Blog

Many companies provide telephone assistance in Hungary. The lessons learned from the recent epidemiological emergency might even upgrade their significance. Regarding the operation of telephone assistance services, the companies have to meet both consumer protection and data protection requirements. This year, the former bears particular significance because the Hungarian Consumer Protection Authority is continuously monitoring between April and August whether the consumer assistance services are operated in accordance with the rules.

In our article we aim to outline the most important regulations of consumer and data protection, trusting that it will serve as a crutch to all those who decide to seek help via telephone assistance.

1. Consumer Protection Rules

The companies which operate customer services via phone can be classified into two major groups: (i) the ones which are obliged to do so and (ii) those ones which opted for setting up one voluntarily. Category (i) contains those companies which provide public services (such as central heating suppliers or chimney sweeping companies), and the companies which are required to uphold telephone assistance set out by other laws (e.g. electronic communication service providers).

Act CLV of 1997 on Consumer Protection (“Consumer Protection Act”) requires only the companies in category (i) to apply the so-called „five minutes rule” as it is generally referred to by the public. This rule sets a reasonable timeframe for answering the call and handling the case. It starts from the instant the connection between the consumer and the company has been established. Those cases might be exceptions when the company cannot answer the call due to an unavoidable cause outside its sphere of activity. In these cases the burden of proof is on the company.

Apart from the “five minutes rule”, the Consumer Protection Act sets out further requirements for the companies in category (i). For example, the company shall make the live voice answering available as the first option in its menu without identifying the consumer. Furthermore, the company is obliged to record all the complaints submitted via phone and the conversations taking place between the company and the consumer. All the voice records shall be assigned to an identification number of which the consumers have to be informed. Beside the voice recording, it is also compulsory to keep record except for the cases when the voice records include all the relevant and necessary information which the record needs to contain and the consumer consents to the omission of the record.

The companies belonging to category (ii) are not expected to comply with the afore-mentioned rules but they may take it into consideration in order to handle complaints efficiently.

2. Data Protection Rules

Upon providing telephone customer services, data processing occurs regardless of whether or not a voice record is made. Accordingly, it is important that the data controller informs the data subject of the forthcoming data processing. The data controller shall also provide the data subject the opportunity to meet the data protection policy of the company in advance. This does not mean the “five minutes rule” requires the companies belonging to category (i) to rattle off the entire data protection policy at the beginning of the conversation. However, it might be reasonable to brief the fundamental information, especially when the conversation is recorded. Such information could include the name of the data controller, the fact of making a voice record and the duration of its keeping, and the access to further information (e.g. aspecific menu option on the company’s website or the concerning part of the contract between the consumer and the service provider).

The legal basis of data processing is also an important issue. Where a sectoral law stipulates the making of voice records, the legal basis shall only be the compliance with a legal obligation or the performance of a task carried out in the public interest [Article 6 (1) (c) or (e) of the GDPR]. The service providers providing telephone assistance voluntarily need other legal grounds to process data lawfully. Such a legal ground could be the legitimate interests of the data controller [Article 6 (1) (f) of the GDPR]. The legitimate interests shall be determined by the data controller who needs to support them through the balance of interests test. The prior consent of the consumer [Article 6 (1) (a) of the GDPR] could also serve as a legal basis for data processing in the case of voluntary operation. The mentioned legal grounds could also be applied by service providers obliged by the law to record only certain conversations (e.g. complaint handling) but wishing to record other telephone calls too (e.g. requests for information).

Whenever a voice record is made, the questions of the term and manner of storing arise. The relevant sectoral laws either regulate the term of storing of all types or focus only on a specific sphere of voice records. For example, the Consumer Protection Act obliges public service companies to keep voice records for five years. As regards electronic communication service providers, Act C of 2003 on Electronic Communications sets a one-year-long storing term for voice records related to fault reports. In case of service providers – whether from category (i) or (ii) – for which the law does not determine a compulsory storing term, it is the data controller’s duty to do so.

It is also a data protection requirement to make the voice record available to the data subject and, if the conditions are met, the data subject may also request for its erasure (the latter cannot be asked for in case of compulsory data processing).

Telephone assistance can serve as an efficient tool of assisting consumers. If, however, the service providers do not meet their obligations set out by the law, the consumers can turn to the Consumer Protection Authority and/or the Hungarian Data Protection Authority. Administrative fines may be imposed for infringements of both data protection and consumer protection rules. The Consumer Protection Authority reported that last year fines due to such infringements were imposed in the value of more than HUF 2.500.000.  Pursuant to the GDPR, the Data Protection Authority may impose fines that surpass the above-mentioned sum in any single case (the GDPR determines the upper limit in EUR 20,000,000).

Dr. Aliz Póczek

Translation: Máté Szili

Photo credit: pexels.com