On January 12, 2022, the French Data Protection Authority (CNIL) issued guidance (available in French only) that sets out the conditions for processors to reuse the personal data entrusted by controllers for their own purposes. The CNIL notably refers to a scenario where a processor wants to reuse the personal data “to improve its services or products or to develop new services and products.”
#1: What conditions must be met?
The conditions are particularly burdensome for the initial controller, which must:
- Conduct a case-by-case compatibility test to assess whether the purpose for further processing is compatible with the purpose for which the personal data was initially collected, to the extent that consent was not the legal basis used for the initial purpose. In this respect, the CNIL recalls the conditions listed in Article 6(4) of the GDPR to conduct such a compatibility test (i.e., establish a link between the initial purpose for processing and the purpose for further processing).
- Provide a prior written authorization, which needs to be specific to the processor’s contemplated processing activities. The CNIL explicitly states that a prior and general authorization is not allowed.
- Inform the data subjects that their personal data will be further processed and note the purposes for those further processing activities, unless the parties agree that the processor will provide such notice.
By reusing the personal data, the processor then turns into a controller and needs to comply with all GDPR requirements applicable to controllers, such as identifying a legal basis for the processing activity, conducting a data protection impact assessment, sending notifications about personal data breaches, etc.
#2: What are the risks of noncompliance?
In case of noncompliance with these conditions, the risks lie primarily with the processor who turned into a controller.
Article 28.3(a) of the GDPR requires processors to act in accordance with the instructions of the initial controller. When a processor starts determining the purposes and means of the processing activity, Article 28(10) of the GDPR provides that the processor will be a controller in respect of that processing.
As a result, if the conditions for a lawful further processing by the ex-processor are not met, the processor would be considered in breach with the GDPR’s requirements applicable to controllers and could be subject to enforcement actions, including fines.
#3: How can processors mitigate the risks?
Some processors believe it will be extremely difficult to obtain an authorization from the initial controller, who typically is their customer, given the constraints for initial controllers (except in an intragroup context). As a result, the reuse of personal data by processors for their own purposes without complying with such conditions is risky. For a processor with a margin of negotiation, appropriate wording in the data processing agreement with the controller could help mitigate the risks.