Buying, selling or licensing are different ways of exchanging personal data. As a result, organisations can often quickly acquire new income. However, personal data is not a classic commodity, so can it just be traded or exchanged? What legal rules should be taken into account?
Without addressing the legal issue of the 'ownership' of personal data, some organisations realise over time that (parts of) their customer database are more valuable than first thought. Can these organisations use this personal data to make money by selling them?
Selling personal data is a separate processing activity with a separate purpose about which the data subject must be transparently informed. If the personal data were collected for an initial purpose other than sale, such as providing services or sending commercial messages from the vendor, the personal data cannot be sold.
It is therefore not easy to resell your customer database when this was not the intention at the time of collecting the personal data. However, it is also not completely impossible. However, if the transfer is not in accordance with the initial purpose, the data subjects must give their consent and be informed as explained below.
Other organisations, so-called data brokers, base their business model on the trade in personal data from the very beginning. Think of organisations that collect data from private and/or public sources and then combine these in a profile to sell them to financial institutions. These profiles can be used to assess a person's creditworthiness.
Organisations with such a business model are also subject to the rules of the GDPR. At the time of collection of the personal data, the data subject must be informed about the legal basis for the processing and their rights, but also about the transfer of their personal data to other organisations. It is recommended that data brokers document their processes and obligations under the GDPR in great detail in order to be prepared for due diligence by the buyer (see below under point 3).
It follows from the recommendation of the Belgian Data Protection Authority (DPA) on direct marketing that transparency in the transfer of personal data is very important. For example, data subjects should be informed about the processing of their personal data by the data broker and more information about the transfer should be provided, such as:
When it comes to publicly available information, such as available on a public Facebook profile, the data broker should be very cautious. The fact that personal data are publicly available does not mean that they can be collected (by scraping), enriched and resold. The data broker must always observe the purpose for which this information has been made public by the data subject.
An interesting contradiction can arise in the context of bankruptcy. The curator has to liquidate the assets of the bankrupt organisation, but he should also respect fundamental rights, such as the right to privacy. The curator could sell the customer database of the bankrupt organisation, but in most cases he can only do so with the consent of the data subjects.
It has already happened in the past that public authorities or public services sold citizens' personal data to commercial organisations. For some commercial organisations, for example, the address details of applicants for a planning permission are particularly valuable.
However, public authorities or public services are also subject to the rules of the GDPR, even though administrative fines cannot be imposed on most public authorities or public services in Belgium. After all, it is doubtful that the sale of personal data can be reconciled with the transparency obligations or the statutory mandate.
Public authorities or public services may sometimes be legally obliged to make certain data public or available for re-use, but these will usually not be personal data. The re-use is then subject to a model license.
In addition to selling personal data, it is also possible to retain the customer database and the personal data contained therein and to grant a right of use to other organisations. The personal data will then be licensed.
If certain conditions are met, the customer database or another collection of (personal) data of an organisation (the licensor) may be protected under sui generis database law. By licensing such a database, the licensor can determine the modalities of its use and the duration in the license agreement. This gives the licensor more control than with a sale.
In this case, too, the GDPR remains fully applicable and transparency towards data subjects is very important.
Organisations that purchase personal data might mistakenly think that the rules on the processing of personal data, such as the GDPR, no longer apply to them because they do not collect the personal data directly from the data subjects. However, these rules cannot be circumvented by purchasing personal data through another organisation.
If personal data are purchased, the same rules apply as if the buyer would collect the personal data himself. The data subject should also be informed by the buyer, at the latest on the moment of first contact with the data subject, unless this would be impossible or unreasonable. For example, if a direct marketing email is sent to the data subject whose email address was purchased, that data subject must also be informed by means of that initial email, among other things, of:
According to the Polish supervisory authority, the fact that the buyer only has the postal address of the data subject, does not exempt him from the obligation to provide information. The Polish supervisory authority did not take into account the high cost of postal mail and considered that informing by letter was not unreasonable.
In addition, a due diligence on the seller is always required. The buyer must check the origin of the data, but also how they were collected, on what legal basis, by whom, for what purposes, during what period and for which processing. In other words, the buyer must check whether the personal data were collected in accordance with the GDPR. For example, if a data broker claims that the data subjects have consented to the sale of their data for marketing purposes, then the buyer must verify that. If he does not do so and the consent later proves to be invalid, he commits an infringement of the GDPR. Or at least, that is what the British supervisory authority decided.
As a buyer, it is also always advisable to make adequate contractual arrangements with the seller. Please note that it is not sufficient that the seller merely guarantees that the personal data have been collected in accordance with the GDPR. Such guarantee does not relieve the buyer of his own responsibility under the GDPR.
Do you have any questions about buying or selling personal data? Contact Timelex.