Following a sanction decision in November 2022 relating to the use for marketing by email, of a list purchased from a data broker, the CNIL (France’s Commission Nationale de l’Informatique et des Libertés)  deemed it useful to remind on December 5, 2022 the rules applying to transfers customer lists.

The acquisition of such files allows the purchaser to have contact details to carry out commercial marketing communications. Because such a file contains personal data, its transfer must comply with the EU General Data Protection Regulation (GDPR).

Requirements relating to the customers’ list

Only lists that have been created from the outset in compliance with the regulations can be sold or transferred.

  • The list should only contain active customer data. In application of CNIL recommendations, the data may be kept for up to three (3) years after the end of the commercial relationship (or the last contact). Customer data that is only retained for administrative purposes (accounting, litigation, etc.) should not be transmitted.
  • The list shall not contain data of data subjects (i) who have objected to the transmission of their data for marketing by post or telephone and/or (ii) who have not consented to the transmission of data for electronic marketing.

Obligations relating to the transmission

The conditions of transmission and remittance of data between the seller and the purchaser must be carried out in such a way as to guarantee the security and confidentiality of the data.

Obligation on the part of the purchaser of a client list

The purchaser must:

  • Inform the data subjects
    • Information must be provided as soon as possible (notably during the first contact with the data subject) and, at the latest, within one month of acquiring the list, unless the data subjects have already received the necessary information.
    • This information must include the source of the data, i.e., the name of the company behind the sale of the customer list.
  • Verify the existence of consent to electronic marketing and be able to demonstrate that he has the informed consent. There are two different types of situations:
    • At the time of the collection of consent, the identity of the purchaser already appeared in the list of companies to which the data would be transmitted for marketing by electronic means, in this case the purchaser can directly canvass the persons who have consented to the transmission of their data for these purposes.
    • The identity of the purchaser was not known, and he must collect the consent of the persons concerned before any marketing actions.
  • Ensure that each marketing communication must allow recipients to express their refusal to receive new communications.
  • More generally, comply with all the obligations imposed by the GDPR (data retention periods, data security, respect for the right of access, the right to erasure, etc.)

The CNIL’s sanction decision in November 2022 notes the non-compliance with a certain number of the above rules as well as the lack of audit by the acquirer of the data broker’s methods. The high amount of the sanction (EUR 600K) demonstrates the importance it attaches to this type of subject.