France: CNIL stipulates conditions for processor reuse of data entrusted by controller
The French data protection authority ('CNIL') published, on 12 January 2022, guidance on processor reuse of data entrusted by data controllers. In particular, CNIL highlighted that, under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), data processors processing personal data on behalf of the controller must only do so following the instructions of the data controller and cannot, in principle, use the data for their own account. However, CNIL noted that processors may often wish to reuse such data, for example with the aim of improving their services or products or designing new services and products, and that this is indeed possible in certain circumstances.
Specifically, CNIL highlighted that the data controller must authorise the processor to reuse the personal data for its own purposes, and may only do so when certain conditions are fulfilled. First of all, CNIL outlined that, when the processing is not based on the consent of the data subject or under EU or Member State law, the data controller must determine whether this further processing is compatible with the purpose for which the data was originally collected, taking into account a number of factors, including the possible existence of a link between the purposes for which the personal data were collected and the purposes of the further processing envisaged, and the adoption of suitable safeguards, such as encryption or pseudonymisation.
In addition, CNIL emphasised that this compatibility test is to be carried out for each individual envisaged further processing operation, and that prior and general authorisation to reuse data is not legal. Furthermore, CNIL noted that the authorisation of the controller must be in writing, including in electronic format, further specifying that the GDPR requires a contract or any other written legal act to regulate the processing carried out by a processor.
Moreover, CNIL highlighted that the reuse of data entails additional responsibilities under the GDPR, stipulating, among other things, that the initial controller must inform the data subjects of the transmission of data to a new controller, for a new purpose, as well as indicating whether it is possible to oppose it. Additionally, CNIL outlined that the processor will become the controller of the subsequent processing and, as such, is accountable for compliance of such processing with the GDPR.
You can read the guidance, only available in French, here.