We had a question from a client we’re supporting through their journey to GDPR compliance and our GDPR Practitioner had developed a view on the solution, so we checked it with the ICO (Information Commissioner’s Office) and they agreed with us. We thought we’d share it with you here as many of you may well come across a similar concern.
This company is a large service provider with existing clients, and new clients usually ring in to request their services. Calls are normally received by reception staff, and the personal details and contact information are passed to the appropriate member of staff, who contacts the prospective client to discuss their requirements.
Once the prospective client becomes a formal client, they [the client] receive a large pack of legal documents laying out the terms and conditions of the relationship in line with their [the company’s] legal obligations. Currently, within those documents there is a privacy notice about what happens with their data, but the pack is quite hefty, and it is understood that clients do not read all the information they are given.
GDPR requires under Article 13 that the data subject receives a ‘clear and obvious’ privacy notice laying out all the requirements under Article 13. Article 13 also states that the data subject should receive all the required information in Article 13 ‘at the point of data collection’; that is, technically in this scenario, when the reception staff take the information.
Our client is concerned that, at the point their prospective client calls in and the reception staff have taken their personal and contact details, the reception staff ought to be stating verbally what is required in Article 13, which clearly would be quite lengthy.
Also, our client was asking if an additional Article 13 privacy notice should be given separately or within the pack of legal documents.
We had formed a view on our client’s obligation and how it should be implemented, and checked it with the ICO, who confirmed the approach, which is as follows:
The reception staff receiving the call take the enquiry and personal contact data, etc. on an enquiry pad, that is, not directly into a CRM (Customer Relationship Management) system, and simply acknowledge at the end of the call to the prospective client that “…your details will be passed to the appropriate person in the organisation for them to come back to you [the client] to discuss your requirements, and should no further service be required after that discussion the information you have provided will simply be destroyed by shredding”. It is important to note that this statement from the reception staff would be a courtesy because, under the guidance, it would not be required, for reasons that will become clear shortly.
Once the correct person in the organisation has received the paper information and has made contact with the prospective client, if the prospective client then becomes a formal client, a ‘clear and obvious’ Article 13 privacy notice should be provided to them at the front of the legal pack (our view is it should be on a different coloured paper to make it more distinctive).
If the prospective client chooses not to engage our client, the appropriate person within our client who has been discussing the prospective client’s needs would simply state to the prospective client, “…that because they [the client] are not moving forward with the company, the information they have provided so far would simply be destroyed”. This statement and the original statement from the reception staff go to transparency under GDPR (Article 5, 1a).
The interesting view here is that whilst their personal data was in paper form and not inputted into a CRM system, email system or formal filing system, it did not come under GDPR’s material scope as set out in Article 2, because at that point it was not being processed ‘wholly or partly by automated means… or …processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system’ (Article 2, 1).
At the points between receiving the call by reception staff and the engagement of the company [our client] by their prospective client, their personal data was not intended to be part of a formal filing system as that would not happen until the prospective client engaged our client. As it is not in scope of GDPR, no privacy notice is therefore required at that point.
However, once the prospective client engaged our client, our client would have to issue a formal Article 13 Privacy Notice. Whilst it can be provided with the other required legal documents, it MUST be ‘clear and obvious’, so it ought to be at the front and, as we also suggest, on a different coloured paper to make it stand out.
The above is useful to know for all organisations that receive telephone enquiries where the information is then passed to a salesperson to follow up, and that are concerned about whether a full Article 13 privacy notice explanation should be given by the reception staff receiving the enquiry.
The above information is provided in good faith and should not be considered definitive for your situation without confirming with your own legal department or confirming your situation with an ICO advisor.