Commercial prospecting is subject to specific personal data protection rules, even when it takes place between companies (BtoB). Here are the main principles to be respected.


Commercial prospecting can take many forms: e-mail, post, SMS, MMS, telephone calls, etc. While this activity is legitimate and forms part of the range of marketing actions available to a company to win new customers and retain its existing ones, it is nonetheless subject to a number of rules relating to the protection of personal data.

Commercial prospecting by post and by telephone call must therefore respect the fundamental principle of prior information, as well as the right of opposition. This transparency allows data subjects to know why the various data concerning them are collected, to understand the processing that will be applied to their personal information, and to keep control of their data by making it easier to exercise their rights.

Data controllers must inform data subjects in the event of direct data collection (form, online purchase, subscription to a contract, etc.) or indirect collection (data collected from business partners or brokers, for example).

As for the right of opposition, it allows people who are the target of the prospecting campaign to refuse to have their personal data used for this purpose and to express their refusal to receive future solicitations.

In the same way, prospecting by e-mail and SMS/MMS must include an information phase and must obtain the consent of the recipients. This consent must be “free, specific, informed and unequivocal”, the CNIL specifies. To be valid, it requires a positive and specific action by the person concerned (for example, a box to be ticked, not one that is already pre-ticked).


BtoB prospecting: legitimate interest, an argument to be handled with care

In a BtoB context (business-to-business relations), prospecting aimed at professionals can be based on the legitimate interest of the prospecting company. The person approached must nevertheless, at the time their e-mail address or mobile phone number is collected, be informed that it will be used for prospecting purposes, and must be able to object later through an easy and free procedure.

But beware: the subject of the commercial solicitation must be related to the profession of the person canvassed. In December 2020, the CNIL imposed a fine of 20,000 euros on the company Nestor (text in FR), which specialises in delivering meals to employees, for having solicited hundreds of thousands of people without their agreement and without a direct link to their professional activity.


Sale of client files: strict rules to follow

The sale of a customer file also falls within the scope of GDPR, because such a file contains a lot of personal data: identity of the persons (surname and first name), email address, telephone number, postal address, etc.

One of the first rules to respect is to transmit only the data of active customers. The CNIL recalls in this respect that customer data used for commercial prospecting purposes may be kept for the duration of the commercial relationship and then, with some exceptions, for a period of three years from the end of that relationship. Beyond this three-year period, the data can therefore no longer be transmitted as part of the sale of a customer file.

The second rule to respect is to check that only the data of customers who have not objected to the transmission of their data, or who have consented to it, is sold. “The data of customers who have objected to its transmission for prospecting purposes by post or telephone, and of those who have not consented to the transmission of data for prospecting purposes by electronic means, must be deleted from the file before it is transmitted to the purchaser”, the CNIL specifies.
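The two rules above (three-year retention after the end of the relationship, and removal of customers who objected or did not consent) can be enforced with a filter applied to the file before any transfer. The following is an added example, not code from the article or from the CNIL; the record layout, the flag names and the sample customers are assumptions constructed for illustration, and the filter applies both channel conditions conservatively, so a record must pass all checks to be transmitted.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

RETENTION_YEARS = 3  # CNIL: three years from the end of the commercial relationship


@dataclass
class Customer:
    customer_id: str
    email: str
    relationship_end: Optional[date]  # None means the customer is still active
    opposed_postal_phone: bool        # objected to transfer for post/telephone prospecting
    consented_electronic: bool        # consented to transfer for e-mail/SMS prospecting


def retention_limit(end: date) -> date:
    """First day on which data of a former customer may no longer be transmitted."""
    try:
        return end.replace(year=end.year + RETENTION_YEARS)
    except ValueError:  # 29 February with no leap-day counterpart: roll to 28 February
        return end.replace(year=end.year + RETENTION_YEARS, day=28)


def exclusion_reason(c: Customer, transfer_date: date) -> Optional[str]:
    """Return why a record must be removed from the file, or None if it may be sold."""
    if c.relationship_end is not None and transfer_date >= retention_limit(c.relationship_end):
        return "retention period expired"
    if c.opposed_postal_phone:
        return "opposed to transfer for postal/telephone prospecting"
    if not c.consented_electronic:
        return "no consent to transfer for electronic prospecting"
    return None


def prepare_file_for_sale(customers: List[Customer], transfer_date: date) -> Tuple[List[Customer], List[Tuple[str, str]]]:
    """Split the file into records that may be transmitted and (id, reason) pairs to delete."""
    kept, excluded = [], []
    for c in customers:
        reason = exclusion_reason(c, transfer_date)
        if reason is None:
            kept.append(c)
        else:
            excluded.append((c.customer_id, reason))
    return kept, excluded


# Constructed sample file (hypothetical customers, not real data).
SAMPLE_CUSTOMERS = [
    Customer("c1", "a@example.org", None, False, True),               # active, compliant
    Customer("c2", "b@example.org", date(2020, 6, 1), False, True),   # relationship ended > 3 years ago
    Customer("c3", "c@example.org", date(2023, 1, 1), True, True),    # objected to post/phone transfer
    Customer("c4", "d@example.org", date(2023, 1, 1), False, False),  # no electronic consent
    Customer("c5", "e@example.org", date(2022, 3, 1), False, True),   # still within retention
]

if __name__ == "__main__":
    kept, excluded = prepare_file_for_sale(SAMPLE_CUSTOMERS, date(2024, 1, 15))
    print("transmit:", [c.customer_id for c in kept])
    print("delete before transfer:", excluded)
```

The exclusion log is worth keeping on the seller's side as evidence of the check, since the seller remains accountable for what was transmitted.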


The acquirer of the customer file also has obligations

Once the customer file has been purchased, the acquirer must inform the persons concerned as soon as possible (in particular at the first contact) and, at the latest, within one month. This information must include the source of the data, i.e. the name of the company that sold the customer file.

In addition, the acquirer of the file must be able to demonstrate that it holds the informed consent of the recipients if it wishes to use their data for commercial prospecting by electronic means. If the seller of the file has not obtained its customers' consent for the acquirer's prospecting operations, the acquirer must itself collect this consent beforehand.

In August 2022, ACCOR was fined 600 000 euros (text in FR), in particular for having carried out commercial prospecting without the consent of the persons concerned and for not having respected the rights of customers and prospects. Four breaches of the GDPR were found:

  •  Breach of the obligation to inform individuals (art. 12 and 13 of GDPR),
  •  Breach of the obligation to respect individuals' right of access to the data concerning them (art. 12 and 15 of GDPR),
  •  Breach of the obligation to respect the right of opposition of the persons concerned (art. 12 and 21 of GDPR),
  •  Breach of the obligation to ensure the security of personal data (art. 32 of GDPR), due to the use of insufficiently strong passwords.


A reference framework dedicated to the management of commercial activities

In order to support companies in their compliance, the CNIL has published a reference framework (text in FR) on the management of commercial activities. It covers the routine processing of “prospect” and “customer” files, such as contract management, the management of loyalty programmes and the carrying out of commercial prospecting operations.

The framework is intended to apply to commercial relations between an organisation and its prospects and customers, whether that organisation is governed by private or public law. Given the specific nature of their activities, it is not intended to apply to health or education establishments, banking or similar establishments, insurance companies, or operators subject to authorisation by the National Gaming Authority.

This reference framework is not binding. Data controllers may deviate from its recommendations, provided that they can justify their choice, for which they remain responsible.