Is my Company allowed to record a conversation?
Like any lawyer would say, it depends!
The answer is YES; however, it depends. As a Data controller, a company must take into consideration the lawfulness of recordings and how this can be achieved and protected with strong cybersecurity mechanisms. It is the Company’s obligation to ensure which devices may be used and to consider the implementation of additional safeguards on a best effort basis.
Call Recording under the GDPR
Rules for recording calls encompass more than consent. The recording of audio conversations is only possible if there is a valid and legal reason for that relevant information to be collected.
Call/ Audio Recording is allowed under the GDPR, as recordings of conversations are not prohibited, but there are applicable additional requirements to protect the rights and freedoms of data subjects under the GDPR.
With the GDPR in place, all Companies recording conversations need to justify their purpose for recording a call. Such justification would need to fulfil one of the following:
- Person/s which are call participant/s have given their consent to be recorded. Such consent has to be specific and unambiguous and may take different forms such as oral acceptance;
- The purpose of recording a call is to fulfil a contract to which the individual taking part in the call is a party thereto;
- The call recording is required to fulfil a legal obligation to which the company recording the call is subject to;
- Recording is required to protect the interests of one or more participants of the call;
- Recording is being made in the interest of the public;
- Recording is in the recorder’s interest given that such interest is ‘less’ important than the interest of the participant in the call.
As a data subject you need to know that you have the right to be informed on the gathering pf personal data and the processing thereof. Also, as the data subject you need to understand that you have the right to access data relating to you, be informed about the existence and processing of such data, rectify incorrect personal data and oppose further processing given that there are serious and legitimate grounds.
To read more about the Lawfulness of Processing click here: https://gdpr-info.eu/art-6-gdpr/.
Right of Information
The GDPR gives individuals the right to be informed about the collection and use of their personal data, which leads to a variety of information obligations.
Recorders must be able to recall any audio files and/or data gathered during a recorded call upon request, and thus should be able to provide customers with the requested information within one month of the request.
A request can be made for a copy of the recording under data protection legislation- known as a subject access request.
A subject access request (SAR) is simply a written request made by or on behalf of an individual for the information which he or she is entitled to ask for. A SAR maybe in any form. The Company having the information has one month within which it is to provide the requested information, in line with the GDPR.
Is an audio recording personal data?
YES!
The context in which voice data is being obtained is not what classifies it as personal data. Voice is legally defined as a persona data despite the context and/or support that the data originates from.
The GDPR applies because recording calls are generally considered as ‘personal data’ and, potentially, ‘special categories’ of personal data. The GDPR strives to find a balance between having a strong Regulation which gives data subjects clear protection and being flexible from businesses perspectives. For this reason, the GDPR delves into defining personal data.
The likelihood that calls will involve special category personal data depends on the context. For instance, a company within the health industry that records its call/s with the customers will be recording and handling special category personal data – in the form of health information. However, for most companies, it should in general be unlikely that any given call will involve special category personal data.
Use of video conferencing tools
In view of the general rise in the use of video conferencing tools, it is worthwhile to invest in an efficient cybersecurity management system as part of the Company’s risk management. One needs to also make sure that GDPR rules are adhered to when satisfying certain legal obligations.
Use case – If your company is a subject person under the Implementing Procedures, your Company may be making use of video conferencing tools, especially during these times. Such tools allow you to verify the identity using different online tools.
When carrying out such verification, compliance with the Implementing Procedures should be demonstrated and for this reason records should be kept. As per the FIAU’s requirements, which are binding on all persons carrying out relevant financial business or relevant activity, a subject person should keep at least an audio recording of the video call or the entire video call itself, which shall also include the entire conversation between the subject person and the customer.
Read more here: https://www.fiumalta.org/implementing-procedures
Conclusion
As users of digital technology, we all have the right to privacy, and thus what is important to note is that personal data shall remain secure and protected. For every processing of personal data there needs to be a compliance process which complies with the GDPR. If you are interested to know more, contact us on gdprcompliance@drwerner.com.
Disclaimer: The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet up with any of our representatives to seek further information, please contact us for an appointment.