Who: French Data Protection Supervisory Authority (CNIL).
Where: France
When: 28 December 2018
Law stated at: 22 February 2019
What happened:
On 28 December 2018, the French Data Supervisory Authority (“CNIL”) issued guidance on the principles and rules to comply with when a company intends to share personal data it has collected with its business partners (as well as brokers and other organisations) for marketing purposes.
Not surprisingly, the principles are in line with the GDPR, giving data subjects more information about, and control over, their personal data:
- Consent: Before any transmission of data to third parties, the data subject must consent to the transmission of his/her data to the business partners of the organization collecting the data.
- Identification. This consent is only valid for the partners who are clearly identified – by the data subject – at the time of the data collection. This consent does not allow the recipient partners to communicate the data to their own business partners (no “transmission” of the consent). These partners or other data recipients must be identified directly on the form used to collect the data. In practice, a company may opt to either:
  - directly include the complete list of the partners with whom data are shared, which should be updated on a regular basis (in particular when new partners are added); or
  - if the list of business partners is too long to be included on the form, include on the form a link to the list and to the partners’ privacy policies.
- Information about updates or changes to the business partners shall be provided to the data subject. From a practical standpoint, this information can be transmitted at two levels:
  - each email or marketing message received by the data subject from the company collecting the data must include an up-to-date list of its business partners; or
  - each new partner receiving the data shall, when first communicating with the prospective recipient, inform him/her, within one month at the latest, of the processing of his/her data that it intends to carry out.
- Information on data subjects’ rights: The business partners of the original recipients of the data, who in turn send marketing messages to the data subjects, must indicate, at the time of their first communication, how to exercise their rights, in particular their right to object. They must also indicate – this is new – the source of the data used (name of the company that originally transmitted the data to the partner).
- Right to object. How can this right to object be exercised in practice?
  - directly with the new business partner; or
  - with the company that initially collected the data, which shall in turn pass it directly to its partners who received the data.
Why this matters:
The rules laid down by the CNIL are in line with the GDPR and the former CNIL position (PRISMA decision) and have a direct impact on how you should collect data, inform data subjects and manage the life cycle of the data when data is transmitted to business partners.
On the front end, the rules likely require updating every data collection form to make sure it includes all mandatory information (list of partners, link to their privacy policy, right to object, etc.). In the back office, this means having the relevant procedures and systems in place to ensure that communications to data subjects include an updated list of the partners to whom data is transmitted, as well as a link to their privacy policy. This may require updating your contracts with partners to obtain this information and to ensure smooth cooperation in case a data subject exercises his/her right to object to receiving further marketing communications.
For more information, please contact Grégoire Dumas, Béatrice Delmas-Linel, Claire Bouchenard or Xavier Pican.