On December 5th, 2022, the French Data Protection Authority (known as “Commission Nationale de l'Informatique et des Libertés”, hereinafter “CNIL”) published a reminder of the rules applying in case of communication of customers’ lists to third parties for commercial purposes.
In these cases, the CNIL reminds that such communications are not prohibited by the Regulation (EU) 2016/679 (“GDPR”), but must be done in compliance with specific obligations.
In particular, communication of customers’ lists to third parties can take place when:
- personal data have been collected – from the beginning – in compliance with the GDPR;
- personal data were collected for commercial purposes. On this regard, for example, CNIL excludes the communication of personal data kept for administrative purposes;
- personal data are active[1]; and
- the customers have given their consent or have not objected to the communication of their personal data to third parties for commercial purposes. Without the consent or in case of objection, the relevant personal data must be deleted before the communication of the customers’ list to the purchaser.
Moreover, the purchaser must ensure that the rights of data subjects are respected and, specifically, the purchaser shall:
- provide specific information to the data subjects at the time when personal data are obtained and, in any case, at latest within one month, also indicating from which source the personal data were originated (i.e., the name of the company that has communicate the personal data, unless this information has already been provided);
- be able to demonstrate that it has the data subjects’ informed consent for commercial purposes.
Regarding the informed consent, it is possible to distinguish two different situations:
- the data controller has already obtained the consent on behalf of the purchaser. On this regard, if, at the time of data collection, the identity of the purchaser was already included in the list of the recipients of the personal data, the purchaser may directly contact the data subjects who have consented to the communication of their personal data for commercial purposes;
- the data controller has not obtained the consent on behalf of the purchaser. In this case, the purchaser shall inform the data subjects and collect their consent before sending them commercial communication.
In any case, the purchaser must respect the rights of data subjects (such as the right of data subjects to withdraw the consent, at any time, or to express their refusal to receive new communications) and, in general, all the obligations provided by the GDPR (e.g., principle of the accountability, data retention periods, security of processing, etc.). The CNIL reminder is available here, only in French.
[1] According to the CNIL recommendations, customers’ personal data collected for commercial purposes may be kept for a period of three years after the end of the commercial relationship or after the last contact by the customer.
