On 11 April 2019, the French Data Protection Supervisory Authority (CNIL) published two draft standards intending to provide practical guidance in relation to the processing of personal data for HR management and whistleblowing systems.
The purpose of these standards is to:
- Assist businesses in their compliance process, and
- Help controllers with the preparation of data protection impact assessments (PIA), where required;
by detailing what the CNIL considers as compliant and best practice.
The standards, which effectively replace the former "simplified standards" and "single authorizations" (the simplified declarations that had to be filed with the CNIL before the GDPR entered into application), describe in particular:
- The purposes for which the personal data may be processed,
- The legal grounds which may be used,
- The categories of personal data that may be processed,
- The recipients of the personal data,
- The acceptable retention periods,
- How to inform data subjects,
- How to manage their rights,
- The recommended security measures to be implemented, and
- Whether or not a PIA is required.
They also provide practical examples.
Such standards are not mandatory (unlike standard regulations; see, for example, our post on the standard regulation for biometric systems in the workplace recently adopted by the CNIL). However, if a controller decides to depart from them based on its specific situation, it must be able to demonstrate a real need for doing so and must take all appropriate measures to ensure that the processing complies with data protection rules.
For now, the standards are mere drafts, open to public consultation until:
- May 10 for the draft standard on HR management,
- May 31 for the one on whistleblowing schemes.
At the end of the public consultation, the CNIL may modify its drafts before approving and publishing them in their final version. We will provide a more detailed analysis of the two standards once they are finally adopted.