May the processor process data for its own purposes?

From marketing campaigns to software for personnel and customer management, from paper and file shredding to outsourcing the data centre to a cloud provider – almost all companies use external service providers for their daily tasks. In terms of data protection law, these providers are usually processors, which is why the strict provisions of Article 28 of the GDPR must be complied with and a processing contract must be concluded with binding specifications. One of the core provisions here is that data may only be processed by the processor on the basis of documented instructions from the controller and that the processor may not use the data for its own purposes.

However, this principle is in tension with the interests of the processor, who would usually like to use the data for its own purposes, for example, to improve the services or products it offers or to design new services. Therefore, exceptions to the above principle may be made subject to compliance with certain prerequisites. Based on guidance on this issue published (only in French) by the French data protection supervisory authority Commission Nationale de l’Informatique et des Libertés (CNIL), we take the opportunity to look at the prerequisites and conditions for further processing that must be complied with in this context.

1. Written permission from the controller

The basic prerequisite for further processing, i.e. the further use of data by a processor for its own purposes, is permission from the controller. The latter must carefully examine whether further processing is compatible with the purpose for which the data were originally collected.

According to the CNIL, the following aspects must be taken into account:

  • It must be checked whether there is a correspondence between the purposes for which the personal data were collected and the purposes of the intended further processing.
  • Consideration must also be given to the context in which the personal data were collected, particularly with regard to the relationship between the data subjects and the controller.
  • The type of personal data is also important, especially if the data are sensitive data (e.g. health data) or personal data about criminal convictions and offenses.
  • The consequences for the data subjects of the planned further processing must also be weighed.
  • Finally, it must also be checked whether suitable safeguards (e.g. encryption or pseudonymisation) are in place.

For example, CNIL mentions a processor that wants to reuse data for the purpose of improving its cloud computing services. Provided that appropriate safeguards, such as anonymisation of the data in the best case, are in place, the further use might be considered compatible with the original processing. The use of the data by the processor for the purpose of commercial advertising, on the other hand, is generally not compatible with the original purposes. In this case, the controller may not give consent for further use.

In its handout, the CNIL mentions two other conditions regarding the permission of the controller: On the one hand, since an examination in this regard must be carried out for each specific case, no prior or general authorisation for the further use of data may be granted. On the other, since the GDPR requires a contract or other written legal act, the respective authorisation must be granted in writing.

2. Informing the data subjects

In principle, the previous controller has to inform the data subjects about the transfer of the data to a new controller. In particular, the information must also contain details of whether it is possible for the data subject to oppose disclosure. However, if the processor already has the contact details of the data subjects, the controller may also entrust the processor with this task.

3. Compliance by the processor with the legal requirements

As the new controller in the terms of the GDPR, it is subsequently the responsibility of the former processor to process the data in accordance with the provisions of law. In particular, the processor must:

  • ensure that further processing serves a clearly defined purpose and is based on a legal basis appropriate to that purpose;
  • inform the data subjects in accordance with the requirements of the GDPR;
  • comply with the principle of data minimisation by means of appropriate retention periods and deletion concepts;
  • allow the exercise of the various rights of the data subjects; and
  • take appropriate technical and organisational measures to ensure the security of processing.

4. Delimitation of own and joint responsibility

Overall, when examining further processing by the processor, care should also be taken to distinguish this from the processor’s own responsibility, as the boundaries are fluid here even within a contractual relationship. For example, the collection of user telemetry data by the processor’s software is not commissioned processing, but is the processor’s own responsibility. In this context, with a view to the European Court of Justice’s extensive legal rulings on joint and several liability, it must be examined in detail whether such joint and several liability can be considered in the present case.


Further processing of data by the processor for its own purposes may only be carried out in compliance with strict prerequisites, but is by no means impossible. However, both the controller and the processor should inform themselves in advance about the respective complex legal requirements and ensure a clear distribution of roles, especially when informing data subjects. In order to avoid errors during further processing that can lead to severe fines, legal expertise should be obtained in cases of doubt.

