On January 12, 2022, the French data protection authority (“CNIL“) published guidance on the reuse of personal data by processors for their purposes (“Guidance”). This the most recent guidance of a major EU regulator on a topic of acute interest to controllers and processors alike.

The GDPR generally restricts processors’ use of personal data that they process on behalf of controllers: processors may only process the data as instructed by the controller in a data processing agreement. Processors that exceed the instructions by using the data for their own purposes risk running afoul of the GDPR and their contracts.

The reuse of personal data by processors has been a key focal point of data processing agreement negotiations. Processors contend that reusing personal data for product improvement, including, for example, to train AI models, ultimately benefits controllers, who expect state-of-the-art products and services. The Guidance confirms that processors can reuse personal data obtained from controllers for such purposes - but only if:

• The purpose for reusing the personal data is compatible with the initial purpose for processing

The controller remains responsible for conducting, on a case-by-case basis, a Compatibility Test. The controller must determine if the further processing (reuse) is compatible with the purpose for which the data was originally collected (when the legal basis for the processing is neither consent nor EU or Member State law).¹

Controllers must assess the link between the initial purpose for which the data was originally collected and the purpose of the further processing; the context of the collection; the type of personal data at stake (especially in case of special categories of personal data or data relating to criminal convictions); the consequences of the further processing for data subjects; and the data protections in place, such as encryption or pseudonymization.²

The CNIL offers illustrative use cases: where a processor wants to reuse personal data to improve its cloud computing services, the reuse would be considered compatible with the initial processing but subject to appropriate protections (anonymization of data that is unnecessary for the further processing). In contrast, the processor’s reuse of data for marketing purposes would likely fail the Compatibility Test.

• The controller agreed in writing to the reuse

If the reuse is compatible, controllers can decide to authorize reuse of personal data for further processing.

The controller’s authorization for reuse must be specific. A prior general authorization to any reuse by the processor (similar to the prior general authorization to use sub-processors included in many data processing agreements), will not be valid.

• Data subjects have been duly informed

The controller is responsible for informing data subjects of (i) the further processing and its purpose; and (ii) the right of data subjects to object to further processing, where applicable. Where the processor can communicate with data subjects directly, the controller can delegate its duty to notify to the processor.

Key Takeaways

If processors use controllers’ data without complying with the above conditions, they may be prevented from reusing the data (which could jeopardize future development of processors' products and services). They also risk a GDPR fine.

If a processor reuses personal data for its own purposes, it will become a controller for that processing and be subject to the suite of GDPR obligations that apply to controllers.

With the foregoing in mind:

Controllers and processors will want to consider reviewing processing agreements to ensure that the agreements:

• Reflect a specific written authorization to reuse personal data, clearly specifying the purpose of the further processing.
• Reference the outcome of the Compatibility Test.
• Assign responsibility among the parties for informing data subjects of the reuse of their personal data.

The controller’s privacy policy will also need to be updated to properly disclose the processor’s reuse and corresponding right to object.

Footnotes

1) Article 6.4 of the GDPR

2) Article 6.4 of the GDPR