The EU Data Protection Directive (95/46/EC) defines personal data as follows:
“Personal data shall mean any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
Within the enterprise messaging ecosystem, personal data means anything that addresses or uniquely identifies the Data Subject (the consumer), including:
- MSISDN and IMSI numbers, which are used to identify a mobile phone number, operator and consumer
- Email address
- OTT address (e.g. a user’s Skype or Facebook username or address)
- IP address (which identifies any device that uses Internet Protocol for communication)
- A combination of communications metadata, e.g. time of a message combined with the sender of a message (e.g. a bank) that could uniquely identify an individual
However, in addition to this, GDPR covers the personal data that could be contained within a message, including:
- A user’s name
- Bank account and credit card numbers
- Driver’s license and car registration numbers
- National Insurance or other ID numbers
- Policy numbers and booking references
- A combination of identification elements e.g. physical characteristics, place, occupation etc.
GDPR also defines Sensitive Data, which requires additional safeguards and explicit permission to be stored:
- Racial or ethnic origin, religious or philosophical beliefs and political opinions
- Sex life, health and genetic data
- Biometric data
- Criminal records
Under GDPR, the collection and processing of personal data must be for “specified, explicit, and legitimate purposes”, and have a legal basis. A Data Controller or Processor needs to have at least one of the legal reasons listed below to have the right to store and process personal data.
What is the legal basis for CPaaS providers to process and store message data?
CPaaS providers, in their capacity as a Data Processor or Sub-Processor, do not require consent from the Data Subject to store and process their Personal Data.
CPaaS providers typically have two reasons for lawful processing. They have a legal basis because they have to fulfil the contract with the Data Controller to store and process the messages sent to them by the Data Controller. They also have a legal obligation to comply with telecommunications legislation, which requires the storage of communications logs for a period.
This period differs from country to country, but should be considered as a legal basis for storing some data. The legal reasons to store and process personal data are:
- Consent - the data subject has freely given their consent for their information to be stored and processed for a specific purpose
- The performance of a contract - the most likely reason that messaging aggregators and CPaaS providers will store personal data
- Legal obligations - common in communications such as legal intercept legislation and criminal investigations
- To protect a person’s vital interests – e.g. a hospital trying to save an individual’s life
- It’s in the public interest / public tasks – e.g. tax collection, passport, driver’s license processing
- Legitimate interests – e.g. fraud prevention or credit checks
Originally Published by CLX Communications