“Personal data means any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.”
Within the corporate messaging ecosystem, personal data means anything that uniquely addresses or identifies the data subject (the consumer), including:
- MSISDN and IMSI numbers, used to identify a mobile phone, operator and consumer number
- Email address
- OTT address (e.g. username or a user's Skype or Facebook address)
- IP address (which identifies any device that uses the Internet protocol for communication)
- A combination of communication metadata, e.g. time of a message combined with the sender of a message (such as a bank) that could uniquely identify an individual
However, beyond that, the GDPR covers personal data that may be contained in a message, including:
- The name of a user
- Bank account and credit card numbers
- Driver's license and car registration numbers
- National insurance or other ID numbers
- Policy numbers and booking references
- A combination of identifying elements, e.g. physical characteristics, place, occupation, etc.
The GDPR also defines Sensitive Data, which requires additional security protections and explicit authorization before it may be stored:
- Racial or ethnic origin, religious or philosophical beliefs and political views
- Sex life, health and genetic data
- Biometric data
- Criminal record
Under the GDPR, the collection and processing of personal data must be for "specific, explicit and legitimate purposes" and have a legal basis. A Data Controller or Data Processor must have at least one of the legal grounds listed below to have the right to store and process personal data.
What is the legal basis for providers of CPaaS to process and archive message data?
CPaaS providers, acting as data processors or sub-processors, do not require the data subject's consent to store and process their Personal Data.
CPaaS providers typically have two legitimate grounds for processing: they have a legal basis, as they must fulfill the contract with the data controller to store and process the messages sent by the data controller. They also have a legal obligation to comply with telecommunications legislation, which requires the retention of communications logs for a specified period.
This period differs from country to country, but should be regarded as a legal basis for storing some data. The legal reasons for storing and processing personal data are:
- Consent: the data subject has freely given consent to the storage and processing of information for a specific purpose
- Performance of a contract: the most likely reason why messaging aggregators and CPaaS providers will store personal data
- Legal obligations: common in communications, such as lawful wiretapping and criminal investigation legislation
- To protect a person's vital interests: e.g. a hospital trying to save an individual's life
- Public interest / public tasks: e.g. tax collection, passport and driving license processing
- Legitimate interests: e.g. fraud prevention or credit checks