To Lex4u Digital
Lex4u Law Firm sur fond transparent

7 March 2024

⚠️ GDPR and commercial prospecting: data purchase, yes but be careful !


Associate lawyer

Dark mode

In a deliberation dated January 31, 2024, the Commission Nationale de l’Informatique et des Libertés (in short CNILthe French data protection authority (the equivalent of the Autorité de Protection des Données here in Belgium) provides some very useful reminders in the context of thedata acquisition with brokers and, more generally, on the commercial prospecting and the GDPR.

First of all, and contrary to popular belief, buying data from brokers is not prohibited by the GDPR. However, it must meet strict conditions, particularly with regard to transparency.

Failure to comply with these legal obligations can result in severe penalties. In this case, FORIOU was fined €310,000.

In short, FORIOU was involved in cold calling prospective customers.

To identify its prospects, FORIOU purchased from brokers who regularly organized Internet games and competitions, as well as commercial promotions.

These brokers collect personal data and resell it, notably for commercial prospecting purposes.

These online questionnaires and participation forms did indeed include various mandatory information related to the GDPR but the CNIL considered, as it does in terms of cookies in particular, that the way the information was presented (colors, text, etc.) was highly debatable and that to this extent, the consent was not valid.

Here is an example of a form that does not validly collect personal data :

Contest entry form does not validly collect the participant's consent in accordance with GDPR obligations in the context of commercial prospecting

In short, the appearance of the forms used by data brokers fails to collect users’ informed consent, in line with legal obligations linked to the GDPR.

As a result, FORIOU had no legal basis for prospecting its clientele.

As a reminder, there are several possible (but not unlimited) legal bases : consent, legitimate interest, performance of a contract, for example.

In this case, the CNIL rejected the legal basis for consent, considering that it had not been validly collected from the persons concerned.

Another interesting point in this decision concerns the contractual aspect.

The FORIOU company argued that it had a valid contract with the data broker.

However, it was considered that even if FORIOU had imposed certain contractual requirements on its data suppliers upstream, there was no effective control of these requirements downstream.

First of all, identify and validate the legal basis for data processing (consent, legitimate interest, performance of a contract, etc.). This is usually done in the processing register.

Next, we need to make sure that the data transfer is actually contracted for, and that the contract is put into practice. As a data controller, you need to go beyond the contract and ensure that your partner complies with it in practice.

Finally, in terms of transparency, ensure that the color scheme, text, font, use of buttons, etc. respect the principles of transparency and avoid influencing the user.

Do you have any doubts about the legality of your processing ?

Read the CNIL decision here

Did you like this article ? Consult the author :

Photo of Frédéric DECHAMPS, lawyer and founder of LEX4U

Other news

6 May 2024
The general terms of use of your website are not mandatory, but they are certainly very useful ...
1 May 2024
“Is my website in legal compliance ?” This is a question we are often asked. And rightly ...
13 December 2023
🤖 Artificial Intelligence and the European Union: Towards an era of strict regulation
The European Union has finalized a landmark agreement on the regulation of artificial intelligence (AI) after three ...
14 November 2023
Recently, the legislature adopted the law of May 4, 2023 , amending certain aspects of consumer debt ...

Contactez-nous pour obtenir l'audit gratuit de votre site web

Nous traiterons vos données conformément à notre politique de confidentialité que vous pouvez consulter ici.


Nous traiterons vos données conformément à notre politique de confidentialité que vous pouvez consulter ici.