CNIL Published Guidelines on Re-Use of Personal Data by Data Processors

On January 12, 2022, the French Data Protection Authority (the “CNIL”) published guidelines on the re-use of personal data by data processors for their own purposes (such as product improvement or the development of new products and services) under the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). This post outlines key takeaways from the Guidelines.

In the CNIL’s view, a data processor’s re-use of personal data for its own purposes results in the processor’s re-qualification as a data controller, and such re-use may be subject to sanctions (i.e., for failure to act on the instructions of the controller). However, the CNIL highlights the conditions under which such re-use may be lawful:

  • Compatibility Test. Conducting a compatibility test is required when a processor re-uses personal data received from the data controller for its own purpose and such processing does not rely on the individual’s consent or is not taking place to comply with EU or Member State law. The new controller must determine whether the purpose for further processing is compatible with the “original” purpose for which the data was collected. In doing so, the following may be taken into account: (1) whether there is a link between the original and further processing purpose; (2) the context in which personal data was collected, particularly the relationship between the data subjects and the data controller; (3) the nature of personal data and whether sensitive data is involved; (4) potential consequences of the further processing; and (5) whether safeguards are in place, such as encryption, pseudonymization or anonymization. If the conclusion of the compatibility test is negative, the data controller must prohibit the data processor from further processing the data. If, however, the test is conclusive of compatibility, the data controller may choose to give (or not) its approval to the data processor.
  • Prior and General Authorization Is Prohibited. The CNIL clarifies that the compatibility test must take place on a case-by-case basis, taking into account all of the circumstances of the processing – hence, a prior and general authorization of the data controller to the data processor is not valid.
  • Written Authorization. The data controller’s authorization must be given in writing (which also can be done electronically).

Furthermore, the Guidelines highlight the consequences of a data processor’s further processing:

  • In principle, the original data controller is responsible for informing the data subjects about the sharing of their personal data with another data controller for a new processing purpose. Data subjects must also be offered the possibility to object thereto. This obligation, however, can be left to the data processor contractually.
  • The new controller (i.e., ex-data processor) must ensure that the new processing activity complies with the GDPR. Among other things, the new controller will need to comply with the GDPR principles of purpose limitation (e.g., personal data must be collected for specified, explicit, and legitimate purposes, and not be processed further in a manner incompatible with those purposes) and lawfulness (i.e., the processing activities must rely on a valid legal basis).

View the CNIL’s guidelines (only available in French).
