Is Recording Phone Calls Legal in EU countries?
Companies or organizations operating in European Union member states are required to follow the rules outlined in the European Union’s General Data Protection Regulation (GDPR). The GDPR was established on May 25, 2018, to control the processing of data (including calls) owned by EU citizens by companies that have access to such data, regardless of whether or not the companies are established within the EU.
The GDPR was implemented to consolidate the different data protection laws implemented by EU countries into a single source that dictates the data protection guidelines for all EU countries.
What are the Call Recording Laws Under the GDPR?
Under the GDPR, clear and unambiguous consent must be sought before a call recording or any other audio recording is made. The law also requires the recordings to be justifiable under the GDPR’s guidelines. According to Article 6 of the GDPR, before a company decides to start recording phone calls, it has to ensure the following requirements are met:
- Parties to the conversation or call have consented to recording for one or more specific purposes.
- The recording is necessary for the fulfilment of a contract in which the party is involved.
- The recording is done for the fulfilment of legal obligations.
- The recording is necessary to protect the interests of one or more parties.
- The recording is in the public’s interest or done in the exercise of official authority.
- The recording is in the legitimate interests of the recorder as long as such interests are not overridden by the interests of the other parties to the call or conversation.
Protection Requirements for Call Recordings
The GDPR requires organizations that collect and store call recordings to ensure adequate security measures are put in place to protect the stored recordings from unauthorized access. The measures outlined in Article 32 include:
- Pseudonymisation and encryption of personal data. Note: Pseudonymisation refers to the processing of personal data in such a way that data cannot be linked to a specific individual.
- The confidentiality, integrity, availability and resilience of processing systems and services should be ensured.
- In case of a physical or technical incident, the availability and access to personal data in a timely manner should be guaranteed.
- A process for regularly testing, assessing and evaluating the effectiveness of security measures put in place should be established.
Call Recordings Retention Rules
According to Article 5(1)(e) of the GDPR, call recordings can only be stored for as long as is necessary to fulfil the purposes for which the data were collected or processed. Call data can be stored for longer periods for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Right to Access
Article 15 of the GDPR states that participants in a call or audio recording have the right to request access to call data concerning them or call data concerning them that is being processed. If the call data is being processed, they have a right to request more information, including:
- The purpose of the processing.
- Categories of personal data concerned.
- The parties who will have access to the call data through disclosure.
- If possible, the period for which the data will be stored or, if not possible, the criteria used to determine that period.
- The ability to request rectification, erasure, or restriction of processing of the call data or objection to the processing of such data.
- The right to lodge a complaint with the relevant authority.
- The source of the data if the data is not collected from the data subject.
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved and the significance and possible consequences of such processing for the data subject.
Right to Erasure
Article 17 allows data subjects to request the erasure of call data concerning them, and to have this done without undue delay, if:
- The data is no longer needed for the purposes for which they were collected or processed.
- The data subject withdraws consent for the processing as long as there is no other legal ground for the processing.
- The data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the objection is made pursuant to Article 21.
- The call data have been illegally processed.
- The erasure is necessary to comply with a legal obligation in Union or Member State law to which the organization is subject.
- The personal data collected involves children under Article 8.