The General Data Protection Regulation (GDPR) is set to expand on current data protection laws whilst introducing a range of new penalties. These regulations will affect how businesses use data, and call centers, which handle personal data in vast volumes, will especially be affected by these changes.

Will Cold Calling be permitted?

Fortunately, yes. But in order to cold call, you will likely need to conduct “balancing tests”.

Direct marketing calls will reiterate the regulations that are already in place in the PECR such as following rules regarding TPS, presenting a valid CLI, and the requirement to identify clearly the organisation for which you are making the call.

Wholesale AZ VoIP Termination: Legal Basis for Consumer Data

An organisation must now satisfy requirements to be able to use personal data for business activities. For example, noting down a customer’s phone number in a book to call them later is classed as processing personal data; storing a CV in a filing cabinet is also classed as processing personal data.

Personal data counts as anything that can be used to identify someone, including names, email addresses, home addresses and phone numbers. This means that GDPR has implications for almost all data that is included in everyday operations within a call center.

The six reasons a business can legally use personal data are:
  1. If you are given explicit consent to use an individual’s data, you may use it for that purpose.
  2. If you are entering into a contract and must use their data to fulfill the contract.
  3. If you are legally bound to use an individual’s personal data.
  4. If processing is necessary to protect an individual’s vital interests, such as well-being or health.
  5. If using the data is vital for carrying out a task to benefit the public interest.
  6. You can demonstrate legitimate interests are not overridden by their fundamental freedoms and rights.

Consent is specific to the particular use of an individual’s data. If the way you plan to use the data significantly differs to the use they have consented to, then the consent is void and does not apply to this use. For example, if an individual gives their consent to contact them by e-mail, you cannot call them instead. They must fulfill one of the other five criteria for consent to do so.

How can you Cold Call?

Assuming your data lists contain individuals for whom you do not have explicit consent to call, and the criteria above are not met, how can you legally use their personal data, such as phone number, to make calls?

This is listed in the criteria for GDPR, number 6, which states that “legitimate interests” of your business are not disregarded by the fundamental freedoms and rights or interests of the person you are calling. This comparison of interests is called the “balancing test”, and all employees within a call center environment must become familiar with this before 25th May.

Legitimate Interests Clause

The clause for “legitimate interests” is not an easy or back-door option that allows businesses to apply personal data without further consideration.

The GDPR contains balances and built-in checks to ensure that you have considered your business’ legitimate interests and how you impact each individual concerned if you are relying on this clause. These balances and checks also require documentation as proof that you have completed the necessary steps. There are substantial fines if you do not adequately complete these checks.

Legitimate interest can be defined as the benefit your business is looking to achieve by utilizing the personal data, such as creating employment, generating profit or providing high-quality services and goods. They must comply with the law, generally benefit society and there must be no attempt to deceive or mislead customers.


In cases where both sides of the balancing test are equal, GDPR requires that “safeguards” be provided to minimize the risk when using an individual’s personal data. Some safeguards are optional, whereas some are mandatory, such as:

  • People can opt-out easily from further use of their personal data, ensuring registration with TPS, which means no cold calls are made to these numbers. Third party opt-ins are also no longer valid.
  • Documented, strict limitations are placed on the quantity of data collected and the length of time it is kept, known as data minimization.
  • For example, if you do not need an individual’s date of birth, there is no need to ask for it. If you no longer need details within a database then ensure they are deleted.
  • Data Protection Impact Assessment are conducted regularly.
  • The provision of staff training to ensure that affected team members know how to manage requests for information, correction and deletion of data.