What you need to know.

Many aspects of GDPR are increasingly being seen as excessive regulation having little to do with the concrete protection of data subjects. However, this is different when it comes to the rights of data subjects. If someone wishes to unsubscribe from a newsletter or wants to know if his or her address is still correct, there is indeed little to discuss. Here, the commercial interest of the company goes hand in hand with the GDPR interests. From a commercial point of view as well, a company has every interest in meeting such wishes and alleviating such concerns of its customers.

Experience has taught us that customers often first turn to the customer service department of the company involved (or any other service that can be contacted according to the privacy statement). Incidentally, in some member states, including Belgium, the Netherlands and France, the data protection authority requires the data subject to first contact the company before filing an official complaint. As a result, the customer service of companies is often a customer’s first point of contact for his or her questions and concerns.   

Customers can request to access their personal data, delete their personal data, unsubscribe from direct marketing, etc. In addition, they can also express more general concerns (whether justified or not) regarding the processing of their personal data. If these requests or concerns are not answered correctly, or only incompletely (or even go entirely without response), this is absolutely undesirable from a commercial point of view, and there is a real chance that the customer will turn to the data protection authority in second instance. Conversely, good communication can strengthen the commercial relationship with customers, and in this way a complaint to the authority can in many cases be avoided.

When a customer chooses to file a complaint, and the data protection authority then decides to launch an investigation, it is often the start of much more than one would initially expect. After all, the data protection authority will often not limit itself to an investigation into the response from customer service. For example, if the complaint concerns several fruitless attempts to unsubscribe from direct marketing, the investigation could examine how the company involved collects customer data, what data it collects, with whom it collaborates for this purpose, whether processing agreements have been concluded, whether the register and privacy statement are complete, if appropriate technical and organisational measures have been taken, etc. In short, correctly handling a (relatively simple) request is therefore desirable not only from a purely commercial point of view, but also from a prudent legal perspective, given the far-reaching powers of the data protection authorities.

What you need to do.

Make sure that your customer service team is aware of the importance of GDPR compliance and its key role as the first point of contact for complaints. As a company, you should thus organise training courses on GDPR for your employees who are responsible for customer service (or who are mentioned as a point of contact in the privacy statement). During the training it is important to map out a number of basic rules. For example, your employees must be able to respond adequately to simple requests from data subjects, but should also be able to sense when a referral to e.g. a legal department or DPO is necessary. Amongst other things, this means that they should be aware of the period of (in principle) one month to respond to requests, that they know when to ask for (additional) identification, that in the event of a rejection they inform the customer of his or her right to contact the data protection authority, etc. As support, you can provide schemes and models to your employees that they can use when handling customer requests. That said, you should be careful with such standard procedures and documents. Often the customer expresses a particular concern and wishes to exercise a specific right as a result. Certainly, if that concern is in fact unjustified, it is highly recommended not only to provide the standard answer with regard to the exercised right, but to concretely remove the customer's concern.

Even if your company works with an external customer service, you must check that this external partner is taking sufficient organisational measures, including with regard to the training of its employees. As a controller, you are responsible for your processor. Therefore, the use of an external customer service does not relieve you of your obligations under the GDPR. So, at a minimum ensure that adequate GDPR training for employees is explicitly anchored in the data processing agreement. In addition, it is advisable to spell out the matters for which the external customer service is responsible in (an appendix to) the agreement and to agree that a monthly report will be drawn up on them. Based on this report, your company can then perform a spot check from time to time to find out how the customer service has specifically handled particular matters.

Finally, it is best to document all measures taken in the context of your customer service. After all, the obligation to keep track of organisational measures follows from, amongst other things, the accountability obligation imposed by the GDPR.

Would you like to know more about training courses for your customer service? This topic is covered in our GDPR compliance programme.