When designing Over.ai, we planned in advance to comply with applicable privacy laws and call recording laws. Our service is here to ensure your customers’ privacy and does not share the contents of their calls with any person. It only allows you to access information you already have, and that you have received consent to use.
This guide is meant to assist you in integrating Over.ai and using it in the most compliant manner with EU privacy laws.
We’ll go over some of the material principles of the GDPR, the General Data Protection Directive, and provide you with the proper tools.
Please note that we are solely a platform; this means that we are indifferent to the data types stored on our service, and we are agnostic as to whether stored data is considered Personal Data under the GDPR or is plain data.
The first and foremost purpose of the GDPR is to ensure that you process data only if you have obtained the consent of the data subject (the person whose data is stored) or the processing is otherwise permitted under Article 6.
Article 6 provides a short list of cases where data may be processed without consent, which includes: “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; processing is necessary for compliance with a legal obligation to which the controller is subject; processing is necessary in order to protect the vital interests of the data subject or of another natural person; processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
Therefore, we require that you either obtain consent from the people whose calls you allow us to process, or fall under one of the other items.
How Do We Recommend That You Obtain Consent?
Another method to obtain consent is to include a clause in the agreements you may have with the clients who call you that lets them know.
Please make sure that the consent provided is specific rather than broad, and that it is not implied but explicit and freely given.
Legal And Lawful Purpose
Using Over.ai’s services is meant for a lawful purpose and according to the data subject’s expectations.
The data should not be used for a purpose that is wider than originally intended. If you received data for the purpose of scheduling a doctor appointment, for example, you may not use it later on for marketing efforts. You should avoid using vague statements such as “we use your contact information to provide you with the service and to contact you with promotional offers”. Your purposes should be limited to the services you provide.
In that manner, for example, you cannot analyze your caller information for purposes for which you did not receive consent, and you cannot ask for consent for a wider scope than needed.
Review and Amend
The GDPR requires that data subjects shall have the right to review all personal data that is stored. We provide this option by giving end-users a copy of their call recordings, transcripts or other data that might be stored. You can automate this process with our filters.
You may also contact us directly if you receive such a request from one of your data subjects and we will manually assist you.
Right To Be Forgotten
The right to be forgotten, or the right to be removed from databases when such information is no longer relevant, is a feature we offer our customers. If you wish to allow your data subjects to remove data, you need to make sure that you have no legal obligation to continue to keep such records.
This means that if the statute of limitations in your jurisdiction is five years, and a data subject made a call today complaining about bad cable service, you need to keep this record for the duration of the statute of limitations in case you receive a claim based on such complaint.
We allow removal based on either manual requests or automated calls you make via our API.
We provide data breach notifications both immediately in severe cases and in minor cases where we believe the breach may affect people in any form. We require that all our customers maintain the same policy.
Data Protection Officers
We employ a local data protection officer who is meant to inspect, instruct and deal with all privacy issues. We have a team of experts who assist us in developing our product in a privacy-based manner.