500,000 euro fine for GDPR breaches in call centers

“Hello sir, are you responsible for the energy supply in your company?” About GDPR and privacy in call centers …

At Sirius Legal, we emphasize to all our GDPR clients using call centers that special attention is required for the use of telemarketing and cold calling under GDPR.

This was recently confirmed by the French data protection authority CNIL, which imposed a fine of 500,000 euros on a company called Futura Internationale precisely for non-compliance with the rules of the General Data Protection Regulation in the context of telemarketing.

High fine for a small company

Futura Internationale is anything but a multinational. It is a medium-sized French company with barely 100 employees that supplies heat pumps and insulation materials.  To market its products, the company uses a call center for telemarketing to consumers.

One of those consumers lodged a complaint with the CNIL in February 2018 because, despite repeated requests to delete her data, she still received phone calls advertising the products and services of Futura Internationale. The customer in question stated in her complaint to the CNIL that despite her repeated oral and written requests, the unsolicited phone calls continued for months.

Where did Futura Internationale go wrong?

During the subsequent investigation, the CNIL established that Futura Internationale placed its calls through various call centers. The company forwarded prospect lists to each of these call centers, with the contact details of the same prospects appearing on different lists. These people were therefore called by different call centers.

In our view, this is a particularly customer-unfriendly and inefficient way of working, since the same people are repeatedly called with the same message, which is very counterproductive. Business owners in Belgium undoubtedly know the relentless flow of phone calls that inquire about “the person in charge of the energy supply in your company” …

From a purely legal perspective under GDPR, however, the CNIL established that Futura Internationale did not respect the fundamental rights of data subjects and in particular the right to object to further processing. The company did not have a centralized CRM tool or prospect list. As a result, it was unable to track who had asked one call center not to be called in the future, and it was thus unable to pass those requests on to all the other call centers. The same people who had already requested the deletion of their data therefore continued to be called again and again.

Whole series of additional infringements

A common finding during GDPR compliance checks is that a complaint about one specific topic leads to a more extensive audit, which very often reveals many other infringements.

In the case of Futura Internationale, the CNIL ultimately identified 4 serious breaches of the General Data Protection Regulation:

  • The CRM tool of Futura Internationale kept records of telephone conversations, including data on the state of health of those involved (and also regular descriptions of those involved in very offensive language). However, health data may only be processed under the very specific conditions that the GDPR imposes on “sensitive data”. This necessarily means that prior and explicit permission is always required.
  • Moreover, the call centers were mostly located in Morocco, which often happens for the French-speaking market in particular. In principle, the use of Moroccan call centers is not necessarily a problem, but it does mean that personal data is exported outside the EU. Data export is subject to strict conditions: to countries that, like Morocco, cannot guarantee a level of data protection equivalent to that of the EU, data can only be exported if the recipient gives very strict contractual guarantees on the basis of the so-called EU Standard Contract Clauses. These were not put in place here, and the use of the call centers in question was therefore contrary to the GDPR because there was no adequate level of security for the personal data in question.
  • Finally, it turned out that all conversations were recorded, but that data subjects were not aware of this (nor of any other processing of their personal data, incidentally).
  • To make the picture complete it also turned out that the company in question did not cooperate spontaneously with the investigation of the CNIL, which only increased the fine.

What do you need to know when you want to use call centers?

  • Make sure you work with call centers within the EU or seek legal advice if you nevertheless want to work with call centers outside the EU.
  • Ensure good Data Processor Agreements with your call center, in which they guarantee that they process your data in accordance with GDPR and in accordance with your instructions and in which they guarantee that your data is safe with them.
  • Make sure that you can delete data permanently and integrally within 30 days after a data subject has requested it, and make sure that the erasure is carried out in all your databases and at all your partners (at all call centers).
  • Ensure that you only collect and process absolutely relevant and required data about people. Medical data is not absolutely required in most cases. Neither are insulting descriptions of people.
  • In relation to the previous point: don’t forget that people can also request access to their data and that in that case you should also release those abusive descriptions, which is a disaster for your brand image.
  • Know that there is a difference between the do-not-call-me list on the one hand and the correct application of GDPR on the other. If a data subject asks you to remove his or her data from your database, he or she relies on GDPR. He or she has the right to request such removal, without justification and without restriction if it concerns a marketing database. You cannot simply refuse to delete data and reply that the person concerned “must then register on the do-not-call-me list”. It may well be that someone only wants to be deleted from your database, but still wants to be available to others.
  • Make sure your call center works transparently. Make sure that they identify themselves, that they do not make recordings without permission, that they mention your privacy policy and the place where people can become acquainted with it. After all, you have a legal obligation to provide information and transparency.

Above all, show respect for your customer

In a number of recent presentations and articles, we have talked about the importance of trust for marketers in building a long-term relationship with their audience. Consumer confidence translates into a willingness to enter into a long-term relationship and a willingness to share data.

This applies just as well to telemarketing. You irrevocably damage your company image by spamming your audience over the telephone through different call centers, each with the same question (“Are you responsible for the energy in your company …?”). Apart from the countless legal issues that such spamming entails, you will harm your brand and company image in the long term …

Want to know more about GDPR, direct marketing or telemarketing?

Feel free to contact us via bart@siriuslegal.be or via 0486901931