Can processors re-use personal data for their own purposes? A view from France.

By Jade Kowalski, Christophe Wucher-North, Christopher Air & Alexander Dimitrov

Published 26 January 2022

Overview

Against a backdrop of stringent data protection law introduced over recent years, we are continuing to witness the emergence of innovative technology solutions which heavily rely on the use of data, and the associated need for the suppliers of these solutions to use such data to develop and improve the accuracy of these solutions. When delivering such solutions to customers and using personal data provided by a customer, suppliers are typically categorised as data processors (with the customer being the controller).

We are also seeing a growing pressure from processors to have greater rights in respect of using personal data provided by a customer, in particular to use such data to improve their own solutions – but how far can processors go when doing this without running into the regulatory problems associated with turning themselves into a controller?

Whilst the law does not permit processors to re-use such data, new guidance (the “Guidance”) from the French Data Protection Authority, the Commission nationale de l'informatique et des libertés (“CNIL”), published on 12 January 2022 [1], indicates that there is growing sympathy from the regulators that this is not an unreasonable or unrealistic prospect.

Background

Under Article 28(3)(a) of the EU GDPR and the UK GDPR (jointly referred to throughout this article as the “GDPR”) a processor’s processing of personal data is only permissible under documented instructions from a controller. If a processor itself determines the purposes and means of processing, i.e. where it processes personal data on its own initiative and for a separate purpose, the processor will be considered a controller in relation to that processing and could find itself in breach of the GDPR if it fails to comply with obligations imposed on a controller.

However, under the CNIL’s Guidance, a controller may, under the strict conditions described below, authorise its processor to re-use the personal data for its own purposes. The Guidance addresses the requirements to be met before such authorisation is given and provides further clarity on the subsequent obligations of the parties. This article summarises the key points from the Guidance.

Conditions for giving authorisation

Applicable lawful bases

Under the Guidance, re-use of the data by a processor for its own purpose constitutes so-called "subsequent" processing, i.e. processing that follows the collection operation and has a purpose different from that justifying the initial collection.

Accordingly, a controller assessing whether to authorise the processing for a different purpose must determine whether such further processing is compatible with the purpose for which the data was originally collected (the “Compatibility Test”). Consequently, authorisation cannot be given where the original processing is based on the consent of the data subject or is mandated by EU or domestic law.

The Compatibility Test

In its Guidance, the CNIL provides a list of the key factors for controllers to take into account when carrying out the Compatibility Test. These include:

  • the possible existence of a link between the purposes for which the personal data was collected and the purposes of the envisaged further processing;
  • the context in which the personal data was collected, in particular with regard to the relationship between the data subjects and the controller;
  • the nature of the personal data, in particular whether the processing relates to “special categories of personal data” within the meaning of Article 9 GDPR or “criminal offence data” within the meaning of Article 10 GDPR;
  • the possible consequences of the envisaged further processing for the data subjects; and
  • the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If, following the controller’s assessment, the Compatibility Test is not met, the controller must refuse to give permission for the re-use of the data. If the test is met, the controller is free, but not obliged, to consent to the re-use of the data.

The Guidance gives the example of a processor who wants to re-use personal data for the purpose of improving its cloud computing services. This re-use could be considered compatible with the initial processing, subject to appropriate safeguards such as anonymisation. However, if the processor required the data for commercial gain or marketing activities, it would be unlikely that the Compatibility Test would be satisfied.

No general authorisation

The CNIL makes clear that the Compatibility Test must be carried out for each specific processing activity, taking into account the purposes and characteristics of each processing for which the processor wishes to re-use the data. Therefore, a general authorisation is not permitted.

Authorisation must be in writing

The Guidance stipulates that the Article 28(3) GDPR requirement for all processing activities to be governed by a contract or other legal act applies to the authorisation process. Therefore, this process must be documented in writing.

Post-authorisation obligations

Informing the data subjects

The CNIL recommends that where authorisation for the re-use of the data has been granted, the original controller is the entity which informs the data subjects of the processing and, if applicable, their right to object. However, the Guidance further provides that where the processor already holds the contact details of the data subjects, the original controller may delegate this task to the processor.

Compliance with GDPR controller obligations

Up until this point, the Guidance is likely to have been particularly welcomed by processors. However, its conclusion, whilst not surprising, will dampen spirits somewhat.

If, following the Compatibility Test, the controller provides authorisation to the processor to re-use the data for its own purpose, the processor will be considered a controller over the data in relation to this processing. Accordingly, it will (in its new controller role) have to comply with certain GDPR obligations which did not apply to its original role as processor. In particular, it must:

  • provide data subjects, subject to applicable exceptions, with information about the indirect collection of their data under Article 13 GDPR;
  • define an adequate data retention period in compliance with Article 5(1)(e) GDPR;
  • collect only the data necessary to meet the purpose set at the outset in accordance with Article 5(1)(c) GDPR;
  • allow the exercise of the various other data subject rights in Articles 14 to 23 GDPR; and
  • put in place appropriate security measures to ensure compliance with Article 32 GDPR.

Practical implications and view from the UK

The Guidance is useful in setting out a process for parties to follow where a processor is permitted to further process personal data for its own purposes. However, in our view, it is unlikely to go as far as many processors would want, i.e. allowing them to continue to be categorised as a processor (or at least not have all of the controller’s obligations apply) notwithstanding the fact that they are using the personal data provided by the customer outside of directly providing a service to the customer. For the time being, therefore, processors will need to consider their obligations as controllers if they are to use customer data for anything other than delivering the service to their customers.

Whilst the Guidance is not binding in the UK, we expect the Information Commissioner’s Office to consider the views of its counterparts as and when it forms its own opinion on the same topic.

[1] Available at https://www.cnil.fr/fr/sous-traitants-la-reutilisation-de-donnees-confiees-par-un-responsable-de-traitement (in French only)