Prospecting file and GDPR: 3 steps not to be missed!

With the development of Big Data, the data generated by browsing networks, subscribing to online contracts, or using software solutions has become essential for all organizations.

Oriana Labruyère

The consulting firm Oriana Labruyère & Co assists its clients with the challenges of digital law, from compliance to crisis management. Its founder, Oriana Labruyère, is an experienced lawyer. She strives to provide concrete answers to the specific operational and legal constraints of each client. Furthermore, in partnership with the audit and risk management firm MitiRisk & Co, Oriana Labruyère & Co runs a blog called "La Robe Numérique" [The Digital Dress], which features podcasts, legal news, and webinars on new technologies.

Presented as the inexhaustible “black gold” of the digital economy, data is essential for commercial innovation, in particular to optimize solutions and to study individual or collective behaviors such as consumption habits.

As such, data is the subject of many transactions by the organizations that collect it. Sellers, service providers, and publishers of websites or software solutions are therefore likely to want to exploit it in order to increase its value and make their databases profitable.

It is therefore common to find files containing contact information on the market for purchase or rental. The interest for the renter or buyer is simple: to enlarge their base of information and potential customers.

Before any exploitation of this type of database, at least the following checks are necessary:

1/ Determine the nature of the data concerned

In the context of customer prospecting data, the nature of the data may be varied. This may include contact data such as first and last names, telephone number, addresses (email, postal, etc.) and profile data such as age range, interests, occupation or gender. It is also possible to find data related to consumption habits.

By way of illustration, a file consisting of customer data that combines contact details, technical information and consumption data is identified by the French Competition Authority as a file containing personal data. However, as soon as data relates to an identified or identifiable natural person, its legal regime is governed by Regulation (EU) 2016/679 of 27 April 2016, known as the European Regulation on the Protection of Personal Data or “GDPR”, and Law No. 78-17 of 6 January 1978, known as the “Data Protection Act”.

On the other hand, these regulations do not apply if the data relates only to legal persons, such as generic “contact@société.fr” e-mail addresses.

Beyond the content, it is therefore necessary to define the objective pursued by this file.

2/ Obtain consent for the commercial purpose

When an organization solicits its customers or prospects, it is essential that they [customers or prospects] understand what the organization does with their data. Only on this condition can they validly consent to communicating their data to you. This principle of information is the necessary prerequisite before exploiting the data in the case of customer/prospect files.

Depending on the business relationship that the organization has with them, it is necessary to distinguish whether the persons targeted are customers or prospects. It is also necessary to identify the typology of persons: are they consumers or professionals acting in the context of their commercial, industrial, artisanal, liberal or agricultural activities?

Obviously, the organization must obtain the prior and unequivocal consent of prospects/consumer customers to receive commercial solicitations. This agreement must be obtained prior to the processing and therefore at the time of data collection. As such, it must not be obtained through but in a free and explicit way.

An exception exists, however, for the consumer who has already used the goods or services of the organization. In this case, the organization may send commercial solicitations for products and/or services similar to those previously subscribed to. Since the consumer has already been informed of the purpose, it is sufficient to give them the opportunity to object to receiving this type of communication.

In practice, it is recommended to set up a preference center and ensure the proper functioning of the unsubscribe link in all communications.

In the context of a B to B relationship, the solicitation must be related to the profession of the persons concerned. The organization must inform prospects / customers of the processing of their data for prospecting purposes and put them in a position to object to this use. However, the consent of the data subject prior to sending such messages is not required.

To distribute this type of file, free of charge or for a fee, to third parties so that they can carry out commercial prospecting operations by electronic means (email or SMS), the organization, at the time of data collection, must carry out the following operations:

  • Inform its customers/prospects about the transmission of their data to partners;
  • Collect explicit consent to the transmission of data to its partners;
  • Communicate the list of partners and notify, if necessary, the update of this list when there are new partners.

In parallel, in the relationship with its partners, it is necessary to govern the provision of data by contract. In this way, the organization defines the scope of the data processing, its purposes and the limits of the processing that may be considered with regard to the consents collected.

3/ Contract the assignment or rental of the database

It is important to remind each partner of their duties towards natural persons. Indeed, the fact that the database was lawfully constituted is not sufficient to exempt the partners from their obligations. They must also inform people at the time of their first communication, indicating to them:

  • how to exercise their rights, in particular so that they can simply and effectively withdraw their consent;
  • where the data used comes from.

On the other hand, if you plan to acquire a customer / prospects file, you must ensure that the seller has collected the consent of the people whose data is contained in the file for the purpose you are pursuing.

Great vigilance is required when you are the purchaser of this type of database, because the consent given by the person only applies to the partners on the list communicated at the time that consent was collected.

Trade in this type of database is common, and the opportunity to use one must not override the obligations of the parties to the contract. Otherwise, beyond the reputational damage associated with scandals on this subject, penalties are incurred: at the administrative level, a fine from the CNIL; at the criminal level, a prison sentence and a fine; and at the civil level, an award of damages to the persons concerned.

Finally, a contract concluded in violation of the legal requirements would undoubtedly be null and void and could not be the subject of trade. In other words, the purchaser could request reimbursement of the sums paid.