With the prohibition notice, the Danish DPA maintains its long-standing practice that the recording and storing of phone conversations for training purposes shall, as a general rule, always be based on consent from the persons being recorded.
The GDPR requires that consent be specific, informed, freely given and unambiguous. The two latter requirements imply that the caller must actively consent to the conversation being recorded, and that the phone call will not be disconnected if the caller chooses to reject recording. Callers to youSee's customer service are met by a notice that the phone call may be recorded for in-house training purposes; hence, they are not offered a real and active choice as to whether the conversation may be recorded.
As the owner of youSee, TDC was on these grounds given a prohibition notice by the DPA against recording phone conversations until a technical solution enabling the collection of consent had been implemented. Consent could, for example, be given by pressing a key in connection with placing the phone call.
Read the entire decision from the DPA here (in Danish).
The Italian DPA has imposed a financial penalty of EUR 50,000 on the online platform Rousseau, which is used for various in-house votes in the political party Movimento 5 Stelle.
The fine follows an earlier decision in which the platform was ordered to process user data in accordance with the GDPR, i.a. by implementing sufficient technical and organisational measures by a fixed date.
Although Rousseau initiated certain improvements, the DPA deemed them insufficient. As an example, the DPA took issue with system administrators using the same account when logging into the platform, thereby accessing far more data than necessary for their functions. The data accessed contained, i.a., information about political opinions, which under the GDPR is subject to specific protection.
Read the entire decision of the Italian DPA here (in Italian).
The British company Avalon, which sells funeral plans, has been issued with a monetary penalty of GBP 80,000 by the British Information Commissioner’s Office (the ICO) after having rung more than 50,000 individuals even though they had opted out of unsolicited calls for direct marketing purposes. For a company to ring individuals legally about marketing and advertising, prior consent must as a general rule have been obtained.
Avalon had gained access to the phone numbers through a third party, who could not, however, verify that the individuals had given their specific consent to being approached by Avalon. As illustrated by former decisions (e.g. the decisions about Vote Leave and Grove Pension Solutions), a company cannot transfer its responsibility for ensuring that consent has been obtained by outsourcing the collection of consent to a third party.
It is interesting that, when assessing the penalty, the ICO took into consideration the fact that the calls were placed to elderly (vulnerable) individuals, and the fact that two managers in the company were clearly aware of their obligations under the GDPR and ePrivacy legislation. The monetary penalties have been assessed on the basis of the former ePrivacy regulations, which are expected soon to be replaced by an ePrivacy regulation with the same penalty rates as the GDPR.
Read the entire decision from the ICO here (in English).