The French data protection supervisory authority, Commission Nationale de l’Informatique et des Libertés (CNIL), recently published a Guide (25.04.2022) about call recording to prove the formation of a contract.
When to record?
The rule of thumb is to record calls that are necessary because there are no other means of proving that the data subject has entered into a contract. In such a situation, the processing is based on Art. 6 Para. 1 Lit. b, GDPR.
What should be avoided?
- Controllers should not carry out permanent or systematic recording unless permitted by the law (e.g., Article L. 533-10-5 of the French Monetary and Financial Code regarding investment service providers or Article L. 122-2-2 of the French Insurance Code concerning insurance distributors canvassing).
- Recordings should not be carried out by default. The CNIL recommends establishing a mechanism to manually trigger the recording.
- Controllers should take into consideration the local laws applicable to the concerned contract. For instance, some contracts are required by law to be signed on paper (e.g., L. 221-16 of the French Consumer Code). When contracts cannot be concluded during a call (e.g., they must be signed on paper), the recording is not deemed necessary.
- Controllers should not record the entire call. The recording should only start when it clearly relates to the conclusion of a contract. In addition, if bank data are entered by the controller in a secure payment platform, recording these data is not necessary for the proper execution of the payment. Thus, the recording should be interrupted or deleted quickly when the consumer provides these data.
Obligations when recordings are carried out
The details about the processing activity should be entered in the record of processing activities.
Information to data subjects
Controllers must provide the concerned data subjects with all the information referred to in Art. 13, GDPR.
The CNIL recommends that this information be provided in two stages:
- Oral statement at the beginning of the call covering the following:
  a. Mention of the recording system;
  b. The purpose of the call;
  c. The possibility of concluding the contract by other means that do not involve recording the call (e.g., online platform, by post); and
  d. The right to access the conversation.
- Indication of the way in which data subjects can obtain all the relevant information about the processing of their personal data (e.g., legal notice on a website or pressing a button on the telephone).
Technical and organizational measures to protect the personal data
The authority emphasizes the need to implement security measures for the protection of personal data and to prevent unauthorized access, including computerized traceability of actions on the recordings (e.g., date and person accessing them).
Storage of the recordings
The CNIL recommends having a retention period and a policy for archiving and deleting data in line with the legal requirements for challenging the contract.
Recording for other purposes
When calls are recorded for several purposes, additional rules may apply: the retention period and access rights must be differentiated according to the purpose pursued, and technical measures must be implemented to ensure the separation of the databases.