Data Protection in Call Centers


Feb 23, 2014 (4 years and 3 months ago)


Data Protection in Call Centers

Data protection refers to the information relating to an identified or identifiable data subject whose
identity can be determined directly or indirectly (see the definition of personal data in Act No.
101/2000 Coll. On the
Protection of Personal Data). A person as a data subject shall be considered
identified or identifiable if it can be identified mainly by number, code or specific elements such as its
physical, psychological, economic, cultural or social identity. In addit
ion to general personal data, the
law also defines so
called sensitive data, such as those revealing racial or ethnic origin, sex life and
other sensitive issues of an individual's life. Biometric information allowing the direct identification or
ation of the data subject, who came into public awareness in the context of biometric features
in passports, is also considered as sensitive data.

Given that the treatment of personal data is undoubtedly one of the activities of call centers, a question
ises as to what could possibly be considered personal data in relation to their activities. One of the
most fundamental questions asked in this context is the nature of telephone numbers. This question has
already been answered by the Office for Personal D
ata Protection (the "Office") when solving the case
of the Prague Public Transport Company (PPTC), which stores telephone numbers obtained through
SMS ticket purchases. According to the Office, the phone numbers are stored in order to identify
individual p
assengers who, at a given time, have traveled in a vehicle operated by the PPTC. In most
cases, various institutions, including call centers, retain telephone numbers in order to identify a
specific person. Thus, it is possible to conclude that a telephone

number is a personal figure and
should be treated accordingly.

Another important issue in terms of call centers’ practices is the recording of calls. Today, almost
every call center records phone calls for various reasons. For such cases, the Office concl
uded that if
the called person communicates specific information within a call, which in conjunction with his/her
voice and the date and time of the recording would enable his/her identification, the record should be
considered as personal data. Again, it
is therefore necessary to determine whether it is possible to
specifically identify any person described in the call. There have been cases when callers have, often
inadvertently, identified themselves or a third person during the call. This issue is close
ly linked with
the question of consent of the caller with the recording of the given call. Given that the processing of
personal data requires the consent of data subjects, and given that the processing of personal data
means its collection, disclosure, mo
dification and storage, such consent is also necessary in relation to
the recording of calls.

Generally, personal data may only be processed in accordance with the purpose for which it was
collected and to which the data subject has given his/her consent.
When giving consent, the data
subject must be informed about the purpose of the processing, as well as to which data the consent is
given, to which controller and for what period of time. The controller of personal data is further
obliged to inform the dat
a subject in advance about his/her right of access to the processed information
and his/her rights in cases where he/she considers that the processing is not being carried out in
accordance with the law. The processing of personal data of minors is possibl
e only with the consent
of their guardian since, due to their age, they are often unable to determine with certainty the degree of
threat to their privacy.

In connection with the practice in call centers, it is necessary to carefully distinguish between th
controller and a mere processor of personal data. If a client (customer) orders a telemarketing
campaign at a call center and for this purpose provides the call center with a database (such as a
database of its customers) that it properly manages, then t
he customer is in the position of the
controller, the call center is in the position of the processor, and they should conclude between them a
contract on personal data processing. Only the controller has yet to notify the Office about the
processing of pe
rsonal data.

The issue of unsolicited calls is also linked with telemarketing campaigns. This issue is partly covered
in the Electronic Communications Act. The relevant sections of this act enable subscribers, whose
numbers are listed in a so
called publi
c list, to ask the publishers of such lists to include information
that the subscribers wish to not be contacted in relation to telemarketing. However, there are cases
when some subjects do administer lists of cell phone numbers which are not public, but n
included in such lists may be verified upon a payment. This issue is legally quite vague and it would
be necessary in each case to examine the specific conditions of the acquisition, management and
provision of such information. Call centers should

obtain databases that include personal information
from their clients or other providers only based on a contract in which the database provider declares
that it is entitled to its disclosure for that purpose, i.e. contacting the person listed in the data
base. Such
permission to pass the database should in itself include the appropriate data subject's consent, or a
notation that the personal data of the subjects are being processed without their consent on the basis of
the so
called marketing exception, an
d the subjects have been informed in advance about the
transmission of data.

When examining the marketing exception, it must be emphasized that it only applies to personal data
in the range of names and addresses, which is a rather small range for telemark
eting. The good news
here is that the term "address" can be used for workplace phone numbers (or business phone numbers).
As for the transmission of data that is subject to the marketing exception for another controller, it may
only be transmitted if it wa
s obtained in connection with the activities of a controller, or it is published
personal data. These data may be used only for the purpose of commercial offers or offering services,
and the data subject must be informed of this procedure in advance by the

controller and must not
disagree with it.

A controller of a personal data database is obliged to ensure that no unauthorized access to personal
data, its alteration, destruction or loss, unauthorized transfer or processing, as well as its other misuse
l occur. A fine of up to CZK 5 million may be imposed on the controller for breaching these
obligations. However, Czech law does not generally oblige database controllers to inform the Office
about breaches of protection of personal data. The only exceptio
n is the reporting requirement for
businesses that provide publicly available electronic communications services, which was imposed in
January 2012. These entrepreneurs are often just call center operators. If a violation of personal data
occurs (e.g. ther
e is unauthorized access to the system), the entrepreneur must immediately notify the
Office or the person concerned if such a violation seriously undermines the person's privacy. A fine of
up to CZK 20 million may be imposed on the public services provide
r for violations of these
obligations. More details on these reports, including the reporting forms, are available on the Office's
website under the heading Notification pursuant to Act No. 127/2005 Coll.