CNIL: Can processors use their controllers’ data for their own purposes?

Addressing cloud service providers’ increased interest in processing their controllers’ data for their own purposes – such as for product improvements or to develop of new services – the French data protection authority CNIL published a guideline in January that discusses how such further processing can lawfully take place.

According to the CNIL, the controller may allow the processor to further process data for its own purposes under certain conditions. To do so, the controller must verify, as part of a “compatibility test” for each specific further processing of data, whether the further processing is compatible with the purpose for which the data was originally collected. Permission must be granted in writing, analogous to the data processing agreement. The obligation to provide information regarding the planned further processing is imposed on the original controller, which may, however, also delegate this to the processor. Ultimately, the processor becomes the controller for the further processing of the data itself and must ensure compliance with the GDPR for its processing activities.

The CNIL bases the permission for further processing mainly on the rarely cited provision on the so-called change of purpose in art. 6(4) GDPR. The CNIL justifies this with the wording of the clause, which allows further processing of data in principle after a “compatibility test”. In addition, it requires compliance with the other standards for data processing, such as the text form of the agreement pursuant to art. 28(9) of the GDPR, but also compliance with the duty to inform the data subjects pursuant to art. 13 et seq. GDPR.

It remains open how the CNIL resolves the conflict arising from the fact that the GDPR actually does not provide for an application of art. 6(4) GDPR to processors. If one follows the CNIL’s guideline, a former processor that now acts as a controller in relation to the data subjects with the controller’s permission, but still without the original controller’s instructions.
On the one hand, this violates the principle of art. 28(3)(2) of the GDPR, according to which processors may only act under documented instructions from the controller, and surprises on the other hand especially regarding art. 28(10) GDPR. According to this, it is literally considered an infringement of the Regulation if a processor determines the purposes and means of processing itself.

This can hardly be countered by the fact that the original controller has given permission for this and the new controller (ex-processor) acts within the scope of a documented instruction. Such a contractual arrangement grants the processor rights that are not covered elsewhere in the GDPR. The actual consequence would therefore theoretically be a breach of art. 28(3)(1) GDPR.
It remains to be seen how other European supervisory authorities will react to this proposed solution by the CNIL. In any case, there is a significant and legitimate interest of processors in processing personal data for their own purposes – in view of the rather weak dogmatic justification, the CNIL guidelines should probably be treated with some caution for the time being. 

Dr. Lukas Mezger UNVERZAGT Rechtsanwälte