Regulator rules consent is required for call recordings
Published on Wednesday, May 1, 2019 - 10:40 by Camilla Winlo
The Danish Data Protection Authority, Datatilsynet, ruled on 8 April that calls can only be recorded for internal training purposes with the consent of the caller. It has ordered YouSee A/S to temporarily stop recording calls until it is able to implement a technical solution enabling it to collect consent before recording calls.
We would recommend that any organisations that record calls review the ruling and consider whether it may impact their use of call recording technology. In particular, organisations should understand whether they will need to collect consent and, if so, whether their current technology is capable of this.
Organisations providing call recording technology should consider whether they are able to manage consent appropriately and ensure that they have taken reasonable steps to confirm that their systems are being used lawfully.
Where consent is required, it must be collected before the processing starts – so the call recording can only begin once consent has been provided.
Consent must be fully informed, freely given and explicit – Datatilsynet has specifically said that allowing the call to continue is not sufficient – and evidenced in an audit trail.
Fully informed consent and the principle of Purpose Limitation mean that call recordings cannot be used for any purposes that the caller did not consent to, unless the purpose is compatible with the reasons that were explained to the caller. If the organisation does decide to process the recording in a new way, they will either need to document and demonstrate why the new purpose was compatible, or seek fresh consent
The information provided must include information about how long the data will be retained, who will have access to it and the rights the caller has in respect of it.
The caller must be able to withdraw consent as easily as they gave it, at any time, and the audit trail will also need to demonstrate this.
Any call recordings that are made could later fall in scope of a Subject Access Request.
Points to consider
There are some specific circumstances that apply to this case that DPOs should review:
First, Datatilsynet does state that in some circumstances it may be possible to demonstrate a legitimate interest in recording calls but that YouSee did not establish this. It is possible that measures to reduce the potential harm, such as using sampling techniques rather than recording all calls, may have changed the decision. DPOs in organisations that are currently relying on Legitimate Interest may wish to revisit their Legitimate Interest Assessments in light of this ruling.
Second, it also appears that YouSee only gave ‘internal training purposes’ as a reason for recording the calls. In our experience call recordings can be used for a number of other reasons, such as providing non-repudiable evidence to support the investigation of a complaint. It is possible that Datatilsynet might have made a different decision where the recordings were made for a different reason. DPOs may wish to revisit the information provided to callers, ensure it accurately reflects all the purposes that the call recordings may be used for, and ensure that they have an appropriate lawful basis for those purposes.
Nonetheless, it is clear that the starting assumption in relation to call recordings should be that consent will be required and that the technology used should be capable of collecting consent and allowing callers to object to the recording.