We’re currently implementing call recording in our UK based call centre, I’m content we’re doing all we need to do to comply with UK laws. However, I’d be interested to get thoughts about this scenario – the UK based call centre also takes calls from callers in different countries who are purchasing our products, etc. Given laws in other countries differ on whether the consent of the caller is required or not, does this apply if the call centre is UK based? We will have a recorded message at the start of the call stating call recording takes place – would this suffice for an international caller to inform our staff that the call must not be recorded as they don’t have their consent?
You are a UK domiciled company, you have to treat all data the same, i.e. if it was UK resident data.
Consent isn’t the only legal basis for recording calls, and it would only work if the system can actually stop the recording of individual calls on request and can identify that the call is from a country that requires consent. Remember that an automated system might decide that a call from Germany requires consent but it is actually a caller from the UK on holiday in Germany so it wouldn’t.
For instance: saying ‘we record calls for training and monitoring purposes’ when you do nothing with them and using legitimate interest as your legal basis doesn’t stand up.
So before going down the rabbit hole of trying to discover which countries have different rules, I would investigate whether you have a system capable of dealing with the outcome of your investigations and whether indeed you have a real purpose for recording calls in the first place.
Thanks Helen. We’ve already established our purposes for call recording (training; quality; fraud prevention; etc). My concern is that the goods we sell are targetted to a wider audience than just the UK. We have international buyers and we specifically target a large number of countries. My own thinking has been that we need to comply with the laws in the countries we are targetting, some require consent of the caller and some don’t. Unfortunately the call recording system the organisation has chosen isn’t sophisticated enough to automatically stop recording if it is a caller from a country that does require consent.
In which case you either need to change your system or you need to stop recording – neither is going to be easy or cheap.
Or you run systems in parallel, one that records and one that doesn’t. Still not easy.
If target the services and to a foreign market and you process the data of these foreign individuals you need to do this in line with the applicable legislation. I would assume if you have e.g. a German phone number it is a VOIP number so, you could just at the back end channel these calls around the recording system.
If you are dealing with banking activities MiFID II requires you anyway to record the calls so you do not need consent as you have that as your legal reason. If you take card payments over the phone you are required by PCI DSS to have a system to stop the recording when taking the card details. If you have that system in place you could set up a system that you can tell the customers who call if they are not happy with the recording they should tell the operator as soon as they connected. That opt-out is still not compliant in all countries but still better than not giving the option at all. It could reduce the potential fine from the German regulator.