On 2 July 2018, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”) published its yearly thematic guidance for the priority axes of its control activities, notably further to the entry into force of the recent General Data Protection Regulation (“GDPR”).
As for the previous periods, the CNIL is expecting to launch 300 dawn-raids, either on premises or online, in order to control compliance of companies subject to French and European data protection regulations, notably on newly introduced aspects relating to the implementation of GDPR (right to portability, data protection impact assessments…).
One of the new aspects of GDPR also includes the joint control operations by several EU supervisory authorities.
The themes which will guide the CNIL’s actions over the following months will include:
Recruitment operations
While the development of big data solutions and AI-assisted recruitment, through the use of algorithm offer the vast possibility to assess the applicants and predicts their adequacy for the position on the basis of pre-defined criteria, such technologies are also likely to impact a broad number of data subjects and subject them to arbitrary or opaque decision making outcomes. The CNIL will therefore target the transparency and the selection requirements, as well as retention periods for the surrounding meta data.
Real estate documentation
Fair home access is a key concern of our times. French Decree no.2015-1437 dated 5 November 2015 aims at protecting tenants with regard to information which may be requested. However, almost three years after this decree, it seems that asking additional documentation remains common practice, including sensitive data such as medical files. The lack of proportionality between the documents requested and the purposes of the processing may affect the compliance of realtors, who will be a priority control target.
Connected e-ticketing services
The MAPTAM Act allowed for local territorial administration to outsource the parking ticket process and the automation thereof. However, several complaints emerged since the beginning of the year from data subjects who perceived a decrease in their protection under the data protection framework. As such, the CNIL will also target the conditions under which the outsourcing operations have been performed and the conditions for use, retention and safeguarding of the data subjects’ information.
While the guidance addresses the control aspects of its activities, the CNIL also mentioned that the follow up to such controls, notably in terms of sanctions against the controlled companies, would be assessed at a later stage and will take into consideration good faith efforts initiated by targeted companies.
As a consequence, it remains a priority to validate a sound action plan to reach compliance with GDPR undertakings by the end of this year for all impacted companies.
The French Privacy team of K&L Gates remains available to assist you in your implementation and evaluation of your GDPR compliance strategy.
First published on K&L Gates French Privacy Alert