How recording telephone conversations is affected by the GDPR
Under the General Data Protection Regulation (GDPR), recording telephone conversations is considered a form of processing personal data. As such, it is subject to the GDPR’s data protection rules.
In general, if you wish to record a telephone conversation, you must have a lawful basis for doing so. This means you must have a legitimate reason for recording the conversation, aligning with the GDPR’s transparency, fairness, and proportionality principles.
Several lawful bases may apply to recording telephone conversations, including:
- Consent: You can obtain explicit consent from the individual before recording the conversation. However, it’s important to note that consent may not be a sufficient lawful basis in some cases, such as in an employment relationship.
- Legitimate interests: If you have a legitimate interest in recording the conversation, such as for quality assurance or training purposes, you may be able to do so. However, you must ensure that the individual’s privacy rights do not outweigh your legitimate interests.
- Contract: If the recording is necessary for the performance of a contract with the individual, you may be able to record the conversation without their explicit consent.

In addition to having a lawful basis for recording the conversation, you must also provide the individual with certain information, such as the purpose of the recording and how long it will be kept. You must also ensure that the individual’s rights under the GDPR are respected, such as the right to access their personal data and the right to have it erased.

Different countries may have specific rules and regulations regarding recording telephone conversations, so it’s important to check local laws and regulations before recording any conversations.

A customer’s right to be forgotten under GDPR regulations
The right to be forgotten, known as the right to erasure, is one of the data subject rights provided by the General Data Protection Regulation (GDPR). This right allows individuals to request that their personal data be erased in certain circumstances.
Under the GDPR rules, individuals have the right to ask for their personal data to be deleted if:
- The data is not or is no longer necessary for the purpose for which it was collected.
- The individual withdraws their consent to process the data, and there is no other lawful basis for processing it.
- The individual objects to processing of their data, and there are no overriding legitimate grounds for the processing.
- The data was unlawfully processed.
- The data has to be erased to comply with a legal obligation.

If a person requests that their data be deleted, the data controller must respond without undue delay and no later than one month from the date of the request. The data controller must verify the identity of the individual making the request and then assess whether the request is valid.
If the request is valid, the data controller must erase the personal data without delay unless there is a legitimate reason for keeping the data, such as to comply with a legal obligation.
It’s important to note that the right to be forgotten is not absolute, and there may be situations where an individual cannot exercise it, for example, if the data processing is necessary to exercise their right to freedom of expression and information or for the establishment, exercise, or defence of legal claims.