European Union

GDPR & PECR Guide for Contact Centres

How GDPR and PECR apply to outbound calling, SMS campaigns, call recordings, and data subject rights in the EU and UK.
Last updated: June 25, 2026

Key Rule

You must have a lawful basis under GDPR (consent or legitimate interest) before making outbound marketing calls to EU/UK residents. Individuals registered on the Telephone Preference Service (TPS/CTPS) cannot be called without specific prior consent.

Overview

The General Data Protection Regulation (GDPR) applies to any organisation processing personal data of EU/EEA residents — regardless of where the organisation is based. For UK operations, the UK GDPR (post-Brexit) and the Privacy and Electronic Communications Regulations (PECR) govern outbound calling and SMS. Contact centres must establish a lawful basis for processing, manage consent, respect data subject rights, and secure call recordings appropriately.

In-Depth Guidance

Compliance Checklist

  • Document lawful basis (consent or LIA) for every outbound calling campaign targeting EU/UK residents Required
  • Screen against TPS and CTPS before any UK consumer outbound campaign Required
  • Inform call recipients that calls may be recorded at the start of every recorded call Required
  • Implement data subject rights response process (30-day window for all requests) Required
  • Store call recordings securely with defined retention periods documented in your data map Required
  • Honour opt-out requests (right to object to marketing) immediately — same-call suppression Required
  • Complete a DPIA (Data Protection Impact Assessment) for high-risk large-scale processing
  • Appoint a DPO (Data Protection Officer) if processing at large scale or special categories of data
  • Verify third-party data processors (CRM, dialer) have signed Data Processing Agreements (DPAs)

Penalties & Fines

Serious GDPR infringement (e.g., unlawful processing, no lawful basis)

Whichever is higher — imposed by national data protection authorities

Up to €20M or 4% global annual turnover

PECR violation (ICO enforcement, UK)

ICO actively enforces PECR against contact centres and lead generators

Up to £500,000

Secure Call Recording & Opt-Out Management

Klozer.io provides encrypted call recording storage, granular access controls, automatic opt-out propagation, and data retention configuration to support GDPR/PECR compliance.