On April 15, 2020, the French Data Protection Authority (the “CNIL”) published the final version of its standard (“Referential”) concerning the processing of personal data for core Human Resources (“HR”) management purposes. That Referential was adopted following a public consultation launched by the CNIL on April 11, 2019. The CNIL also published a set of questions and answers (“FAQs”), which aim to answer some practical questions that the CNIL are regularly asked regarding HR data processing activities.
Following the 2018 update to the French Data Protection Act, in light of the EU General Data Protection Regulation (the “GDPR”), the CNIL was granted the power to issue Referentials. These Referentials are not compulsory; they are intended as guidance for carrying out specific data processing activities in compliance with the GDPR and the French Data Protection Act. In particular, the Referential on HR data processing provides guidance to both private and public organizations that process personal data of job applicants, employees and other staff members for core HR purposes. The Referential is also intended to aid them in carrying out a data protection impact assessment (“DPIA”), when the data processing requires one. In this case, data controllers may refer to the Referential to describe the measures they implement, or envision implementing, in order to comply with the necessity and proportionality requirements of the GDPR, to facilitate the exercise of individuals’ data protection rights, and to address risks to individuals’ rights and freedoms. Companies that do not comply with the CNIL’s Referential on grounds relating to their particular situation will need to demonstrate why they need to depart from it and take all appropriate measures to ensure compliance with the GDPR and the French Data Protection Act.
Main Changes in the Referential on HR Data Processing
The summarized key changes introduced by the Referential on HR data processing include:
- Scope of the Referential: The Referential covers the processing of personal data for the following core HR purposes: (1) recruitment (without use of innovative tools, e.g., psychometrics); (2) employee administration; (3) compensation management and completion of related administrative formalities; (4) provision of professional tools to staff members; (5) work organization; (6) career and mobility management; (7) training; (8) keeping of compulsory records and management of relations with employee representatives; (9) internal communications; (10) administration of social benefits; and (11) auditing and (pre)litigation management. It does not cover the processing of employee personal data for the following purposes as these are subject to specific rules:
- access control with biometrics;
- operation of a whistleblowing hotline;
- CCTV; and
- telephone call listening/recording.
- Legal bases for HR Data Processing: The Referential further specifies the legal bases for processing personal data for the above core HR purposes.
- Data Retention: The Referential provides specific data retention periods for some HR data processing activities, including for payroll/compensation management. This includes the maximum period for which the personal data may be kept in an active database as well as the archiving period.
- DPIA: The Referential further specifies the cases in which a DPIA will be required in light of the CNIL’s list of data processing activities that are exempt from a DPIA (such as the processing of employee data for access control purposes without using biometrics) and the list of those data processing activities that require a DPIA (such as the implementation of Data Loss Prevention tools).