CNIL provides guidance on data sharing with third parties for marketing purposes

Written on 5 Feb 2019

On 28 December 2018, the French Data Supervisory Authority (the CNIL) issued guidance on the principles and rules to comply with when a company intends to share personal data collected to its business partners (as well as brokers and other organisations) for marketing purposes.

Not surprisingly, the principles are in line with the GDPR, allowing greater information and control by the data subjects of their personal data. The guidance includes the following:

Consent

Before any transmission of data to third parties, the data subject must consent to the transmission of their data to the business partners of the organisation collecting the data.

This consent is only valid for the partners who are clearly identified – to the data subject – at the time of the data collection. This consent does not allow the recipient partners to communicate the data to their own business partners (no “transmission” of the consent).

These partners or other data recipients must be identified directly on the form used to collect the data. In order to do so, in practice, company may opt to either:

  • directly include the complete list of the partners with whom data are shared, which should be updated on a regular basis (in particular in case of arrival of new partners).
  • if the list of business partners is too long to be included on the form, include on the form a link to the list and to the partners’ privacy policies.

Updated information about business partners

Data subjects should be kept updated in relation to the business partners with which their data will be shared. From a practical standpoint, this information can be transmitted at two levels:

  • each email or marketing message received by the data subject from the company collecting the data must include an up-to-date list of its business partners (or a link to a list of business partners); and
  • each new partner receiving the data shall, when first communicating with the prospective recipient, inform them, within one month at the latest, of the intended processing of their data it will carry out.

Information on data subjects’ rights:

The business partners of the original recipients of the data, who in turn sends marketing messages to the data subjects, must indicate, at the time of their first communication, how the data subject can exercise their rights, in particular their right to object. They must also indicate – this is new – the source of the data used (the name of the company that originally transmitted the data to the partner).

Right to object.

Data subjects can express this right to object in practice in one of two ways:

  • either directly with the new business partner; or
  • to the company that initially collected the data, which must in turn pass it directly to its partners who received the data.

Why this matters

The rules laid down by the CNIL are in line with the GDPR and the former CNIL position (PRISMA decision) and have a direct impact on how you should collect data, inform data subjects and manage the life cycle of the data when data is transmitted to business partners.

At the front end, the rules imply the need to update any data collection form to make sure it includes all mandatory information (a list of partners, link to their privacy policy, right to object, etc.). For the back office, this implies the need to have the relevant procedure and systems in place to ensure that the communication to data subjects include an updated list of the partners to whom data is transmitted, as well as a link to their privacy policy. This may require you to update your contracts with partners to obtain such an information and to ensure smooth cooperation where a data subject exercises their right to object to receiving further marketing communication.

For more information, please contact one of the experts listed below.