The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

Frequently Asked Questions - FAQ

12. Contacting Customers

12.1  I want to circulate an email to a number of recipients, what are the data protection considerations?

In certain circumstances an email address can be considered "personal data" and subject to the provisions of the Data Protection Acts 1988 & 2003. Section 2(1)(d) sets out that "appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing".

While there is no 'best practice' guide on mailing lists this Office advises that where an email is being sent by an organisation to a number of email addresses outside of the organisation, that it should be done using the BCC (Blind Carbon Copy) field. This is particularly important when sending the email to recipients personal email address as opposed to a company email address.  Using the BCC field for mass mailings prevents the unnecessary disclosure of all the intended recipients email addresses to others.

12.2 Can I carry out market research with my own customers?

The Data Protection Acts do not preclude contact with customers for market research purposes once other requirements in the Acts are met.  At the time at which the customer data is collected, it is advisable that they be informed of the possibility of future market research contact.  They should be given an opportunity to object to this.  A key issue in this area is that personal data may only be retained for as long as the purpose for which it was collected is still valid.  This would not extend to retaining the data for market research purposes only. 

Accordingly, market research must be conducted while there is still a primary purpose for holding the personal data.  In such circumstances, market research should only be carried out on personal data where there has been contact with the customer in the previous twelve months.
It is also permissible to contract a third party company to carry out market research for your company.  Such a contract should stipulate that the personal data supplied can only be used for the purpose supplied, must be held securely and deleted or returned at the conclusion or termination of the contract.  In addition, it should be made clear to recipients of the survey that it is being carried out on behalf of your company.

Finally, a market survey should not be used as a pretext for engaging in direct marketing activity with any persons contacted unless a separate consent is in place to contact those persons for this purpose.

12.3 When I contact my customers by phone can I ask them security questions to verify the identity of the person with whom I am speaking?

This Office receives frequent queries from individuals who have been contacted by organisations and told that they will not proceed with the call unless the individual first responds to a number of security questions.  Given that individuals are generally advised never to provide their personal information to callers who they do not know or cannot readily identify or verify, this type of practice can give rise to concerns for individuals.  While we appreciate that the company is seeking to take all measures to only discuss matters with the correct individual, from a data protection perspective, when companies are making such calls, it would be sufficient for them to use the contact details which have been supplied to them by their customers and confirm that they are speaking to the correct person.

12.4 Can I send our clients text messages with notifications/reminders?

The issue that arises from such a system is that the company would have to ensure that the purpose for which the phone numbers were originally collected is compatible with this texting service. At the time the company collects these numbers it needs to inform clients that it will be providing a texting service to notify them of appointments.

In addition to this, where individuals have been informed of the use as outlined above, the company would need to have procedures in place to ensure that the phone numbers it has are accurate and up-to-date. We would expect a practice to be in place to verify on a regular basis that the number given by an account holder remains valid, e.g. if there is a gap since the last contact with the account holder their number should be verified again, to ensure that texts are only issued to the intended recipient. Failure to follow these procedures runs the risk of sending notifications/reminders to the wrong person, either by virtue of a changed mobile phone or the number held does not relate solely to the account holder.  We recommend that the text of the SMS message to be sent to individuals should contain minimal information and not include any account or medical information.

12.5 What are the considerations when using an automated calling machine?

According to the ePrivacy Regulations (SI 336 of 2011), an automated calling machine means an automatic calling machine or system which, when activated, operates to make calls without human intervention. This definition covers autodiallers.

SI 336 of 2011 replaced SI 535 of 2003. Even under the previous Regulations it was unlawful to send an unsolicited marketing communication by means of an automated calling machine without the consent of the individual concerned. That continues to be the case under the new Regulations and nothing has changed in that specific regard (see Reg 13(1)(a)).

In addition, the new Regulations (see Reg 13(10)(b)) place a requirement on marketers using automated calling machines to include in every call made the name, address and telephone number of the person making the communication and, if applicable, the name, address and telephone number of the person on whose behalf the communication is made. Failure to comply with this requirement is a criminal offence.

The reason for the introduction of this requirement was that several companies were using autodiallers to make marketing calls but they did not have sufficient agents to handle the calls when the phones were answered by the customers being called. This led to a huge number of "silent calls" as the autodialler dropped the call without giving any indication of what company was calling. A significant fear factor arose amongst the public, many of whom thought they were being targeted by criminals or stalkers.

Under the new Regulations, if an agent is not available to continue with the call made by the autodialler, the autodialler must play a message of some sort which tells the customer on whose behalf they are calling. Obviously, the marketer can convey other script on that message if they wish, but the main thing is to identify themselves by name, address and telephone number.

12.6 What are the data protection requirements for organisations recording telephone calls?

Under data protection legislation it is accepted that there can be a legitimate business interest basis for the recording of calls in business critical areas in certain sectors, subject to the provision that callers should be clearly informed, whether it is incoming or outgoing calls, that recording is taking place and that the caller can either choose to continue with the call or to terminate it.  Section 2A(1)(a) allows the processing of personal data where the data subject has given his/her consent.

As the Data Protection Acts state that a person's information should only be collected for specific purposes of which they should be pre-advised, the purpose(s) for which the calls are being recorded should be pointed out to callers before any personal data is collected.  For inbound calls, your organisation may wish to consider having a pre-recorded message.  Any pre-recorded message should reflect the exact purposes for recording the call, i.e. training purposes, dispute resolution purposes etc.  The purpose(s) for which the calls are being recorded should be pointed out to callers before any personal data is collected.  If the purpose is not obvious, each purpose must be outlined.

For outbound calls it is more difficult to find a justification for recording these calls.  The data controller has to be able to demonstrate that a data subject, upon first contact, will be supplied with the required information as outlined above. 

An individual has a right to get a copy of any such recording made of her/his call. The copy could be provided in audio or transcript format.