On April 11, 2019, the French Data Protection Authority (the “CNIL”) launched an online public consultation regarding two new CNIL draft standards (“Referentials”) concerning the processing of personal data for (1) core HR management purposes and (2) the operation of a whistleblowing hotline.


Following the 2018 update to the French Data Protection Act in light of the EU General Data Protection Regulation (the “GDPR”), the CNIL was granted the power to issue guidelines, recommendations and norms or standards called “Referentials.” These Referentials are not compulsory; they are mainly intended as guidance for carrying out specific data processing activities under the GDPR. Each Referential lists the purposes of the data processing in question, the legal basis for that data processing, the types of personal data that may be processed for those purposes, the authorized data recipients, the data retention periods, the data subjects’ rights with respect to their personal data, and the associated security measures. The CNIL’s Referentials also are intended to aid data controllers in carrying out a data protection impact assessment (“DPIA”) when the data processing requires a DPIA. In this case, data controllers may refer to the Referential to describe the measures they implement, or envision implementing, in order to comply with the necessity and proportionality requirements of the GDPR, to facilitate the exercise of the data subjects’ rights, and to address risks to data subjects’ rights and freedoms.

CNIL’s Draft Referential on HR Data Processing

This draft Referential covers processing the personal data of job applicants, employees and other staff members for the following core HR purposes:

  • recruitment (without use of innovative tools, e.g., psychometrics);
  • employee administration;
  • compensation management and completion of related administrative formalities;
  • provision of IT tools to staff members;
  • work organization;
  • career and mobility management;
  • training; and
  • administration of social benefits.

The CNIL’s draft Referential is intended to cover only core HR data processing activities and not those involving use of innovative tools, such as psychometrics and algorithmic processing for profiling purposes. It also does not cover any individual monitoring of employees’ activities and big data processing operations. Employers who will not comply with the CNIL’s Referential must be able to demonstrate why they need to depart from the CNIL’s Referential.

CNIL’s Draft Referential on Whistleblowing Hotlines

This draft Referential updates, in light of GDPR requirements, the CNIL’s Single Authorization AU-004 regarding the processing of personal data in the context of whistleblowing hotlines. In particular, the draft Referential declares that such processing requires a DPIA.

The public consultation on the draft Referential on HR data processing will be open until May 31, 2019; the draft Referential on processing personal data in the context of whistleblowing hotlines will be open for public consultation until May 10, 2019. The new Referentials will then likely be adopted by the CNIL in plenary session.