Data sharing for charities: guidance from CNIL

CNIL recently published guidance relating to data sharing for charities for the purposes of prospecting.


CNIL recently published guidance relating to data sharing for charities for the purposes of prospecting. According to CNIL, these guidelines are geared towards any association or foundation appealing to the generosity of the public to receive donations, which wishes to transmit the data files of its donors or contacts for the purposes of charitable or commercial prospecting. The applicable rules vary slightly depending on the objective of the reuse of the data, whether it be for charitable canvassing or commercial canvassing. This guidance is also geared towards commercial companies that sell or rent prospect files to charities for charitable prospecting.


Organisations collecting prospect data must inform those individuals that their data may be transferred to other organisations for charitable prospecting.


The rules applied to prospecting for charitable purposes are a bit less strict than those governing commercial prospecting. An organisation can transmit the data of its donors or contacts to another organisation for charitable prospecting purposes, contingent upon basic conditions under the GDPR. This prospecting may be done by mail, phone calls or electronically. Electronic prospecting includes methods like using SMS, e-mails, or automated calls. Under the GDPR, the concerned parties (donors/contacts) must necessarily have been informed of the use of the data collected for charitable prospecting purposes at the time of the initial collection of their data by the association collecting their data and offering it to another. Data subjects must, at that time, be informed of the possible transmission of their data to partners for charitable prospecting purposes.


The use of prospect data for commercial prospecting must be consented to by the data subjects at the time their data is collected.


In some cases, an association or foundation appealing to the generosity of the public may wish to transmit the data of its prospects to another organisation for the purposes of commercial prospecting. In these instances, these prospects must have given their explicit consent at the time of collecting their contact information, for the use of their data, specifically for commercial prospecting. In addition, prospects or donors must be able to oppose either of these uses beforehand, in a simple and free manner. For example, it should be as easy as checking a box made available to them when the data is collected. They should be able to withdraw consent at any time, in particular during each contact.


An organisation receiving the data of prospects or donors becomes responsible for processing this data and must comply with the rules governing this under the GDPR.


Once an organisation has received the data of donors or contacts from the organisation collecting the donor data, the receiving organisation becomes responsible for processing this data and must comply with the rules governing this under the GDPR. It must provide the data subject with all relevant information, at the very latest during its initial communication with them. This includes, in particular, the source from which their personal data was obtained, as well as all other applicable information provided for under Article 14 of the GDPR. At the initial contact, as well as at each new solicitation, the data subject must be able to easily opt out of being contacted again.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Google Analytics custom features do not make transfers legal, according to CNIL

CNIL has announced that even with the use of Google Analytics custom features, transfers are still not legal.


CNIL recently announced that even with the use of Google Analytics custom features, transfers are still not legal in the absence of a transfer deal between Europe and the US. This announcement was added in the Q&A on CNIL’s website, as a point of clarification, after numerous businesses hoped that the customisation tool could be used to allow data transfers to the US from Europe through Google Analytics. However, according to the CNIL, the use of this tool still does not comply with the GDPR despite the precautionary options now available.


While efforts have been made to replace the invalidated Privacy Shield, authorities say there is still a long way to go.


Earlier this year, CNIL sent out formal notices to a series of companies after deciding that data transfers to the US via Google Analytics were illegal. This decision was based on the Schrems II decision which invalidated the Privacy Shield two years ago. While a decision to replace the deal was announced, there is still a long way to go. European Commission Vice-President Margrethe Vestager confirmed at the International Cybersecurity Forum earlier this month that negotiations are “finalised”, but that “a lot of work remains to be done.”


In the absence of the Privacy Shield, CNIL has addressed questions and concerns regarding other solutions that have been offered.


While we await a replacement for the Privacy Shield, CNIL has been very vocal, providing clarification when necessary. The authority addressed a question on the possibility of configuring Google Analytics so as to avoid transferring personal data outside the EU. CNIL’s response to this was an unambiguous “no”, followed by an explanation that “the use of solutions proposed by companies subject to non-European jurisdictions is likely to pose difficulties in terms of access to data.” This remains the case even in the absence of a transfer, as Google has confirmed to CNIL that all data collected by Google Analytics is hosted on US soil.


Many of the proposed solutions are not deemed satisfactory as any personal data transferred to the US seems to be at risk.


Google has proposed additional guarantees like anonymisation and encryption, but none of these solutions are deemed satisfactory by the CNIL. CNIL acknowledges that Google offers an IP address anonymisation feature. However, this does not apply to all transfers, and Google has been unable to demonstrate that this anonymisation happens before data is transferred to the US. Unique identifiers are also not an adequate solution, as individuals can still be identified through the association of those identifiers with other data. The CNIL states that the encryption solutions offered by Google were ineffective, as Google itself holds and stores the encryption keys, allowing the company to access personal data if it so wishes. As a result, any companies or organisations who wish to use the tool need to obtain explicit consent from the individuals concerned.


Cookie assessment criteria published by the CNIL of France

The CNIL of France has published a cookie assessment criteria guide to aid businesses in determining the validity of cookies and other tracers.


The CNIL has published guidelines on the use of cookies and other tracers, which initially prohibited cookie walls as they were seen as a violation of the principle of free consent. A cookie wall requires users to consent to cookies in order to gain access to a site or service. The CNIL later concluded that the validity or legality of cookie walls was better determined on a case by case basis, rather than prohibiting cookie walls altogether. The authority deemed it necessary to publish a guide containing preliminary criteria to assess the legality of the use of cookie walls, in the absence of a position from the CJEU.


While not prohibited in France, a careful assessment is required prior to the implementation of cookie walls.


Cookie walls require an internet user to accept cookies or other tracking devices in order to access the content of a website. In most cases, there is an alternative, paid option, in the form of a subscription, to compensate for any loss of advertising revenue from targeted ads made possible by the collection of cookies. The validity and legality of cookie walls is to be assessed on a case by case basis, based on what alternatives are offered to users if they choose to decline cookies, and how reasonable these alternatives are. This will require a careful assessment of the alternative options, as suggested by the CNIL.


CNIL outlined several key factors which are considered in determining the validity of cookie consent and cookie walls.


While the validity of a cookie wall is to be determined on a case by case basis, there are a few key determining factors which the CNIL highlighted. For one, it matters whether or not the internet user who refuses cookies still has a fair alternative to access the content. In some cases, paid access can be granted, replacing the cookie wall with a paywall. In cases where there is a paywall to access content, CNIL will consider whether the price is deemed reasonable. This, in most cases, will be determined by the amount of ad revenue which would be lost as a result of the user refusing cookies. Another important point to consider is whether the cookie wall covers “all” cookies indiscriminately, or just certain types of cookies.


CNIL recommends that the publisher offers a real and fair alternative allowing users access to the site in the event that they refuse cookies, which does not include having to consent to the use of their data. In cases where the user chooses paid access without consenting to cookies, there may be limited cases where cookies can still be deposited. The CNIL stressed that users should be able to accept and refuse cookies based on their purpose, and should be able to access the site settings and revoke consent at any time.


Recorded telephone conversations for the establishment of a contract

CNIL has published guidance on the establishment of contracts via recorded telephone conversations.


In the establishment of a contract, it is sometimes necessary to record a telephone conversation as proof of the formation of the contract. Under the law, this is permitted where necessary. Therefore, in order for an organisation to lawfully record telephone conversations, it must, as data controller, demonstrate that there is no other way to prove that a contract has been formed with the data subject. CNIL has published a report detailing the factors to be considered when an organisation may need to record phone conversations in the establishment of a contract.


While some contracts can be formed orally, others must be established by a written act.


Recording must be necessary to prove the formation of the contract. For written contracts, recording is not necessary in order to establish the formation of the contract. For example, when a consumer is contacted by telephone with the aim of forming a contract relating to the sale of goods or the supply of a service, the customer is only bound by it after having signed and accepted it on a durable medium, such as a written contract. The recording of telephone conversations for purposes of proof of the formation of the contract is therefore unnecessary in this context. However, for contracts that can be taken out orally (for example, for the purchase of certain paid services), if the recording of conversations is possible, the principle of data minimisation must be respected in the process.


In cases where the contract is established via a telephone conversation, only the part of the conversation relating to the establishment of the contract may be recorded.


In cases where contracts can be taken out over a recorded line, unless legal provisions allow it, these recordings may not be permanent or systematic. Only the conversations relating to the establishment of a contract by telephone may be recorded. Therefore, the company or organisation will have to provide mechanisms to record the telephone conversation between the phone operator and the consumer only from the moment when the conversation clearly relates to the establishment of a contract. The relevant part of the conversation can only be retained in the absence of any other proof of the formation of the contract. The recording of the telephone conversation also cannot be triggered by default, in an automated way. Ideally, the phone operator would manually trigger the recording, only in cases where the purpose of the conversation is to confirm a contract which cannot be proven by any other means.


Processing of personal data which is based on the establishment of the contract is permitted under the GDPR.


When people agree to enter into a contract by telephone, the recordings of the telephone conversations can be processed on the lawful basis of the contract under the GDPR. Article 6(1)(b) GDPR provides a lawful basis for the processing of personal data to the extent that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
