"Personal data means any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. "
Within the corporate messaging ecosystem, personal data means anything that uniquely addresses or identifies the data subject (the consumer), including:
- MSISDN and IMSI numbers, used to identify a mobile phone, operator and consumer number
- Email address
- OTT address (e.g. username or a user's Skype or Facebook address)
- IP address (which identifies any device that uses the Internet protocol for communication)
- A combination of communication metadata, e.g. time of a message combined with the sender of a message (such as a bank) that could uniquely identify an individual
However, beyond that, the GDPR covers personal data that may be contained in a message, including:
- The name of a user
- Bank account and credit card numbers
- Driver's license and car registration numbers
- National insurance or other ID numbers
- Policy numbers and booking references
- A combination of identifying elements, e.g. physical characteristics, place, occupation, etc.
The GDPR also defines Sensitive Data, which requires additional secure protections and explicit authorization to be stored:
- Racial or ethnic origin, religious or philosophical beliefs and political views
- Sex life, health and genetic data
- Biometric data
- Criminal record
Under the GDPR, the collection and processing of personal data must be for "specific, explicit and legitimate purposes" and have a legal basis. A Data Controller or Data Processor must have at least one of the legal grounds listed below to have the right to store and process personal data.
What is the legal basis for suppliers of CPaaS to process and archive message data?
CPaaS suppliers in their capacity as Data Processors or Sub-Processors, do not require the consent of the interested party to store and process their Personal Data.
CPaaS providers generally have two reasons for legitimate processing: they have a legal basis, because they must fulfill the contract with the Controller to store and process the messages sent by the Controller. They also have a legal obligation to comply with telecommunications legislation, which requires archiving of communications logs for a period.
This period differs from country to country, but should be regarded as a legal basis for storing some data. The legal reasons for storing and processing personal data are:
- Consent: the interested party has freely given his consent to the storage and processing of information for a specific purpose
- Execution of a contract - the most likely reason that messaging aggregators and CPaaS providers will store personal data
- Legal obligations - common in communications such as lawful wiretapping and criminal investigation legislation
- To protect a person's vital interests, e.g. a hospital trying to save an individual's life
- It is in the public interest / public tasks - eg. tax collection, passport, driving license processing
- Legitimate interests - eg. fraud prevention or credit checks
