Companies hold vast amounts of personal information about their employees, customers, clients, and partners. Sharing this personal data with third-parties, where not required by law, has raised serious concerns in relation to consumer trust and confidence. It was only after the massive revelations about data abuses from the marketing industry that the need for strict compliance with data protection law became visible as well. Until recently, data sharing with third-parties, such as business partners, data brokers, marketers, credit reference agencies, and web trackers has not been scrutinised under data protection law.
As explained in detail in the complaint filed by Privacy International with data protection authorities in France, Ireland, and the United Kingdom against seven data brokers, data sharing with third-parties must respect all the data protection principles and provisions. One month later, on 28 December 2018, the French Data Protection Authority (CNIL) published guidance on the necessary conditions for data sharing with third-parties. The CNIL provides practical advice on the necessary conditions to be followed when disclosing personal data to third-parties, namely data brokers, reflecting on the GDPR requirements. The General Data Protection Regulation (EU) 2016/679 (GDPR) sets higher standards for the sharing of personal data with third-parties and provides mechanisms addressing profiling and monitoring.
The CNIL suggests adherence to the following 5 conditions:
Prior to data processing, organisations should obtain freely given, specific, informed and unambiguous consent from data subjects.
- Identification of third-parties
Data subjects should be made fully aware of the sharing of their data with third parties. The CNIL advises that data controllers could either include all third-parties in an exhaustive privacy notice, but periodically updated, or insert a link in this notice and redirect individuals to the list with the third-parties and their own privacy policies.
- Notification of new data recipients
Data controllers should regularly inform data subjects about any new third-parties and data sharing during the lifecycle of personal data. This obligation to inform lies either with the original data controller or the new recipient.
- Consent restrictions
Under the GDPR, consent must be informed and specific. If data subjects have not been informed about third-parties prior to data processing and have not given their consent, the data recipients cannot further disclose the data to other third-parties.
- Data subjects’ rights
The information to be provided in accordance with Articles 12-14 GDPR should be given during the first communication with data subjects by the companies who process the personal data to send their own marketing communications. Regarding data subjects’ rights, data subjects could exercise the right to object directly by contacting either the data recipient (third-party) or the original data controller, who shared their data.
In addition to the above, we would advise both original data controllers and third-parties to review their policies on handling data subjects’ rights and requests. Such policies should be in place to facilitate –and not hinder- the assessment and satisfaction of subjects’ rights. Moreover, they should draw on the guidance issued by the Information Commissioner’s Office (ICO). The ICO is currently working on updating their data sharing code of practice, which was originally published in 2011.
Although data sharing with third-parties is not forbidden, it is heavily regulated under the GDPR. Organisations should review their practices and policies to ensure that the principles of data protection law, namely transparency and lawfulness, are respected, otherwise, they run the risk of being fined and suffering reputational damage. For example, we recently commented on the ICO decision to impose a £140,000 to on Emma’s Diary for illegally collecting and selling personal information belonging to more than one million people, other companies could find themselves subject to similar measures if they do not ensure compliance.
Does your organisation have the appropriate safeguards in place to protect personal data? Trilateral offers a range of services to help organisations assess and identify compliance gaps, establish best practices for ongoing compliance, and foster a data protection culture. For more information please refer to our list of services or get in touch with one of our advisors for support on your compliance journey.