{"id":2396,"date":"2019-06-25T16:15:25","date_gmt":"2019-06-25T15:15:25","guid":{"rendered":"https:\/\/staging.techgdpr.com\/?p=2396"},"modified":"2024-02-22T17:39:20","modified_gmt":"2024-02-22T16:39:20","slug":"personal-data-cold-calling-gdpr","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/","title":{"rendered":"Personal data and cold calling under the GDPR"},"content":{"rendered":"\n

A personal data focused analysis of how to practice cold calling in compliance with the GDPR.<\/strong><\/h2>\n\n\n\n

Cold calling individuals is like throwing a rock in a pond with the hope of catching a fish. Obviously, the success rate is high enough to justify manning the phone with a single person all the way up to outsourcing a floor\u2019s worth of call center advisers. But how can you continue making cold calls when you have purchased personal data?<\/span><\/span><\/p>\n\n\n\n

With lots being said about the GDPR signalling death of sales and marketing as we know it, it\u2019s hard to make sense of how much room remains for your organisation to call up an unsuspecting prospect in a compliant way. <\/span>While you can\u2019t avoid raising suspicion as to where the data subject\u2019s number originated from, there is a wide spectrum of practices ranging from downright non-compliance data collection to the fully-fulfilled duty to inform. <\/span>Though it is limiting to approach the Regulation with a single use case it remains the best way to avoid opening the floodgates to exceptions. For the purposes of this post, I\u2019ll cite the following example:<\/span><\/p>\n\n\n\n

\n

Having been called out of the blue by a company offering her to learn online trading, a good friend of mine inquired as to her data protection rights. When she asked the sales agent on call where he had found her number, he was quick to answer <\/span>his boss had provided it<\/span><\/i>. Concerned that having registered as a job candidate on several job sites in the past, her phone number might have been communicated to the company making the call that day, she also wanted help determining her rights as regards the company to whom she had initially entrusted her phone number.<\/span><\/p>\n<\/div>\n\n\n\n

Can personal data be sold and bought under the GDPR?<\/b><\/h2>\n\n\n\n

Inheriting personal data sets from a third party with no proper documentation (e.g.: legal basis for initial collection, records of the duty to inform being fulfilled by the initial controller, recorded consent or readily available consent matrix) is a liability for both the personal data broker and the purchaser. <\/span>At the very least, records of processing activities should establish a trace of the transaction since personal data sold to a third party is a data <\/span>transfer<\/b> to a <\/span>recipient<\/b>. Additionally, your organisation will need t<\/span>o prove that subjects were informed this transfer would take place or that you informed them within a month of purchasing their personal data that your organisation now processes it. More on this further on. <\/span><\/p>\n\n\n\n

Failing to document what information was communicated and what legal base apply violates both the data protection principles of lawfulness and transparency and that of purpose limitation, exposing you to the heaviest of fines: 4% of annual turnover.\u00a0If your organisation had purchased personal data from a third party source, don\u2019t hide that information. Should your staff turn down a data subject request to know what the origin of that data is, make sure the staff has been trained to recognize the request as a genuine data subject request<\/strong>. Article 14.2.f<\/a>) makes it compulsory for organisations to inform data subjects if requested as to the source of the data that was not collected from them directly.<\/span><\/p>\n\n\n\n

\n
\n

The worst scenario on your call-center floor is for an agent to downplay that request and respond that the subject\u2019s phone number was communicated by their line manager.\u00a0You may need to review your processes, knowledge base and staff training as to how to handle data subject requests<\/strong>. You would be surprised how many people use built-in or third party app call recorders on their phones<\/span><\/p>\n<\/div>\n\n\n\n

\n
\"\"<\/figure>\n<\/div><\/div>\n<\/div>\n\n\n\n

<\/span><\/p>\n\n\n\n

While you can sell and purchase personal data, you have to be very clear about it. Unlike the CCPA, the GDPR does not make it a requirement to disclose that the data will be sold, instead it makes it a requirement to disclose who<\/em> will be receiving<\/strong> it.<\/span><\/p>\n\n\n\n

In that respect, the CCPA more explicitly acknowledges the commercial uses of personal data. It makes it a requirement to disclose such uses, to provide subjects to opt their data out of the sale. To that respect, it allows for slightly more traceability in the data supply chain than the GDPR does. Keep in mind that small print at the end of a 10-page privacy policy will not impress authorities. Requirements of concision and clarity can be found in Article 12.1<\/a>.<\/span><\/p>\n\n\n\n

Can our organisation cold call data subjects?<\/b><\/h2>\n\n\n\n

Yes, it can.<\/span><\/p>\n\n\n\n

Central to data protection is your duty to inform. <\/span>Fulfilling it puts your organisation in line with GDPR’s principle of lawfulness, fairness and transparency (GDPR Art.5.1<\/a>).<\/span><\/p>\n\n\n\n

It is likely that the applicable legal basis for processing personal data in your case is legitimate interest<\/a>. Yet having determined an applicable legal base is not compliant unless the purpose and the legal base are formally communicated to the data subject.<\/span><\/p>\n\n\n\n

Can data subjects refuse to be the target of your direct marketing?<\/b><\/h2>\n\n\n\n

Yes, under Article 21.1<\/a> of the GDPR, an individual has the Right to Object. While, typically this right designed to put the burden of proof on the controller that its processing of personal data is done in the controller\u2019s legitimate interest, the data subject also has the right to outright object to the use of data for direct marketing. <\/span>This means that your company will have to <\/span>mark<\/b> the personal contact data to prevent it from being used for that purpose. This is one of the only technical and organisational measures<\/strong> explicited in the GDPR. Apply it if the data is nonetheless required to serve other purposes such as the performance of a contract. Should the data serve no other purpose, the best practice principles of data minimization and purpose limitation dictate the complete deletion of the personal data.<\/span><\/p>\n\n\n\n

As hinted above, do <\/span>not<\/span><\/i> expect the data subject to officially formulate a deletion or objection request via your data protection officer. Treat their request on the phone as officially as you can. Which naturally increases expectation on staff compliance training.<\/span><\/p>\n\n\n\n

Must I perform my duty to inform during the call?<\/b><\/h2>\n\n\n\n

Where the CCPA does not makes it compulsory for organisations to disclose having transferred or sold their data unless the subject requests to know<\/em>, the GDPR makes it a requirement to inform <\/span>proactively<\/span><\/i> about the transfer of personal data to a third party or <\/span>recipient<\/b>.<\/span><\/p>\n\n\n\n

While a strict reading of the GDPR might lead you to believe that you should read your complete privacy policy<\/strong> on the phone, in reality the situation is not that extreme but needs to be broken down at little.<\/span><\/p>\n\n\n\n

If, prior to the call, you have collected the contact information from the data subject, you will have already informed them, and collected consent (if such is your legal basis), on the purpose of processing. On the call itself, you might be inclined to remind the data subject of the legal base on which you are currently operating but there is no GDPR provision making this a requirement other than building trust and plain courtesy.<\/span><\/p>\n\n\n\n

If you have not collected data from the data subject but amassed their contact details from a different source, or <\/span>third party<\/b>, then, you should inform data subjects of your full identity and contact details<\/strong>, what data you have collected, under what legal base(s) you have done so, what retention period governs that data processing and what rights the data subjects can exercise. GDPR. Art.14.3a<\/a>) sets the duty to inform time frame to <\/span>within a reasonable period after obtaining the personal data<\/span><\/i> and no more than one month<\/strong>.<\/span><\/p>\n\n\n\n

Should you place a call to the data subject before having informed them of the above, you should understandably be prepared to read this information out to them and facilitate the exercise of their data subject rights (GDPR Art.12<\/a>).<\/span><\/p>\n\n\n\n

A full list of elements your communication should include is available in Articles 12 to 14<\/a>.<\/span><\/p>\n\n\n\n

What if the data subject actually consents to their data being used when on call?<\/b><\/h2>\n\n\n\n

Technically, you could record the call to document consent but consent for that form of data collection -audio recording- would first be needed. Recording a call is nothing short of collecting<\/strong> biometric<\/strong> and personal data<\/strong> and, in many cases, transferring<\/strong> that data to servers or cloud services across the Atlantic. If your cloud provider is not listed under the EU-US \/ Swiss-US Privacy Shield<\/strong> and no other legal instrument<\/strong> allows for that transfer, the call recording would fail the compliance test on many levels.<\/span><\/p>\n\n\n\n

A best practice often witnessed involves sending an opt-in email<\/strong> immediately after the call which recaps the essence of your phone conversation, what you agreed to share, the data the subject consented to disclosing and which were the purposes stated. You might want to consider including the date at which the conversation took place in the body of the text, i.e.: not relying on the email client\u2019s automated time stamp.<\/span><\/p>\n\n\n\n

Yes, your organisation can sell or purchase persona data and place cold calls.<\/strong><\/p>\n\n\n\n

The GDPR only prohibits both forms of personal data processing unless they are done unlawfully.
Unlawful data processing in the case of direct unsolicited marketing by phone is characterized by depriving data subjects of their rights, violating data protection principles of fairness, transparency and accountability, failing to inform them upon acquisition or collection of their data, depriving them of information when you first come in contact with a subject’s personal data and not supporting them in the exercise of their rights. If you have these items under control, you’re good to proceed with a fair degree of confidence in your compliance.<\/span><\/p>\n\n\n\n

If you need help with reviewing your data protection practices<\/strong>, your data flows, your compliance documentation and call center staff or management training,<\/span> get in touch<\/span><\/a>.
<\/span><\/p>\n\n\n\n

TechGDPR specialises in digitised environments and products including AI, machine-to-machine \/ IoT transactions and Blockchain applications. We offer consulting packages, hourly support, staff training and workshops<\/a>.
<\/span><\/p>\n\n\n\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

A personal data focused analysis of how to practice cold calling in compliance with the GDPR. Cold calling individuals is like throwing a rock in a pond with the hope of catching a fish. Obviously, the success rate is high enough to justify manning the phone with a single person all the way up to […]<\/p>\n","protected":false},"author":10,"featured_media":2403,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[10,11,7,23],"tags":[42,34,40,43,35,38],"class_list":["post-2396","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-beyond-eu","category-data-subjects","category-privacy-by-design","category-workshop","tag-call-center","tag-ccpa","tag-cold-calling","tag-compliance","tag-gdpr","tag-marketing"],"acf":[],"featured_image_urls":{"full":["https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash.jpg",1401,934,false],"thumbnail":["https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash-150x150.jpg",150,150,true],"medium":["https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash-300x200.jpg",300,200,true],"medium_large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash-768x512.jpg",640,427,true],"large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash-1024x683.jpg",640,427,true],"1536x1536":["https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash.jpg",1401,934,false],"2048x2048":["https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash.jpg",1401,934,false],"image-200-200":["https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash.jpg",200,133,false]},"post_excerpt_stackable":"

A personal data focused analysis of how to practice cold calling in compliance with the GDPR. Cold calling individuals is like throwing a rock in a pond with the hope of catching a fish. Obviously, the success rate is high enough to justify manning the phone with a single person all the way up to outsourcing a floor\u2019s worth of call center advisers. But how can you continue making cold calls when you have purchased personal data? With lots being said about the GDPR signalling death of sales and marketing as we know it, it\u2019s hard to make sense of…<\/p>\n","category_list":"Beyond EU<\/a>, Data Subjects<\/a>, Privacy by Design<\/a>, Workshop<\/a>","author_info":{"name":"Alex Carroll","url":"https:\/\/techgdpr.com\/blog\/author\/alex\/"},"comments_num":"0 comments","featured_image_urls_v2":{"full":["https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash.jpg",1401,934,false],"thumbnail":["https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash-150x150.jpg",150,150,true],"medium":["https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash-300x200.jpg",300,200,true],"medium_large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash-768x512.jpg",640,427,true],"large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash-1024x683.jpg",640,427,true],"1536x1536":["https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash.jpg",1401,934,false],"2048x2048":["https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash.jpg",1401,934,false],"image-200-200":["https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash.jpg",200,133,false]},"post_excerpt_stackable_v2":"

A personal data focused analysis of how to practice cold calling in compliance with the GDPR. Cold calling individuals is like throwing a rock in a pond with the hope of catching a fish. Obviously, the success rate is high enough to justify manning the phone with a single person all the way up to outsourcing a floor\u2019s worth of call center advisers. But how can you continue making cold calls when you have purchased personal data? With lots being said about the GDPR signalling death of sales and marketing as we know it, it\u2019s hard to make sense of…<\/p>\n","category_list_v2":"Beyond EU<\/a>, Data Subjects<\/a>, Privacy by Design<\/a>, Workshop<\/a>","author_info_v2":{"name":"Alex Carroll","url":"https:\/\/techgdpr.com\/blog\/author\/alex\/"},"comments_num_v2":"0 comments","yoast_head":"\nPersonal data and cold calling under the GDPR - TechGDPR<\/title>\n<meta name=\"description\" content=\"A personal data focused analysis of cold calling, and how to do sales (and cold calling) it in a GDPR compliant manner.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Personal data and cold calling under the GDPR - TechGDPR\" \/>\n<meta property=\"og:description\" content=\"A personal data focused analysis of cold calling, and how to do sales (and cold calling) it in a GDPR compliant manner.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/\" \/>\n<meta property=\"og:site_name\" content=\"TechGDPR\" \/>\n<meta property=\"article:published_time\" content=\"2019-06-25T15:15:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-22T16:39:20+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1401\" \/>\n\t<meta property=\"og:image:height\" content=\"934\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Alex Carroll\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Qual2Privacy\" \/>\n<meta name=\"twitter:site\" content=\"@techgdpr\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Alex Carroll\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/personal-data-cold-calling-gdpr\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/personal-data-cold-calling-gdpr\\\/\"},\"author\":{\"name\":\"Alex Carroll\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/person\\\/c2bece665e6d3fdd4a8d10c5f7c2a26a\"},\"headline\":\"Personal data and cold calling under the GDPR\",\"datePublished\":\"2019-06-25T15:15:25+00:00\",\"dateModified\":\"2024-02-22T16:39:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/personal-data-cold-calling-gdpr\\\/\"},\"wordCount\":1672,\"publisher\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/personal-data-cold-calling-gdpr\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2019\\\/06\\\/Photo-by-NeONBRAND-on-Unsplash.jpg\",\"keywords\":[\"call center\",\"CCPA\",\"Cold calling\",\"compliance\",\"GDPR\",\"marketing\"],\"articleSection\":[\"Beyond EU\",\"Data Subjects\",\"Privacy by Design\",\"Workshop\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/personal-data-cold-calling-gdpr\\\/\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/personal-data-cold-calling-gdpr\\\/\",\"name\":\"Personal data and cold calling under the GDPR - TechGDPR\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/personal-data-cold-calling-gdpr\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/personal-data-cold-calling-gdpr\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2019\\\/06\\\/Photo-by-NeONBRAND-on-Unsplash.jpg\",\"datePublished\":\"2019-06-25T15:15:25+00:00\",\"dateModified\":\"2024-02-22T16:39:20+00:00\",\"description\":\"A personal data focused analysis of cold calling, and how to do sales (and cold calling) it in a GDPR compliant manner.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/personal-data-cold-calling-gdpr\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/techgdpr.com\\\/blog\\\/personal-data-cold-calling-gdpr\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/personal-data-cold-calling-gdpr\\\/#primaryimage\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2019\\\/06\\\/Photo-by-NeONBRAND-on-Unsplash.jpg\",\"contentUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2019\\\/06\\\/Photo-by-NeONBRAND-on-Unsplash.jpg\",\"width\":1401,\"height\":934},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/personal-data-cold-calling-gdpr\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/techgdpr.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Personal data and cold calling under the GDPR\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#website\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/\",\"name\":\"TechGDPR\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/techgdpr.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\",\"name\":\"TechGDPR\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/staging.techgdpr.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/TGDPR_logo_500px.png\",\"contentUrl\":\"https:\\\/\\\/staging.techgdpr.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/TGDPR_logo_500px.png\",\"width\":501,\"height\":334,\"caption\":\"TechGDPR\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/techgdpr\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/techgdpr\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/person\\\/c2bece665e6d3fdd4a8d10c5f7c2a26a\",\"name\":\"Alex Carroll\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/Alex_OF_5121_700-150x150.jpg\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/Alex_OF_5121_700-150x150.jpg\",\"contentUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/Alex_OF_5121_700-150x150.jpg\",\"caption\":\"Alex Carroll\"},\"description\":\"Alex\u2019s consulting experience in data protection and information security is supported by a decade in adult training and course design. Specialised in normative frameworks and quality management he has developed decision-making tools and guidance for process management for numerous organisations. In 2018, he joined TechGDPR with the intention of helping organisations through risk-based security management, accountability and the GDPR compliance lifecycle. He has since then acquired 5 data protection and security certifications, supporting a variety of clients in privacy program development, auditing, ISO 27001 implementation support, delivering data protection training and privacy engineering.\",\"sameAs\":[\"https:\\\/\\\/techgdpr.com\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/wgp01\\\/\",\"https:\\\/\\\/x.com\\\/Qual2Privacy\"],\"url\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/author\\\/alex\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Personal data and cold calling under the GDPR - TechGDPR","description":"A personal data focused analysis of cold calling, and how to do sales (and cold calling) it in a GDPR compliant manner.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/","og_locale":"en_US","og_type":"article","og_title":"Personal data and cold calling under the GDPR - TechGDPR","og_description":"A personal data focused analysis of cold calling, and how to do sales (and cold calling) it in a GDPR compliant manner.","og_url":"https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/","og_site_name":"TechGDPR","article_published_time":"2019-06-25T15:15:25+00:00","article_modified_time":"2024-02-22T16:39:20+00:00","og_image":[{"width":1401,"height":934,"url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash.jpg","type":"image\/jpeg"}],"author":"Alex Carroll","twitter_card":"summary_large_image","twitter_creator":"@Qual2Privacy","twitter_site":"@techgdpr","twitter_misc":{"Written by":"Alex Carroll","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/#article","isPartOf":{"@id":"https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/"},"author":{"name":"Alex Carroll","@id":"https:\/\/techgdpr.com\/#\/schema\/person\/c2bece665e6d3fdd4a8d10c5f7c2a26a"},"headline":"Personal data and cold calling under the GDPR","datePublished":"2019-06-25T15:15:25+00:00","dateModified":"2024-02-22T16:39:20+00:00","mainEntityOfPage":{"@id":"https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/"},"wordCount":1672,"publisher":{"@id":"https:\/\/techgdpr.com\/#organization"},"image":{"@id":"https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/#primaryimage"},"thumbnailUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash.jpg","keywords":["call center","CCPA","Cold calling","compliance","GDPR","marketing"],"articleSection":["Beyond EU","Data Subjects","Privacy by Design","Workshop"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/","url":"https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/","name":"Personal data and cold calling under the GDPR - TechGDPR","isPartOf":{"@id":"https:\/\/techgdpr.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/#primaryimage"},"image":{"@id":"https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/#primaryimage"},"thumbnailUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash.jpg","datePublished":"2019-06-25T15:15:25+00:00","dateModified":"2024-02-22T16:39:20+00:00","description":"A personal data focused analysis of cold calling, and how to do sales (and cold calling) it in a GDPR compliant manner.","breadcrumb":{"@id":"https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/#primaryimage","url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash.jpg","contentUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2019\/06\/Photo-by-NeONBRAND-on-Unsplash.jpg","width":1401,"height":934},{"@type":"BreadcrumbList","@id":"https:\/\/techgdpr.com\/blog\/personal-data-cold-calling-gdpr\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/techgdpr.com\/"},{"@type":"ListItem","position":2,"name":"Personal data and cold calling under the GDPR"}]},{"@type":"WebSite","@id":"https:\/\/techgdpr.com\/#website","url":"https:\/\/techgdpr.com\/","name":"TechGDPR","description":"","publisher":{"@id":"https:\/\/techgdpr.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/techgdpr.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/techgdpr.com\/#organization","name":"TechGDPR","url":"https:\/\/techgdpr.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/#\/schema\/logo\/image\/","url":"https:\/\/staging.techgdpr.com\/wp-content\/uploads\/2018\/04\/TGDPR_logo_500px.png","contentUrl":"https:\/\/staging.techgdpr.com\/wp-content\/uploads\/2018\/04\/TGDPR_logo_500px.png","width":501,"height":334,"caption":"TechGDPR"},"image":{"@id":"https:\/\/techgdpr.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/techgdpr","https:\/\/www.linkedin.com\/company\/techgdpr"]},{"@type":"Person","@id":"https:\/\/techgdpr.com\/#\/schema\/person\/c2bece665e6d3fdd4a8d10c5f7c2a26a","name":"Alex Carroll","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/wp-content\/uploads\/2024\/03\/Alex_OF_5121_700-150x150.jpg","url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2024\/03\/Alex_OF_5121_700-150x150.jpg","contentUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2024\/03\/Alex_OF_5121_700-150x150.jpg","caption":"Alex Carroll"},"description":"Alex\u2019s consulting experience in data protection and information security is supported by a decade in adult training and course design. Specialised in normative frameworks and quality management he has developed decision-making tools and guidance for process management for numerous organisations. In 2018, he joined TechGDPR with the intention of helping organisations through risk-based security management, accountability and the GDPR compliance lifecycle. He has since then acquired 5 data protection and security certifications, supporting a variety of clients in privacy program development, auditing, ISO 27001 implementation support, delivering data protection training and privacy engineering.","sameAs":["https:\/\/techgdpr.com\/","https:\/\/www.linkedin.com\/in\/wgp01\/","https:\/\/x.com\/Qual2Privacy"],"url":"https:\/\/techgdpr.com\/blog\/author\/alex\/"}]}},"_links":{"self":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/2396","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/comments?post=2396"}],"version-history":[{"count":23,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/2396\/revisions"}],"predecessor-version":[{"id":8138,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/2396\/revisions\/8138"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/media\/2403"}],"wp:attachment":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/media?parent=2396"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/categories?post=2396"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/tags?post=2396"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}