In a deliberation dated 26 July relating to MONSANTO COMPANY, the French data protection authority (Commission Nationale de l’Informatique et des Libertés -CNIL”) confirmed – and this is good news – that personal data processing that consists of collecting information for the purpose of identifying influential individuals to whom a company would like to promote its interests can be, subject to certain conditions, carried out on the basis of the legitimate interest pursued by the data controller.
In this case, the CNIL noted that the individuals whose data was included in the challenged file had participated in the public debate on glyphosate use or on issues connected with that subject. Therefore those individuals could reasonably expect that MONSANTO or, more generally, organizations engaged in interest representation, would be interested in their position on glyphosate and process their professional contact details and information about the positions they had publicly taken – information that is publicly and lawfully available – in order to ascertain and understand their positions and potentially contact them.
The CNIL noted that a data controller that conducts this kind of processing must comply with the obligations contemplated by the GDPR and in particular the obligation to inform individuals so they can exercise their rights. On this point, what raises questions is the fact that the CNIL added that this information “thereby contributes to making the interest representation business more transparent”. This raises questions as this issue is not a GDPR one but rather a matter regulated by transparency policies.
Under article 4(7) of the GDPR, a data controller is the legal entity or person who, alone or jointly with others, determines the purposes of the processing being carried out, i.e., the expected or sought-after result, or the “why” of the processing, and the means of such processing, i.e., how to achieve this result or the “how” of the processing. In other words, the controller is the one who decide both the aim or objective of the processing and the means to be used to achieve that aim or objective. To qualify as a controller, one should not only determine the purpose,it must also make decisions about the means of processing. For its part, a data processor is never the one who determine the purposes of the processing.
In this case, in order to identify the data processor, the CNIL analyzed the exchanges between Monsanto and its consulting firm. It determined that those exchanges demonstrated that the consulting firm did not have the autonomy usually enjoyed by a data controller, given the management power Monsanto exercised over its activities, and could therefore only be a processor. In this regard, the CNIL specified that responding to requests from data subjects regarding the exercise of their rights is not a criterion for determining who the data controller is and that it is “commonly the case that the data processor is the one in the best position to process such requests”.
The CNILalso noted that it is the data controller, and not the data processor, who is responsible for ensuring that the information contemplated by article 14 of the GDPR has in fact been provided to data subjects. Indeed, under this article, when the personal data was not obtained from the data subject, the controller is responsible for providing “in particular, [its] identity and contact details […] [and] (the contact details of the data protection officer, where applicable), the purposes of the processing, its legal basis, the categories of personal data concerned, the recipients or categories or recipients of the personal data, if any, that the controller intends to transfer personal data to a recipient in a third country and, when necessary to ensure fair and transparent processing, the period for which the personal data will be stored, the existence of various rights from which data subjects benefit, the existence of the right to withdraw consent at any time and the right to lodge a complaint with a supervisory authority, the source from which the personal data originates and the existence or automated decision-making, if any.”
Regarding the way this information shall be provided, the CNIL specified that the controller must provide it “within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed, or if disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.”
The CNIL, which raises the contact details (address, phone number, email address) of the data subjects contained in the challenged file, appears to consider in this case that such information had to be provided individually.
The CNIL Monsanto decision calls for further clarification for public affairs professionals regarding its impact on public affairs activities and could present an opportunity for public affairs professionals to discuss with the Data Protection Authority on best practices.
SAMMAN Law & Corporate Affairs together with the professional organizations concerned, has approached the CNIL in order to better understand the implications this deliberation will have on its activities. Discussion to be followed.