Following the November 2022 authorization decision regarding the use of a list purchased by a data broker for email marketing, the CNIL (French National Committee for Information and Freedoms) assessed the importance of applying the rule to revoke the change on December 5, 2022. . Customer details.
Access to these cookies allows the buyer to access contact details for commercial marketing communications. As such files contain personal data, distribution must comply with the EU General Data Protection Regulation (GDPR).
Customer List Requirements
Lists created from scratch can only be sold or transferred in accordance with the rules.
The list should contain only active customer data. In implementing CNIL recommendations, data may be kept for three (3) years after the end of the business relationship (or last contact). Customer data stored only for administrative purposes (accounting, litigation, etc.) will not be transferred.
The list may not contain information on data subjects who (i) have objected to the transmission of their data for postal or telephone marketing and/or (ii) have not consented to the transmission of data for electronic marketing.
Transfer Obligation
The terms of information exchange and transfer between the seller and the buyer must be implemented in a way that guarantees the security and confidentiality of the information.
Buyer commitment from customer list
The buyer must do the following:
Notify data owners
The information must be provided as soon as possible (in particular when the data subject is contacted for the first time) and no later than one month after receiving the details, unless the data subject receives the necessary information.
This information must include the source of the information, the name of the company behind the sale to the customer list.
Make sure you can confirm that e-commerce consent and informed consent are available. There are two different types of layouts:
When consent is obtained, the buyer's identity appears electronically on the company's list of transactions, after which the buyer can pull individuals who have consented to the transfer directly from their records. For this purpose.
The identity of the buyer is not known and the consent of the persons involved must be obtained before any transaction.
Make sure any marketing communications allow recipients to choose whether they want to receive new communications.
Compliance with all obligations imposed by GDPR in general (data retention period, data protection, respect of right of access, right of erasure, etc.)
In November 2022, the CNIL's approval decision revealed non-compliance with various laws mentioned above, as well as a lack of auditing of buyers of data broker schemes. A large fine (€600,000) shows the importance of such cases.
© Copyright 2022 Squire Patton Boggs (US) LLP National Law Review, Volume XII, Issue 339