Privacy Advisor

Global Privacy Dispatches- France- HR Data Processing

August 1, 2008

By Pascale Gelly

HR Data Processing Under Close Watch

After investigating no fewer than 50 companies on their employment data processing activities over the past year, the French data protection authority (CNIL) has concluded that employee notices are not robust enough, security measures are often weak and data retention procedures are usually non-existent.

Moreover, international data transfers have increased in global groups but are not always carried out in compliance with data protection laws, which require a specific notice to individuals and a prior authorization of the CNIL in most cases.

It is to be kept in mind that many on-site investigations by the CNIL are the logical consequence of claims brought by individuals. Among all the claims received by the CNIL, about 15 percent are made by employees or employee representatives.

Status Point on Whistleblowing

Taking advantage of on-site investigations on HR data processing, the CNIL inquired about the implementation of professional alert systems in global groups. The sample of companies investigated was small, but the trend shows that these systems are not used by French employees, thereby triggering a question on their usefulness in comparison with existing reporting modes.

In addition, the investigations showed companies' reluctance to reveal their whistle-blowing systems to the CNIL, as they fail to meet the data protection principles set forth by the authority.

BCRs and BCR Clubs

During the Privacy Laws & Business Conference in Cambridge on July 8, Sophie Nerbonne, Deputy Director, Legal, International and IT Affairs of the CNIL, confirmed the strong will of the CNIL to make BCR (Binding Corporate Rules) a workable solution for international data transfers. It was after a BCR workshop on June 10 in Paris with other G29 authorities that the first documents signed by Alex Türk in his position as Chairman of the G29 were finalized. These documents are now published on the European Commission's Web site. These three documents are intended to ease the application and review process of BCRs for companies and DP authorities.

In addition, the CNIL has launched a new and interesting initiative in the form of BCR clubs. The clubs intend to inform and sensitize businesses of specific sectors on data transfer issues and the usefulness of BCRs. So far, two BCR clubs have been created. The "aerospace club" held its first meeting in July and the "pharmaceutical club" will meet at the end of September. Businesses interested in joining these clubs or creating a club should take advantage of this momentum on BCRs and contact the CNIL.

Pascale Gelly is a partner at Cabinet Gelly. She may be reached at pg@pascalegelly.com.