22 May 2023

GDPR compliant call tracking: a 4-step plan

Call Tracking in the world of the GDPR

In an increasingly digital world, data protection has become a keyword. Customer data is valuable and can help optimize business processes and increase revenue. However, it is essential for companies to comply with data protection regulations when collecting and processing this data. In Europe in particular, the General Data Protection Regulation (GDPR) has far-reaching implications for the way companies are allowed to handle customer data. In this context, it is particularly relevant how technologies such as call tracking (CT), which are used by many companies, can be brought into line with the GDPR. This blog post highlights the interplay between the GDPR and call tracking and provides a 4-step plan to make call tracking GDPR compliant.

A definition: What is the GDPR?

The General Data Protection Regulation (GDPR), which came into effect in May 2018, is a European regulation that governs the protection of personal data of EU citizens. It ensures that companies meet certain requirements when collecting, storing and processing data.

The GDPR aims to ensure the protection of personal data in our increasingly digital world. It sets out clear rules on how data is to be handled and obliges companies to be transparent about their data processing operations. It also strengthens the rights of individuals by giving them control over their data, for example through the right to erasure or the right to data portability.

Why is the GDPR important? First and foremost, because the protection of personal data is a fundamental right. In addition, there are significant fines for violations of the GDPR – up to 4% of annual global turnover or 20 million euros, whichever is greater. Therefore, it is essential for any company operating in the EU or processing data of EU citizens to comply with the requirements of the GDPR.

A definition: What is call tracking?

Call tracking is a first party cookie technology that allows companies to collect information about how and from what source/campaign phone calls are generated. This is typically done by assigning unique phone numbers to different marketing campaigns or channels to identify which ones generate the most calls.

Get a deeper insight into the issues surrounding first and third party cookies in our in-depth blog article.

In practice, it works like this: when a customer calls a dedicated phone number assigned to a specific marketing channel, the call tracking system records data about that call. This data can include, for example, the duration of the call, the time of the call, or the source of the call.

We distinguish between two types of call tracking:

  • Static call tracking uses a unique phone number for each marketing campaign or medium. Callers who dial this number are put through directly to the company, and the call tracking system records which number was used for which call. 
    • Typical use cases for static CT are: Off-site tracking such as out-of-home (OOH), directories, print ads in magazines or Google My Business profiles. 
    • In terms of the GDPR, the hurdle for this type of call tracking is low: the method can be used on websites without cookies. However, companies then only receive raw statistical data such as “calls per week to website”. In addition, care must be taken to ensure that the telecommunications provider supplying the numbers for static call tracking is itself GDPR-compliant. A data processing agreement (DPA; German: AVV) must also be concluded with this provider.
  • Dynamic call tracking, on the other hand, works with a pool of phone numbers and dynamically assigns a unique phone number to each website visitor when they access the page, in order to be able to build the bridge between what happens on the website and the “offline” call. This allows for even more accurate tracking of call origin, as each call can be associated with a specific website visit.
    • However, for GDPR compliance, more measures need to be taken with this method, as scripts and cookies are needed on the website, which need to be considered in a company’s privacy policy. We’ll clarify what exactly needs to be considered in this regard further down in this post.  

The benefits of call tracking for businesses are many. First, it allows for more accurate measurement of the performance of various marketing channels, as telephone interactions are also taken into account. This allows marketing budgets to be better targeted and campaign effectiveness to be improved. Second, call tracking provides valuable insights into customer behavior and can help improve customer service. Finally, it can also contribute to lead generation and qualification by enabling potential customers to be identified and their interactions with the company to be tracked. The technology thus contributes to the entire lead management process and helps to massively improve marketing ROI.

The following comments, tips and advice are based solely on our best practice experience as a SaaS and MarTech company. They are not legal recommendations and are explicitly not to be understood as legal advice! For the concrete implementation, it is always recommended to consult an official legal advisor to guarantee a 100% legally compliant configuration!

GDPR vs. call tracking: where is the problem?

Call tracking is an effective tool to optimize marketing strategies and customer service processes. However, using the technology means that additional GDPR requirements must be taken into consideration. After all, call tracking in most cases means that personal data is collected, and therefore the provisions of the GDPR apply.

One of the main concerns is the obligation to inform. According to the GDPR, individuals whose data is collected must be clearly informed of this fact, the purpose of the data collection, and their rights in relation to this data. For call tracking, this could mean that callers must be informed at the beginning of a call that the call is being tracked.

Another issue may be the need for consent for data collection. In many cases, explicit consent must be obtained from the data subject to process their personal data. Here, the question might arise whether and how this consent can be obtained in a telephone interaction process.

The GDPR also requires the security of the processed data and the principle of data minimization, which means that only the most necessary data may be collected. In the context of call tracking, it is therefore necessary to ensure that the data collected is stored securely and that only the data that is really necessary for the stated purpose is collected.

These are just some of the challenges that can arise when reconciling the GDPR and call tracking. It becomes clear that compliance with the GDPR requires careful planning and implementation when using call tracking.

How to make call tracking GDPR compliant: A 4-step plan

Step 1: Cookie consent and consent management in dynamic call tracking.

The foundation for data protection-compliant implementation of dynamic call tracking is transparent consent management that is based on the principles of the GDPR. This involves anchoring the tools used in the privacy policy. Every website user must agree to this at the beginning of their session (cookie banner).  

The following two points are highly relevant here:

  • Consent Management: Callers must explicitly give their consent to data processing. A consent management platform can be used for this purpose, which obtains and documents the consent of website visitors when they first visit a website. 
    • For dynamic CT, this means that dynamic call tracking can only take place and the data can only flow into a web analytics / marketing platform if the user has given his consent to the processing of his data for the purpose of web analytics or marketing optimization. If he does not do so, no data can be collected and integrated from dynamic CT. 
    • Conclusion: CT tools should be integrated into the consent management in order to be able to operate in compliance with the GDPR. 

  • Privacy policy: The privacy policy should provide callers with detailed information about the processing of their data as part of call tracking. Get inspired by thousands of websites using our technology here: Google Search – “matelso privacy policy”
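
The consent gate for dynamic call tracking described in Step 1, as an added JavaScript example that is not matelso's code: the pool number, its cookie and the analytics record exist only after an explicit opt-in, and withdrawing consent removes the cookie and frees the number. All function names, the cookie name and the phone numbers are hypothetical.

```javascript
// Added example. All names, the cookie and the phone numbers are hypothetical / constructed.
const STATIC_NUMBER = "+49 30 5550100"; // static line shown when tracking is not permitted
const COOKIE_NAME = "ct_number";        // hypothetical first-party cookie

// Only an explicit `true` for analytics or marketing counts as opt-in.
function hasTrackingConsent(consent) {
  const p = (consent && consent.purposes) || {};
  return p.analytics === true || p.marketing === true;
}

function createTracker(pool) {
  const free = [...pool]; // pool numbers not currently bound to a visitor
  const events = [];      // records that would flow to the analytics platform

  // cookieJar is a Map standing in for the browser's first-party cookies.
  function resolveNumber(consent, cookieJar, visit) {
    const stored = cookieJar.get(COOKIE_NAME);
    // Accept the cookie only if it names a pool number that is currently allocated.
    const assigned = pool.includes(stored) && !free.includes(stored) ? stored : undefined;

    if (!hasTrackingConsent(consent)) {
      // Never asked, declined or withdrawn: remove the cookie, free the number, record nothing.
      cookieJar.delete(COOKIE_NAME);
      if (assigned !== undefined) free.push(assigned);
      return { number: STATIC_NUMBER, tracked: false };
    }
    if (assigned !== undefined) return { number: assigned, tracked: true };

    const number = free.shift();
    if (number === undefined) {
      // Pool exhausted: fall back to the static line instead of sharing a tracked number.
      return { number: STATIC_NUMBER, tracked: false };
    }
    cookieJar.set(COOKIE_NAME, number);
    events.push({ number, source: visit.source }); // data minimization: campaign source only
    return { number, tracked: true };
  }

  return { resolveNumber, events, freeCount: () => free.length };
}
```

In a browser, the `Map` would be replaced by reads and writes of the first-party cookie, and `consent` by the state reported by the consent management platform.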

Step 2: Ensuring data security

Ensuring data security is an indispensable part of implementing call tracking in compliance with the GDPR. Here, the focus is on both technical and organizational measures to effectively protect the collected data.

In summary, this includes:

  • Technical measures:
    • Encryption of the collected data
    • Use of secure servers and networks
    • Regular security updates of the systems used
    • Setting up firewalls and implementing intrusion detection systems
  • Organizational measures:
    • Implementation of data security policies and procedures
    • Training of employees to comply with data security guidelines
    • Regular audits to review data security measures
    • Restricting access to data only to employees who really need it

These measures play a crucial role in ensuring the security of the data collected as part of call tracking, and thus in complying with the GDPR requirements.

Step 3: Storage limitation and data minimization

The third step in the process of implementing call tracking in compliance with the GDPR relates to storage limitation and data minimization. These principles are central to the GDPR and ensure that only the necessary data is collected and that it is only stored for as long as it is needed.

Specifically, this means:

  • Storage limitation: Data should only be kept for as long as is necessary to fulfill the purpose for which it was collected. After that, it must be deleted. The storage limit must be clearly defined and adhered to.
  • Data minimization: Only the data that is really necessary for the purpose in question should be collected. This reduces the risk of data breaches and ensures that the privacy of callers is respected.

By following these principles, you ensure that your call tracking is in line with GDPR requirements and that callers’ right to privacy of their personal data is respected.

Step 4: Provide data subjects with rights

In the fourth step to setting up GDPR-compliant call tracking, it is essential to ensure callers’ rights. Here, the rights to information, access, rectification, erasure, objection, restriction of processing, and data portability are crucial.

In addition, it should be ensured that it is always clear to users that no personal data beyond the specified content is transferred to integrated third-party systems such as Google Analytics 4 or other marketing tools.

matelso’s call tracking solutions: GDPR compliance meets efficiency

matelso offers innovative call tracking solutions specifically designed to help companies optimize their marketing while complying with data protection regulations. Our solutions provide a comprehensive overview of your phone calls, so you can track exactly which marketing activities led to which calls.

Compliance with the GDPR is of utmost importance to us. Our call tracking solutions are designed to be fully GDPR compliant.

We ensure that callers are sufficiently informed and give their consent to data collection. In addition, we make sure that data is processed and stored securely, that the amount of data is limited to what is necessary, and that the rights of data subjects are protected.

Thus, with our call tracking solutions, you can not only optimize your marketing efforts and gain valuable insights, but also be sure that you comply with the requirements of the GDPR. If you have any questions or would like more information, please do not hesitate to contact us.


In summary:

  • Data protection is essential in the digital world, and call tracking can be implemented in a GDPR-compliant manner.
  • Our 5-step plan includes: Informing callers, ensuring data security, obtaining consent, limiting storage and minimizing data, and guaranteeing data subjects’ rights.
  • Paying attention to these aspects ensures that call tracking is GDPR compliant and that its benefits can be maximized.
  • GDPR compliance and call tracking are not contradictions, but can go hand in hand to support business goals and respect customer privacy.
