On November 29, 2018, the French Data Protection Authority (the “CNIL”) launched an online public consultation regarding two new CNIL draft standards (“Referentials”) concerning the processing of personal data to manage (1) business activities and (2) unpaid invoices


Following the 2018 update to the French Data Protection Act for purposes of implementing the EU General Data Protection Regulation (“GDPR”), the CNIL may issue guidelines, recommendations or standards called “Referentials.” These Referentials are not compulsory: they are mainly intended as guidance for carrying out specific data processing activities under the GDPR. Each Referential lists the purposes of the data processing in question, the legal basis for that data processing, the types of personal data that may be processed for those purposes, the data retention periods and the associated security measures. By providing this information, the Referential is also intended to aid data controllers to carry out a data protection impact assessment (“DPIA”) as necessary. Data controllers may refer to a Referential to describe the measures the controllers implement, or envision implementing, in order to comply with the necessity and proportionality requirements of the GDPR, to honor data subjects’ rights, and to address risks to data subjects’ rights and freedoms.

CNIL’s Draft Referential on Data Processing for Managing Business Activities

This draft Referential updates the CNIL’s Simplified Norm No. 48 on the management of customers and prospective customers. It therefore intends to cover standard customer data processing activities carried out by any data controller, except (1) health or educational institutions; (2) banking or similar institutions; (3) insurance companies; and (4) operators subject to approval by the French Online Gambling Regulatory Authority. It does not, however, cover the following customer data processing activities: (1) fraud detection and prevention; (2) preventing, on a temporary or permanent basis, data subjects from receiving or accessing services or goods (e.g., due to unpaid invoices); (3) profiling; (4) monitoring store traffic; (5) enriching databases with information collected by third parties. Interestingly, the draft Referential refers to the CNIL’s December 2013 guidelines in advising how to comply with the EU/French cookie law rules, thereby confirming the validity of its previous guidelines even post-GDPR, pending the adoption of the draft ePrivacy Regulation.

CNIL’s Draft Referential on Data Processing for Managing Unpaid Invoices

This draft Referential intends to cover the processing of personal data for managing unpaid invoices. It does not cover the processing of customer data for detecting risks of non-payment, or to identify other infringements (such as discourtesy shown by customers).

The public consultation on the two draft Referentials will be open until January 11, 2019. The new Referentials will then likely be adopted by the CNIL in plenary session.