France: Adopted guidelines on customers' lists sale for marketing use under the GDPR

On 5 December 2022, the French Data Protection Authority (CNIL) issued guidelines listing the national rules on the sale of a customer file. The guidelines clarify the data protection obligations listed in the General Data Protection Regulation (GDPR) that apply to the customers' lists sale for marketing use. In particular, the guidelines note that customer data may be used and then stored for the subsequent three years if the purpose for collection is commercial prospecting. Other uses for customer data, such as accounting or litigation, do not warrant data retention. Furthermore, it was noted that for a data transfer to be legal, the entities collecting data must obtain the customer's consent and the acquirer of data has to ensure that the data collected complies with the GDPR and process it based on the collection purpose.