Who is affected by GDPR, even outside the EU

GDPR scope is defined by where the data subject is, not where you are

A common misconception is that GDPR only applies to European businesses. The regulation is explicit: it applies to any organization that collects or processes personal data of individuals located inside the EU — even if that organization is headquartered in the United States, Canada, or anywhere else.

If your call center dials EU residents, loads Lead lists that include EU phone numbers, or stores any identifying data about EU-based contacts, the regulation applies to you.

Controllers vs. processors: which one are you?

GDPR draws a distinction between two types of entities:

• Data controller: an organization that decides what personal data is collected and why. If you run the call center and own the Campaign, you are likely the controller.
• Data processor: an organization that processes data on behalf of a controller — for example, a cloud hosting provider or a third-party dialing platform. Processors are also subject to GDPR obligations.

In many VICIdial deployments, the call center operator is the controller and the hosting provider is a processor. Both carry GDPR obligations, and a data processing agreement between them is typically required.

What counts as personal data under GDPR?

The European Commission defines personal data broadly: any information relating to an individual, whether it relates to their private, professional, or public life. That includes a name, home address, email address, bank details, social media posts, medical information, or even a computer's IP address.

For a VICIdial system, that definition covers lead records (name, phone, address, Custom field values), call logs, Call recording files, and agent notes. Any of these fields tied to an identifiable EU resident falls under GDPR.

Who is NOT automatically exempt

flowchart TD
  A[Does your org collect or process data?] --> B{Is any data subject an EU resident?}
  B -- Yes --> C[GDPR applies regardless of your location]
  B -- No --> D[GDPR does not apply]
  C --> E{Are you the one deciding how data is used?}
  E -- Yes --> F[You are a Data Controller]
  E -- No --> G[You are a Data Processor]
  F --> H[Full controller obligations apply]
  G --> I[Processor obligations and DPA required]

• US-based call centers dialing into EU countries for sales or collections campaigns
• BPOs based in Asia or Latin America processing EU customer records on behalf of a European brand
• SaaS or VoIP providers whose platform stores or routes EU resident data

VICIdial settings that apply to affected organizations

If your organization is affected, VICIdial provides a dedicated compliance layer. Under Admin -> System Settings, the Enable GDPR-compliant Data Download Deletion setting controls whether agents and admins can export or delete a lead's data in response to a data subject request. The system-level setting caps what individual users can do: a user cannot be granted higher GDPR permissions than the system allows.

For the step-by-step process of actually handling a request, see how to export or purge a lead's data for a GDPR request. For the broader compliance picture, start with the VICIdial compliance overview.

Running a managed VICIdial instance through VICIfast means GDPR-relevant settings are configured and auditable from day one. See pricing to compare hosting tiers.