Before you start recording
According to Art. 6 (1) of the Directive 95/46/EC Member States must provide that personal data must be processed fairly and lawfully; collected for specified, explicit and legitimate purposes and not further process in a way incompatible with those purposes. With the appropriate safeguards historical, statistical or scientific purposes shall not be considered as incompatible. The processing must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. The data must also be accurate and kept up to date and kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.
Art. 7 of the Directive states that Member States shall provide that personal data may only be processed if
a) the data subject has unambiguously given his consent
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
c) processing is necessary for compliance with a legal obligation to which the controller is the subject
d) processing is necessary in order to protect the vital interests of the data subject
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection of the fundamental rights and freedoms of natural persons, and in particular their rights to privacy with respect to the processing of personal data.
The Member States are according to Art.8 (1) prohibited of processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning health and sex life. In Art. 8 (2) follows the exceptions to 8 (1). The exceptions are when the data subject has given his explicit consent to the processing of those data, when processing is necessary for the purposes of carrying out the obligations and specific rights of the controller, processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent.
One should also bear in mind that the data subject has the right of access to data, according to Art. 12. The data subject has also the right to object to the processing of data in some cases (Art. 14)
Another important matter is the security of processing. According to Art. 17 of the Directive the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access in particular where the processing involves transmission of data over a network, and against all other unlawful forms of processing.
The Directive also contains an article on liability, which states that the data subject which have suffered any damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this directive is entitled to receive compensation.
Examples of recording applications
The following is a run-through of some of the different areas of call recording applications in the light of the data subjects need to give his or hers consent.
Legal compliance – According to the Directive 2002/58/EC preamble 23, where necessary and legally authorized, communications can be recorded for the purpose of providing evidence of a commercial transaction. Parties should be informed prior to the recording about the recording, its purpose and the duration of its storage. The recorded communication should be erased as soon as possible and in any case at the latest by the end of the period during which the transaction can be lawfully challenged. Consent is not needed.
Voice Contracts – Considering the strong need for consent from the data subject in general. The recording of voice contracts’ must need the data subject’s consent.
Data verification – The fact that it is stored only for a short time does not change that there will be a need to have the data subject’s consent, unless the verification is regarded as an exception.
Quality assurance – consent will be needed.
Best Practice Training – consent will be needed
Settle customer complaints – In regard of 7 (f) must be decided whether the data subject’s integrity or the company’s interest in recording the calls is greater.
Legally protect – consent shall not be needed
Criminal investigations/collect evidence – According to what has been mentioned above there seems to be a possibility within the member states to record calls without the consent of the data subject.
Capture telephone threat – Seems that consent may not be needed when recording the actual threat. This is a matter of Art. 7 (f) where it has to be decided which interest is the greater.