In a recent decision, the Icelandic Data Protection Authority (DPA), Persónuvernd, upheld the legitimate interest of companies sending customer satisfaction surveys and cross-referencing caller information. The case involved the insurance company VÍS and one of its customers and addressed whether a data controller could lawfully cross-check an (anonymous) caller’s phone number with its customer database and send a post-call survey without explicit consent.

Background of the Case

The situation occurred when a customer contacted VÍS to inquire about car insurance. During the call, the customer did not mention their identity and asked a general question. Following the call, the customer received a survey from VÍS, which aimed to assess and improve their customer service. This survey triggered a complaint from the customer, who argued that:

  • They had not consented to their phone number being cross-referenced with the customer database.
  • The interaction lacked an option for anonymous communication.
  • Their phone number was being used for a purpose beyond the original call intention.

The customer’s complaint raised questions about data controllers’ reliance on legitimate interest under Article 6 para. 1 lit. f of the GDPR, touching on balancing an organisation’s interests in improving customer service with individual rights regarding data processing and transparency.

The Controller’s Position on Processing Data for Service Improvement

In response, VÍS clarified that their practice of cross-referencing a caller’s phone number with their customer database served multiple purposes. First, it allowed for prompt identification, ensuring more efficient service. Additionally, this identification enabled VÍS to send a follow-up survey to customers, gathering feedback to enhance their overall service quality.

According to VÍS, this processing relied on their legitimate interest under Article 6 para. 1 lit. f of the GDPR. They argued that it was a reasonable approach for a company aiming to optimise customer service, aligning with the GDPR’s framework on legitimate interest where processing is necessary and minimally invasive.

Dismissal of the complaint by the Icelandic DPA

Upon reviewing the case, the Icelandic DPA ultimately dismissed the complaint, supporting the controller’s position on the grounds of legitimate interest. Key factors in the decision included:

1. Legitimate Interest Justification:

The DPA acknowledged that VÍS had a legitimate interest in identifying callers, using the customer database for efficiency, and sending surveys to measure and improve customer service. This use case aligned with the GDPR’s permissible grounds for processing, as long as it was transparent and minimally intrusive.

2. Transparency and Customer Expectations:

The DPA pointed out that VÍS’s privacy policy clearly informed customers of the possibility of receiving follow-up surveys. Because this was explicitly stated in the policy, customers could reasonably expect such interactions, and VÍS had fulfilled the transparency requirement.

3. Adequate Privacy Policy and Right to Object:

The email containing the survey also provided a reference to the privacy policy and instructions on how to object to this type of data processing. This approach reinforced the controller’s purpose of processing by allowing the customer to exercise their rights under the GDPR if they objected to receiving future surveys.

Takeaways for using legitimate interest in sending customer satisfaction surveys

This ruling highlights three essential practices for data controllers when relying on Art. 6 para. 1 lit. f GDPR for processing:

1. Transparency in Privacy Policies:

It’s critical for privacy policies to explicitly state when and how customer data may be processed, including post-interaction surveys. Customers should have a clear understanding of any follow-up communication they might receive and its purpose.

2. Reference to Privacy Policies in Communications:

When sending out surveys or other follow-ups, referencing the privacy policy directly in the email (as VÍS did) is an effective way to ensure transparency and uphold compliance. This approach provides an easy route for customers to access information on data processing and understand their rights.

3. Providing Options to Object:

A clear path for customers to opt out of future surveys or object to data processing is essential. This option respects individual rights under the GDPR and builds trust with customers by giving them control over their data.

Clear Privacy Policies as a prerequisite to Compliance

For companies striving to balance customer satisfaction measures with data privacy rights, clear and accessible privacy policies are a must. Privacy policies should transparently outline all processing activities, including post-interaction surveys and the possibility of cross-referencing a caller’s data with customer databases. Including such specifics can establish customer expectations upfront and reduce the likelihood of misunderstandings or complaints.

Furthermore, referencing the privacy policy directly in follow-up communications, such as surveys, offers customers immediate access to processing details and a reminder of their rights, such as opting out. In the end, a reliable privacy policy acts as both a compliance tool and a means of fostering trust with customers.