Photo: Daniel Romero on Unsplash

The holidays always represent an opportunity for sales companies to conduct various marketing campaigns for their products. So, they will often call “by random choice” potential customers to offer vouchers and attractive discounts. But it isn’t clear how they manage to find the subscribers’ private mobile numbers.

The people who conduct this type of marketing, and with whom Meta.mk spoke, had no concrete answer about where they found the number they called. Sometimes they are so confused on hearing this, that they hang up instantly.

Their supervisors also keep mum, but sometimes they try to convince the interlocutors that some of their friends have likely mentioned them during the public product or service presentations that are usually held in restaurants. When pressed further, however, they do not divulge which friend mentioned the names, nor do they say when the actual product presentation took place.

They would also say that there is a possibility that they came across the telephone number on some of the advert webpages. But they cannot provide any proof for that, either.

Apart from the inconvenience those telephone calls create for many people, this practice is also an unauthorized use of personal data.

Meta.mk asked the two biggest mobile telephony providers in North Macedonia, the Macedonian Telekom and A1, about their privacy policies for the numbers of their subscribers and whether it is possible for a company to buy a list of mobile phone numbers. We got a reply only from the Macedonian Telekom prior to the publishing of this article.

Telekom says that the users’ personal data is of top priority for the company and that it is diligently taking care of its user base data.

“Our user personal databases are protected with technical and organizational instruments in order to provide maximum protection of the data and it is processed only for goals determined by law or for goals that we have approval for from the subscribers (given at the signing of the subscriber agreement),” Macedonian Telekom said.

The company additionally explained that for marketing goals, the company is processing data only for the users that have given consent for direct marketing and profiling.

“Furthermore, the approvals for direct marketing that we gather from the users are utilized only for the advertising services offered by the Macedonian Telekom. The company isn’t selling its databases to third parties, nor do third parties have access to our databases in an unauthorized manner,” stressed the Macedonian Telekom, which also added that the company doesn’t have any control over where its users are leaving their telephone numbers, who is collecting them, and for what purposes this data will be used by third parties.

Accordingly, Macedonian Telekom states that the company cannot be held responsible for the manner in which third parties utilize personal data databases.

Also, the company says it cannot have control over where its customers are leaving their telephone numbers, who collects the data and from where this data is taken, and for what purposes the personal data is used by third parties. In accordance with the previous statement, Macedonian Telekom says it cannot be held responsible for the ways third parties are using their collections of personal data.

As the Personal Data Protection Agency (PDPA) clarifies, according to the Law on Personal Data Protection, the processing of the telephone number of the personal data owner (the citizen) for direct marketing is allowed only if the personal data is processed after the personal data owner has given clear consent for data processing.

“For these reasons, the consent is the only possible legal basis for the direct marketing. The controller (the legal entity) is obliged to allow the citizen to cancel the once-given consent at any time and in a simple manner,” stressed PDPA.

Personal data protection expert Elena Stojanovska also considers that all personal data that a company plans to use for direct marketing and sales must be obtained only after explicit consent from the person whose data is used. Consent as a legal basis for processing personal data is specific for various reasons.

“What is most important for the companies to know is that the consent applies to a specific goal (in this case it’s about marketing and telephone sale). A concrete answer to the question would be that the company that is conducting telephone sales could only use telephone numbers that are part of a public telephone book i.e. numbers of people who have given their consent for their numbers to be publicly available to everyone,” Stojanovska said.

But she is doubtful that in this case we have the aforementioned situation, as the phone calls are mostly to mobile phones, while the public telephone book in over 90% of the cases contains landline numbers.

Stojanovska said there is a legal possibility for trading this type of personal data, but only if the company can prove that the people whose telephone numbers it has and uses have agreed to this. In order to prove the given consent for use, it has to have either a written approval, electronic, SMS, email or a recorded conversation, but only if the recording of the conversations was previously approved by the Personal Data Protection Agency.

Additionally, according to the rules related to personal data processing, which are determined in the enactments in the Law on Personal Data Protection, the companies have to have evidence of how they obtained a certain private telephone number that is used for marketing goals.

But, as she points out, the companies have to be able to prove that the people whose telephone numbers they have and use have explicitly agreed to this.

“In order to prove it has got an approval, there has to be either a printed approval, electronic, SMS approval or by e-mail, or with recorded conversations, but only if the recording of the conversations was previously approved by the Personal Data Protection Agency,” explained Stojanovska, who also said that it should be taken into account that the data processing rarely ends at the moment of sale.

“The activities that the companies undertake are also connected with profiling and targeting according to the habits and the needs of the customers, but for that they need new specific consent,” Stojanovska said.

In case of misuse of personal data, PDPA can also audit the processing of personal data that was collected for direct marketing goals i.e. whether the legal entities are working in accordance with the articles relating to personal data protection during direct marketing.

The companies that are conducting sales through direct telephone marketing, due to the specific legal basis for use of personal data, must always have proof, including in cases when they received the phone numbers of future clients from their friends or relatives. They also cannot use numbers that were published in various adverts.

“If a relative or a friend has given a telephone number, it is impossible for the company to prove that the person whose telephone number was used had been informed and had given her or his approval. The telephone numbers that the people have published in an advertisement were published with the goal to be contacted regarding the concrete, and not to be contacted for all kinds of purposes. In this case, explicit consent was given only for the goals of the advert,” said Stojanovska.

In order to protect their personal data in case of misuse, people have the right to ask for concrete information about where their personal data was taken from, the company’s identity, the ways the company is using their data, whether it is shared with another legal entity, and how long it is being kept, including who the personal data protection officer is from whom one can solicit personal data removal.

Stojanovska stressed that what is most important is the right to withdraw the given consent (if this was the case) at any time, in an easy and simple manner, and the company has to take care that at any point, any of their clients can request to be removed from their database and request to not be contacted in the future.

“Upon such request, the company has to respond immediately and without delay, and to remove them from the database in order to prevent any further illegal processing,” said Stojanovska.

PDPA also advises people to use their right to be informed about the processing of their personal data by the legal entity that is processing it, as well as to use the right to be erased, which applies:
– when the personal data is no longer needed;
– when the person is withdrawing the consent that is providing the basis for the processing/has submitted a complaint about the processing;
– when the controller is processing personal data for direct marketing goals;
– in case of illegal processing;
– in case of obligation determined by law; and
– when personal data is collected for an offer for IT services.

The agency also said that if the controller doesn’t act on people’s request to withdraw consent for direct marketing, citizens have the right to submit a request for determining a violation of the right to protection.

Nevertheless, despite the legal regulations, the issue of whether there is a successful formula that will protect us from misuse of our personal data, including the misuse of our mobile phone numbers, remains open.

“I’m not certain whether there is one successful formula that will protect us, but I’m certain that we can be more careful whenever we leave our personal data. We should have a habit of asking for information, reading Privacy Policies, becoming aware of what is actually happening after we give our personal data to someone, to find to whom we can address in case of a problem,” Stojanovska said.