Privacy & Information Security Law Blog

On December 28, 2018, the French Data Protection Authority (the “CNIL”) published guidance regarding the conditions to be met by organizations in order to lawfully share personal data with business partners or other third parties, such as data brokers. The guidance focused, in particular, on such a scenario in the context of the EU General Data Protection Regulation (“GDPR”). The CNIL guidance sets forth the 5 following conditions:

• Prior consent: Organizations must seek the individual’s consent prior to sharing personal data with the organization’s partners.
• Identification of the partners: The data collection form must provide notice of the particular partner(s) who may receive the personal data. According to the CNIL guidance, the organization that first collects the data may either (1) publish an exhaustive and regularly updated list of partners directly on the data collection form, or (2) insert a link to that list on the form, together with a link to the partners’ privacy policies.
• Notification of changes to the list of partners: Individuals must be informed of any updates to the list of partners and, in particular, of the fact that their personal data may be shared with new partners. This information may be provided on two “levels”: (1) each marketing message sent by the organization that collects the data must provide an up-to-date list of partners (see above); and (2) each new partner receiving an individual’s data must inform the individual, in its first communication to the data subject, of such processing. (See last bullet point below.)
• Limit to further sharing without consent: The partners may not share the personal data with their own partners without seeking the individual’s informed consent.
• Notice to be provided by the partners at the time of the first communication to the individual: The partners who process the personal data to send their own marketing communications must inform the concerned individuals of the source from which the data originates (by providing the name of the organization who shared the data with them), and how the individuals may exercise their data protection rights, in particular, their right to object to the processing of their personal data for direct marketing purposes. The CNIL guidance states that individuals may exercise their right to object either directly by contacting the partner, or by contacting the organization who first collected the data. That organization is required to pass the objection on to its partners who received that individual’s data