February 5, 2023

Volume XIII, Number 36


February 03, 2023


CNIL Reminds the Rules Applying to Purchase of Customers’ Lists for Marketing Use

Following a sanction decision in November 2022 relating to the use, for email marketing, of a list purchased from a data broker, the CNIL (France’s Commission Nationale de l’Informatique et des Libertés) deemed it useful to issue, on December 5, 2022, a reminder of the rules applying to transfers of customer lists.

The acquisition of such files allows the purchaser to have contact details to carry out commercial marketing communications. Because such a file contains personal data, its transfer must comply with the EU General Data Protection Regulation (GDPR).

Requirements relating to the customers’ list

Only lists that have been created from the outset in compliance with the regulations can be sold or transferred.

  • The list should only contain active customer data. In application of CNIL recommendations, the data may be kept for up to three (3) years after the end of the commercial relationship (or the last contact). Customer data that is only retained for administrative purposes (accounting, litigation, etc.) should not be transmitted.

  • The list shall not contain data of data subjects (i) who have objected to the transmission of their data for marketing by post or telephone and/or (ii) who have not consented to the transmission of data for electronic marketing.

Obligations relating to the transmission

The conditions of transmission and remittance of data between the seller and the purchaser must be carried out in such a way as to guarantee the security and confidentiality of the data.

Obligation on the part of the purchaser of a client list

The purchaser must:

  • Inform the data subjects

    • Information must be provided as soon as possible (notably during the first contact with the data subject) and, at the latest, within one month of acquiring the list, unless the data subjects have already received the necessary information.

    • This information must include the source of the data, i.e., the name of the company behind the sale of the customer list.

  • Verify the existence of consent to electronic marketing and be able to demonstrate that informed consent was obtained. There are two different types of situations:

    • At the time of the collection of consent, the identity of the purchaser already appeared in the list of companies to which the data would be transmitted for marketing by electronic means. In this case, the purchaser can directly canvass the persons who have consented to the transmission of their data for these purposes.

    • The identity of the purchaser was not known at that time. In this case, the purchaser must collect the consent of the persons concerned before any marketing actions.

  • Ensure that each marketing communication allows recipients to express their refusal to receive new communications.

  • More generally, comply with all the obligations imposed by the GDPR (data retention periods, data security, respect for the right of access, the right to erasure, etc.)

The CNIL’s sanction decision in November 2022 notes the non-compliance with a certain number of the above rules as well as the lack of audit by the acquirer of the data broker’s methods. The high amount of the sanction (EUR 600K) demonstrates the importance the CNIL attaches to this type of subject.

© Copyright 2023 Squire Patton Boggs (US) LLP
National Law Review, Volume XII, Number 339

About this Author

Stephanie Faber International Business Attorney Squire Patton Boggs Paris, France
Of Counsel

Stephanie Faber heads the Data Privacy & Cybersecurity Practice and the Intellectual Property & Technology Practice in the Paris office. She specialises in international business law, with more than 20 years of experience. Her legal practice encompasses business transactions and operations, as well as regulatory and compliance work.

In relation to the Data Privacy & Cybersecurity Practice, Stephanie advises on:

  • GDPR gap assessment and compliance programs
  • Data breach management and notification
  • Database creation, international...
33 1-5383-7400