France CNIL statement

French data protection authority issues guidance on personnel data.

The French Data Protection Authority (CNIL) published practical guidelines to help employers and recruiters manage personal data of employees and job candidates ("personnel data"), in addition to the Work & Personnel Data Guidance Sheet and Guide for Employers and Employees.

Recruitment

During the recruitment process, employers should only collect information that may help them assess the candidate's ability to perform the job duties, such as their qualification and experience. Employers are not allowed to ask for the job candidate's social security number or information about their immediate family, political opinion, or trade union membership.

Hiring

Employers may collect additional information at the hiring stage, or information necessary for complying with a legal obligation. Employees should have access to comments employers recorded about them which must remain objective and proportionate.

Access

Data Protection Rights

Candidates and employees should be informed of:

Retention

French regulator issues guidance on transatlantic data transfers post Schrems.

On 19 November 2015, the French data protection authority (“CNIL”) published a set of guidelines and FAQs providing guidance to French businesses currently transferring, or planning to transfer, personal data from the EU to the U.S.

What Options Are Available For Transferring Personal Data From France To the U.S.?

CNIL expressly states that transferring personal data from France to the U.S. on the basis of Safe Harbor is no longer an option. It further confirms that, while the national data protection authorities (“DPAs”) will continue to assess the impact of the Schrems ruling on alternative transfer mechanisms, companies may rely on Binding Corporate Rules (BCRs) and European Commission Model Clauses at least until 31 January 2016.

That said, CNIL also reminds businesses that the implementation of alternative transfer mechanisms does not prevent DPAs from investigating particular transfers, notably in the event of a complaint.

Do Transfers To The U.S. Require CNIL’s Authorization?

Safe Harbor: the G29 asks the European institutions and governments to act within 3 months.

16 October 2015

The CNIL and its European counterparts (G29) met on 15 October to analyse the consequences of the decision of the Court of Justice of the European Union of 6 October 2015 invalidating Safe Harbor. They adopted a common approach on the matter, asking the European institutions and the governments concerned to find legal and technical solutions before 31 January 2016. First, the G29 stresses that the question of massive and indiscriminate surveillance is at the heart of the CJEU judgment invalidating the Safe Harbor decision of 26 July 2000.

It recalls in this regard that it has always considered such surveillance to be incompatible with the European legal framework and that transfer tools could not be a solution to this problem.

Wp228 en.

Invalidation of "Safe Harbor" by the Court of Justice of the European Union: a key decision for data protection.

7 October 2015

By a decision of 6 October 2015, the CJEU invalidated the decision by which the European Commission had found that the United States ensures a sufficient level of protection for European personal data transferred there. This judgment is a major one for data protection. The transfer of personal data to a country outside the European Union is, in principle, prohibited unless the destination country ensures a sufficient (or "adequate") level of protection of personal data.

On the merits, the CJEU noted that U.S. public authorities can access the data thus transferred on a massive and undifferentiated basis, without ensuring effective legal protection for the persons concerned.

FRANCE: CNIL to Hold Emergency Meeting on Oct. 7 Following ECJ Safe Harbor Decision » Privacy Matters.

By Jeanne Bossi Malafosse and Carol Umhoefer

After the ECJ’s Oct. 6 decision invalidating the EU-US Safe Harbor, all the European data protection authorities are facing an unprecedented situation: What will be the legal basis for personal data transfers to the United States? How will transfers be authorized? The Article 29 Working Party, presided by French data protection authority (CNIL) president Isabelle Falque-Pierrotin, is seeking to find a coordinated response among all EU Member States. European Commission representatives have asked the national data protection authorities to find a solution and not to revoke authorizations granted to date.

For its part, the CNIL will be holding in the morning of Oct. 7 a special emergency meeting.

FRANCE: CNIL Reiterates Need for Common Position on Safe Harbor » Privacy Matters.

By Jeanne Bossi Malafosse and Carol Umhoefer

Following an emergency meeting this morning, Oct. 7, the CNIL has published a statement summarizing the ECJ’s Oct. 6 decision in the Schrems case invalidating EU-US Safe Harbor, and reiterating the fact that the CNIL is discussing with the G29 data protection authorities a position that should be shared by all the Member States. The CNIL’s president, Isabelle Falque-Pierrotin, presides over the G29. The CNIL has therefore remained silent on positions emerging from a few other Member State authorities supporting European Commission-approved standard contractual clauses as a stopgap measure in light of the ECJ’s invalidation of Safe Harbor.

For further information, please contact Jeanne.BossiMalafosse@dlapiper.com or Carol.Umhoefer@dlapiper.com.