On January 12, 2022, the French regulator CNIL published guidelines on the further use, by processors, of personal data entrusted to them by a controller (“Sous-traitants : la réutilisation de données confiées par un responsable de traitement”).
The CNIL starts from the principle that processors must process personal data only on the documented instructions of the controller, not for their own purposes or on their own initiative (subject to legal obligations that require different processing). Otherwise, the processor becomes a controller itself, with the corresponding liability and sanction risks.
However, processors often have an understandable need to keep and use the data entrusted to them for their own purposes as well, especially for IT services based on some form of machine learning. The controller may permit such use under certain conditions; at the same time, the processor depends on this consent.
This is where the CNIL comes in: according to the CNIL, the controller would have to proceed as follows:
- Compatibility test: To the extent that the further use by the processor serves a purpose different from the one that justified the original collection, the controller must check whether this new purpose is compatible with the original purpose (unless the data subject has consented to the processing for the new purpose or the further processing is exceptionally required by law). The CNIL explains the criteria of this compatibility test and gives the following example (translation by DeepL):

> A processor wants to reuse data to improve its cloud computing services. This reuse could be considered compatible with the original processing, subject to appropriate guarantees such as anonymization of the data where identifying data are not necessary. In contrast, further use for commercial advertising purposes would pass the “compatibility test” only with difficulty.
- No generic approval in advance: The compatibility test must be carried out specifically for a particular processing operation. A prior, general authorization for further use is therefore not lawful.
- Writing: The approval must be given in writing (electronic form is also acceptable).
- Information: The original controller must inform the data subjects and, in particular, indicate whether they may object to the further processing. However, the duty to inform may also be delegated to the new controller (i.e. the processor).
- Legality: The new controller must ensure that its processing complies with the applicable rules.