July 4, 2020

Volume X, Number 186

July 03, 2020

Subscribe to Latest Legal News and Analysis

July 02, 2020

Subscribe to Latest Legal News and Analysis

July 01, 2020

Subscribe to Latest Legal News and Analysis

Denmark DPA Rules on How GDPR Applies to Voice Recordings

The Denmark Data Protection Authority (DPA) ruled on April 11, 2019, that affirmative consent is required when companies record customer telephone calls. Because voice recordings constitute personal data under the European Union’s (EU) General Data Protection Regulation (GDPR), international companies that communicate via telephone with EU customers will need to take steps to ensure GDPR compliance. 

In this case, Denmark’s largest telecommunications company, TDC A/S, provided disclosures to its customers that calls may be recorded for training purposes, but the company offered no mechanism for customers to opt-in or opt-out of the recording. During one such call, the customer requested that the call not be recorded, but the service agent said there was no way to turn off the recording. The Denmark DPA rejected the company's arguments that its recording practices served a legitimate interest, such as the improvement of its customer service, and concluded that the company's telephone recording practices violated the GDPR.

The Denmark DPA's ruling could open the door to more legal challenges to customer service call recordings. A company must obtain the customer's consent to the recording unless the company is able to demonstrate that the recording is necessary to fulfill a contract requirement or legal obligation, is in the vital interest of the customer, or there is some other GDPR purpose for the recording.

This ruling makes clear that training purposes are not a lawful basis to process these recordings. Under the GDPR, consent must be freely given, specific, informed, and unambiguous. Tacit consent no longer will be enough. Companies should re-evaluate their internal practices with regard to call recordings, update any policies and procedures as needed, and train customer service agents on these new legal requirements under the GDPR.

Copyright © by Ballard Spahr LLPNational Law Review, Volume IX, Number 108


About this Author

Kim Phan, Ballard Spahr Law Firm, Washington DC, Business and Finance Law Attorney
Of Counsel

Kim Phan writes and speaks frequently about privacy and data security issues for a variety of industries, including consumer financial services, retail, hospitality, higher education, and utilities. Ms. Phan counsels clients on privacy and data security law in areas including the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Telephone Consumer Protection Act (TCPA), and other federal and state privacy and data security statutes and regulations. Her work in this area encompasses strategic planning and guidance for companies to incorporate...