The transfer of personal data to third parties according to the GDPR. Two examples: data transfer for marketing purposes and in connection with a due diligence exercise
I want to share my thoughts on a misconception that, I reckon, often occurs when it comes to transferring personal data from one party to another.
Strange as it seems, most of the time such misconception stems from the fact that data controllers believe that they are entitled to transfer personal data to third parties just because they originally obtained the data directly from the data subjects. That is not the case.
On this issue, it is necessary a preliminary explanation. According to the GDPR, the only case where it is possible to share data with third parties is when the transferee/recipient qualifies as “data processor” according to art. 28 of the GDPR. In this case, indeed, the processor is only an auxiliary to the controller, must abide by its instructions and cannot handle or process data unless as it is strictly instrumental to providing the controller with the specific service it required. In other words, in this case there is only one single data processing operation, that does not change in its constituents because a hierarchically-dependant third party is involved.
Quite different is the case where data are transferred to a third party in order to have such third party use them in its capacity as data controller. Think, for instance, of an agency that (by hypothesis, lawfully) collects personal data from certain individuals profiled based on their common interest in crime fiction books, and imagine that this agency wants to sell the resulting database to a publisher of crime fiction that in turn wants to use it to launch an online direct marketing campaign. In this situation both the agency and the publisher are independent data controllers, as each of them determines the purposes as well as the means of processing.
Art. 4, no. 2 of the GDPR is very clear when it sets out that the mere “disclosure by transmission” of data is to be included in the definition of “processing”. Under GDPR, the disclosure by transmission is then processing on its own right and as such, pursuant to art. 6 of the Regulation, it must be grounded in a legal basis, taking into account also the purposes such processing pursues. Turning back to the aforementioned example, most probably, the only legal basis the publisher may resort to is the consent of the data subject (art. 6(1) a) GDPR) for direct marketing purposes. Consent that shall be freely-given, specific, informed and an unambiguous display of the data subject's will.
A point that should also be made is that the burden of obtaining the consent is to be borne, according to the example, by the agency that intends to transfer the data, based on an information notice compliant with art. 13 of the GDPR; if it is true that disclosing information to third parties is in itself processing, it is not systematically possible to believe that consent might be obtained by the transferee/recipient after the processing, based on an information notice drawn up pursuant to art. 14 of the GDPR which, by that time, would be given when the processing had already been carried out.
Consent is not the only legal basis for processing. It is therefore possible to imagine the disclosure of data from a controller to another to be grounded in one of the other legal bases listed in art. 6. An example that comes to mind on this concerns the transfer of the personal data of the employees of a target company to a purchasing company in connection with a due diligence exercise instrumental to an acquisition.
In a similar situation, I reckon that it is possible to base the transfer upon art. 6(1) f) of the GDPR, that is on the target’s as well as on the prospective buyer’s legitimate interest. In particular, it is apparent that both parties are interested, respectively, in either granting or having access to personal data such as the employees’ insomuch as it necessary for the parties to understand the risks and opportunities in the operation. For example, let us think of labour-related lawsuits either pending or threatened, which may translate into liabilities for the target (and thus for the buyer in case the transaction goes through).
Besides, any processing operation, although hypothetically lawful as it concerns art. 6 of the GDPR, must also comply with the general principles set out in art. 5, and in particular with the too often overlooked data minimisation principle referred to under let. c) of the aforementioned art. 5. This principle states that the processing must be relevant and limited to what is necessary in relation to the purposes it pursues. Hence, turning back again to the example concerning the transfer of personal data in connection with an acquisition, bearing in mind this principle, should the prospective buyer require access to information relating to the salaries of the target’s employees, such a request shall be considered lawful based on a legitimate interest; at the same time though, the data minimisation principle will most likely require such information to be provided in an anonymised fashion, except - at most - for those key employees whose specific identification might be relevant over and above the salary related information and thus be lawfully based in the legitimate interest of the parties involved in the transaction.