


French CNIL: The great oversight


published on 27 September 2023 | reading time approx. 10 minutes


Data controllers, joint data controllers, data processors, where are your inter-companies data processing agreements?

The CNIL strikes hard against joint data controllers who fail to comply with their obligation to provide for an agreement between them. This decision gives us the opportunity to stress once again the importance of inter-company agreements on shared data processing. These agreements, particularly joint liability or subcontracting agreements, are often forgotten by partners, or at the very least poorly drafted. Since the risk is that the processing will not be compliant, it is important to review the situation.

A decision of the French CNIL of June 15, 2023¹ condemns CRITEO to a 40 million Euro fine.

Five years after the entry into force of the GDPR, compliance work is still in full swing, but few can boast mastery of it.

This is particularly true of data processing agreements between companies organizing a common processing of data (partnerships, subcontractors, suppliers, customers, etc.), in particular joint data processing agreements and especially intra-group agreements, where the roles and obligations of the parties with regard to the personal data that circulates between them are rarely or negligently addressed.

Indeed, as regards GDPR compliance in contracts, the challenge does not stop at qualifying those involved in the data processing and producing the basic information documents. Once the partners have been able to qualify their respective status and obligations in this respect, they are not out of the woods just yet!

Admittedly, it is not always an easy task for data processing actors to determine which of the three categories – independent data controllers, joint data controllers or data processors – they fall into. There may even be a tendency for the parties to quickly label themselves as independent data controllers, so as to avoid having to enter into a detailed data processing agreement with each other.

While the definitions of a Data controller and a Data processor are pretty much straightforward – the controller being the person who determines the "why" (the purposes) and the "how" (the means) of the processing it initiates, and the processor being an executor who carries out processing on behalf of the controller – it is not so simple, in situations where each of the actors has a certain degree of autonomy, to determine whether the parties enter into a controller/processor relationship, a joint controller relationship or an independent controller relationship.

As soon as the partner is not simply carrying out instructions on behalf of the other party, it will be difficult to consider it a Data processor. This may be the case for a company offering regulated services to its clients, which require the management of certain personal data; or for a partner whose services are so standardized and independent that the customer is obliged to adhere to its general conditions, with no room for negotiation (e.g. payroll software from international vendors). In many cases, the contracting parties should be regarded either as joint controllers or, more often, as independent controllers. However, this issue is rarely correctly addressed and therefore rarely formalized in these written agreements, to the detriment and at the risk of the parties.

The first step is therefore undoubtedly to analyze the contractual relationship carefully, so as to be able to correctly qualify the role of each party, in compliance with the qualification rules and criteria set out in the GDPR and the guidelines issued by the CNIL or the EDPB². The simple fact of deciding, sometimes too quickly, on a classification in the contract is not binding on the authorities: it still needs to be justified.

Further, once this qualification has been made, these actors still have to contractually divide up their roles and responsibilities! This step is even more often forgotten in said agreements, especially in intra-group and inter-company agreements.

It follows respectively from Article 26 and Article 28 of the GDPR that the essence of the arrangement shall be made available to the data subject and that processing by a processor shall be governed by a contract or other legal act, in other words, that the partners are responsible for contractually allocating their roles and responsibilities.

The risks of not complying with these provisions are that the actors involved may find themselves unable to fulfill their respective obligations, and may, more importantly, be faced with very substantial penalties from the CNIL (French Data Protection Authority) or equivalent national authorities abroad, should the matter be referred to them by a complainant, by self-referral to the CNIL or in the event of a dispute between the parties.

And yet, it is clear that many intra- or inter-group partners:
  • are rarely aware that the GDPR requires an agreement to be formalized between them; 
  • have sometimes not agreed on the allocation of their respective obligations; 
  • have agreed on the allocation of their roles, but have not yet formalized it by agreement or not detailed such respective roles;
  • have agreed on said allocation of roles and formalized it by agreement, but this agreement proves itself incomplete because some obligations are missing.

A typical example is the processing of employee data between the employer (a subsidiary of a group) and a parent company or other sister companies. Very often, some of this data, which is under the responsibility of the employer (acting as Data Controller), circulates within the group of companies for various legitimate (or illegitimate) reasons. Another example is when two commercial partners (intra-group or not) decide to organize a common activity or event, for example co-branding and marketing operations. Or when the business of a subsidiary is partly managed by a parent company or a partner company (particularly insurance, travel agencies, etc.), requiring a transfer of employees' or clients' data.

It was in these latter circumstances that the French company CRITEO was fined 40 million euros by the CNIL.

On November 8, 2018 and December 4, 2018, two associations lodged a complaint with the CNIL, denouncing in particular the formalism imposed by CRITEO in handling requests from data subjects.

One complainant, in particular, wanted to withdraw his consent and object to the processing of his data, and complained that, despite sending an e-mail to the company to this effect, the latter had redirected him to various online procedures dedicated to exercising his rights.

CRITEO had, in fact, concluded an agreement with its external service providers (advertisers, publishers and online auction platforms), regarded as joint controllers for the processing of data, in order to implement such online procedures. This agreement contained:
  • a description of the processing operations covered by the joint controllership, and
  • a description of each controller's role in relation to these processes.

We can already welcome the fact that the parties thought to draw up a joint data processing agreement, which is not often the case, but such an agreement still has to be valid.

However, at the date of the findings, the agreement concluded by CRITEO with its partners did not specify some of the respective obligations of the joint data controllers vis-à-vis requirements contained in the GDPR, such as:
  • the exercise of their rights by data subjects;
  • the obligation to notify the supervisory authority and data subjects in case of a data breach;
  • if necessary, the performance of a Privacy impact assessment (PIA) under Article 35 of the GDPR.

As it happens, the CNIL considered that it was clear from the wording of Article 35 of the GDPR that the agreement allocating the obligations of the joint data controllers must cover all the obligations laid down by the GDPR, in order to determine, for each of these obligations, which of the joint data controllers is responsible for it.

CRITEO did attempt to argue that, as drafted, the agreement with its partners did not harm data subjects, who benefited from the full protection of the GDPR, since the general terms of use of its services provide that partners must provide a link to CRITEO's privacy policy and allow data subjects to express their consent to targeted advertising.

It also emphasized that it had adopted a new agreement, which came into force on July 5, 2022, to include the required mentions. It is true that, in general, the CNIL appreciates the fact that, during the course of the procedure, the company concerned takes the necessary steps to correct the situation.

And yet, the CNIL considered that CRITEO's late compliance does not call into question the characterization of the breach for the past, and that CRITEO has breached its obligation under Article 26 of the GDPR.

Although the CNIL did not call into question the legal qualification adopted by CRITEO and its partners, i.e. joint controllers, it should be stressed that supervisory authorities are not bound by such contractual qualifications and are free to analyze and challenge the merits of such a classification.

Further, the CNIL's decision does not specify whether CRITEO's partners, jointly responsible for this data processing, have been or will also be subject to binding injunctions or penalties in respect of the breach identified, but it is a safe bet that this could be the case in similar cases in the future.

Data processors as well as joint controllers should never overlook the risks when proceedings are initiated against the main controller!

Finally, further breaches have also been identified by the CNIL:
  • Failure to demonstrate that the data subjects have given their consent, in particular for large-scale personalized advertising;
  • Failure to comply with the obligation to provide information and transparency;
  • Failure to respect the right of access;
  • Failure to respect the right to withdraw consent and to have one's data erased.

In the end, the CNIL imposed a fine of 40 million Euro in light of various factors, including:
  • the seriousness of the breach, particularly in view of the number of people affected (50M in France, 370M in the EU) and the international scale of the organized processing;
  • the lack or mismanagement of consent, particularly with regard to cookies;
  • the poor contractual and factual framework for joint responsibility in the data processing, which threatens the protection of subjects' data.

This decision, among others, is a reminder of the importance of agreements between companies or organizations that process personal data together, for the benefit of the data subjects concerned.

These agreements must be in writing, complete, and comply with the rules laid down by the GDPR and the EDPB guidelines, in order to qualify each party and clearly define their respective roles and obligations.

All too often, and particularly in intra-group and inter-company relations, the parties do draw up the necessary information and documentation for the data subjects whose data is collected, including customers or end users, but fail to draw up, or at least to draw up properly, a data processing agreement between themselves.

The processing partners must therefore, on a case-by-case basis:
  • analyze the qualification of each party in relation to the planned processing, in particular with regard to the guidelines established by the CNIL and the EDPB: independent data controllers, joint data controllers, processor, etc.;
  • be able to justify their decision in favor of a particular classification, as a simple agreement is not binding on the authorities;
  • draw up an appropriate and complete agreement: data processing agreements are often drafted in an abnormally brief manner, and joint responsibility agreements are often forgotten by the parties, who sometimes hide behind a description as independent data controllers that is not always relevant.

We therefore recommend that processing partners anticipate these topics and correctly analyze their contractual relations in order to determine their own GDPR qualifications, and that they do not omit to sign such agreements. If the purposes and means of processing tend to qualify both entities as independent data controllers, it may not be required to sign a detailed data processing agreement ("DPA") between them. But, if one of them is classified as a joint data controller or processor, we strongly advise formalizing a detailed and documented agreement. Failing that, both parties may be subject to administrative or judicial proceedings, and to severe penalties from the regulatory authorities.

It is recommended to seek assistance in drafting or proofreading such agreements, which, although mandatory, run the risk of not being compliant at all due to the lack of various information and negotiated terms!
____________________
¹ CNIL decision: Délibération SAN-2023-009 du 15 juin 2023 - Légifrance (legifrance.gouv.fr)
² EDPB (European Data Protection Board, the European authority overseeing national authorities in matters of personal data): EDPB_guidelines_202007_controllerprocessor_final_fr (europa.eu)

DATA PROTECTION BITES

Author


Frédéric Bourguet

Avocat

Associate Partner

+33 1 8621 9274


RÖDL & PARTNER FRANCE
