, and unambiguous. Tacit consent no longer will be enough. Companies should re-evaluate their internal practices with regard to call recordings, update any policies and procedures as needed, and train customer service agents on these new legal requirements under the GDPR.

Ballard Spahr's Privacy and Data Security Group provides a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors. The Group also assists in drafting privacy policies, third-party vendor agreements, and information security policies and procedures.


Copyright © 2019 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.
