When the GDPR became effective, the CNIL’s previous set of HR Data guidelines became out of date as they did not incorporate the new law’s requirements (e.g. obligations relating to records of processing activities and Data Protection Impact Assessments). These new guidelines replace several older HR guidelines issued by the CNIL, including and in particular the well-known Simplified Norm NS-46 and the Notification Exemption for payroll, both of which are no longer applicable.
The guidelines are accompanied by a useful Frequently Asked Questions webpage (French only) regarding their content and applicability.
Although these new guidelines are not binding and the CNIL expressly states that controllers can deviate from them (e.g., regarding retention periods or legal bases for processing), the CNIL’s expectation is that controllers will comply with them. Companies must therefore prepare strong arguments to support departures form the guidelines, with any difference in approach potentially open to investigation by the CNIL during audits or inspections.
The main provisions of the guidelines include:
The new guidelines are applicable to public and private companies for the processing of their employees’ personal data. “Employees” is broadly understood as including permanent employees, temporary workers, interns and trainees, civil servants, apprentices, etc.
The scope of the guidelines has been widened. The former guidelines only included staff management purposes, whereas they now also cover other standard HR processing such as recruitment and payroll.
Purposes which do not fall within what the CNIL considers to be standard HR processing are, however, excluded from the guidelines’ scope, including: biometric access control to work premises, whistleblowing schemes, the use of CCTV systems, recording of phone conservations, processing using big data, psychometric testing, etc. The CNIL provides specific guidelines for these processing activities.
The new guidelines include a comprehensive grid of applicable legal bases for processing related to each standard HR purpose, including: compliance with a legal obligation, performance of a contract or steps taken prior to entering into a contract, legitimate interests, or tasks performed in the public interest or in the exercise of official authority vested in the controller. For example, for recruitment purposes, pre-contractual measures or legitimate interests are acceptable legal bases for the CNIL. The guidelines remind controllers, however, that those suggested legal bases must be adapted to specific contexts and situations.
Regarding the consent of employees or applicants, the CNIL also reminds organisations that these individuals are hardly ever in a position to provide free, specific, informed and unambiguous consent due to the in-balance of power in the relationship between them and their current or future employer. The CNIL concludes that consent can be used as a legal basis for processing employee/applicant personal data only in cases where there are no consequences for them. For instance, the recording of a promotional video in a workspace that shows identifiable employees may be based on the employees’ consent if: (i) the employees have a real choice as to whether or not to appear in the recording; and (ii) the employees’ choice has no impact on them (in particular with regard to working conditions, remuneration, advancement, etc.).
Categories of personal data
The new guidelines provide a list of personal data that can be collected for standard HR processing (identification data, data about professional career, training, work-related injury, etc.). They also include explanations and examples for processing of specific personal data, such as the French identification number (Social Security Number or NIR), sensitive data and information relating to criminal convictions and offences, the processing of which is strictly limited under French law. In addition, the guidelines stress that controllers must ensure that employees’ personal data is kept accurate and up-to-date.
The CNIL explains that most employee personal data must be kept for the duration of the employment relationship unless legal provisions require a longer retention period. Data can then be kept in archives, which, in the CNIL’s view, means that personal data is kept in a separate database with limited access and processed for limited purposes such as answering legal, accounting, tax or social retention obligations, or for the purposes of litigation.
The CNIL also provides for the first time some detailed examples of retention periods based on the French Labour Code, Social Security Code, and Commercial Code.
Finally, the CNIL reminds controllers that a DPIA is required for any processing operation likely to result in a high risk to the rights and freedoms of natural persons.
The CNIL provides examples of purposes for which a DPIA is not required (e.g. training management, payroll management, reimbursement of business expenses, etc.) as well as examples of purposes for which a DPIA is required (e.g. recruitment processing using a selection algorithm, data loss prevention processing, CCTV systems used for money-handling employees, etc.). In any event, the CNIL notes that a DPIA is often required as employees are considered “vulnerable persons” under the European Data Protection Board’s guidelines.
Authored by Patrice Navarro and Julie Schwartz