How we legalized marketing calls from the client’s call center for 10 new countries
Launching marketing calls simultaneously in 10 new jurisdictions presents international business with an extremely complex challenge: how to comply with each country’s unique and sometimes contradictory requirements without creating operational chaos. In this case study, we demonstrate how our consultants managed to transform fragmented personal data laws into a unified system of legal bases that ensures the legality of every contact.
Request
An international company expanding into new markets approached us. To attract potential clients and partners, they decided to conduct direct marketing calls. However, they faced a problem: is it possible to make “cold” calls in these markets, and if so, how should it be done?
Our solution
- Analyzed requirements for marketing calls in all new jurisdictions.
- Delineated and minimized risks to the personal data of potential users and partners arising from the call itself and its recording.
- Prepared specific scripts for call center operators and automated systems to help notify subscribers, collect their consents, and provide information about personal data processing.
- Did all this in a way that wouldn’t complicate business operations.
Leading consultant of a project
Siarhei Varankevich,
CIPP/E, CIPM, CIPT, MBA, FIP, Founder of DPO Europe.
How did the project start?
The company proposed their own version of wording to inform users, but it wasn’t relevant for all jurisdictions. For example, in some countries, it’s not enough to simply notify the subscriber. You must also obtain an active action, such as verbal consent or pressing a button (“If you don’t want your call to be recorded, press button 2”).
Additionally, some laws require explaining not only the purpose of data processing (the call and recording), but also who is calling (company information), where they got the contact, whether there’s cross-border transfer, and other details.
In short, a single template cannot be used: each of the 10 new countries for the business may have its own requirements for personal data processing.
And here’s how we solved it ⬇️
What did we do?
Conducted research
Consultants conducted in-depth research on each country where activity was planned. As part of the project, they analyzed various communication scenarios:
- Calls to existing or potential partners.
- “Cold” and “warm” calls to potential partners.
- Data transfer issues.
Based on this, a large table was created describing the legal bases for each possible processing scenario in each jurisdiction.
Systematized consent collection rules in each jurisdiction
Many jurisdictions required collecting consent for processing. However, each law provides its own rules on how consent for this or that processing must be obtained. Therefore, based on research across all legislations, our team also developed a list of possible scenarios for collecting consent from users.
The only safest option that would suit all jurisdictions looks like this:
Consent: Informed + Affirmative action + Granular.
Informed
The person is informed about the processing of their data (purpose, company name, where information is transferred, rights, etc.).
Quote from Art. 4(11) GDPR
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Affirmative Action
For consent to be valid, a clear active action from the person is necessary. Inaction does not constitute consent. The action must have a single meaning—to express consent.
Granular
It is prohibited to obtain consent for two processing operations (the call itself and its recording) expressed through one action.
Quote from Art. 7(2) GDPR
“If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding”.
Two other scenarios required fewer actions but could be used in not all jurisdictions.
Consent: Informed + Without Affirmative action + Granular
Consent: Informed + Without Affirmative action + Non-Granular
We systematized the rules for collecting consents
After researching which jurisdictions could use one type of consent or another, we prepared a table. It helps understand on what legal basis people can be called in different countries and how to process their personal data in the process.
Table columns:
- Country — the country for which the specified rules apply.
- Cold/Warm outreach — legal basis for “cold” (to strangers) and “warm” (to those already contacted) calls.
- Recording of the conversation — whether the conversation can be recorded and on what basis.
- International transfer — rules for data transfer abroad.
- Requirements for consent — what type of consent is needed (informed, with affirmative action, etc.).
The cells indicate whether consent (Consent) is required, whether a contract (Contract) is sufficient, or whether “do not disturb” lists need to be checked. Call center operators look at the subscriber’s country and immediately understand which script to use and what actions to take for lawful personal data processing.
Example table:
Country | Cold outreach to business representative by marketing | Warm outreach to business representative | Warm calls to ordinary data subjects (potential drivers or consumers) | Cold calls to ordinary data subjects | Recording of the conversation | International transfer | Requirements for consent |
|---|---|---|---|---|---|---|---|
A | Consent | Consent | Consent | Consent | Consent | Consent | Consent 1: informed, affirmative |
B | 1) Check the contacts in the Do not Disturb List, then 2) call to obtain Consent (later possibly Contract) | No consent if data is collected from public sources | Opt out for marketing (later possibly Contract for b2b) | 1) Check the contacts in the Do not Disturb List, then 2) call to obtain Consent | Consent | The same legal bases as for the calls (because currently transfer is the type of data processing) | Consent 1: informed, affirmative |
C | Consent | Contract | Contract | Consent | Consent | Authorization (DPA) / Information (data subject) | Consent 1 |
And so on for 10 countries into whose markets the business was expanding. As a result, a large summary table was created that allows the team to navigate: what actions need to be taken before or during a call to avoid violating local legislation.
Many jurisdictions to comply with? Not a problem for us
We help companies enter new markets and combine the requirements of multiple jurisdictions at once. Write to our manager to learn how the DPO Europe team can help your business.
Developed text variations (wording)
To keep personal data processing transparent to the user during calls, our team developed text variations (wording) for call center operators and bots.
The texts were not developed universally, but for specific business processes and recipient categories. We created different texts for:
- “Cold” and “warm” calls to potential partners.
- Calls to business partners.
- Processes related to data transfer to third parties.
Each scenario included its own script to help call center employees properly convey information about the call’s purpose and data processing.
For bots, the texts also had to be as clear as possible and include understandable instructions for tone-dial actions (button pressing) so the system could correctly record the user’s choice.
Script example
Bot Text:
Hello, this is [company name]. We record our calls to improve the quality of our service. If you do not want your call to be recorded, press “2”. To learn more about your privacy, press “3”. Otherwise, please stay on the line to continue the call.
[If button “3” is selected the following message is played]:
Please listen to the privacy notice regarding this call with [company name].
The main reason for recording calls is to help resolve disputes. By recording conversations, we can make sure that we have an accurate record of what was said between people, in case there are any arguments later on.
In addition, listening to recorded calls is very helpful for training agents. By reviewing previous calls, we can find ways for our agents to improve and give them helpful advice to better help our customers.
Recorded information may be shared with call centers and other companies in our group to conduct marketing campaigns in the USA, Russia, and [List of countries].
You have the right to withdraw your consent at any time. This will not affect the service we provide to you.
To exercise your right, you can opt out by either telling us during the conversation or sending an email to our privacy team at [email of privacy team]. We’ll process your request quickly and confirm that you withdrew your consent.
For more detailed information on how we collect, use, and protect your data, please visit our website at [company website] and read the privacy policy.
If you agree to data processing and audio recording, please press “1”. If you prefer to continue without the audio recording, please press “2”. Alternatively, stay on the call to listen to our privacy information one more time.
Script for human operator:
Hello, this is [company name]. I’m calling to … [information about the purpose of the call]. May I record this call?
Developed text variations (wording)
The logic of obtaining consent through IVR (interactive voice response) using keypad input is used to technically record the user’s decision and ensure the legality of processing their data.
Based on sources, the following key aspects of this logic can be identified:
- Process separation: In IVR logic, it’s important to separate two different actions: the fact of making the call (marketing communication) and recording that conversation. These are two different data processing purposes, and each may require a separate user decision.
- “Press a key” mechanism: To record consent, the bot scenario (wording) includes direct instructions. For example, the phrase is used: “If you agree, press 1”. Such user action is interpreted by the system as granting consent.
- Right to refuse recording: The user must have a choice. If a person doesn’t want their conversation recorded, the IVR logic must provide a corresponding button: “If you don’t want your call to be recorded, press button 2“.
- Action logging: All user key presses in response to consent requests are recorded (logged) in the system. This is necessary so the company can prove the existence of consent in case of supervisory authority checks or subject complaints.
- Automation for bots: This logic is most relevant for cases when calls are made by a bot, as it allows fully automating the collection and storage of confirmations without live operator participation.
Thus, the use of buttons in IVR turns verbal interaction into a legally significant action that can be technically confirmed by extracting system logs.
Prepared automated Privacy Notice
If a user wants to receive more detailed information about how the company processes their personal data, we provided the ability to listen to an automated Privacy Notice.
Example of automated Privacy Notice:
Please listen to the privacy notice regarding this call with [company name].
The main reason for recording calls is to help resolve disputes. By recording conversations, we can make sure that we have an accurate record of what was said between people, in case there are any arguments later on.
In addition, listening to recorded calls is very helpful for training agents. By reviewing previous calls, we can find ways for our agents to improve and give them helpful advice to better help our customers.
Recorded information may be shared with call centers and other companies in our group to conduct marketing campaigns in the USA, Russia, and [List of countries].
You have the right to withdraw your consent at any time. This will not affect the service we provide to you.
To exercise your right, you can opt out by either telling us during the conversation or sending an email to our privacy team at [email of privacy team]. We’ll process your request quickly and confirm that you withdrew your consent.
For more detailed information on how we collect, use, and protect your data, please visit our website at [company website] and read the privacy policy.
Why couldn't it be simpler?
Because we help businesses comply with personal data protection laws in many jurisdictions simultaneously, and we must guarantee that none of them received more attention than the others. This approach allowed us to accomplish an initially difficult task, considering the specifics of 10 countries at once while not overloading the business with the maximum possible and strict requirements.
We help enter new markets and be compliant in current ones
Sign up for a free consultation with our expert to assess the current compliance level of your international project and learn how to improve it.
