Call records, location data, and browsing history — telecoms process some of the most intrusive personal data of any sector.
Originally published at app.custodia-privacy.com/blog/gdpr-telecoms
Telecoms companies and internet service providers occupy a uniquely sensitive position under European privacy law. Unlike a retailer that collects a name and address, or a SaaS platform that logs user behaviour, a telecom or ISP can know where you are at any moment, who you called, how long you spoke, what websites you visited, and when you were awake.
Why Telecoms Face the Strictest Obligations
The personal data a telecom processes is not just sensitive — it is constitutionally sensitive. Under the GDPR, telecoms are data controllers for the personal data they process about subscribers, callers, and network users. GDPR is supplemented — and in some areas superseded — by the ePrivacy Directive (Directive 2002/58/EC), implemented in the UK as PECR.
The ePrivacy framework imposes specific, sectoral rules on traffic data, location data, and the content of communications.
Traffic and Location Data
Traffic data must be erased or made anonymous when it is no longer needed to transmit a communication. Location data that is more precise than what is needed for routing can only be processed with explicit consent or where it has been anonymised.
Call Data Records: Retention vs. Storage Limitation
CDRs are both operationally essential and legally sensitive. In the UK, the Investigatory Powers Act 2016 requires Communications Service Providers to retain CDRs for 12 months for national security and law enforcement access — creating tension with GDPR's storage limitation principle.
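The erasure-or-anonymisation rule for traffic and location data and the 12-month CDR retention period sit awkwardly together, so it helps to see them encoded as a single retention policy. The following is an added example, not code from the original post or from Custodia Privacy. The record layout, the 7-day transmission window, and the assumption that caller, callee, start time, duration and cell ID are the fields kept under the IPA retention obligation (while precise latitude/longitude is not) are all constructed for the example, not legal guidance.

```python
"""Retention and minimisation job for call data records (CDRs).

Added example, not the post's or Custodia's own code. It encodes the two
constraints the post describes as one policy:

  * precise location (lat/lon) is processed only with explicit consent, so it
    is dropped once the call has been routed unless the consent flag is set
    (cell-level location, needed for routing, is kept);
  * the CDR itself is retained for 12 months (the IPA period the post cites)
    and deleted after that.

Which fields the retention obligation covers, and the 7-day transmission
window, are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

TRANSMISSION_WINDOW = timedelta(days=7)   # assumed: routing no longer needs precise location after this
IPA_RETENTION = timedelta(days=365)       # 12 months, as stated in the post


@dataclass(frozen=True)
class CDR:
    record_id: str
    caller: str
    callee: str
    started_at: datetime
    duration_s: int
    cell_id: str                     # routing-level location; assumed to be retained under IPA
    lat: Optional[float] = None      # precise location; only with explicit consent
    lon: Optional[float] = None
    precise_location_consent: bool = False


def decide(record: CDR, now: datetime) -> str:
    """Return the action the policy requires for one record: 'delete', 'coarsen' or 'keep'."""
    age = now - record.started_at
    if age > IPA_RETENTION:
        return "delete"
    has_precise = record.lat is not None or record.lon is not None
    if age > TRANSMISSION_WINDOW and has_precise and not record.precise_location_consent:
        return "coarsen"
    return "keep"


def apply_policy(records: list[CDR], now: datetime) -> tuple[list[CDR], list[tuple[str, str]]]:
    """Apply the policy and return (retained records, audit log of (record_id, action))."""
    retained: list[CDR] = []
    audit: list[tuple[str, str]] = []
    for r in records:
        action = decide(r, now)
        audit.append((r.record_id, action))
        if action == "delete":
            continue                                   # erased: nothing retained
        if action == "coarsen":
            r = replace(r, lat=None, lon=None)         # cell_id stays: routing-level precision only
        retained.append(r)
    return retained, audit


def violations(records: list[CDR], now: datetime) -> list[str]:
    """Compliance check: IDs of records still present that the policy should already have acted on."""
    return [r.record_id for r in records if decide(r, now) != "keep"]


# Constructed sample data: a fixed clock and four records exercising each branch.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    CDR("cdr-1", "447700900001", "447700900002", NOW - timedelta(days=2), 120, "cell-1",
        lat=51.5, lon=-0.12),                                   # fresh: routing may still need it
    CDR("cdr-2", "447700900003", "447700900004", NOW - timedelta(days=30), 45, "cell-2",
        lat=51.5, lon=-0.12),                                   # past window, no consent: coarsen
    CDR("cdr-3", "447700900005", "447700900006", NOW - timedelta(days=30), 300, "cell-3",
        lat=51.5, lon=-0.12, precise_location_consent=True),   # past window, consent: keep
    CDR("cdr-4", "447700900007", "447700900008", NOW - timedelta(days=400), 60, "cell-4"),
                                                                # past 12 months: delete
]

if __name__ == "__main__":
    kept, log = apply_policy(SAMPLE, NOW)
    for record_id, action in log:
        print(f"{record_id}: {action}")
    print("remaining violations:", violations(kept, NOW))
```

Running `violations()` over the live store after each job run is the check worth keeping: it turns the two legal rules into an assertion that fails loudly when a record carrying precise location or an over-age CDR slips through.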
Lawful Interception
Ofcom-regulated CSPs are required to have the technical capability to intercept communications when served with a warrant. Lawful interception is authorised under GDPR Article 6(1)(c) and Article 23.
Marketing to Subscribers: PECR Rules
Under PECR, automated marketing calls, texts, and emails require prior consent. The soft opt-in exception allows marketing to existing customers for similar products — but "similar" is narrowly interpreted.
Data Breaches: Dual Notification Obligations
Telecoms face both GDPR (72-hour) and PECR (24-hour) notification obligations to the ICO. These short timelines require mature incident response capability and a designated DPO.
IoT and Connected Devices
Broadband ISPs increasingly process data generated by connected devices in subscribers' homes. When providing value-added services that analyse connected device data, ISPs become controllers and must conduct DPIAs.
Compliance Checklist for MVNOs and Smaller ISPs
- Data Processing Agreement with host network
- Privacy Notice covering subscriber data, traffic metadata, marketing
- PECR marketing compliance with TPS screening
- Breach response plan with 24-hour PECR notification capability
- Records of Processing Activities (RoPA)
- Data Retention Policy aligned with IPA requirements
- DSAR process with 30-day response clock
Run a free scan at app.custodia-privacy.com/scan to see exactly what your customer-facing web properties are collecting.