Data sharing for charities: guidance from CNIL
CNIL recently published guidance relating to data sharing for charities for the purposes of prospecting.
CNIL recently published guidance relating to data sharing for charities for the purposes of prospecting. According to CNIL, these guidelines are geared towards any association or foundation appealing to the generosity of the public to receive donations, which wishes to transmit the data files of its donors or contacts for the purposes of charitable or commercial prospecting. The applicable rules vary slightly depending on the objective of the reuse of the data; whether it be for charitable canvassing or commercial canvassing. This guidance is also geared towards commercial companies that sell or rent prospect files to charities for charitable prospecting.
Organisations collecting prospect data must inform them that their data may be transferred to other organisations for charitable prospecting.
The rules applied to prospecting for charitable purposes are a bit less strict than those governing commercial prospecting. An organisation can transmit the data of its donors or contacts to another organisation for charitable prospecting purposes, contingent upon basic conditions under the GDPR. This prospecting may be done by mail, phone calls or electronically. Electronic prospecting includes methods like using SMS, e-mails, or automated calls. Under the GDPR, the concerned parties (donors/contacts) must necessarily have been informed of the use of the data collected for charitable prospecting purposes at the time of the initial collection of their data by the association collecting their data and offering it to another. Data subjects must, at that time, be informed of the possible transmission of their data to partners for charitable prospecting purposes.
The use of prospect data for commercial prospecting must be consented to at the time of the collection of their data.
In some cases, an association or foundation appealing to the generosity of the public may wish to transmit the data of its prospects to another organisation for the purposes of commercial prospecting. In these instances, these prospects must have given their explicit consent at the time of collecting their contact information, for the use of their data, specifically for commercial prospecting. In addition, prospects or donors must be able to oppose either of these uses beforehand, in a simple and free manner. For example, it should be as easy as checking a box made available to them when the data is collected. They should be able to withdraw consent at any time, in particular during each contact.
An organization receiving the data of prospects or donors becomes responsible for processing this data and must comply with governing this under the GDPR.
Once an organisation has received the data of donors or contacts from the organisation collecting the donor data, the receiving organisation becomes responsible for processing this data and must comply with governing this under the GDPR. It must provide the data subject with all relevant information, at the very latest during its initial communication with them. This includes, in particular, the source from which their personal data was obtained, as well as all other applicable information provided for under Article 14 of the GDPR. At the initial contact, as well as at each new solicitation, the data subject must be able to easily opt out of being contacted again.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.
- The risks associated with geolocation data: an assessment by LINC, CNIL - August 11, 2022
- CJEU ruling on special categories of personal data - August 9, 2022
- Fine imposed on Volkswagen by German Data Protection Commissioner for multiple GDPR violations - August 4, 2022