French data protection authority

CNIL Announces Inspection Program—Focus Will Be on BCR Compliance and Treatment of Psychosocial Data, Among Others

The mission of the French data protection authority—the Commission Nationale Informatique et Libertés (CNIL)—is “to protect personal data, support innovation, [and] preserve individual liberties.” In addition to its general inspections, every year the CNIL establishes a different targeted-inspection program. This program identifies the specific areas that CNIL’s controls will concentrate on for the following year. The 2014 inspection program was focused on everyday life devices, such as online payment, online tax payment and dating websites, among other things. On May 25, 2015, the CNIL announced its 2015 inspection program and identified a focus on six issues in particular: contactless payment, Driving Licenses National File (Le Fichier National des Permis de Conduire), the “well-being and health” connected devices, monitoring tools used for attendance in public places, the treatment of personal data during evaluation of psychosocial risks and the Binding...

GPEN Children’s Privacy Sweep Announced

On 11 May 2015, the UK Information Commissioner’s Office (ICO), the French data protection authority (CNIL) and the Office of the Privacy Commissioner of Canada (OPCC) announced their participation in a new Global Privacy Enforcement Network (GPEN) privacy sweep to examine the data privacy practices of websites and apps aimed at or popular among children. This closely follows the results of GPEN’s latest sweep on mobile applications (apps), which suggested a high proportion of apps collected significant amounts of personal information but did not sufficiently explain how consumers’ personal information would be collected and used. We originally reported the sweep on mobile apps back in September 2014. According to the CNIL and ICO, the purpose of this sweep is to determine a global picture of the privacy practices of websites and apps aimed at or frequently used by children. The sweep seeks to instigate recommendations or formal sanctions where non-compliance...

Are You Monitoring Your French Employees? Make Sure You Have Registered That Activity with the CNIL!

French employers must declare monitoring to the French Data Protection Authority (CNIL) in advance if they want to use evidence obtained from that monitoring in court. The use of the employee’s company mailbox for personal purposes is tolerated under French law, when reasonable. Where it is considered abusive, however, it could constitute a breach of conduct against which the employer may impose sanctions. Employers generally use monitoring software to discourage and establish evidence of abuse. Such software may be lawful provided the employer follows the rules stipulated by the French Labor Code and the French Data Protection Act to ensure the protection of personal data. In particular, the employer must submit information to and engage in consultation with the works council, provide information to employees impacted by the software, as well as make a formal declaration of the proposed monitoring activities to CNIL – except where a Data Protection...

CNIL Expands Scope of Whistleblowing Programs under French Privacy Law

On February 11, 2014, the French data protection authority (CNIL) published Deliberation #2014-042 and expanded the list of issues that a whistleblowing program may permissibly receive and process under French privacy laws.  Now, these programs also can be used to report employment discrimination and harassment, and health, hygiene, safety and environmental issues.  This is a significant development under French privacy law because, up to this point, the Single Authorization No. 4 strictly limited the type of data that French subsidiaries and other companies operating in France could collect.  In particular, companies only could receive reports concerning finance, accounting, banking, anti-corruption, and unfair competition.  A program that was constructed to receive reports concerning employment discrimination or harassment, for example, was technically in breach of French data privacy laws.  Under Deliberation #2014-042, this is no longer the case.  For...
