Publication in the Official Journal of April 15, 2020 of the CNIL standard on the processing of personal data for personnel management

April 20, 2020

The French Data Protection Authority (CNIL) recently announced the publication in the Official Journal of Deliberation no. 2019-160 dated November 21, 2019, adopting a standard (référentiel) on the processing of personal data implemented for personnel management. The draft of this standard had been submitted to public consultation in April 2019.

This is the sixth standard that has been published by the CNIL since the entry into force of the General Data Protection Regulation (GDPR).

These documents are drafted after a public consultation in order to inform the organizations that carry out the type of processing covered by the standard, and to assist them in bringing that processing into compliance.

The compliance requirements differ depending on the type of processing carried out (management of customer and prospect files, management of health risks, human resources management, etc.). The European regulation and the national legislation lay down general rules and do not provide a tailored answer to the specific constraints of each type of processing.

Furthermore, the standards proposed by the CNIL replace the single authorizations, simplified standards and compliance packs that applied before the entry into force of the GDPR and which no longer have any legal status.

Accordingly, the publication of this new standard replaces the simplified standard NS 46 on human resources management.


Is this standard mandatory?

No, according to the CNIL. However, the CNIL recalled that any organization that departs from it must be able to justify that choice and must take all the “appropriate measures in order to guarantee the compliance of the processing with the regulations applicable to personal data processing”.

Furthermore, the CNIL specified that organizations which previously complied with the simplified standard NS 46 must now apply the new rules resulting from the GDPR.

In this context, the standard is a starting point for data controllers: once they have identified their processing activities, they should check for any discrepancies between the processing actually carried out and the requirements set out in the standard.

It should be noted that certain processing activities and, in particular, the processing purposes, differ between the simplified standard NS 46 and the new CNIL standard. It is therefore essential for organizations to carry out this comparison.

Furthermore, organizations which were already in compliance with the simplified standard NS 46 must verify the legal basis of each processing activity against the provisions of the CNIL standard.

This verification should rely on the information which the organization, as data controller, must provide to the data subjects (employees, associates, etc.): which data is processed, for what purposes, and on what legal basis (its legitimate interest, the data subject’s consent, etc.).


A larger scope of application

Overall, this standard has a broader scope of application than the simplified standard NS 46, as it covers recruitment and payroll.

In reality, some of these aspects were already briefly covered by the existing processing activities. Recruitment, for instance, was included in the simplified standard NS 46 under the activity “the employee’s administrative management”, in particular within the purpose “the employee’s career management: date and conditions of hiring or recruitment, […]”.

Recruitment is now a distinct processing activity with two purposes: “Application processes (CV and motivation letter) and interview management” and “Constitution of a CV-library”.

By contrast, payroll management was, surprisingly, absent from the simplified standard NS 46.

Another significant difference concerns data retention periods. The standard gives more detail on the retention periods themselves and on the procedure to follow when an organization has difficulty defining such a period.

Finally, with regard to security measures, the CNIL standard is clearly more comprehensive than the simplified standard NS 46, which merely required the implementation of “all useful precautions to protect the security and confidentiality of the processing and data”.

The standard sets out a list of measures that organizations should follow in order to strengthen the security of the processing.


A useful standard for the implementation of an impact analysis

Finally, the CNIL specifies that, in addition to supporting organizations in their compliance, this standard is also an aid for carrying out a data protection impact assessment (DPIA), where one is required.

Such an assessment is required where the personal data processing is likely to result in a high risk to the rights and freedoms of the data subjects.

In this regard, the GDPR requires the data protection authorities to draw up a list of the processing operations for which such an assessment is required. The CNIL published its list in October 2018.

Within the standard, the CNIL lists the processing operations that require such an assessment and those that are exempt from it. It also sets out the criteria to be taken into account when determining whether an impact assessment is necessary, and the procedure to follow when it is.


Useful links:


Eugénie Richard