https://www.babelforce.com The Insight will go through the essential factors for EU business and data protection, focusing on a business process which is often affected: call recording.

1. © 2016 babelforce GmbH 1
Insight
DATA PROTECTION AND
CALL RECORDING IN THE
EUROPEAN UNION

2. © 2016 babelforce GmbH 1
DATA PROTECTION AND
CALL RECORDING IN THE EU
INSIGHT:
The transmission and storage of personal data is a sensitive issue, perhaps nowhere more so than in
the European Union. Its impact on European business is felt through data protection compliance, which
affects a large amount of business-customer interactions.
The spread of cloud technologies and Software-as-a-Service (SaaS) has meant that SMBs and mid-market
companies are able to interact with customers in ever more innovative ways. With these developments
come new challenges when businesses tackle data protection.
This babelforce Insight paper will address the essential factors for EU business and data
protection, focusing on a business process which is often affected: call recording.
This text should under no circumstances be taken as legal advice, and will not examine data protection
legislation of Member States in exhaustive detail. What it will do, however, is:
• Inform you of important data protection legislation in the EU, and how it can vary and change.
Simply put, if your interaction with customers involves processing their data in or via the European
Union, these changes and national variance affect the way you do business.
• Demonstrate how these laws pertain to call recording as carried out for business.
• Help you to understand these challenges and how they can be solved. Non-compliance should
clearly be avoided, and to conclude we will explore how with babelforce’s flexible call-recording
solutions these challenges can be met head-on.

3. © 2016 babelforce GmbH 2
TOOLKIT: FACTS & TERMS
Some basic knowledge of appropriate terms and legal definitions will be helpful, and allow a deeper
understanding of the area.
Knowledge:
• EU Data Protection Directive 1995 (DPD) – this landmark European Commission (EC) Directive
established a definition of personal data for the internet age, judging whether the processing of
data is permissible depending on its transparency, purpose and proportionality. All data currently
processed inside the EU falls under interpretations of this directive.
• EU General Data Protection Regulation (GDPR) – due to the huge technological changes of the 21st
century, the EC revealed plans in 2012 for legislation to replace the DPD. Implementation is expected
to begin in 2016, and be completed by 2020.
Terms:
• Directive – a set of principles defined by the European Commission. It is then transposed into national
law by Member States with their own means, which must conform with the Directive’s principles.
• Regulation – a law imposed and implemented multilaterally by all member states.
• Data subject – the individual who is the subject of any given personal data, for example a caller whose
interaction is recorded.
• Processing – almost any conceiveable action upon data, direct or indirect, falls under this category.
• Controller – the authority, whether a person or group of people, which is responsible and thus liable
for the conditions under which data is processed. In the following examples, this could be the call
center manager, or even certain functions of the business itself.

4. © 2016 babelforce GmbH 3
RECORDING CONDITIONS
By now the 1995 DPD is embedded in the normal business practice of EU companies, but it is important
to remember that as a European Commission Directive it is used as a set of principles, with which the
data protection laws of every Member State must comply. This means that there is space for the wording
of the Directive to be disputed and interpreted, resulting in dozens of differing transpositions within the
EU.
What does this mean for call recording?
According to the precise wording of the DPD, the recording of personal data with telephony falls under
the definition of ‘processing’. For the purposes of this paper, the processor will usually be an individual
agent, and the controller would be the call center manager or company who controls the processing
conditions.
With this in mind, the necessary conditions for the processing of data in EU are:
• Transparency - call recording processes must be open to scrutiny, i.e. disclosable to your state’s
relevant Data Protection Authority
• Legitimate purpose - recordings can only be processed if there is a legally valid purpose for doing so
• Proportionality - the amount or type of data recorded must be proportional to the purpose
Transmission to other Member States and ‘third countries’
If a call is recorded in the EU, it could be processed in more than one state. For example a call is made to
a business in Switzerland, but switched by them to a call center in Finland. In this instance, the processing
must be compliant with the relevant data protection laws in both countries. This is because the DPD does
not pertain to individuals or businesses directly, but to national governments who must enforce their
own laws.
If data is processed involving states outside the EU (called ‘third countries‘ by the EC) Member States
must ensure that the relevant third country has a sufficient level of legal protection. Article 29 Working
Party is an advisory body established by the European Commission to guide Member States on the
implementation of the DPD. It provides information about data protection concerning third countries.
The processing of
data must comply
with the relevant
data protection
laws of ALL states
involved.

5. © 2016 babelforce GmbH 4
THE CHALLENGES
The severity and wording of each Member State’s transposition of the DPD varies. This has a concrete
effect on businesses processing data via call recordings, depending on which Member States are involved.
Furthermore, data protection legislation is altered and updated regularly, meaning that businesses must
be aware of the changes and how they will affect best practice. Two examples should clarify these points.
Consent and national variance: UK/France
A business processing payments and support requests (i.e. personal data) from customers in the UK
must, in accordance with the UK Data Protection Act 1998 (DPA), comply with basic principles of data
subject rights, including the concept of consent prior to data processing.
Best practice regarding data protection in the UK is determined to a large extent by the Information
Commissioner’s Office (ICO), who help interpret the DPA for business.
In line with the DPA, compliant practice requires the data subject must be given notice of any potential
recording – usually an automated message along the lines of: ‘Please be aware that we record some calls
for training and quality purposes.’ The ICO advises that if the customer simply continues with the call,
there is sufficient consent to commence processing.
France’s transposition of the DPD - Act No. 78-17 on Information Technology, Data Files and Civil Liberties
- stipulates clearly that data controllers must provide the data subject concerned with the following
information: ‘whether replies to the questions are compulsory or optional; the possible consequences
for [the data subject] of the absence of a reply’ (Article 32, I. 3&4).
If a business begins telephony operations in France, a customer would be given the same kind of consent
notice as in the UK. In addition, however, the customer would have to be told what the consequences
of continuing with the call were. This would also entail a new routing configuration and applications to
handle callers who do not want to be recorded. How does the French call center add these small but
important options into the customer experience without an expensive new telecoms deployment?
1)

6. © 2016 babelforce GmbH 5
Law changes: Germany
Let’s say your company set up a contact center in Germany in 2011. Telecommunications law in Germany
at this time prohibits data processing without a consent notice, much as the UK DPA states. You use a
simple audio prompt to address this.
The following year, however, developments in legislation tighten the law regarding consent. It is required
that companies processing personal data via telephony must provide an opt-out for data subjects. This
means going a step further than fair notice: providing callers with a clear input option to take their call
down another route, i.e. one where it will not be recorded.
This illustrates the need to be in a position to adapt telephony processes in a proactive way. Changes
like this will be needed in order to to account for changing data protection legislation between 2016 and
2020.
Integrations
There is the additional challenge of connecting contact center services across borders. With different
practices and deployments for each country, scaling support and sales operations to move abroad
means maintaining service quality and having central control, as well as open integrations with other
business processes.
If this flexibility is not built into your communications provider’s service, data protection law will be a
factor which increases time-to-deployment. When you need to scale quickly, how do you ensure that
cross-border data protection measures can be configured on the fly?
THE CHALLENGES
2)
3)

7. © 2016 babelforce GmbH 6
Flexible IVR
IVR audio files can be recorded for any use case imaginable, then
implemented in any combination of call queues and groups of
agents. This means at a basic level that an inbound call can be
switched from an inbound number to territory-specific support
lines based on its place of origin. Then, compliance recordings and
applications can be implemented differently at any stage in the
call flow.
When moving into France, a business will need to expand and
reconfigure their IVRs to remain compliant. Audio prompts are
required to inform the customer of the consequences of recording,
as well as is the ability to offer routing based on the call’s country
of origin, so that services can be offered in a different language.
With babelforce, this is as simple as uploading the new
recordings to the platform, then configuring them to play
if certain call attribute conditions are met.
When German data protection law was updated, there had to be an
application which offered an opt-out route to serve customers who
were not happy to be recorded. If customers did not understand
the options or entered an invalid option, there had to be further
audio files and input options.
On the babelforce platform this takes the form of an
IVR menu, where the caller is able to select options via
DTMF input (pressing dialpad buttons). This function
works in conjunction with prompts to provide the caller
with consent information, and guide them through the
options.
Integrations
Eventually, all of these territory-specific processes have to be
brought together into one telephony system, able to be accessed
anywhere and at any time. They have to be integrated with help
desk, CRM and KPI dashboard services, so that data protection
elements can be measured and agent availability optimized.
A core aspect of our philosophy is call process integration.
Our platform integrates with your CRM or help desk
software of choice through visible API queries.
You should not be restricted in setting up call processes, so we
enable any ticket- or support case interaction which your setup
supports. This extends to open API data streams, so that no matter
the complexity of your call-handling process, it can be made visible
for BI reporting and KPI dashboards.
THE BABELFORCE SOLUTION

8. © 2016 babelforce GmbH 7
IN BRIEF
babelforce gives you the means to lighten the burden of data protection compliance. Its
built-in structures get you up and running with basic call events to help you comply, such
as an opt-out and conditional control of call recording. A unique feature of ours is the
ability and guidance we give you to completely customize the entire customer experience.
The upcoming EC General Data Protection Regulation is scheduled for implementation
between 2016 and 2020, and with it will come a raft of implications for contact centers.
Despite its evolving nature, we believe that data protection shouldn’t be just another
obstacle to cross-border growth. We give you the tools to tackle compliance and mobilize
your call recording processes.

9. © 2016 babelforce GmbH 8
About babelforce:
babelforce offers the most powerful and flexible cloud call & contact center. We have
customers across the world using our global IP telephony infrastructure and multi-
carrier telecommunications platform. The babelforce platform is revolutionizing how
telephones work with the rest of your business solutions. We make it possible to
integrate phones with everything and allow your people to work on any device. You can
create a call center, a PBX, a unified communications solution - anything you need to do
with telephony you can do with the platform.
William ConnorWriting:
babelforce GmbH - Str. der Pariser Kommune 12-16 - 10243 Berlin - Germany - Registration - Amtsgericht Berlin Charlottenburg - HRB 150717 B
Phone +49.30.920 373 300 - Fax +49.30.920 373 301 - Email sales@babelforce.com - Web www.babelforce.com