Insights

The CNIL publishes guidelines on the commercial use of customer files: A warning for data brokers and their clients

The CNIL publishes guidelines on the commercial use of customer files: A warning for data brokers and their clients

Dec 20, 2022
Download PDFDownload PDF
Print
Share

On 3 February 2022, the French Commission Nationale de l'Informatique et des Libertés (the "CNIL") published a set of commercial management guidelines for all organizations that conduct data processing for the management of their commercial activities (the “Guidelines”). Notably, the Guidelines provide guidance on the carrying out of commercial canvassing actions (for example: sending advertising messages and promotion).

Commercial prospecting has been designated as one of the CNIL's priority regulatory themes for 2022. The CNIL is particularly focusing on those organisations that resell data (knows as “data brokers”) and those who buy such data.

On 5 December 2022 the CNIL published guidelines reminding organisations of the rules on the sale of customer files for electronic prospecting purposes. Organisations acting as a “controller” of personal data need to pay attention to the following points when purchasing or selling customer data.

The seller's obligations before the sale

  • On the types of data that can be transferred: Only data relating to active customers can be shared. Customer data that is only kept for administrative purposes (accounting, litigation, etc.) should not be transmitted.
  • On the consent of data subjects: The seller must inform the data subjects at the time of collection of the data (for example via the online form), and obtain their consent to any transfer at the same time.

The seller must have appropriately informed the data subjects before obtaining consent, so that they are able to appreciate the consequences of their choice as to whether or not to permit the transfer of their data (including by informing them of the extent of the transfer).

The data of customers who have not consented to the transfer for electronic prospecting purposes must be removed from the file, before the transfer takes place.

The conditions of data sharing between the seller and the purchaser shall be such as to ensure the security and confidentiality of the data.

The purchaser’s obligations after the sale

  • On informing the data subjects: the purchaser must inform the data subjects of the transfer and the source of the data (i.e. the name of the company that sold the customer files). This notification must be made as soon as possible (at the time of the first contact with the data subject) and at the latest within one month, unless the data subjects have already received the necessary information. The number of commercial solicitations addressed to the same data subject should be limited as individuals do not expect to receive multiple solicitations, which may constitute a significant nuisance.
  • On the verification of the existence of consent to prospecting: the purchaser must be able to demonstrate that it has obtained the data subjects’ consent if it wishes to use their data for electronic commercial prospecting purposes.

- If the seller has already obtained the customers' consent for the purchaser's prospecting activities and the purchaser's identity was already included in the list of recipients, the purchaser will be able to approach the individuals directly.

- If the seller has not obtained customers' consent, the purchaser will have to ensure the compliance of its operations by obtaining the consent of the data subjects itself.

Related Practice Areas

  • Data Privacy & Security

Meet The Team

Meet The Team

Meet The Team

This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.