The CNIL publishes guidelines on the commercial use of customer files: A warning for data brokers and their clients
Dec 20, 2022

On 3 February 2022, the French Commission Nationale de l'Informatique et des Libertés (the “CNIL”) published a set of commercial management guidelines for all organizations that conduct data processing for the management of their commercial activities (the “Guidelines”). Notably, the Guidelines provide guidance on carrying out commercial canvassing actions (for example, sending advertising messages and promotions).
Commercial prospecting has been designated as one of the CNIL's priority regulatory themes for 2022. The CNIL is focusing in particular on organisations that resell data (known as “data brokers”) and those who buy such data.
On 5 December 2022 the CNIL published guidelines reminding organisations of the rules on the sale of customer files for electronic prospecting purposes. Organisations acting as a “controller” of personal data need to pay attention to the following points when purchasing or selling customer data.
The seller's obligations before the sale
- On the types of data that can be transferred: Only data relating to active customers can be shared. Customer data that is only kept for administrative purposes (accounting, litigation, etc.) should not be transmitted.
- On the consent of data subjects: The seller must inform the data subjects at the time of collection of the data (for example via the online form), and obtain their consent to any transfer at the same time.
The seller must have appropriately informed the data subjects before obtaining consent, so that they are able to appreciate the consequences of their choice as to whether or not to permit the transfer of their data (including by informing them of the extent of the transfer).
The data of customers who have not consented to the transfer for electronic prospecting purposes must be removed from the file, before the transfer takes place.
The conditions of data sharing between the seller and the purchaser shall be such as to ensure the security and confidentiality of the data.
The purchaser’s obligations after the sale
- On informing the data subjects: the purchaser must inform the data subjects of the transfer and the source of the data (i.e. the name of the company that sold the customer files). This notification must be made as soon as possible (at the time of the first contact with the data subject) and at the latest within one month, unless the data subjects have already received the necessary information. The number of commercial solicitations addressed to the same data subject should be limited as individuals do not expect to receive multiple solicitations, which may constitute a significant nuisance.
- On the verification of the existence of consent to prospecting: the purchaser must be able to demonstrate that it has obtained the data subjects’ consent if it wishes to use their data for electronic commercial prospecting purposes.
  - If the seller has already obtained the customers' consent for the purchaser's prospecting activities and the purchaser's identity was already included in the list of recipients, the purchaser will be able to approach the individuals directly.
  - If the seller has not obtained customers' consent, the purchaser will have to ensure the compliance of its operations by obtaining the consent of the data subjects itself.