In a deliberation dated January 31, 2024, the Commission Nationale de l’Informatique et des Libertés (CNIL for short), the French data protection authority (the equivalent of the Autorité de Protection des Données here in Belgium), provides some very useful reminders on the acquisition of data from brokers and, more generally, on commercial prospecting and the GDPR.
First of all, and contrary to popular belief, buying data from brokers is not prohibited by the GDPR. It must, however, meet strict conditions, particularly with regard to transparency.
Failure to comply with these legal obligations can result in severe penalties. In this case, FORIOU was fined €310,000.
📁 The facts behind the decision
In short, FORIOU carried out telephone prospecting (cold calling) of prospective customers.
To identify its prospects, FORIOU purchased data from brokers who regularly organized online games and competitions, as well as commercial promotions.
These brokers collect personal data through such operations and resell it, notably for commercial prospecting purposes.
The online questionnaires and participation forms did include the information notices required by the GDPR, but the CNIL considered, as it does for cookie banners in particular, that the way the information was presented (colors, text, layout, etc.) was highly debatable and that, to that extent, the consent obtained was not valid.
Here is an example of a form that does not validly collect personal data:
In short, the design of the forms used by the data brokers did not obtain users’ informed consent, as the GDPR requires.
As a result, FORIOU had no legal basis for prospecting these individuals.
As a reminder, there are several possible (but not unlimited) legal bases: consent, legitimate interest and performance of a contract, for example.
In this case, the CNIL rejected consent as a legal basis, considering that it had not been validly obtained from the data subjects.
📝 A contract is fine, but it has to be effective in practice
Another interesting point in this decision concerns the contractual aspect.
FORIOU argued that it had a valid contract with the data broker.
However, the CNIL considered that even if FORIOU had imposed certain contractual requirements on its data suppliers upstream, it had not effectively verified downstream that those requirements were actually met.
🔎 What’s in it for me?
First of all, identify and validate the legal basis for each data processing operation (consent, legitimate interest, performance of a contract, etc.). This is usually documented in the record of processing activities (the processing register).
Next, make sure that the data transfer is actually covered by a contract, and that the contract is applied in practice. As a data controller, you need to go beyond the contract itself and check that your partner actually complies with it, for instance by reviewing how the data was collected.
Finally, in terms of transparency, ensure that the color scheme, text, font, use of buttons, etc. respect the principle of transparency and do not nudge the user towards consenting.
Do you have any doubts about the legality of your processing?