May the pro­ces­sor pro­cess data for its own purposes?

From mar­ke­ting cam­pai­gns to soft­ware for per­son­nel and cus­to­mer manage­ment, from paper and file shred­ding to out­sour­cing the data cent­re to a cloud pro­vi­der – almost all com­pa­nies use exter­nal ser­vice pro­vi­ders for their dai­ly tasks. In terms of data pro­tec­tion law, the­se pro­vi­ders are usual­ly pro­ces­sors, which is why the strict pro­vi­si­ons of Arti­cle 28 of the GDPR must be com­plied with and a pro­ces­sing con­tract must be con­clu­ded with bin­ding spe­ci­fi­ca­ti­ons. One of the core pro­vi­si­ons here is that data may only be pro­ces­sed by the pro­ces­sor on the basis of docu­men­ted inst­ruc­tions from the con­trol­ler and that the pro­ces­sor may not use the data for its own purposes.

Howe­ver, this princip­le is in ten­si­on with the inte­rests of the pro­ces­sor, who would usual­ly like to use the data for its own pur­po­ses, for examp­le, to impro­ve the ser­vices or pro­ducts it offers or to design new ser­vices. The­re­fo­re, excep­ti­ons to the abo­ve princip­le may be made sub­ject to com­pli­an­ce with cer­tain pre­re­qui­si­tes. Based on gui­d­ance on this issue publis­hed (only in French) by the French data pro­tec­tion super­vi­so­ry aut­ho­ri­ty Com­mis­si­on Natio­na­le de l’In­for­ma­tique et des Liber­tés (CNIL), we take the oppor­tu­ni­ty to look at the pre­re­qui­si­tes and con­di­ti­ons for fur­ther pro­ces­sing that must be com­plied with in this context.

1. Writ­ten per­mis­si­on from the controller

The basic pre­re­qui­si­te for fur­ther pro­ces­sing, i.e. the fur­ther use of data by a pro­ces­sor for its own pur­po­ses, is per­mis­si­on from the con­trol­ler. The lat­ter must care­ful­ly exami­ne whe­ther fur­ther pro­ces­sing is com­pa­ti­ble with the pur­po­se for which the data were ori­gi­nal­ly collected.

Accord­ing to the CNIL, the fol­lowing aspects must be taken into account:

  • It must be che­cked whe­ther the­re is a cor­re­spon­dence bet­ween the pur­po­ses for which the per­so­nal data were collec­ted and the pur­po­ses of the inten­ded fur­ther processing.
  • Con­si­de­ra­ti­on must also be given to the con­text in which the per­so­nal data were collec­ted, par­ti­cu­lar­ly with regard to the rela­ti­ons­hip bet­ween the data sub­jects and the controller.
  • The type of per­so­nal data is also important, espe­cial­ly if the data are sen­si­ti­ve data (e.g. health data) or per­so­nal data about cri­mi­nal con­vic­tions and offenses.
  • The con­se­quen­ces for the data sub­jects of the plan­ned fur­ther pro­ces­sing must also be weighed.
  • Final­ly, it must also be che­cked whe­ther sui­ta­ble safe­guards (e.g. encryp­ti­on or pseud­ony­mi­sa­ti­on) are in place.

For examp­le, CNIL men­ti­ons a pro­ces­sor that wants to reu­se data for the pur­po­se of impro­ving its cloud com­pu­ting ser­vices. Pro­vi­ded that appro­pria­te safe­guards, such as anony­mi­sa­ti­on of the data in the best case, are in place, the fur­ther use might be con­si­de­red com­pa­ti­ble with the ori­gi­nal pro­ces­sing. The use of the data by the pro­ces­sor for the pur­po­se of com­mer­cial adver­ti­sing, on the other hand, is gene­ral­ly not com­pa­ti­ble with the ori­gi­nal pur­po­ses. In this case, the con­trol­ler may not give con­sent for fur­ther use.

In its handout, the CNIL men­ti­ons two other con­di­ti­ons regar­ding the per­mis­si­on of the con­trol­ler: On the one hand, sin­ce an exami­na­ti­on in this regard must be car­ri­ed out for each spe­ci­fic case, no pri­or or gene­ral aut­ho­ri­sa­ti­on for the fur­ther use of data may be gran­ted. On the other, sin­ce the GDPR requi­res a con­tract or other writ­ten legal act, the respec­ti­ve aut­ho­ri­sa­ti­on must be gran­ted in writing.

2. Informing the data subjects

In princip­le, the pre­vious con­trol­ler has to inform the data sub­jects about the trans­fer of the data to a new con­trol­ler. In par­ti­cu­lar, the infor­ma­ti­on must also con­tain details of whe­ther it is pos­si­ble for the data sub­ject to oppo­se dis­clo­sure. Howe­ver, if the pro­ces­sor alrea­dy has the con­ta­ct details of the data sub­jects, the con­trol­ler may also ent­rust the pro­ces­sor with this task.

3. Com­pli­an­ce by the pro­ces­sor with the legal requirements

As the new con­trol­ler in the terms of the GDPR, it is sub­se­quent­ly the respon­si­bi­li­ty of the for­mer pro­ces­sor to pro­cess the data in accordance with the pro­vi­si­ons of law. In par­ti­cu­lar, the pro­ces­sor must:

  • ensu­re that fur­ther pro­ces­sing ser­ves a clear­ly defi­ned pur­po­se and is based on a legal basis appro­pria­te to that purpose;
  • inform the data sub­jects in accordance with the requi­re­ments of the GDPR;
  • com­ply with the princip­le of data mini­mi­sa­ti­on by means of appro­pria­te reten­ti­on peri­ods and dele­ti­on concepts;
  • allow the exer­cise of the various rights of the data sub­jects; and
  • take appro­pria­te tech­ni­cal and orga­ni­sa­tio­nal mea­su­res to ensu­re the secu­ri­ty of processing.

4. Deli­mi­ta­ti­on of own and joint responsibility

Over­all, when exami­ning fur­ther pro­ces­sing by the pro­ces­sor, care should also be taken to dis­tin­guish this from the processor’s own respon­si­bi­li­ty, as the bounda­ries are flu­id here even wit­hin a con­trac­tu­al rela­ti­ons­hip. For examp­le, the collec­tion of user tele­me­try data by the processor’s soft­ware is not com­mis­sio­ned pro­ces­sing, but is the processor’s own respon­si­bi­li­ty. In this con­text, with a view to the Euro­pean Court of Justice’s exten­si­ve legal rulings on joint and several lia­bi­li­ty, it must be exami­ned in detail whe­ther such joint and several lia­bi­li­ty can be con­si­de­red in the pre­sent case.

Sum­ma­ry

Fur­ther pro­ces­sing of data by the pro­ces­sor for its own pur­po­ses may only be car­ri­ed out in com­pli­an­ce with strict pre­re­qui­si­tes, but is by no means impos­si­ble. Howe­ver, both the con­trol­ler and the pro­ces­sor should inform them­sel­ves in advan­ce about the respec­ti­ve com­plex legal requi­re­ments and ensu­re a clear dis­tri­bu­ti­on of roles, espe­cial­ly when informing data sub­jects. In order to avoid errors during fur­ther pro­ces­sing that can lead to seve­re fines, legal exper­ti­se should be obtai­ned in cases of doubt.

back

Stay up-to-date

We use your e-mail address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.