CNIL publishes new guidelines on human resources data management

CNIL Delib. n°2019-160, Nov. 21, 2019

Following a public consultation launched in April 2019, the CNIL has released new guidelines regarding the management of personal data related to human resources (HR) activities (the “New Guidelines”), in a deliberation published on 15 April 2020.

The New Guidelines are not binding, and it is therefore possible for a data controller to deviate from the CNIL’s recommendations. They do, however, clarify the CNIL’s views and expectations, and it is strongly advised to justify and document any material deviation from the principles they set out.

The New Guidelines replace several prior guidelines and standards, such as the former “norme simplifiée” no. 46 (NS-046), which are no longer applicable since the entry into force of GDPR.

  1. A wider scope of application

The New Guidelines cover the processing of personal data “routinely” carried out by employers in the context of the management of their staff.

Their scope has been broadened, with six new purposes added to those initially referred to in article 2 of NS-046. The newly added routine purposes include: recruitment; management of remuneration and performance of the related administrative formalities; keeping of compulsory registers and relations with staff representatives; internal communication; management of social aid; carrying out audits; and management of litigation and pre-litigation.

Certain non-routine or sensitive HR processing activities are not covered by the New Guidelines, such as:

  • Algorithmic processes and innovative processes such as those based on psychometrics or carried out for profiling purposes;
  • Processing for the purpose of checking the employee’s individual activity;
  • Processing operations carried out by trade unions, staff representative bodies and occupational medicine.

These excluded processing operations will subsequently be the subject of a supplementary communication from the CNIL. Some of them are already governed by specific rules, such as the use of CCTV, whistleblowing systems or access to professional premises using a biometric device.

  2. Lawfulness of processing and choice of legal basis

Pursuant to article 6 of the GDPR, for processing of personal data to be lawful it must rely on one of the six legal bases provided by that article: performance of a contract, compliance with a legal obligation, legitimate interest of the data controller, public interest, protection of vital interests, or the consent of the data subject.

The New Guidelines include a comprehensive grid of the applicable legal bases for each of the main routine HR processing operations (most of which rely on the legitimate interest of the data controller or the performance of the contract as their legal basis).

Regarding the consent of employees, the CNIL highlights that employees are seldom in a position to freely give, refuse or revoke their consent, due to the inherent power imbalance in employment relationships. According to the CNIL, consent should therefore be used as a legal basis for processing employee personal data only in exceptional cases (i.e., where giving or refusing consent entails no consequences for the employee).

  3. Nature of the data processed and the management of data falling under a special category (article 9 GDPR)

The principle of “data minimisation” (article 5(1)(c) GDPR) is recalled: it requires the data controller to limit the collection of data to what is strictly necessary for the purpose, and collection and processing may only take place where it is not reasonably feasible to achieve that purpose in another manner. Additionally, data collected for a given legitimate purpose cannot be repurposed unless the new purpose is itself valid and legitimate. The CNIL lists the data likely to be collected in the context of HR management activities.

Concerning the nature of the data processed, the CNIL emphasises that data controllers must be particularly vigilant with respect to data subject to specific restrictive legal frameworks, such as:

  • Social security numbers;
  • Data relating to offences, criminal convictions and related security measures;
  • Sensitive data (article 9 GDPR; articles 6 and 44 of the French Data Protection Act), such as data regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

  4. Data recipients

The New Guidelines specify that when an access authorisation is granted, it must be documented by the employer, and that access to the various processing operations must be subject to traceability measures.

The CNIL also recalls the data controller’s obligation to conclude a contract with its processors in accordance with article 28 of the GDPR and to ensure that they present the necessary guarantees regarding data protection.

The recipients may be persons accessing the data on behalf of the employer (payroll and personnel managers, supervisors, etc.) or anybody receiving the data (staff representatives, auditors, etc.). Examples of recipients are listed in the New Guidelines. The rules governing data transfers outside the European Union are also recalled.

  5. Retention period

Regarding the retention period, the former simplified norm NS-046 simply stated that the data should be kept for the duration of the employment relationship. The New Guidelines go further and provide the employer with guidance for determining the retention period in accordance with the purpose of the proposed processing operation.

The CNIL recalls that it is up to the data controller to determine this retention period and to inform the data subject of it. The CNIL specifies that the expiry of the retention period in the active database does not prevent data from being retained in the form of intermediate archiving, with restricted access, in order to meet certain legal obligations or because of pending litigation.

The New Guidelines provide, on an indicative basis, examples of data retention periods (whether in the active database or in archive) for some HR data processing activities, with references to the relevant legislation.

  6. Information and rights of data subjects

The CNIL recalls that data subjects must be informed of the existence of the data processing and of their rights, whether in the case of direct collection (article 13 GDPR) or indirect collection (article 14 GDPR).

The New Guidelines further set out the rights of data subjects: the rights of objection, access, rectification, erasure, restriction of processing and portability.

Some clarifications were made concerning the right of objection, which the data subject may not exercise where:

  • the data processing is carried out in fulfilment of a legal obligation;
  • the data processing is necessary for the performance of the contract;
  • the employee consents to the data processing (such consent being revocable).

Where the legal basis for the processing operation is the legitimate interest of the employer or the performance of a task carried out in the public interest, the data subject must state the grounds for objection.

  7. Conducting a data protection impact assessment (DPIA)

This is one of the major changes from NS-046. The New Guidelines provide a method for determining whether a data protection impact assessment is required, specifically adapted to HR data management.

The CNIL had previously published two lists of processing operations: a list of those exempt from a DPIA and a list of those that require one. As a first step, the employer must refer to these lists to assess whether a DPIA must be carried out.

In addition, examples of processing operations specific to HR management are also provided. It should be noted that a headcount threshold of 250 employees is set for processing operations implemented solely for human resources purposes (payroll management, training, follow-up of annual performance reviews, etc.). Below this threshold, the CNIL considers that a DPIA is not necessary unless the processing operations are implemented for profiling purposes.

Conversely, processing aimed at the constant monitoring of employees (such as biometrics or the analysis of e-mail flows to detect information leaks), or the use of algorithms in recruitment processes, is regarded as requiring an impact assessment.

If the processing operation does not appear among the examples set out in the New Guidelines, the CNIL recommends relying on the guidelines drawn up in 2017 by the European Data Protection Board (EDPB).

If at least two of the nine criteria set by the EDPB are met, a DPIA is mandatory.

These criteria are as follows:

  • Evaluation or scoring of a person;
  • Automated decision-making with legal or similarly significant effect;
  • Systematic monitoring;
  • Sensitive data or data of a highly personal nature;
  • Data processed on a large scale;
  • Matching or combining datasets;
  • Data concerning vulnerable data subjects;
  • Innovative use or application of new technological or organisational solutions;
  • Processing that in itself prevents data subjects from exercising a right or using a service or a contract.

The CNIL states that employees may be considered vulnerable data subjects, in light of the criteria identified by the EDPB, because of the inherent power imbalance of employment relationships. The introduction of large-scale data processing, or of data processing involving the surveillance of individuals, will therefore require the data controller to consider the need to carry out a DPIA.

  8. Security measures to be implemented

The New Guidelines set out some fifty security measures to be put in place to guarantee the security of personal data processing, such as the implementation of a binding IT charter, or a process ensuring the traceability of access authorisations.

Where the data controller does not implement the security measures laid out in the New Guidelines, it will have to justify either the implementation of equivalent measures or the reasons why such measures are not needed.

Ultimately, these New Guidelines are a useful tool for ensuring corporate compliance with the CNIL’s expectations. Companies that have already finalised their privacy compliance programme will certainly regret that the final version of these guidelines, despite covering routine HR processing activities, was published by the CNIL two years after the GDPR’s entry into force. The release of the New Guidelines should nonetheless prompt them to re-evaluate the choices made previously and the processes and policies already in place.

Lou Mailhac