
CNIL recommendation of April 10, 2025 (deliberation no. 2025-028)

In a context of increased efforts to combat discrimination and promote equal opportunities, a growing number of employers seek to assess the diversity of their workforce through surveys administered directly to employees. These initiatives, however, raise sensitive issues regarding data protection, and they must also contend with the prohibition of ethno-racial studies that follows from the fundamental principles of the Constitution of the French Republic. To support professionals in these efforts, the French Data Protection Authority (CNIL) has issued a recommendation providing a framework for self-administered surveys conducted in the workplace.

Ensuring Anonymity of Responses: A Core Principle

The CNIL encourages designing surveys to ensure the anonymity of participants from the outset, i.e., from data collection. The objective is to prevent any direct or indirect identification of a respondent. To guarantee effective anonymity at the collection stage, several concrete precautions are advised:

  • Avoid collecting identifying information, such as name, address, phone number, date of birth, or any technical connection data (IP address, login credentials, etc.).
  • Use multiple-choice questions with broad response options, to reduce the level of granularity and the risks of re-identification through cross-referencing. Example: broad age ranges (“18-25 years”) rather than specific ages (“18”, “19”, “20”, etc.).
  • Strictly separate technical environments, especially for online surveys, to isolate responses from connection logs.

The CNIL recalls that true anonymity removes the personal data qualification, meaning the GDPR no longer applies.

The authority notes, however, that anonymity from the outset, while highly protective, is neither mandatory nor always feasible. In certain cases, a certain level of identification may be necessary, for example, to identify duplicate responses. In any event, anonymization must occur before any dissemination or use of the results.
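The precautions above (coarse answer bands, no identifying fields, no release of results that could single someone out when answers are cross-referenced) can be checked mechanically before aggregated results are disseminated. The following is an added example written for this page, not code from the CNIL or from any survey product; the minimum cell size `k = 3`, the age bands and the sample answers are constructed assumptions, since the recommendation itself fixes no numeric threshold.

```python
from collections import Counter
from itertools import combinations

DECLINE = "I do not wish to answer"

# Constructed sample of self-administered answers (not real data). Only coarse
# multiple-choice fields are stored, as the recommendation advises: no name,
# address, IP address, login or exact date of birth is ever recorded.
RESPONSES = [
    {"age_band": "18-25", "site": "Lyon", "birthplace": "Mainland France"},
    {"age_band": "18-25", "site": "Lyon", "birthplace": "Abroad, European continent"},
    {"age_band": "26-35", "site": "Lyon", "birthplace": "Mainland France"},
    {"age_band": "26-35", "site": "Lyon", "birthplace": "Mainland France"},
    {"age_band": "26-35", "site": "Paris", "birthplace": "Mainland France"},
    {"age_band": "46-55", "site": "Paris", "birthplace": "Overseas France"},
]

def age_to_band(age):
    """Coarsen an exact age into broad ranges so that an exact value is never kept.
    The band boundaries are an assumption for this example."""
    if age is None:
        return DECLINE
    if age < 18:
        return "Under 18"
    for low, high in ((18, 25), (26, 35), (36, 45), (46, 55)):
        if low <= age <= high:
            return f"{low}-{high}"
    return "56 or over"

def small_cells(responses, fields, k):
    """Answer combinations over `fields` shared by fewer than k respondents.
    These are the cells that could identify a colleague by cross-referencing."""
    counts = Counter(tuple(r.get(f, DECLINE) for f in fields) for r in responses)
    return {cell: n for cell, n in counts.items() if n < k}

def release_check(responses, k, max_cross=2):
    """Report every field combination (up to max_cross fields at once) that has
    cells below k. An empty report means the aggregate tables can be shared."""
    fields = sorted({f for r in responses for f in r})
    report = {}
    for width in range(1, max_cross + 1):
        for combo in combinations(fields, width):
            cells = small_cells(responses, combo, k)
            if cells:
                report[combo] = cells
    return report

def aggregate_for_dissemination(responses, fields, k):
    """Counts to hand to the employer; cells below k are suppressed, not released."""
    counts = Counter(tuple(r.get(f, DECLINE) for f in fields) for r in responses)
    return {cell: (n if n >= k else "<k") for cell, n in counts.items()}
```

With the sample above and `k = 3`, every two-field cross-tabulation contains suppressed cells, which illustrates why broad bands alone are not enough once results are cross-referenced across a small site.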

Voluntary Participation: A Systematic Requirement

Regardless of whether the data qualifies as personal data – and thus whether the GDPR applies – participation in the survey must always be voluntary. No employee should be compelled to participate, directly or indirectly. This implies, in particular:

  • A positive action to participate (e.g., voluntarily clicking on a link),
  • A complete absence of incentive (for example financial) or repercussion in case of refusal to respond,
  • No individualized follow-ups/reminders to respondents or non-respondents.

Each question must also be strictly optional: participants must be able to decline without justification, even in the presence of a trusted third party. The structure of the survey itself is a key factor in ensuring voluntariness.

A Single Purpose: Promoting Equal Opportunity in the Workplace

The only acceptable purpose of a diversity measurement survey, as defined by the CNIL, is to establish a collective diagnosis of discrimination and diversity within the organization, with a view to identifying barriers to equal opportunity and implementing corrective measures. Any individual use, even for the benefit of an employee, is prohibited.

Drafting Questions in Compliance with the Principle of Data Minimization and Constitutional Requirements

The GDPR’s minimization principle requires that questions in a diversity survey be limited to what is objectively necessary to achieve the stated purpose.

Additionally, the CNIL highlights a constitutional constraint: in decision No. 2007-557 DC of November 15, 2007, the French Constitutional Council expressly excluded the use of ethnic or racial classifications in statistical surveys. Any ethno-racial reference such as “race,” “racial origin,” or categories like “Arab,” “Asian,” or “Caucasian” is thus prohibited, regardless of intent. This rule applies even to fully anonymous surveys.

The CNIL does allow for questions about social, geographic, or cultural background based on objective data or subjective perceptions, provided that such wording respects the aforementioned prohibition and does not enable easy re-identification.

Permissible questions include, for example:

  • Place of birth: “Where were you born?” with broad options such as:
    ◦ In mainland France
    ◦ In Overseas France
    ◦ Abroad, in a European continent country
    ◦ Abroad, outside the European continent
    ◦ I do not wish to answer
  • Nationality at birth, including that of the parents
  • Perceived affiliation with a group subject to discrimination, or how one believes they are perceived.

On the other hand, prohibited questions include:

  • “What race do you belong to?”
  • “What is your ethnic or racial origin?”
  • Any nomenclature offering checkboxes corresponding to ethno-racial groups such as “Arab”, “Asian”, “Latino”, “Caucasian”, etc.

The CNIL also recommends strictly limiting free-text fields, especially unstructured ones, as they may lead to overly specific responses or allow re-identification. Instead, dropdown menus, checkboxes, and multiple-choice formats should be used, with a “prefer not to answer” option included for each question.

Legal Bases: Legitimate Interest + Specific Consent for Sensitive Data

When a survey is not anonymous at the point of data collection, the preferred legal basis is the employer’s legitimate interest. This basis is justified by the survey’s purpose but requires, notably: (i) voluntary participation; (ii) anonymization of the survey results; and (iii) additional organizational safeguards to protect data subjects’ rights and freedoms, such as limited access, pseudonymization, or segregation of technical environments.

The CNIL also considers the involvement of a trusted third party (discussed below) as one of the safeguards supporting a fair balance between the employer’s interests and employees’ rights.

Furthermore, if the survey cannot be fully anonymous and includes so-called “sensitive” data (e.g., health, sexual orientation, disability, perceived origin), processing such data requires explicit consent from the data subject. This consent must be freely given, specific, informed, and indicated through a clear affirmative act, without pressure or any reward in return; for example, an unticked box placed before the relevant questions. To reinforce safeguards, the CNIL recommends that a trusted third party be used to collect this consent, host the data, and return only aggregated results to the employer. These precautions are particularly critical in a professional context, given the structural imbalance between employer and employee.

Use of a Trusted Third Party: A Strongly Recommended Measure

To enhance anonymity and/or pseudonymization, ensure data confidentiality, and boost credibility among employees, the CNIL strongly recommends involving a trusted third party to: (i) collect and centralize responses; (ii) separate identity from collected data; (iii) manage the collection of specific consent for sensitive data, where applicable; and (iv) anonymize results before transmission to the employer.

Additional Safeguards to Be Observed

The CNIL recommendation also outlines other standard compliance requirements:

  • Data Controller Responsibilities: Clearly identify the data controller (the employer), any joint controllers, and any processors. Where a trusted third party is involved, the CNIL considers that they may be either a joint controller or a processor, depending on the circumstances.
  • Information to Data Subjects: An information notice must be attached to the questionnaire, containing all mandatory details under Article 13 GDPR. The CNIL recommends reiterating this information at several stages (e.g., before sending the survey and upon opening it). As a best practice, the CNIL suggests involving employee representatives to enhance transparency and acceptability.
  • Rights Management: Data subjects must be able to exercise their rights until data is deleted or anonymized. For pseudonymized surveys, specific procedures must allow the retrieval and deletion of data based on elements provided by the data subject (e.g., answers to a few questions).
  • Data Retention: The CNIL mentions a maximum retention period of six months for identifying data from the close of the survey. This period should suffice to analyze results, generate aggregated statistics, and correct errors. After this time, data must be deleted or anonymized.
  • Data Protection Impact Assessment (DPIA): The DPIA must assess risks to individuals, describe implemented safeguards, and be updated with any changes to the system. It must be conducted before data collection begins.
  • Data Security: Access must be strictly limited to authorized personnel and documented. Connection logs must be kept separate from survey data. For postal surveys, return by prepaid envelope to a distinct address is recommended.

Conclusion

Measuring diversity can serve as a valuable tool in policies aimed at combating discrimination and promoting equal opportunity. However, in France, such initiatives remain sensitive and must comply with a clear legal framework. With the publication of this long-awaited recommendation, the CNIL offers much-needed clarity. Employers must ensure strict compliance with these rules, or risk turning a well-meaning initiative into a disproportionate data processing activity.
