The French Data Supervisory Authority (the CNIL) released guidance on December 28th 2018 on the principles to be followed when an organization that collects personal data through online or hard copy forms, shares it with business partners or data brokers to send SMS or emails for marketing purposes.
To comply with the GDPR, the CNIL reminds the key rules that such sharing must cumulatively respect to allow data subjects to keep control over their data. These principles are mainly focused on (I) Consent and (II) Information of the data subject.
- Prior consent: the data subject must give his/her consent before his/her personal data is transmitted to the business partners;
- Limited consent: the consent given by the data subject to the organization that collects personal data is only valid for the specific partners identified at the time of the data collection. However, said partners cannot in turn transfer the personal data to any partners of their own without receiving first the informed consent of the data subject.
II. Information of the data subject
- Identity of the personal data recipient: the data subject must, on the collection form, easily identify the business partners with whom the personal data will be shared:
- The list of business partners must be exhaustive: therefore, if the list is too long to be displayed on the collection form, a link may be inserted to the list of partners together with a link to their privacy policies.
- Such list must be kept up to date: from a practical standpoint, this may be done at two levels: (i) through each marketing email or communication sent from the organization which is at the origin of the personal data collection which may include an updated list of partners that the data subjects can consult and (ii) any new business partner receiving the personal data, must in its first communication to the data subject and no later than one month from the time it receives the personal data, inform him/her about the processing it will carry out with his/her data.
- In any case, the information must include:
- the name of the organization which is at the origin of the personal data collection and transmission;
- the list of data subjects’ rights and more precisely the right to object to receive marketing communication from the new partner;
- Data subjects’ rights: Partners must, in their first communication to the data subject, indicate the way in which he/she can exercise his/her rights (and in particular the right to object) along with the source of the data. In this respect, the right to object can be exercised:
- either with the new partner or;
- with the organization that initially collected the personal data, which will then have to relay such decision to all the partners who received the personal data concerned.
The guidance published by the CNIL is in the continuity of its former position and follows the trend initiated with the GDPR towards more protection for data subjects by ensuring that they are properly informed of the life cycle of their data and are able to control it. This guidance aims at giving data subjects more empowerment over their personal data.