With a continued focus on Personal Data, how companies handle it, and compliance with GDPR laws, you may ask yourself: is Freespee GDPR compliant?
Well, the short answer is yes, we are. Within the context of GDPR, Freespee is the data processor, while each of Freespee's customers is a data controller. The people communicating with the data controller (our customers) are data subjects.
Different Roles
As data controllers, Freespee customers get to decide what personal data should be stored and how long it should be retained. They should also manage any requests from data subjects for access to their personal data, or for their personal data to be deleted.
As data processor, on the other hand, Freespee acts on behalf of the data controller when handling the data that reaches us. Freespee stores and processes personal data securely and prevents unauthorised access, and we implement our data controllers' instructions for storing and retaining personal data. We also process any data subject requests that are approved by the data controller, or alternatively we offer the data controller facilities to implement those requests.
The precise details are agreed in a data processing agreement or "DPA" between Freespee and each customer, or in Freespee's Privacy Policy.
Personal Data
Freespee can collect and store the following personal data:
- Home telephone or mobile number
- Email address
- IP address
- Device type
- Text message content
- Online form content
- Voice recordings
Freespee does not store full IP addresses. The only way Freespee data can be used to identify a person’s online activity is via the phone number they used to call a Freespee number.
Retention Period
Data controllers decide how long personal data should be retained, after considering how long personal data is needed:
• To allow communications with that person by phone or SMS
• To comply with legal requirements
After the retention period, Freespee automatically and irreversibly anonymises phone numbers, and deletes call recordings, voicemails, and SMS text messages.
We continue to store metadata for an extended period to support historical statistical analysis of customer behavior. After phone numbers have been anonymised, this metadata is no longer personally identifiable.
Sensitive information
Freespee recommends that customers do not record calls where there is an expectation that sensitive personal information might be recorded, such as, but not limited to, medical, ethnic, or credit card information.
Lawful Grounds for Personal Data Processing
Data controllers are responsible for deciding the lawful grounds for processing personal data.
For example, data controllers may decide:
• That the data controller has a legitimate reason to store phone numbers and call data to facilitate further communications, for example, to return a call.
• That data subjects need to give consent, and how that consent should be obtained.
• Before recording a call, Freespee plays an audio file provided by the data controller explaining that the call is being recorded. Then, callers can choose to accept or decline the call being recorded.
Security
All personal data, including call metadata and recordings, is stored in encrypted databases. Data is encrypted at rest and in transit. Freespee databases are not directly accessible externally and all access points are secured.
To add to your peace of mind, we are proud to announce Freespee is ISO 27001 Certified, as a testament to our data handling and security.