What should one keep in mind when selling, purchasing or licensing personal data?

Buying, selling and licensing are different ways of exchanging personal data, and they often allow organisations to acquire new income quickly. However, personal data is not a classic commodity, so can it just be traded or exchanged? What legal rules should be taken into account?

1. Sale of personal data

1.1. Is the sale compatible with the original purpose?

Without addressing the legal issue of the 'ownership' of personal data, some organisations realise over time that (parts of) their customer database are more valuable than first thought. Can these organisations make money by selling these personal data?

Selling personal data is a separate processing activity with a separate purpose about which the data subject must be transparently informed. If the personal data were collected for an initial purpose other than sale, such as providing services or sending commercial messages from the vendor, the personal data cannot be sold.

After all, the buyer's objective is almost always incompatible with the seller's original objective. This is even more so when, as is often the case, the privacy policy of the organisation in question stipulates that personal data will not be shared with third parties without the consent of the data subject concerned.

It is therefore not easy to resell your customer database when this was not the intention at the time of collecting the personal data, but it is not completely impossible. If the transfer is not in accordance with the initial purpose, the data subjects must give their consent and be informed as explained below.

1.2. As part of the business model of an intermediary?

1.2.1. What is a data broker?

Other organisations, so-called data brokers, base their business model on the trade in personal data from the very beginning. Think of organisations that collect data from private and/or public sources and then combine these in a profile to sell them to financial institutions. These profiles can be used to assess a person's creditworthiness.

1.2.2. Transparency and the GDPR

Organisations with such a business model are also subject to the rules of the GDPR. At the time of collection of the personal data, the data subject must be informed about the legal basis for the processing and their rights, but also about the transfer of their personal data to other organisations. It is recommended that data brokers document their processes and obligations under the GDPR in great detail in order to be prepared for due diligence by the buyer (see below under point 3).

It follows from the recommendation of the Belgian Data Protection Authority (DPA) on direct marketing that transparency in the transfer of personal data is very important. For example, data subjects should be informed about the processing of their personal data by the data broker and more information about the transfer should be provided, such as:

  • The specific identity of the recipients (i.e. the buyers) or at least the categories of recipients (e.g. their sector).
  • The activities performed by the recipients (e.g. the type of services or products they offer).
  • The processing(s) that the recipients will carry out (e.g. the enrichment and how this is done). The DPA states that when data are enriched, it should be explained with which other data from which other database the data are enriched, to which organisations those enriched data are provided and for what purpose those organisations will use the enriched data.
  • If the recipient will use the personal data for sending commercial messages/advertisement, the method and the maximum frequency must also be stated. If these advertisements are sent by electronic means (e.g. e-mail, behavioural advertising, etc.), the consent of the data subject must also be obtained.
  • The legal basis for the transfer and the legal basis for further processing by the recipient.

1.2.3. Be careful with publicly available information

When it comes to publicly available information, such as information available on a public Facebook profile, the data broker should be very cautious. The fact that personal data are publicly available does not mean that they can be collected (by scraping), enriched and resold. The data broker must always observe the purpose for which this information has been made public by the data subject.

1.3. The customer database in the event of bankruptcy

An interesting contradiction can arise in the context of bankruptcy. The curator has to liquidate the assets of the bankrupt organisation, but he should also respect fundamental rights, such as the right to privacy. The curator could sell the customer database of the bankrupt organisation, but in most cases he can only do so with the consent of the data subjects.

1.4. Are public authorities allowed to sell personal data?

It has already happened in the past that public authorities or public services sold citizens' personal data to commercial organisations. For some commercial organisations, for example, the address details of applicants for planning permission are particularly valuable.

However, public authorities or public services are also subject to the rules of the GDPR, even though administrative fines cannot be imposed on most public authorities or public services in Belgium. After all, it is doubtful that the sale of personal data can be reconciled with the transparency obligations or the statutory mandate.

Public authorities or public services may sometimes be legally obliged to make certain data public or available for re-use, but these will usually not be personal data. The re-use is then subject to a model license.

2. License to use personal data

In addition to selling personal data, it is also possible to retain the customer database and the personal data contained therein and to grant a right of use to other organisations. The personal data will then be licensed.

If certain conditions are met, the customer database or another collection of (personal) data of an organisation (the licensor) may be protected under sui generis database law. By licensing such a database, the licensor can determine the modalities of its use and the duration in the license agreement. This gives the licensor more control than with a sale.

In this case, too, the GDPR remains fully applicable and transparency towards data subjects is very important.

3. Purchase of personal data

3.1. Which rules apply?

Organisations that purchase personal data might mistakenly think that the rules on the processing of personal data, such as the GDPR, no longer apply to them because they do not collect the personal data directly from the data subjects. However, these rules cannot be circumvented by purchasing personal data through another organisation.

If personal data are purchased, the same rules apply as if the buyer had collected the personal data himself. The data subject should also be informed by the buyer, at the latest at the moment of first contact with the data subject, unless this would be impossible or unreasonable. For example, if a direct marketing email is sent to the data subject whose email address was purchased, that data subject must also be informed by means of that initial email, among other things, of:

  • What personal data are processed,
  • For which purpose and on which legal basis,
  • How the personal data were obtained (e.g. via a data broker),
  • How long the processing will take place,
  • How rights can be exercised.

According to the Polish supervisory authority, the fact that the buyer only has the postal address of the data subject does not exempt him from the obligation to provide information. The Polish supervisory authority did not take into account the high cost of postal mail and considered that informing by letter was not unreasonable.

3.2. Due diligence and contractual arrangements

In addition, due diligence on the seller is always required. The buyer must check the origin of the data, but also how they were collected, on what legal basis, by whom, for what purposes, during what period and for which processing. In other words, the buyer must check whether the personal data were collected in accordance with the GDPR. For example, if a data broker claims that the data subjects have consented to the sale of their data for marketing purposes, then the buyer must verify that. If he does not do so and the consent later proves to be invalid, he commits an infringement of the GDPR. Or at least, that is what the British supervisory authority decided.

As a buyer, it is also always advisable to make adequate contractual arrangements with the seller. Please note that it is not sufficient that the seller merely guarantees that the personal data have been collected in accordance with the GDPR. Such a guarantee does not relieve the buyer of his own responsibility under the GDPR.

Do you have any questions about buying or selling personal data? Contact Timelex.