Datatilsynet (Denmark) - 2023-431-0018
From GDPRhub
| Datatilsynet - 2023-431-0018 | |
|---|---|
 | |
| Authority: | Datatilsynet (Denmark) |
| Jurisdiction: | Denmark |
| Relevant Law: | Article 6(1)(c) GDPR Article 6(1)(f) GDPR Article 9 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 27.06.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | IDA Forsikring Forsikringsformidling F.M.B.A. |
| National Case Number/Name: | 2023-431-0018 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Danish |
| Original Source: | Datatilsynet (Denmark) (in DA) |
| Initial Contributor: | wp |
The DPA found the controller did not obtain valid consent for transcription and subsequent processing of customer service recordings of conversation. The controller should then implement appropriate changes to the processing activities.
English Summary
Facts
IDA Forsikring Forsikringsformidling F.M.B.A. (a controller) is a Danish insurance company.
To improve the controller’s customer services, including their quality, as well, to assess the employees’ performance, the controller was recording incoming telephone calls of customer service.
The audio files with recordings were analysed and converted into a text by a data processor. For this purpose, the processor used a speech recognizing software. The software was developed by the processor for past 8 years to optimize the analysis. According to the processor, the conversation recordings were not used in order to train the software.
In order to analyse the employees’ conduct during calls with customers, the software picked up the word used by the employees. This was because the controller implemented a dedicated policy (“conversation tree”) to standardize contact with their customers. Hence, once the analysis was done, the call was assigned with a quality score. Consequently, the controller created and developed a list of positive and negative words (a dictionary) based on experience from approximately 30 million calls. However, according to the processor, the conversation recordings were not used in order to train the software.
Additionally, the analysis of call let the controller to create a statistics on number of inquiries regarding specific topics. The statistical data allowed the controller to improve the customer service (for example by updated the FAQ section). Moreover, using the statistical data the controller was able to better know the clients behaviour and accordingly adapt their marketing and customer services, for example change the content of the newsletter bearing in mind the actual interest of the customers.
The controller claimed they did not use the software to profile employees or customers, since the controller was analysing the conversation, not the individual.
Due to the subject of services provided by the controller, the conversation included various personal data of customers, inter alia, identification data, financial data, details on the insurance policy and in some cases data related to health. For the employees the basic scope of personal data processed covered name, surname, e-mail address, voice.
The abovementioned data processing attracted the attention of media. For that reason, the controller reviewed the processing activities related to the analysis of conversation. Regarding the legal basis of data processing for that purpose, the controller indicated on the consent under Article 6(1)(a) GDPR for the customers, and Article 6(1)(f) GDPR for the employees.
The Danish DPA (Datatilsynet) proceedings were started ex-officio.
Holding
The DPA found the controller processed the data stemming from the recordings of conversations as a part of their daily operations. Yet, the scope of investigation covered only the matter of phone conversations’ recordings. The DPA stood on the position that the controller collected and stored the phone conversations’ recordings for the purposes of training and quality improvement. It was apparent that the controller relied on the artificial intelligence software to perform the analysis.
The DPA noted the controller scrutinised the processing activity at hand and, as a result, changed its legal basis. Although the consent under Article 6(1)(a) GDPR was a suitable legal basis for collecting and processing the recordings of conversation, the controller failed to obtain the consents in compliance with the GDPR. The consent obtained at the beginning of each phone conversation between the controller and a customer encompassed many different purposes, leaving no choice for the customer. Hence, the consent was not lawfully obtained, because it was lacking with the granularity requirement (not freely given). Nevertheless, the DPA agreed with the controller that Article 6(1)(f) GDPR was a proper legal basis for processing of employees’ data.
Furthermore, the DPA emphasised the analysis of conversations’ recordings, performed by the processor, was not a separate purpose of processing. The application of Article 9 GDPR was excluded as well, since the data was not processed to uniquely identify the customer or the employee.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Skip the main navigation Search Do you have two minutes? Let us know what you think of the website and our guide. We would love to hear from you, regardless of whether you are here as a private person or a professional. IDA Forsikring's use of artificial intelligence for the analysis of recorded telephone conversations Date: 27-06-2024 Decision Private companies No criticism Supervision / self-operating case GDPR's scope of application In a case of its own initiative, the Norwegian Data Protection Authority investigated IDA Forsikring's use of artificial intelligence for the analysis of recorded telephone conversations. Journal number: 2023-431-0018. Summary On 1 March 2023, the Norwegian Data Protection Authority started an investigation of IDA Forsikring's own operation of artificial intelligence to analyze the company's telephone conversations with people who call IDA Forsikring's customer service. IDA Forsikring has stated that incoming telephone calls are recorded, after which the audio files from the recordings are sent for analysis by a data processor, which converts the files into text using self-developed speech recognition. The speech recognizer is a generic model that has been developed and optimized by the data processor over the past 8 years with the aim of partly being able to identify the most relevant elements from the sound file as a basis for further analysis, and partly to make the sound files searchable. The purpose of the analysis of the conversations is to improve IDA Forsikring's member service, ensure quality and give employees insight into their conversations in order to strengthen the service to members. The Danish Data Protection Authority found in the case that IDA Forsikring, within the framework of the data protection rules, can record and analyze incoming telephone calls. However, the Norwegian Data Protection Authority found that the current process for obtaining consent from the person calling in does not meet the data protection rules. Decision The Danish Data Protection Authority hereby returns to the matter, where on 1 March 2023 the Danish Data Protection Authority initiated an investigation of its own operations into IDA Forsikring Forsikringsformidling F.M.B.A.'s (IDA Forsikring) use of artificial intelligence to analyze the company's telephone conversations with people who call IDA Forsikring's customer service. The Danish Data Protection Authority has now completed processing the case. In this connection, the case has been submitted to the Data Council. 1. Decision The Danish Data Protection Authority finds that IDA Forsikring can record and analyze incoming telephone calls within the framework of the data protection rules. However, the Danish Data Protection Authority finds that the process, as it is currently set up, for obtaining consent from the person calling in, is not within the scope of the data protection rules. The question of the obligation to provide information does not give the Data Protection Authority reason to take any further action. Below follows a closer review of the case and a rationale for the Data Protection Authority's decision. 2. Case presentation IDA Forsikring has stated that incoming telephone calls are recorded, after which the audio files from the recordings are sent for analysis by a data processor, which converts the files into a text basis using self-developed speech recognition. The speech recognizer is a generic model that has been developed and optimized by the data processor over the past 8 years with the aim of partly being able to identify the most relevant elements from the sound file as a basis for further analysis and partly to make the sound files searchable. IDA Forsikring's conversations are not used to train the speech recognizer. If subject-specific words are not already in the dictionary, which consists of negative and positive words, these can be added via the platform so that the dictionary is updated. In this connection, IDA Forsikring has stated that the list of negative and positive words has been prepared on the basis of experience from more than 30 million calls. The analysis of the conversations takes place with the aim of improving IDA Forsikring's member service, quality assurance and assisting the individual employee with insight into their own conversations and understanding of the opportunities to do better in servicing the members. Within these purposes, the system is used in the following ways: Firstly, IDA Forsikring works with a standard to ensure a constant and uniform level of service to members, including a conversation tree to ensure that a welcome is given, that words that are considered positive are predominantly used, and that politely in the conversations with the members. Based on this standard, it is possible in the system to configure an indicative scoring feature of the conversation, whereby the conversation is analyzed for given words related to the individual parts of the standard, including a welcome greeting, positive words and polite end of the conversation carried out by the employee, in order to could give the interview an indicative quality score based on whether the standard has been followed. The quality score is used to support the employees in their work and to monitor whether the standard is being followed. Secondly, an automated breakdown of call reasons is carried out in order to keep statistics on how many inquiries IDA Forsikring receives on specific subjects, and ensure a relevant focus for the members in the servicing on the subjects that take up the most space, including by improving the servicing when updating of FAQ and self-service solutions as well as the communication about the same. The automatic division of the call reasons will thus be able to show what the call is about. Based on these subject divisions, the system will be able to be used to create "root cause" analyzes for the individual subjects. The statistics and root cause analyzes are used to develop and adapt IDA Forsikring's ongoing service, e.g. know for sure when and why members start talking about ski holidays, so that the website and newsletter can be adapted accordingly and thereby improve the service to members both in terms of time and content on the right channels. The technology is not used for profiling, and the purpose of the processing is not to acquire knowledge about individuals or about the individual employee. It is the conversation that is the subject of the recordings and the subsequent analysis, and not the individual, just as the system does not analyze tone of voice, gender or dialects in the conversation. About the employees, the technology means that information about name, work email, voice and possibly other personal data from dialogue with the member/policy holder is processed. Regarding members/policy holders, the personal data that the person provides during the interview is processed. This will most often be voice, name, address, telephone number, e-mail address, bank details (reg. no. and account number), salary details and information about membership of IDA. In addition, there may be information about medical conditions, if it is relevant for the insurance or in the event of a dispute. In addition, the social security number may be disclosed for identification purposes. IDA Forsikring has also stated that the company – as a result of the media coverage of the use of the system – has reviewed its processing activities. With regard to the processing basis for the processing of personal data about members/policyholders and employees respectively, IDA Forsikring has stated that the processing of information about members/policyholders for the purpose of documenting verbally concluded agreements and for the purpose of securing and improving the quality of the offered services and training (now) takes place on the basis of their consent in accordance with the data protection regulation, article 6, subsection 1, letter a, and Article 9, subsection 2, letter a. Processing of information about employees takes place on the basis of Article 6, subsection of the data protection regulation. 1, letter f. IDA Forsikring has informed about the obligation to provide information that people who call in are (now) greeted by the following speak: “We want to record this conversation to improve our member service and for documentation purposes. The recording is saved for up to 5 years and is automatically transcribed so that we can, for example, keep statistics on topics that are called about. Read more in the privacy policy at idaforsikring.dk. Can you approve it, press 1, otherwise please wait. If you wish to withdraw your consent later, you can call again and ask to have the conversation deleted.” As far as employees are concerned, they are informed about the recording of the interview at the employment interview. In addition, new employees receive direct training in – and gain access to – the system. New employees are also involved in the work on improving IDA Forsikring's member service, where the system is used. Existing employees are involved in the implementation of the system. 3. Reason for the Data Protection Authority's decision 3.1. Processing is in accordance with the data protection regulation[1] article 6, subsection 1, only legal if and to the extent that at least one of the following conditions applies: The data subject has given consent to the processing of his personal data for one or more specific purposes. Processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of measures taken at the data subject's request prior to entering into a contract. Processing is necessary to comply with a legal obligation owed to the data controller. Processing is necessary to protect the vital interests of the data subject or another natural person. Processing is necessary for the performance of a task in the interest of society or which falls under the exercise of public authority, which the data controller has been tasked with. Processing is necessary for the controller or a third party to pursue a legitimate interest, unless the data subject's interests or fundamental rights and freedoms requiring the protection of personal data take precedence, in particular if the data subject is a child. According to the data protection regulation, article 9, subsection 1, a prohibition applies to the processing of special categories of personal data, including, for example, health information. However, this prohibition does not apply if one of the exceptions in the data protection regulation, Article 9, subsection 2, or provisions implementing Article 9 of the regulation, are met. The prohibition does not apply, for example, if the data subject has given express consent to processing, cf. the data protection regulation's article 9, subsection 2, letter a. 3.2. What is the matter about? IDA Forsikring processes personal data about members/policy holders etc. as part of the association's daily activities. This processing of personal data must have a processing basis in Article 6 of the Data Protection Regulation. If IDA Forsikring processes information covered by Article 9 or other categories of information which are regulated separately, including social security number, cf. Section 11 of the Data Protection Act, these provisions will also have to be met. However, the case does not concern IDA Forsikring's general processing of personal data as part of the association's day-to-day operations, and the Danish Data Protection Authority has therefore not taken a position on this with this decision. The case, on the other hand, concerns the fact that IDA Forsikring records (and stores) telephone conversations for documentation and quality assurance purposes (training), respectively, and that IDA Forsikring uses artificial intelligence – as part of this quality assurance – to analyze (the recorded) telephone conversations. In addition, the case concerns the information that IDA Forsikring provides in this regard. In this connection, the Danish Data Protection Authority has noted that IDA Forsikring has had the opportunity to reconsider its processing activities and, on that basis, has changed the basis for processing personal data. With this decision, the Norwegian Data Protection Authority has only dealt with how IDA Forsikring's practice is currently set up. The Danish Data Protection Authority also notes that with this decision the authority has only dealt with the issues that the decision deals with. The Danish Data Protection Authority has thus not dealt with other questions, including impact analysis etc. 3.3. Recording of telephone conversations 3.3.1. People who call IDA insurance In the Norwegian Data Protection Authority's guidance on the recording of telephone conversations[2], the Danish Data Protection Authority has explained in more detail when - and under what conditions - in the Danish Authority's opinion, telephone conversations can be recorded without the consent of the data subject. IDA Forsikring has – after reviewing its processing activities – assessed that the recording and storage of telephone conversations for documentation and quality assurance purposes (training), respectively, should be done on the basis of consent in accordance with Article 6, paragraph 1 of the Data Protection Regulation. 1, letter a, and 9, subsection 2, letter a, from the person calling in. IDA Forsikring has also assessed that the recording and storage of information about employees can take place on the basis of the balancing of interests rule in Article 6, subsection 1, letter f. It is (primarily) the data controller – IDA Forsikring – who must assess which legal basis(s) is the most appropriate. In the following, the Danish Data Protection Authority therefore only considers the basis(s) that IDA Forsikring has provided, and the Danish Data Protection Authority therefore does not take a position on whether processing could (also) take place on another basis. The conditions for a valid consent appear from Article 4, No. 11, and Article 7 of the Data Protection Regulation, and a valid consent therefore presupposes, among other things, that it is voluntary, specific, informed and an expression of an unequivocal expression of will. The requirement of voluntariness implies that the data controller must give the data subject a free choice and control over personal data about the person concerned. Consent will not be given voluntarily if the data subject does not have a real free choice. This means, among other things, that a consent cannot be considered voluntary if the procedure for obtaining consent does not give the data subject the opportunity to give separate consent for different processing purposes regarding personal data, and the data subject is thus forced to consent to all purposes. A consent must therefore be granulated (divided)[3]. The Danish Data Protection Authority can ascertain that in connection with a person calling IDA insurance, only one overall consent is obtained for both documentation and quality assurance purposes (training). The person who calls is thus not given the opportunity to choose to consent to only one of the purposes. The fact that personal data is collected by telephone does not change the requirements for a valid consent. It is against this background that the Danish Data Protection Authority's assessment is that the consent obtained by IDA Forsikring is not sufficiently granular, and therefore cannot be considered voluntary. The consent is therefore not valid, and therefore cannot constitute a basis for processing. Since the Norwegian Data Protection Authority has not previously dealt with how consent is obtained by telephone when you as a data controller have several purposes, the Norwegian Data Protection Authority does not find any concrete reason to express criticism. However, IDA Forsikring must (going forward) ensure that IDA Forsikring's process in connection with the recording of telephone conversations takes place in accordance with the data protection rules. In this connection, IDA Forsikring can – with the inclusion of the Danish Data Protection Authority's guidance on telephone conversations – consider whether the recording and storage of telephone conversations can take place for one or both of the purposes mentioned on the other basis of consent. If this is not the case, IDA Forsikring must organize its acquisition of consent in another way, e.g. by requesting "two taps". 3.3.2. Employees The Danish Data Protection Authority finds no basis for overriding IDA Forsikring's assessment that the recording and storage of the information about employees that appears from the recording can be done on the basis of Article 6, paragraph 1 of the Data Protection Regulation. 1, letter f. The Danish Data Protection Authority has hereby emphasized that the employee participates in the conversation in a work-related context, that the information that may be processed about the employee in connection with the recording of the telephone conversation must be assumed to be of a limited and harmless nature, as well as the fact that training of employees is a valid and legitimate purpose. 3.4. Use of artificial intelligence to analyze the recorded telephone conversations IDA Forsikring has stated that the recordings – as part of the quality assurance – are sent for analysis by a data processor, which transforms the files into a text basis using self-developed speech recognition. In this connection, the Danish Data Protection Authority is of the opinion that the analysis of the recorded telephone conversations for use in quality assurance should not be considered an independent purpose. IDA Forsikring can thus base the analysis on the same basis as the recording of the conversation itself – in this case consent, which IDA Forsikring has assessed as the most appropriate basis. As mentioned above, however, IDA Forsikring must ensure that IDA Forsikring's process for obtaining consent takes place in accordance with the data protection rules. In relation to employees, refer to it in section 3.3.2. stated the basis for processing information. In addition to having a legal basis, any processing of personal data must be done in accordance with the principles for processing personal data in the data protection regulation, Article 5, subsection 1, letter a - c. This means, among other things, that personal data according to letter a of the provision must be processed legally, fairly and in a transparent manner in relation to the registered person, and according to letter c must be sufficient, relevant and limited to what is necessary in relation to the purposes for which they are processed. When these conditions can be considered fulfilled depends on the specific circumstances surrounding a treatment, including its purpose. The Danish Data Protection Authority notes in this connection that the analyzes of the recorded telephone calls do not in themselves appear to be covered by the prohibition in Article 9, paragraph 1 of the Data Protection Regulation. 1. This is because the purpose of processing the information is not to uniquely identify either the person calling or IDA Forsikring's employees. This applies regardless of the fact that the information in question may be biometric data according to the regulation's Article 4, No. 14.[4] IDA Forsikring has stated that the technology is not used for profiling and that the purpose of the processing is not to acquire knowledge about individuals or individual employees. It is thus the conversation that is the subject of the recordings and analysis, and not the individual. IDA Forsikring has also stated that the system used is speech recognition only and does not use voice recognition technology, including that the system does not analyze intonation, gender or dialects in the conversation[5]. The fact that the system in the present case does not take into account, for example, tone of voice, including sarcasm and irony, but only analyzes "pure text", can primarily be seen to lead to "false positives" in relation to the conversation, so that the conversation receives a higher quality score than intended. Based on an overall assessment of the above, the Danish Data Protection Authority finds that IDA Forsikring's analysis using artificial intelligence takes place within the framework of the aforementioned principles. The Danish Data Protection Authority notes that if a "failure to take into account" tone of voice etc. in another situation could entail a risk of consequences for the data subject, measures must be taken to address this risk. 3.5. Information about the recording and analysis of telephone conversations The Danish Data Protection Authority can ascertain that IDA Forsikring in its speech draws attention to the fact that the conversation is recorded and transcribed. In addition, IDA Forsikring refers to the association's personal data policy. In this connection, the Danish Data Protection Authority can ascertain that IDA Forsikring's personal data policy essentially provides the information that appears in Article 13 of the Data Protection Regulation. IDA Forsikring has also stated that employees are informed about the recording of interviews during the employment interview. In addition, new employees receive direct training in and gain access to the system. New employees are involved in the ongoing work in the team to improve IDA Forsikring's member service, where the system is used. Based on the above, the question of the obligation to provide information does not give the Data Protection Authority reason to take any further action. [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection). [2] The Norwegian Data Protection Authority's guidance of April 2024 on the recording of telephone conversations [3] European Data Protection Board Guidelines 5/2020 on consent under Regulation 2016/679 (version 1.1, adopted on 4 May 2020), page 13. [4] See also the Danish Data Protection Authority's statement to the Alexandra Institute in the case with j.nr. 2023-211-0004: https://www.datatilsynet.dk/afgoerelser/afgoerelser/2024/jan/establering-og-deling-af-datasaet [5] The Danish Data Protection Authority notes in this connection that voice recognition technology is a more intrusive form of processing, which there must be (more) weighty reasons for using. The Norwegian Data Protection Authority Carl Jacobsens Vej 35 2500 Valby Tel. 33 19 32 00 dt@datatilsynet.dk About us About the Norwegian Data Protection AuthorityPresseHome pagePrivacy policyAvailability statement Shortcuts Guidance on GDPRCall usNewsletterThe National Whistleblower Scheme Follow us The Norwegian Data Protection Authority on LinkedIn IDA Forsikring's use of artificial intelligence for the analysis of recorded telephone conversations Date: 27-06-2024 Decision Private companies No criticism Supervision / self-operating case GDPR's scope of application In a case of its own initiative, the Norwegian Data Protection Authority investigated IDA Forsikring's use of artificial intelligence for the analysis of recorded telephone conversations. Journal number: 2023-431-0018. Summary On 1 March 2023, the Norwegian Data Protection Authority started an investigation of IDA Forsikring's own operation of artificial intelligence to analyze the company's telephone conversations with people who call IDA Forsikring's customer service. IDA Forsikring has stated that incoming telephone calls are recorded, after which the audio files from the recordings are sent for analysis by a data processor, which converts the files into text using self-developed speech recognition. The speech recognizer is a generic model that has been developed and optimized by the data processor over the past 8 years with the aim of partly being able to identify the most relevant elements from the sound file as a basis for further analysis, and partly to make the sound files searchable. The purpose of the analysis of the conversations is to improve IDA Forsikring's member service, ensure quality and give employees insight into their conversations in order to strengthen the service to members. The Danish Data Protection Authority found in the case that IDA Forsikring, within the framework of the data protection rules, can record and analyze incoming telephone calls. However, the Norwegian Data Protection Authority found that the current process for obtaining consent from the person calling in does not meet the data protection rules. Decision The Danish Data Protection Authority hereby returns to the matter, where on 1 March 2023 the Danish Data Protection Authority initiated an investigation of its own operations into IDA Forsikring Forsikringsformidling F.M.B.A.'s (IDA Forsikring) use of artificial intelligence to analyze the company's telephone conversations with people who call IDA Forsikring's customer service. The Danish Data Protection Authority has now completed processing the case. In this connection, the case has been submitted to the Data Council. 1. Decision The Danish Data Protection Authority finds that IDA Forsikring can record and analyze incoming telephone calls within the framework of the data protection rules. However, the Danish Data Protection Authority finds that the process, as it is currently set up, for obtaining consent from the person calling in, is not within the scope of the data protection rules. The question of the obligation to provide information does not give the Data Protection Authority reason to take any further action. Below follows a closer review of the case and a rationale for the Data Protection Authority's decision. 2. Case presentation IDA Forsikring has stated that incoming telephone calls are recorded, after which the audio files from the recordings are sent for analysis by a data processor, which converts the files into a text basis using self-developed speech recognition. The speech recognizer is a generic model that has been developed and optimized by the data processor over the past 8 years with the aim of partly being able to identify the most relevant elements from the sound file as a basis for further analysis and partly to make the sound files searchable. IDA Forsikring's conversations are not used to train the speech recognizer. If subject-specific words are not already in the dictionary, which consists of negative and positive words, these can be added via the platform so that the dictionary is updated. In this connection, IDA Forsikring has stated that the list of negative and positive words has been prepared on the basis of experience from more than 30 million calls. The analysis of the conversations takes place with the aim of improving IDA Forsikring's member service, quality assurance and assisting the individual employee with insight into their own conversations and understanding of the opportunities to do better in servicing the members. Within these purposes, the system is used in the following ways: Firstly, IDA Forsikring works with a standard to ensure a constant and uniform level of service to members, including a conversation tree to ensure that a welcome is given, that words that are considered positive are predominantly used, and that politely in the conversations with the members. Based on this standard, it is possible in the system to configure an indicative scoring feature of the conversation, whereby the conversation is analyzed for given words related to the individual parts of the standard, including a welcome greeting, positive words and polite end of the conversation carried out by the employee, in order to could give the interview an indicative quality score based on whether the standard has been followed. The quality score is used to support the employees in their work and to monitor whether the standard is being followed. Secondly, an automated breakdown of call reasons is carried out in order to keep statistics on how many inquiries IDA Forsikring receives on specific subjects, and ensure a relevant focus for the members in the servicing on the subjects that take up the most space, including by improving the servicing when updating of FAQ and self-service solutions as well as the communication about the same. The automatic division of the call reasons will thus be able to show what the call is about. Based on these subject divisions, the system will be able to be used to create "root cause" analyzes for the individual subjects. The statistics and root cause analyzes are used to develop and adapt IDA Forsikring's ongoing service, e.g. know for sure when and why members start talking about ski holidays, so that the website and newsletter can be adapted accordingly and thereby improve the service to members both in terms of time and content on the right channels. The technology is not used for profiling, and the purpose of the processing is not to acquire knowledge about individuals or about the individual employee. It is the conversation that is the subject of the recordings and the subsequent analysis, and not the individual, just as the system does not analyze tone of voice, gender or dialects in the conversation. About the employees, the technology means that information about name, work email, voice and possibly other personal data from dialogue with the member/policy holder is processed. Regarding members/policy holders, the personal data that the person provides during the interview is processed. This will most often be voice, name, address, telephone number, e-mail address, bank details (reg. no. and account number), salary details and information about membership of IDA. In addition, there may be information about medical conditions, if it is relevant for the insurance or in the event of a dispute. In addition, the social security number may be disclosed for identification purposes. IDA Forsikring has also stated that the company – as a result of the media coverage of the use of the system – has reviewed its processing activities. With regard to the processing basis for the processing of personal data about members/policyholders and employees respectively, IDA Forsikring has stated that the processing of information about members/policyholders for the purpose of documenting verbally concluded agreements and for the purpose of securing and improving the quality of the offered services and training (now) takes place on the basis of their consent in accordance with the data protection regulation, article 6, subsection 1, letter a, and Article 9, subsection 2, letter a. Processing of information about employees takes place on the basis of Article 6, subsection of the data protection regulation. 1, letter f. IDA Forsikring has informed about the obligation to provide information that people who call in are (now) greeted by the following speak: “We want to record this conversation to improve our member service and for documentation purposes. The recording is saved for up to 5 years and is automatically transcribed so that we can, for example, keep statistics on topics that are called about. Read more in the privacy policy at idaforsikring.dk. Can you approve it, press 1, otherwise please wait. If you wish to withdraw your consent later, you can call again and ask to have the conversation deleted.” As far as employees are concerned, they are informed about the recording of the interview at the employment interview. In addition, new employees receive direct training in – and gain access to – the system. New employees are also involved in the work on improving IDA Forsikring's member service, where the system is used. Existing employees are involved in the implementation of the system. 3. Reason for the Data Protection Authority's decision 3.1. Processing is in accordance with the data protection regulation[1] article 6, subsection 1, only legal if and to the extent that at least one of the following conditions applies: The data subject has given consent to the processing of his personal data for one or more specific purposes. Processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of measures taken at the data subject's request prior to entering into a contract. Processing is necessary to comply with a legal obligation owed to the data controller. Processing is necessary to protect the vital interests of the data subject or another natural person. Processing is necessary for the performance of a task in the interest of society or which falls under the exercise of public authority, which the data controller has been tasked with. Processing is necessary for the controller or a third party to pursue a legitimate interest, unless the data subject's interests or fundamental rights and freedoms requiring the protection of personal data take precedence, in particular if the data subject is a child. According to the data protection regulation, article 9, subsection 1, a prohibition applies to the processing of special categories of personal data, including, for example, health information. However, this prohibition does not apply if one of the exceptions in the data protection regulation, Article 9, subsection 2, or provisions implementing Article 9 of the regulation, are met. The prohibition does not apply, for example, if the data subject has given express consent to processing, cf. the data protection regulation's article 9, subsection 2, letter a. 3.2. What is the matter about? IDA Forsikring processes personal data about members/policy holders etc. as part of the association's daily activities. This processing of personal data must have a processing basis in Article 6 of the Data Protection Regulation. If IDA Forsikring processes information covered by Article 9 or other categories of information which are regulated separately, including social security number, cf. Section 11 of the Data Protection Act, these provisions will also have to be met. However, the case does not concern IDA Forsikring's general processing of personal data as part of the association's day-to-day operations, and the Danish Data Protection Authority has therefore not taken a position on this with this decision. The case, on the other hand, concerns the fact that IDA Forsikring records (and stores) telephone conversations for documentation and quality assurance purposes (training), respectively, and that IDA Forsikring uses artificial intelligence – as part of this quality assurance – to analyze (the recorded) telephone conversations. In addition, the case concerns the information that IDA Forsikring provides in this regard. In this connection, the Danish Data Protection Authority has noted that IDA Forsikring has had the opportunity to reconsider its processing activities and, on that basis, has changed the basis for processing personal data. With this decision, the Norwegian Data Protection Authority has only dealt with how IDA Forsikring's practice is currently set up. The Danish Data Protection Authority also notes that with this decision the authority has only dealt with the issues that the decision deals with. The Danish Data Protection Authority has thus not dealt with other questions, including impact analysis etc. 3.3. Recording of telephone conversations 3.3.1. People who call IDA insurance In the Norwegian Data Protection Authority's guidance on the recording of telephone conversations[2], the Danish Data Protection Authority has explained in more detail when - and under what conditions - in the Danish Data Protection Authority's opinion, telephone conversations can be recorded without the consent of the data subject. IDA Forsikring has – after reviewing its processing activities – assessed that the recording and storage of telephone conversations for documentation and quality assurance purposes (training), respectively, should be done on the basis of consent in accordance with Article 6, paragraph 1 of the Data Protection Regulation. 1, letter a, and 9, subsection 2, letter a, from the person calling in. IDA Forsikring has also assessed that the recording and storage of information about employees can take place on the basis of the balancing of interests rule in Article 6, subsection 1, letter f. It is (primarily) the data controller – IDA Forsikring – who must assess which legal basis(s) is the most appropriate. In the following, the Danish Data Protection Authority therefore only considers the basis(s) that IDA Forsikring has provided, and the Danish Data Protection Authority therefore does not take a position on whether processing could (also) take place on another basis. The conditions for a valid consent appear from Article 4, No. 11, and Article 7 of the Data Protection Regulation, and a valid consent therefore presupposes, among other things, that it is voluntary, specific, informed and an expression of an unequivocal expression of will. The requirement of voluntariness implies that the data controller must give the data subject a free choice and control over personal data about the person concerned. Consent will not be given voluntarily if the data subject does not have a real free choice. This means, among other things, that a consent cannot be considered voluntary if the procedure for obtaining consent does not give the data subject the opportunity to give separate consent for different processing purposes regarding personal data, and the data subject is thus forced to consent to all purposes. A consent must therefore be granulated (divided)[3]. The Danish Data Protection Authority can ascertain that in connection with a person calling IDA insurance, only one overall consent is obtained for both documentation and quality assurance purposes (training). The person who calls is thus not given the opportunity to choose to consent to only one of the purposes. The fact that personal data is collected by telephone does not change the requirements for a valid consent. It is against this background that the Danish Data Protection Authority's assessment is that the consent obtained by IDA Forsikring is not sufficiently granular, and therefore cannot be considered voluntary. The consent is therefore not valid, and therefore cannot constitute a basis for processing. Since the Norwegian Data Protection Authority has not previously dealt with how consent is obtained by telephone when you as a data controller have several purposes, the Norwegian Data Protection Authority does not find any concrete reason to express criticism. However, IDA Forsikring must (going forward) ensure that IDA Forsikring's process in connection with the recording of telephone conversations takes place in accordance with the data protection rules. In this connection, IDA Forsikring can – with the inclusion of the Danish Data Protection Authority's guidance on telephone conversations – consider whether the recording and storage of telephone conversations can take place for one or both of the purposes mentioned on the other basis of consent. If this is not the case, IDA Forsikring must organize its acquisition of consent in another way, e.g. by requesting "two taps". 3.3.2. Employees The Danish Data Protection Authority finds no basis for overriding IDA Forsikring's assessment that the recording and storage of the information about employees that appears from the recording can be done on the basis of Article 6, paragraph 1 of the Data Protection Regulation. 1, letter f. The Danish Data Protection Authority has hereby emphasized that the employee participates in the conversation in a work-related context, that the information that may be processed about the employee in connection with the recording of the telephone conversation must be assumed to be of a limited and harmless nature, as well as the fact that training of employees is a valid and legitimate purpose. 3.4. Use of artificial intelligence to analyze the recorded telephone conversations IDA Forsikring has stated that the recordings – as part of the quality assurance – are sent for analysis by a data processor, which transforms the files into a text basis using self-developed speech recognition. In this connection, the Danish Data Protection Authority is of the opinion that the analysis of the recorded telephone conversations for use in quality assurance should not be considered an independent purpose. IDA Forsikring can thus base the analysis on the same basis as the recording of the conversation itself – in this case consent, which IDA Forsikring has assessed as the most appropriate basis. As mentioned above, however, IDA Forsikring must ensure that IDA Forsikring's process for obtaining consent takes place in accordance with the data protection rules. In relation to employees, refer to it in section 3.3.2. stated the basis for processing information. In addition to having a legal basis, any processing of personal data must be done in accordance with the principles for processing personal data in the data protection regulation, Article 5, subsection 1, letter a - c. This means, among other things, that personal data according to letter a of the provision must be processed legally, fairly and in a transparent manner in relation to the registered person, and according to letter c must be sufficient, relevant and limited to what is necessary in relation to the purposes for which they are processed. When these conditions can be considered fulfilled depends on the specific circumstances surrounding a treatment, including its purpose. The Danish Data Protection Authority notes in this connection that the analyzes of the recorded telephone calls do not in themselves appear to be covered by the prohibition in Article 9, paragraph 1 of the Data Protection Regulation. 1. This is because the purpose of processing the information is not to uniquely identify either the person calling or IDA Forsikring's employees. This applies regardless of whether the information in question may be biometric data according to Article 4, No. 14 of the regulation.[4] IDA Forsikring has stated that the technology is not used for profiling and that the purpose of the processing is not to acquire knowledge about individuals or individual employees. It is thus the conversation that is the subject of the recordings and analysis, and not the individual. IDA Forsikring has also stated that the system used is speech recognition only and does not use voice recognition technology, including that the system does not analyze intonation, gender or dialects in the conversation[5]. The fact that the system in the present case does not take into account, for example, tone of voice, including sarcasm and irony, but only analyzes "pure text", can primarily be seen to lead to "false positives" in relation to the conversation, so that the conversation receives a higher quality score than intended. Based on an overall assessment of the above, the Danish Data Protection Authority finds that IDA Forsikring's analysis using artificial intelligence takes place within the framework of the aforementioned principles. The Danish Data Protection Authority notes that if a "failure to take into account" tone of voice etc. in another situation could entail a risk of consequences for the data subject, measures must be taken to address this risk. 3.5. Information about the recording and analysis of telephone conversations The Danish Data Protection Authority can ascertain that IDA Forsikring in its speech draws attention to the fact that the conversation is recorded and transcribed. In addition, IDA Forsikring refers to the association's personal data policy. In this connection, the Danish Data Protection Authority can ascertain that IDA Forsikring's personal data policy essentially provides the information that appears in Article 13 of the Data Protection Regulation. IDA Forsikring has also stated that employees are informed about the recording of interviews during the employment interview. In addition, new employees receive direct training in and gain access to the system. New employees are involved in the ongoing work in the team to improve IDA Forsikring's member service, where the system is used. Based on the above, the question of the obligation to provide information does not give the Data Protection Authority reason to take any further action. [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection). [2] The Norwegian Data Protection Authority's guidance of April 2024 on the recording of telephone conversations [3] European Data Protection Board Guidelines 5/2020 on consent under Regulation 2016/679 (version 1.1, adopted on 4 May 2020), page 13. [4] See also the Danish Data Protection Authority's statement to the Alexandra Institute in the case with j.nr. 2023-211-0004: https://www.datatilsynet.dk/afgoerelser/afgoerelser/2024/jan/establering-og-deling-af-datasaet [5] The Danish Data Protection Authority notes in this connection that voice recognition technology is a more intrusive form of processing, which there must be (more) weighty reasons for using.
