Privacy policy: Recording of calls

Administer Plc is committed to processing personal data collected in connection with call recordings in accordance with this Privacy Policy and applicable data protection laws. We encourage our customers, service users, and partners to review this Privacy Policy.

1. Data Controller

This privacy policy applies to the recording of calls carried out as part of the customer and stakeholder services provided by the companies within Administer Plc’s (“Administer”) accounting services business. The following companies act as joint data controllers:

  • Administer Plc
  • Administer Oy Jämsä
  • Fin/Admin Oy
  • Fin/Liksa Oy
  • Serveria Oy
  • WaBuCo Financial Services Oy

Administer Plc is responsible for IT maintenance and acts as the central point of contact for data protection matters.

Administer Plc
Konepajankuja 3
00510 Helsinki
Business ID: 0593027–4
Phone: 020 703 2000

Inquiries regarding the registry

Administer Plc’s customer service is available Monday to Friday from 9:00 to 15:30. You can contact customer service:

Administer Plc’s Data Protection Officer: Anja Hänninen
Phone: +358 40 5220 621
Email: tietosuoja@administer.fi

2. Purposes of processing and legal basis

Purpose of processing personal data

Calls are recorded at Administer to ensure customer service and service quality, as well as to improve operations. The recordings are used, among other things, to monitor the quality of customer service, for staff training and supervision, and to develop service processes. In addition, call recording is necessary to verify the content of customer requests and orders, to investigate potential errors or misunderstandings, and to handle complaints, customer grievances, and other requests for clarification.

Call recordings also play a significant role in the preparation, presentation, and defense of legal claims when the recording serves as essential evidence, for example, in cases of disputes or complaints. Recording also serves security purposes, such as investigating misconduct, harassment, or threatening situations, as well as handling information security and data protection breaches.

The data subject is informed of the recording at the beginning of the call via an announcement.

Legal basis for processing

The recording of calls is primarily based on Administer’s legitimate interest (GDPR Article 6(1)(f)). This legitimate interest covers customer service, ensuring and systematically improving service quality, staff training and supervision, documenting operations, and resolving errors and ambiguities. Recordings may also be used in the preparation, presentation, and defence of legal claims when the content of the call serves as evidence, for example, in complaint or dispute situations. Administer has assessed the impact of the processing on the data subject’s rights and conducted a legitimate interest balancing test to ensure that the processing is necessary, proportionate, and in line with the data subject’s expectations.

To the extent that the call relates to a contract or assignment with the customer or their employer, the processing of personal data is also necessary for the performance of the contract or the fulfilment of related obligations (GDPR 6.1 b). Such situations may include, for example, ordering a service, clarifying the details of an assignment, resolving issues related to the assignment, or handling matters related to billing. In such cases, the recording serves as a means of verifying the content of the call and ensuring the proper fulfilment of obligations under the contract.

3. Personal Data Processed

The personal data contained in the recordings depends on what the parties to the call disclose during the call and what technical data the telephone system generates in connection with the call. Call recording applies to numbers starting with 020 703.

Data processed in connection with recording

The audio recording of the call contains:

  • the voices of the parties to the call
  • the names, positions, and employers of the parties to the call, if these are mentioned during the call
  • other personal data discussed during the call, such as information related to the service, assignment, payroll, accounting, or other customer matters that the caller or an Administer employee brings up during the conversation

Technical and identification data of the call (metadata):

  • the caller’s or recipient’s phone number
  • the time of the call (date and time)
  • the duration of the call
  • information on call routing (e.g., which customer service number the call was routed to)

Customer relationship data, when available and linked to the call:

  • company name, business ID
  • customer number or other unique identifier
  • information on ongoing services or assignments
  • notes related to complaints, requests for clarification, or customer support that are necessary for handling the matter

The data subject can decide for themselves what information they provide during the call. The data subject is advised to avoid disclosing sensitive personal data during the call unless its processing is necessary for handling the matter.

4. Regular Sources of Information

Personal data processed in connection with call recording is primarily obtained directly from the data subject.

When the content of a call relates to an existing customer relationship or assignment, an Administer employee may, during the call, view customer-related information from the systems used by Administer. In these situations, personal data originating from these systems is included in the recording to the extent that it was part of the conversation and necessary for handling the matter. During the call, information may also have been processed that originates from registers maintained by public authorities or that was obtained during a call with a public authority.

Technical identification data related to the call, such as the phone number, time, and duration, are automatically generated by the telephone and recording systems used by Administer.

5. Disclosure and Transfer of Data

Administer complies with data protection legislation regarding the disclosure and transfer of personal data. Call recordings are generally processed within Administer, and data is not disclosed outside the company except when necessary to use the systems and services of technical service providers acting on Administer’s behalf. These service providers include, for example, entities that provide telephone switchboard and call management services, call recording systems, and IT and data center services, whose solutions are required for the processing, recording, and secure storage of calls. Administer enters into data processing agreements with these service providers and requires that personal data be processed only in accordance with Administer’s instructions and the purposes of this privacy policy.

If required by law or a competent authority, personal data may be disclosed to authorities, for example, to investigate misconduct or to address legal claims.

Transfer of Personal Data Outside the EU/EEA

Personal data will not be transferred outside the EU or the EEA.

6. Retention period for personal data

Call recordings are retained only for as long as necessary to fulfil their intended purposes or for the period required by applicable law.

As a general rule, call recordings are retained for a maximum of 3 years from the date of the call. Recordings may be retained for a longer period if necessary, due to an ongoing complaint, dispute, or other investigation; to prepare, file, or defend a legal claim; or in situations where legislation requires a longer retention period.

When the retention period ends, the recordings are deleted in accordance with secure information security practices.

7. Protection of Personal Data

Administer has implemented appropriate technical and organizational measures to protect personal data against accidental or unlawful loss, disclosure, misuse, alteration, destruction, or unauthorized access. Personal data is protected using firewalls and encryption solutions, and the equipment rooms in use are monitored and protected by access control. System data is backed up regularly and Administer adapts its security measures to keep pace with the continuous development of technology and the operating environment. Administer also ensures that service providers processing personal data on its behalf have appropriate security measures in place and that a contract required by the GDPR has been entered into regarding such processing.

Staff involved in the processing of personal data have signed a security and data protection commitment and have received the guidance and training required for their duties. Access to the registry is restricted by user permissions so that only those employees who have the right and need to access the records based on their job duties can do so. Access rights are assigned on a tiered basis and are subject to continuous monitoring with respect to their granting and use. Access rights that are not necessary for the performance of duties are revoked.

8. Automated Decision-Making and Profiling

Call recordings and the personal data they contain are not used for automated decision-making or profiling.

9. Rights of the Data Subject

You have rights regarding the processing of your personal data in accordance with the EU General Data Protection Regulation. The administrator will process all requests submitted by the data subject without undue delay and no later than one month after receiving the request. If necessary, this period may be extended by up to two months due to the complexity or volume of the request. Administer may request additional information to verify your identity before disclosing the data.

Data subject rights regarding call recordings

  • Right of access to data (right to inspect): You have the right to access the call recording concerning you or information related to it.
  • Right to rectification: If you notice an error in your personal data, you have the right to request that it be corrected. The audio recording cannot be technically edited, but a corrective note can be attached to the incorrect information.
  • Right to erasure (“right to be forgotten”): You may request the erasure of your personal data in certain situations, for example, when the data is no longer necessary for its original purpose. However, the recording cannot always be deleted, for example if its retention is necessary to process a legal claim.
  • Right to restrict processing: You may request that the processing of the recording and your personal data contained therein be restricted, for example, when you dispute the accuracy of the data or the lawfulness of the processing. The restriction remains in effect while the matter is being investigated.
  • Right to object to processing: When the processing of personal data is based on a legitimate interest, you have the right to object to the processing based on your specific personal circumstances. The controller may continue the processing only if it can demonstrate a compelling and legitimate reason for the processing. You always have the right to object to the processing of your personal data for direct marketing purposes.
  • Right to withdraw consent: To the extent that the processing of personal data is based on your consent, you may withdraw your consent at any time.
  • Right to data portability: This right applies to personal data that you have provided to Administer yourself and that is processed automatically on the basis of consent or a contract. Regarding call recordings, this right is limited in practice.

Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates applicable data protection regulations.

The contact details for the national supervisory authority, the Data Protection Ombudsman, are:

Office of the Data Protection Ombudsman
P.O. Box 800, Lintulahdenkuja 4, 00531 Helsinki
Tel. 029 56 66700
tietosuoja@om.fi / https://tietosuoja.fi/en/home

You can report any issues regarding the processing of personal data on the Data Protection Office’s website: https://tietosuoja.fi/en/report-of-fault-in-personal-data-processing.

10. Contact Information

For all questions regarding the processing of personal data and the rights of data subjects, please contact the parties listed at the beginning of this privacy policy.