French Data Protection Regulator Publishes Guidance on Reuse of Personal Data by Processors
16 January 2022
Technology & eCommerce Regulation in the Spotlight
The French data protection supervisory authority (“CNIL”) has recently published new guidance on the reuse of personal data by processors for their own purposes (“Guidance”) under the General Data Protection Regulation (“GDPR”). According to the Guidance, processors may use personal data obtained from their controllers for their own use, under certain conditions.
Under the GDPR, a processor is defined as a natural or legal entity which processes personal data on behalf of the controller. Processors may only process personal data on the basis of the controllers’ documented instructions, and in principle, they may not process such personal data for their own purposes (e.g. product improvement), unless required by European Union or member state law. However, according to the Guidance, processing of personal data by processors for their own purposes may be permitted under some restrictive conditions.
In order to process personal data for a purpose other than on the controller’s behalf, a processor must obtain the controller’s permission. According to the Guidance, the controller’s permission must be provided in writing and should be granted on a case-by-case basis. Prior and blanket authorizations by controllers shall not be deemed acceptable.
Furthermore, since the processing of personal data for the processor’s purposes constitutes “further processing”, it is the controller’s responsibility to conduct a “compatibility test” (see 29WP opinion on purpose limitation), to determine whether such further processing is compatible with the purposes for which the personal data was initially collected. The CNIL emphasizes that the controller may give permission for the reuse of data by the processor only if the compatibility test is satisfied; otherwise it must refuse such further processing. However, in cases where the legal basis for the original processing activity is consent, controllers and processors will not be able to rely on the compatibility test, and the data subjects’ consent will likely be needed for any reuse of personal data.
In the CNIL’s view, the controller is responsible for informing the data subject of the further processing and the additional purposes and must indicate to the data subjects whether they have the right to object to such further processing. However, in certain circumstances where the processor already processes the data subject’s contact details, the controller may delegate the responsibility to inform to the processor.
Finally, as per Article 28(10) of the GDPR, the CNIL clarifies that by reusing personal data for its own purposes, a processor becomes a controller of such individual processing activities under the GDPR. As such, it must comply with additional requirements and obligations as a controller, including, but not limited to, identifying a legal basis for processing and complying with transparency and notification requirements.
Please feel free to contact us if you have any questions regarding the implications of reuse of personal data by processors for their own purposes, and the effect of the Guidance on controllers’ disclosures and assessments when collecting personal data.
Kind regards,
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation