§ 216.11 - Limits on redisclosure and reuse of information.  


Latest version.
  • (a)(1) Information you receive under an exception. If you receive nonpublic personal information from a nonaffiliated financial institution under an exception in §216.14 or 216.15 of this part, your disclosure and use of that information is limited as follows:

    (i) You may disclose the information to the affiliates of the financial institution from which you received the information;

    (ii) You may disclose the information to your affiliates, but your affiliates may, in turn, disclose and use the information only to the extent that you may disclose and use the information; and

    (iii) You may disclose and use the information pursuant to an exception in §216.14 or 216.15 in the ordinary course of business to carry out the activity covered by the exception under which you received the information.

    (2) Example. If you receive a customer list from a nonaffiliated financial institution in order to provide account processing services under the exception in §216.14(a), you may disclose that information under any exception in §216.14 or 216.15 in the ordinary course of business in order to provide those services. For example, you could disclose the information in response to a properly authorized subpoena or to your attorneys, accountants, and auditors. You could not disclose that information to a third party for marketing purposes or use that information for your own marketing purposes.

    (b)(1) Information you receive outside of an exception. If you receive nonpublic personal information from a nonaffiliated financial institution other than under an exception in §216.14 or 216.15 of this part, you may disclose the information only:

    (i) To the affiliates of the financial institution from which you received the information;

    (ii) To your affiliates, but your affiliates may, in turn, disclose the information only to the extent that you can disclose the information; and

    (iii) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which you received the information.

    (2) Example. If you obtain a customer list from a nonaffiliated financial institution outside of the exceptions in §216.14 and 216.15:

    (i) You may use that list for your own purposes; and

    (ii) You may disclose that list to another nonaffiliated third party only if the financial institution from which you purchased the list could have lawfully disclosed the list to that third party. That is, you may disclose the list in accordance with the privacy policy of the financial institution from which you received the list, as limited by the opt out direction of each consumer whose nonpublic personal information you intend to disclose, and you may disclose the list in accordance with an exception in §216.14 or 216.15, such as to your attorneys or accountants.

    (c) Information you disclose under an exception. If you disclose nonpublic personal information to a nonaffiliated third party under an exception in §216.14 or 216.15 of this part, the third party may disclose and use that information only as follows:

    (1) The third party may disclose the information to your affiliates;

    (2) The third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and

    (3) The third party may disclose and use the information pursuant to an exception in §216.14 or 216.15 in the ordinary course of business to carry out the activity covered by the exception under which it received the information.

    (d) Information you disclose outside of an exception. If you disclose nonpublic personal information to a nonaffiliated third party other than under an exception in §216.14 or 216.15 of this part, the third party may disclose the information only:

    (1) To your affiliates;

    (2) To its affiliates, but its affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and

    (3) To any other person, if the disclosure would be lawful if you made it directly to that person.