Lexicon > Commercial prospecting

IT Glossary

Commercial prospecting

The concept of commercial prospecting refers to the sending of any message intended to promote, directly or indirectly, goods, services or the image of a person selling goods or providing services.

Commercial prospecting can be direct, when it is specifically aimed at a natural or legal person. It can therefore also be indirect, when it is not aimed at a specific natural or legal person.

It can be carried out by all existing means of communication, and in particular by electronic mails, faxes, SMS, telephone calls, advertising displays, postal mails, flyers…

Prospecting can be aimed at consumers (B2C) or professionals (B2B).

While indirect commercial canvassing should not require the processing of personal data, direct commercial canvassing necessarily requires the processing of personal data when a natural person is targeted by this canvassing. Direct commercial prospecting actions must therefore be implemented under the conditions provided for by the GDPR.

Thus, in the context of direct prospecting actions targeting consumers by means of automated electronic communication systems (e-mail, SMS, automatic call systems), the data controller should obtain their prior consent.

This consent is not required if the person concerned is already a customer of the responsible for the processing and if the canvassing concerns similar products or services provided by the latter, that he/she is informed in advance and that he/she can object at any time, or that the canvassing is not of a commercial nature.

Furthermore, the prior consent of the person concerned is not required in the context of commercial prospecting operations between professionals or not using an automated electronic communications system – for example, by carrying out direct prospecting by telephone without an automatic calling machine.

In any case, when prospecting operations are not based on the prior consent of the person concerned, the latter must nevertheless be informed in advance and be able to object at any time.

Furthermore, the data controller must be able to demonstrate that it has a legitimate interest in carrying out the processing and that this interest does not create an imbalance to the detriment of the rights and interests of the persons whose data are processed.

Finally, any communication that is part of a direct prospecting operation must specify the identity of the advertiser and offer a simple means of objecting to the prospecting – or of withdrawing consent to the said prospecting.

Point of legislation

“Direct prospecting by means of automated electronic communication systems within the meaning of 6° of Article L. 32, a fax machine or electronic mail using the contact details of a natural person, subscriber or user, who has not previously expressed his or her consent to receive direct prospecting by this means is prohibited.”

Article L34-5 of the French Post and Communications Code

Point of jurisprudence

The National Commission of Data processing and Freedoms could consider:

“In the absence of a purchase, the company cannot usefully invoke the benefit of the exception created by article L. 34-5 of the CPCE allowing canvassing without prior consent when the recipient’s contact information has been collected from him or her during a sale or provision of services if the direct canvassing concerns similar products or services provided by the same natural or legal person.

Consequently, the restricted panel considers that it was up to the company to obtain the prior, free, specific and informed consent of persons creating an account on the company’s website without having made a purchase, to receive direct prospecting messages by e-mail, in accordance with paragraph 1 of article L. 34-5 of the CPCE.

CNIL, June 14, 2021, N° SAN-2021-008

The Bouchara Law firm assists you in particular in :

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.