• French Data Protection Authority Actively Examines Employee Data Processing
  • September 19, 2008 | Author: Thomas De Meese
  • Law Firm: Crowell & Moring - Brussels Office
  • The French Data Protection Authority ("CNIL") recently announced that it is actively examining the processing of personal data by French employers. CNIL has found that many of these employers are in violation of French privacy legislation. CNIL's findings are of particular interest because they list the most frequently occurring privacy violations, which employers concerned with data protection compliance can use as a checklist. CNIL's recent action also illustrates the increased enforcement activity of national data protection authorities throughout Europe.

    The French Data Protection Authority (the "Commission Nationale de l'Informatique et des Libertés" or "CNIL") recently announced that it has been actively examining (and will continue to do so) the processing of personal data of employees by French employers. CNIL has found that many employers are in violation of French privacy legislation.

    CNIL's findings
    CNIL noted that the following violations occurred most frequently:

    • Providing insufficient or inadequate information to employees with respect to their rights under applicable data protection laws;
    • Weak security measures intended to protect personal data, especially where such personal data are transferred abroad;
    • Absence of policies for updating personal data and removing information that has become obsolete;
    • Limited use by French employees of whistle-blow systems;
    • Lack of knowledge of the French legal requirements relating to whistle-blow systems.

    With respect to whistle-blow systems (which are mandatory for listed companies in the United States under the Sarbanes-Oxley Act), CNIL made two observations.

    The first finding is that French workers make little use of such systems. In addition, whistle-blow mechanisms set up by parent companies headquartered abroad often appear to be incompatible with local practices within French companies, with French labor legislation, and with the traditional practice of reporting problems through the normal management line.

    The second finding concerns employers' poor understanding of French data protection legislation when implementing whistle-blow systems. In many cases, employers do not notify CNIL of the existence of their whistle-blow system, even though this is legally required. In addition, when companies do make a notification, they often refer to CNIL's "Single Authorization No. 4" (a CNIL document setting forth the conditions under which whistle-blowing is allowed), even though very few whistle-blow systems currently in place actually comply with this document.

    With respect to trans-border data flows, CNIL has noted a significant increase in such flows, especially within large multinational companies. However, this increase has not been matched by increased attention to the applicable data protection rules. This is rather surprising, since violations of these rules are punished severely (up to 5 years' imprisonment and fines of up to 300,000 euros). The violations established by CNIL in this respect include the absence of information provided to data subjects, unacceptably long data retention periods once the personal data have been transferred, and the absence of prior notifications to CNIL.

    CNIL's particular attention to the processing of HR personal data should prompt French employers to make sure that they comply with French data protection legislation.

    But the importance of CNIL's recent action goes further: it illustrates the increased activity of national data protection authorities across Europe as a whole. These authorities are increasingly moving towards active enforcement of data protection law and, in doing so, do not hesitate to impose sanctions.

    Employers therefore have a real interest in setting up good data protection practices and adequately notifying their activities to the relevant authorities.