Camaïeu’s customer file, in compulsory liquidation, was mentioned in an auction. This raises the question of the legality of this type of transfer, vis-à-vis the GDPR.
This is a message that caught the eye this weekend of December 3 and 4, 2022. Leafing through the newspaper, former MEP Jean-Marie Cavada noticed a curious advertising insert: the house Mercier & Cie, specialized in the auction, will offer for purchase the intellectual property rights of the Camaïeu brand, liquidated this fall.
By reading in detail the assets offered from 500,000 euros, we noted the portfolio of the different brands of the company, but also the domain names. It is especially a last element that caught the attention: the group’s customer file, containing 3.8 million active individuals, according to the description given in the advertising insert.
The presence of this file immediately questioned the legality of the approach with regard to the General Data Protection Regulation (GDPR). This text requires, among other things, to obtain the informed and explicit consent of individuals to process their personal data, according to previously well-explained purposes.
The sale, scheduled for December 7, ended up going up to the ears of the Cnil (the National Commission for Computing and Liberties). If it does not speak specifically about the case of Camaïeu, the personal data protection authority has, however, just specified the legal framework that applies to this type of database.
This sale may be legal, but there are rules to follow
Unsurprisingly, the Cnil observes that the sale of a customer file can be legal – it is also a common operation, she specifies. However, this must take place within the framework of the GDPR, with two conditions in particular: this list must contain active customers and they must have accepted that their data can be transferred to third parties.
What is meant by an active customer is a customer whose last commercial relationship with the company is less than three years old. This commercial relationship can take various forms: a purchase, the expiry of a guarantee, a provision of services, a contact from the customer. The last business relationship serves as a reference to determine whether it is an active customer or not.
The acquisition of the customer file also requires its new owner to follow certain rules. The first being that it will be necessary to warn, quickly, all the people present in this file of this transfer. The deadline for this is one month. It will also be necessary to check whether the consent of the persons has been obtained.
Before the intervention of the Cnil, several legal specialists had estimated that the sale of Camaïeu’s customer file may be legal if the provisions of the GDPR are respected. This is the case of Bernard Lamonta lawyer specializing in digital and communications law, and Thibault Douvilleuniversity professor and director of the master’s degree in digital law in Caen.
” Assignment is possible and the purchaser must obtain renewed consent from the persons concerned. It is GDPR compliant. Some say surrender is impossible: I don’t think so “wrote Bernard Lamon. Another of his colleagues, Jean-Christophe Guerrinihas also estimated the legal assignment if this database complies with the law.
What about Camaïeu’s customer file? In this case, it may not be required to inform individuals after this transfer or to carry out any verification. And for good reason: on the Interenchères site, the lot containing the group’s intellectual property no longer mentions the customer file at all. Only trademarks and domain names remain.