
What are the GDPR Rules for Recording Calls?

Many companies record telephone calls for ‘quality and training purposes’ and to help resolve customer disputes, but since May 25, 2018, the GDPR rules for recording calls must be followed.

GDPR Rules for Recording Calls

Any company, regardless of its location, must comply with GDPR Rules for recording calls if the company has dealings with EU residents.

Call recording can continue under GDPR, as recording telephone conversations is not prohibited, but there are now additional requirements to protect the rights and freedoms of data subjects under GDPR. As with the use of cookies on websites and other forms of data collection, it can only take place if the data subject gives their consent (GDPR Article 7).

Previously, in order to comply with existing regulations, companies would advise people that the calls may be recorded for a particular purpose and consent was obtained when the customer continued with the telephone call. The customer’s silence or lack of action was taken to mean that consent was being provided. However, GDPR Rules for recording telephone calls require consent to be provided by an affirmative action. Silence or inactivity is no longer sufficient.

An unambiguous action is now required, such as pressing a specific key on the telephone or providing verbal consent. A recording of consent should be retained by the company.

GDPR Rules for recording calls involve more than consent. The recording of telephone conversations is only possible if there is a valid and legal reason for that information to be collected.

For all companies, at least one of the following criteria must be met in addition to obtaining consent:

  • Recording is required to comply with a contract
  • Recording is required to satisfy legal requirements
  • Recording is required to protect the interests of one or more participants
  • Recording of calls is necessary for safety or is in the public interest
  • Recording is in the legitimate interests of the recorder, provided those interests are not overridden by the interests of the participants in the calls.

Other GDPR Rules for recording calls are detailed below:

Data Protection Requirements

As with all other forms of data collection, call recordings must be stored securely, with appropriate security controls applied to prevent stored call data from being accessed by unauthorized individuals. Organizations must conduct a risk analysis to determine the level of risk involved, and apply policies and physical and technical safeguards to reduce that risk to an acceptable level.

Data Retention Rules

Article 5(e) of the GDPR explains that data can only be retained for the length of time that it is required to fulfil the purpose for which the data were collected. Recital 30 of the GDPR requires time limits to be applied for how long data can be retained. When call recordings are no longer required, the data must be disposed of securely.

Right to Access Personal Data

Data subjects have the right to access their personal data (GDPR Article 15), which extends to recordings of telephone calls. If a request is received from a data subject to access their personal data, it is necessary to comply with that request within 30 days. A company must therefore be able to search for call recordings and provide copies as necessary.

Right to be Forgotten

A mechanism must be implemented that allows all personal data of an EU subject to be deleted if a request to do so is received from a data subject (GDPR Article 17). When an EU resident exercises their right to be forgotten, all data – including call recordings – must also be deleted, provided that the deletion of such information does not violate state or federal laws and the data are no longer necessary for the purpose for which the information was originally collected. The right to erasure similarly doesn’t apply for the establishment, exercise or defense of legal claims, for archiving purposes in the public interest, or to exercise the right of freedom of expression and information.

If the GDPR rules for recording calls are not followed, stiff financial penalties can be issued: the maximum fine is €20 million or 4% of global annual turnover, whichever is the greater. It is therefore important that employees are provided with GDPR training so they are aware of GDPR requirements.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.