Article by: Silvia Axinescu, Senior Managing Associate, Reff si Asociații // Chair of the AmCham Data Protection & ePrivacy Task Force
With companies more and more interested to digitalize their business and to ensure a consistent marketing strategy, whether through launching new business models or products, investing in an innovative platform or application, changing their CRM or SAP tool or even moving core processes to the cloud, we have lately seen various data protection challenges which accompany the business processes involving data migration in marketing.
Usually, business areas interested to process current databases in a data migration process for purposes including business need to have centralized all personal data in a new system/tool and aggregate it so as to build better customers’ profile (on various factors, including business needs, periodicity of uses, how the users interact with new tool or system, shopping preferences etc.).
In principle, main challenges and careful attention would refer to the following:
A clear understanding of data flows within data migration process is critical to assess what are main data protection obligations and possible challenges so as to address them accordingly and mitigate possible risks. This can only achieved through a smooth cooperation between all main departments and stakeholders involved.
A preliminary assessment with respect to the role of each entity involved, such as IT provider(s), marketing providers or other companies within the same group is critical in determining further related obligations. As always, establishing who determines the purposes and means, understanding the level of influence, whether alone or jointly are amongst the questions which need to be carefully addressed and answered to in order to document accordingly the data protection qualification (joint controllers, controller/processor or independent controllers).
In principle, new technologies encompass enhanced levels of security, while they also provide technical functionalities in line with the state of the art, this being amongst the reasons for implementation of a data migration process.
In most cases, the migration activity would be carried out on the basis of the legitimate interest, as the other grounds for processing do not necessarily represent a solution for the processing of personal data. As such, the use of legitimate interest needs to be carefully balanced. The resources and conditions for processing need to be carefully documented throughout a legitimate interest assessment, in order to highlight the legitimate interest of the controller.
When engaging in the migration activity, controllers should ensure that it holds adequate control throughout the whole lifespan of the personal data.
If data is migrated for marketing activities and further processed via a third-party, controllers should ensure careful analysis of the qualification of the third-party from a data protection perspective. If the third-party providers are qualified as processors, then controllers should instruct in detail on the activities that are allowed, as well as providing instructions on all the elements concerning processing of data.
Unfortunately, many companies that work with a large amount of personal data face the risk of collecting the same personal data, for the same purposes, numerous times. Data migration may be used as an instrument for avoiding data duplication, as all data shall be transferred in a sole environment that shall serve one defined purpose.
However, while data migration may be a solution to avoid data duplication, such needs to be conducted in a manner that avoids unlawful processing of personal data, by segmenting the database, depending on each established purpose and ensuring interaction between different segments of the database only if a legal basis exists and if the data subjects are aware of such an activity.
