GDPR-compliant use of call centre systems

Jure Globocnik

Guest author from activeMind AG

Call centres usually use comprehensive IT systems for support, customer service or marketing in order to ensure the quality and efficiency of their telephone services. However, when selecting and operating such call centre systems, data protection requirements must be strictly observed.

Attention: The following statements regularly also apply to call centres outside the European Union (EU) if they target with their products or services people who are in the EU. For further information see our guide on the applicability of the General Data Protection Regulation (GDPR) to non-EU businesses.

Data protection challenges for call centres

In call centre operations, efficiency means handling as many calls as possible in a short time in such a way that follow-up calls and unanswered questions are avoided as much as possible. To achieve this, it is necessary for service staff to have access to comprehensive information relevant to the conversation.

In case of outgoing calls, the content of the call is known to call centre staff in advance. However, this is not always the case with inbound calls, because the customer can make the call for different purposes – be it technical support, ordering a new product or questions about the invoice. Based on various criteria, modern call management systems have long been able not only to identify customers by their telephone number, but also to automatically recognise the call category. This allows relevant information to be selected and provided to call centre staff.

Recently, call centres have also been making increasing use of artificial intelligence (AI). These tools are designed to either simplify and optimise internal processes in the call centre or to communicate directly with the customer so that a conversation with a call centre employee is unnecessary at best.

The AI-based tools that are increasingly being used in call centres include, in particular:

  • Conversational Interactive Voice Response: This is a conversation-driven human-machine interaction in which AI decodes the customer’s voice input and answers the questions. The goal is to answer simple customer queries without the involvement of a call centre employee. If a conversation with an employee is necessary, the tool can use the information provided to connect the customer with a suitable call centre employee.
  • Intelligent call forwarding: With AI-supported intelligent call forwarding, the customer can be connected to the call centre employee who can best help them. The tool uses a wide range of data, such as the call list (if the customer has contacted the call centre recently, the same employee can best help them), the order history (forwarding to the relevant department) and the location (forwarding to a call centre in the proximity of the customer).
  • AI as a tool for call centre employees: AI-supported tools can follow the conversation between the employee and the customer and provide the employee with recommendations in real time.
  • Analysis of customer behaviour and satisfaction, and process optimisation.

The data protection challenge is to design the call centre system so that extensive customer data and suitable tools enable efficient work while, at the same time, the requirements of the GDPR are met.

Legal basis for data processing in the call centre

The GDPR generally prohibits the processing of personal data unless a legal basis is given that allows or even requires the processing. Which legal basis is relevant largely depends on the function that the call centre performs (acceptance of orders, technical customer service, etc.).

For example, in the case of incoming calls made for the purpose of ordering products, the call centre operator may rely on Art. 6(1)(b) GDPR (precontractual measures at the request of the data subject).

When contacting customers by telephone for advertising purposes, the call centre operator must verify whether explicit consent of the data subject is required. According to the ePrivacy Directive, EU Member States are free to decide whether consent must be sought in such cases or whether an opt-out is sufficient. For example, in Germany, explicit consent is required for marketing phone calls to consumers. On the other hand, if such a call is made to other market participants – i.e. those who are not consumers – presumed consent is sufficient.

If systems are used that analyse customer behaviour – for example, analysis of customer satisfaction based on reactions or the voice of the customer – consent must generally be obtained for this processing. The same applies whenever the call is to be recorded. Consent must be given voluntarily, i.e., the customer may not be denied assistance should he or she not give consent.

It is important to note that there must be a legal basis for all data processing activities that occur in the context of call management. Any processing of personal data beyond this is not permitted. The processing of personal data should be strictly limited to what is necessary to achieve the predefined purposes of processing. Data collected for a specific purpose may not be processed for another purpose, unless the conditions for a permissible change of the processing purposes are fulfilled.

For example, billing data that is stored due to legal retention periods may not be mixed with other data, such as marketing data, and used for different purposes. The marketing department is therefore not allowed to access billing data without a separate legal basis.

The same applies to merging data collected for different purposes. A customer may have no objection if a small amount of data, such as title, surname and e-mail address, is used to send a newsletter they have requested. Elsewhere, they may have provided the same company with other information, such as a telephone number and details of their private interests, for example as part of a prize competition. This does not mean, however, that the customer would also accept this information being combined with further data – for example, browsing behaviour or purchase history – into a detailed profile.

Another special case is using automated decision-making tools. According to Art. 22 (1) GDPR, companies that want to use automated decision-making and/or profiling are subject to strict limits. If, on the basis of existing data, decisions are made in an automated way that have a legal effect on data subjects or can significantly affect them in a similar way, this is only possible under strict conditions.

Fulfilment of information obligations

According to Art. 13 GDPR, data controllers must inform data subjects about the data processing before or upon the collection of personal data. This poses particular challenges for call centre operators. According to the Guidelines of the Article 29 Working Party, a so-called multi-layered approach is permissible in such a case: the controller may provide only the most important information at the beginning of the call, while the remaining information required under Art. 13 GDPR is provided in another way, e.g., by referring to the company website or by sending an information letter by e-mail or by post.

Data protection impact assessment

Art. 35 GDPR requires that a data protection impact assessment (DPIA) be carried out in cases where the data processing is likely to result in a high risk to the rights and freedoms of natural persons. With regard to call centres, a DPIA might be necessary in particular in the event of a systematic and comprehensive assessment of personal aspects of natural persons. For example, in Germany, conducting a DPIA is always required if the call centre intends to use AI to control interaction with the data subject or to evaluate personal aspects of the data subject. The data protection officer should be consulted when conducting a DPIA.

Outsourcing the call centre activity

Call centre activities are increasingly being outsourced to specialised companies, e.g., to ensure better accessibility. In such a case, it is usually necessary to conclude a data processing agreement in accordance with Art. 28 GDPR.

Ensuring information security

When contacting customers by telephone, it is particularly important to verify their identity sufficiently. This prevents personal data from being disclosed to unauthorised persons or modified by them without authorisation. However, the identity of the customer can often only be verified with considerable effort.

In particular, if the customer is identified only by name combined with one further element such as the date of birth or the address, misuse can easily occur: this information is known not only to the customer but usually also to a large number of other people in the customer’s environment. Asking for these data alone is therefore not sufficient to identify the caller reliably.

In one such case, a substantial fine has been imposed on a German telecommunications provider. After a subsequent consultation by the Federal Commissioner for Data Protection and Freedom of Information (BfDI), many German call centres are now changing their authentication mechanisms for telephone customer care. By requesting a personal customer identification number or a PUK (personal unblocking key), they have considerably improved the security of the data.
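As an added illustration that is not part of the article, the following Python sketch encodes the authentication policy described above: attributes such as name, date of birth or address may help locate the account but are never sufficient on their own, while a customer PIN or PUK is checked against a salted hash with a constant-time comparison and a lockout after repeated failures. All account and caller data are constructed, and the factor names and the attempt threshold are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Attributes a caller's relatives, neighbours or colleagues may know too.
# They may help locate the account but never prove who is calling.
PUBLIC_FACTORS = {"name", "date_of_birth", "address"}
# Secret factors issued to the customer alone (constructed names for this example).
SECRET_FACTORS = {"customer_pin", "puk"}
MAX_ATTEMPTS = 3  # assumption; after this the agent must escalate


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked customer database does not expose PINs or PUKs."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Account:
    customer_id: str
    salt: bytes
    secret_hashes: dict = field(default_factory=dict)  # factor name -> hash
    failed_attempts: int = 0


def enrol(customer_id: str, **factors: str) -> Account:
    """Store only hashes of the secret factors; public attributes are not credentials."""
    salt = secrets.token_bytes(16)
    hashes = {f: hash_secret(v, salt) for f, v in factors.items() if f in SECRET_FACTORS}
    return Account(customer_id, salt, hashes)


def verify_caller(account: Account, provided: dict) -> tuple:
    """Decide whether the agent may disclose or change data for this caller.

    `provided` maps factor name -> value the caller stated. Returns (ok, reason).
    """
    if account.failed_attempts >= MAX_ATTEMPTS:
        return False, "locked: escalate to out-of-band verification"
    offered = [f for f in provided if f in account.secret_hashes]
    if not offered:
        # Name plus date of birth or address, however many, is not authentication.
        return False, "insufficient: public attributes only"
    factor = offered[0]
    candidate = hash_secret(str(provided[factor]), account.salt)
    if not hmac.compare_digest(candidate, account.secret_hashes[factor]):
        account.failed_attempts += 1
        return False, f"denied: wrong {factor}"
    account.failed_attempts = 0
    return True, f"authenticated via {factor}"
```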

Conclusion: Review of the processing operations is urgently advised

Call centre operators are well advised to regularly check the processes in the call centre for compliance with the GDPR and to adapt them if necessary. As the latest decisions of the supervisory authorities and courts show, care must also be taken to ensure that data is protected by adequate technical and organisational measures.

Furthermore, special caution is always required when call centres want to use innovative, AI-supported solutions.
