What is the influence of the CNIL in commercial prospecting?
The General Data Protection Regulation, known as « GDPR », in force since May 25, 2018, is a European text aimed at regulating the processing of personal data on the territory of the European Union. It follows the amendment of the law relating to data processing, files and freedoms of 6 January 1978. The CNIL is the regulator. Cooperation with the CNIL in the processing of personal data in the context of commercial prospecting is mandatory. What is the CNIL and what is its impact on commercial prospecting?
What is the CNIL?
It is an independent administrative authority responsible for the protection of personal data in France. The CNIL or Commission nationale de l’informatique et des libertés carries out checks at the level of companies to verify the compliance of their actions with the GDPR. It ensures that digitalisation and digital technology do not infringe on human identity, privacy and individual freedom. The CNIL carries out its tasks in accordance with Law No. 78-17 of 6 January 1978 amended on 6 August 2004.
It has six main missions:
- Inform: it informs people about their obligations and rights.
- Regulate: it supports managers in their digital projects. It is solicited for all projects relating to the protection of personal data (bill, defense and public security). In order to ease the formalities for common requests, the CNIL has established simplified standards.
- Protect: it helps citizens in exercising their rights (access to files and data concerning them, receipt and investigation of complaints). She accompanies the data protection officers appointed by companies.
- Control: it controls computer processing in companies. It verifies respect for individual freedom, but also the security of the information system.
- Sanction: if it finds a breach of the provisions relating to the GDPR, after a formal notice, the CNIL can impose sanctions ranging from a fine to a legal measure (seized of the competent court, seized of the public prosecutor)
- Anticipate: it must be able to anticipate technological developments in order to assess the consequences on the exercise of rights and freedoms.
In commercial prospecting, the CNIL aims to protect the people approached.
Commercial prospecting and CNIL
In terms of commercial prospecting, the CNIL’s verifications are based on two main lines: the « free, specific, informed and unambiguous » consent of the persons to be canvassed and the respect of the right of opposition of the persons.
In this case, in general, the application of the GDPR and the existence of the CNIL does not change the rules on commercial prospecting. However, there are basic principles to respect:
- for individuals or BtoC canvassing can be done on the sole condition that the person has explicitly given his consent at the time of collection of personal data. The person must be able to object easily and free of charge.
- For professionals or BtoB, the manager must be informed in advance that his email address will be used for prospecting purposes. He also has a right to object. On the other hand, generic business addresses (contact details of legal entities) are not subject to the right of opposition. The subject of prospecting must remain in agreement with the profession of the person approached.
Sometimes this data is transmitted between business partners. The CNIL recalls that companies that carry out commercial prospecting on databases collected by another company must obtain the free and specific consent of Internet users before any canvassing.
Under these conditions, any organization that holds contact details and wishes to share them with other organizations in order to carry out prospecting, regardless of the channels used, must first comply with the following devices:
- The person must consent to their address being shared with others. But before that, it must be informed of the transmission and its purpose.
- The person can oppose it by a simple and free means. Concretely, the right to opposition must be materialized by a checkbox often accompanied by a message that stipulates this opposition.
- The person must have access to the list of partners receiving the data (visible on the form).
- The person must be aware of changes in the list. An updated exhaustive list must be visible directly on the form or via a link.
- The consent collected by the company collecting the data on behalf of its partners is only valid for the latter.
- The partners who solicit the persons must give them the right to object. They must also indicate the origin of their sources.
This information on the processing of personal data must be provided to the data subject.
Personal data cannot be transmitted outside the European Union (according to the European Directive of 24 October 1995) if the country of destination does not offer an appropriate level of protection. Some countries that are not members of the European Union have adopted similar laws recognized by member states (Monaco, Switzerland, …). Beyond Europe Canada, Australia, Senegal, …. are also endowed with equivalent authority. The United States, Japan … have, on the other hand, adopted legislation to guarantee it is the judicial courts that are responsible for sanctioning breaches.
The CNIL supervises commercial prospecting. It ensures a good practice of commercial canvassing by: verifying the nature and origin of the data; the supervision of the contract with subcontractors; and informing the persons concerned.