you are being redirected

You will be redirected to the website of our parent company, Schönherr Rechtsanwälte GmbH: www.schoenherr.eu

17 May 2017
newsletter

Call Recording by Customer Services under Montenegrin Law

As customer service call recording concerns personal data protection, under what conditions is it allowed in Montenegro?

Legal framework

Two laws regulate call recording: the Electronic Communications Act (Zakon o elektronskim komunikacijama) ("Official Gazette of Montenegro" no. 40/13, 56/13 and 2/17) (the "ECA") and the Personal Data Protection Act (Zakon o zaštiti podataka o ličnosti) ("Official Gazette of Montenegro" no. 79/09, 70/09 and 44/12) (the "PDPA"). The laws complement each other, as the ECA prohibits unconsented call recording in general, while the PDPA prohibits unconsented data processing, which encompasses call recording. Interestingly, neither of these laws specifically regulates the opt-out approach, ie announced subsequent monitoring, if a user does not disagree. In line with general principles this would be considered noncompliant with the local data protection regulations, although it is tolerated by the Data Protection Agency (the "Agency"). 
Rules on call recording under the ECAThe ECA prohibits call recording without the user's consent, but does not state whether consent should be given in written or verbal form and does not regulate customer service notifications about recording. Since call recording is deemed data processing under the PDPA, the provisions of the PDPA will also be applied.
 
Rules on data processing (call recording) under the PDPAUnder the PDPA, data processing (ie call recording) may only be performed with the written or verbal consent of the data subject (verbal consent must be recorded in the form of minutes). In principle, bearing in mind the currently restrictive framework, before the call is recorded the data subject should be notified (usually in Montenegrin, except for foreigners) of particular details relating to the processing of data: (i) the (business) name and address of the person processing the data; (ii) the purpose and legal grounds for the data processing; (iii) the third party, ie user of the processed data and the legal grounds for enabling the usage of data; (iv) whether providing the personal data is mandatory or voluntary and the consequences of not providing the data; and (v) the right to access and amend the personal data. This is difficult to implement in any case of call recording.

The above legally defined manner of granting consent excludes the possibility of the opt-out approach, even though it is tolerated by the Agency. Interestingly, the PDPA allows video surveillance for safety purposes with a mere notification. As a call recording differs from video surveillance, however, these provisions cannot be applied to call recording, implying that written consent would be required.

 

Exceptions

 

The PDPA envisages some exceptions to the above prohibition of unconsented data processing. For instance, the data subject's consent is not required when the data processing is due to obligations arising from a concluded agreement or when certain actions have to be taken prior to concluding an agreement as required by the data subject.
 
Non-official stance of the Data Protection AgencyAlthough this does not follow clearly from the law, which should be interpreted restrictively as it refers to a sensitive matter, the Agency's unofficial stance is that the opt-out approach is allowed and that a notification informing the data subject about the recording is sufficient. Therefore, the Agency tolerates call recording if the user has been notified. Practice confirms this, as most customer services use an automated voice message to inform callers that the call will be recorded. However, the opt-out approach should be considered on a case-by-case basis depending on the type of data and, in the Agency's opinion, on whether the data is being provided by an identified user or a user who could be identified indirectly. Some lawyers, though, claim that even the user's voice could be considered personal data, since the user can be unmistakeably identified by his or her voice.

ConclusionAlthough the Agency tolerates the opt-out approach, this issue will surely be raised in the future, especially as despite being verbally notified, users were not given the option to (dis)agree, meaning that they must either accept call recording by continuing the call or end the call without obtaining the desired help or service. Therefore this area should be closely monitored and each case should be carefully assessed before implementing call recording, as the Agency's practice could change.

This article was written by Marija Zdravkovic