GDPR Q&A session for entrepreneurs

Can I use a database obtained from a third party?

"First of all, you have to ask yourself whether you're in B2B or B2C, because commercial prospecting requires prior consent. It's possible to use a database obtained from a third party if you're in B2B, because prior consent doesn't apply.

The only 2 rules to respect in B2B are :

• the target is well respected.
• prospects must be able to unsubscribe easily and at any time. (Opt out)

Caution: For Opt Out, if a prospect asks to delete the data, you must not do so, as this removes the trace of the Opt Out; and potentially find yourself back in a prospect list."

 

With B2C contact forms, is it necessary to double opt-in?

"Legally, double opt-in does not exist in France.

 

The CNIL (National Commission for Information Technology and Civil Liberties) had said that there was case law to the effect that if you used Google Analytics, "you weren't in the clear". Can you confirm this?

"In France, the CNIL (National Commission for Information Technology and Civil Liberties) has communicated the fact that it has issued formal notices to around a hundred companies that it considers to be non-compliant with the GDPR due to their use of Google Analytics. The GDPR prohibits the transfer of data outside the European Union."

 

Can tools like Matomo Analytics be used in France?

"These are statistical cookie tools. There are two kinds of statistical cookies: those that require prior consent and those that do not. Matomo Analytics is legal and is one of those tools that doesn't require prior consent. So it's a tool that can be used in France."

 

Specific case: In the context of B2B commercial prospecting, as a consultant for architectural agencies, what data can I share?

You can share name, job title, professional e-mail, company and LinkedIn link. There's a tricky thing about cell phone numbers: you have to be careful, because you never know whether it's a personal or professional number.

 

What about the possibility of unsubscribing from commercial prospecting on social networks like LinkedIn?

We're not really in the business of prospecting. For example, LinkedIn is closer to a conversation than to prospecting. What's more, on most social networks, a person can block another person. So the problem doesn't arise today on LinkedIn.

 

Concerning database transfers, if we have two structures, one in France and one abroad, can we make a transfer?

Transfers outside the EU are prohibited, but there are exceptions. To transfer a database to a country like the USA, you need to have standard contractual clauses, drawn up by the European Commission, which aim to govern the relationship between a structure located within the European Union and a structure outside the European Union.

However, there is a subtlety: for some countries, it is only necessary to have these contractual clauses if data transfers are made on a daily basis as part of a commercial relationship. For some countries, it is not necessary to have contractual clauses if data transfers are made every 6 months or every year.