Tag: CNIL

CNIL publishes model regulation on access control through biometric authentication at the workplace

9. April 2019

The French data protection authority CNIL has published a model regulation which regulates under which conditions devices for access control through biometric authentication may be introduced at the workplace.

Pursuant to Article 4 paragraph 14 of the General Data Protection Regulation (GDPR), biometric data are personal data relating to the physical, physiological or behavioural characteristics of a natural person, obtained by means of specific technical processes, which enable or confirm the unambiguous identification of that natural person. According to Article 9 paragraph 4 GDPR, the member states of the European Union may introduce or maintain additional conditions, including restrictions, as far as the processing of biometric data is concerned.

The basic requirement under the model regulation is that the controller proves that biometric data processing is necessary. To this end, the controller must explain why the use of other means of identification or organisational and technical safeguards is not appropriate to achieve the required level of security.

Moreover, the choice of biometric types must be specifically explained and documented by the employer. This also includes the justification for the choice of one biometric feature over another. Processing must be carried out for the purpose of controlling access to premises classified by the company as restricted or of controlling access to computer devices and applications.

Furthermore, the model regulation of the CNIL describes which types of personal data may be collected, which storage periods and conditions apply and which specific technical and organisational measures must be taken to guarantee the security of personal data. In addition, CNIL states that before implementing data processing, the controller must always carry out an impact assessment and a risk assessment of the rights and freedoms of the individual. This risk assessment must be repeated every three years for updating purposes.

The data protection authority also points out that the model regulation does not exempt from compliance with the regulations of the GDPR, since it is not intended to replace its regulations, but to supplement or specify them.

EDPB publishes information note on data transfer in the event of a no-deal Brexit

25. February 2019

The European Data Protection Board has published an information note to explain data transfer to organisations and facilitate preparation in the event that no agreement is reached between the EEA and the UK. In case of a no-deal Brexit, the UK becomes a third country for which – as things stand at present – no adequacy decision exists.

EDPB recommends that organisations transferring data to the UK carry out the following five preparation steps:

• Identify what processing activities will imply a personal data transfer to the UK
• Determine the appropriate data transfer instrument for your situation
• Implement the chosen data transfer instrument to be ready for 30 March 2019
• Indicate in your internal documentation that transfers will be made to the UK
• Update your privacy notice accordingly to inform individuals

In addition, EDPB explains which instruments can be used to transfer data to the UK:
– Standard or ad hoc Data Protection Clauses approved by the European Commission can be used.
– Binding Corporate Rules for data processing can be defined.
– A code of conduct or certification mechanism can be established.

Derogations are possible in the cases mentioned by article 49 GDPR. However, they are interpreted very restrictively and mainly relate to processing activities that are occasional and non-repetitive. Further explanations on available derogations and how to apply them can be found in the EDPB Guidelines on Article 49 of GDPR.

The French data protection authority CNIL has published an FAQ based on the information note of the EDPB, explaining the consequences of a no-deal Brexit for the data transfer to the UK and which preparations should be made.

CNIL fines Google for violation of GDPR

25. January 2019

On 21st of January 2019, the French Data Protection Authority CNIL imposed a fine of € 50 Million on Google for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.

On 25th and 28th of May 2018, CNIL received complaints from the associations None of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). The associations accused Google of not having a valid legal basis to process the personal data of the users of its services.

CNIL carried out online inspections in September 2018, analysing a user’s browsing pattern and the documents he could access.

The committee first noted that the information provided by Google is not easily accessible to a user. Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are spread across multiple documents. The user receives relevant information only after carrying out several steps, sometimes up to six are required. According to this, the scheme selected by Google is not compatible with the General Data Protection Regulation (GDPR). In addition, the committee noted that some information was unclear and not comprehensive. It does not allow the user to fully understand the extent of the processing done by Google. Moreover, the purposes of the processing are described too generally and vaguely, as are the categories of data processed for these purposes. Finally, the user is not informed about the storage periods of some data.

Google has stated that it always seeks the consent of users, in particular for the processing of data to personalise advertisements. However, CNIL declared that the consent was not valid. On the one hand, the consent was based on insufficient information. On the other hand, the consent obtained was neither specific nor unambiguous, as the user gives his or her consent for all the processing operations purposes at once, although the GDPR provides that the consent has to be given specifically for each purpose.

This is the first time CNIL has imposed a penalty under the GDPR. The authority justified the amount of the fine with the gravity of the violations against the essential principles of the GDPR: transparency, information and consent. Furthermore, the infringement was not a one-off, time-limited incident, but a continuous breach of the Regulation. In this regard, according to CNIL, the application of the new GDPR sanction limits is appropriate.

Update: Meanwhile, Google has appealed, due to this a court must decide on the fine in the near future.

CNIL publishes guidance on data sharing

18. January 2019

At the end of last year, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés”, the “CNIL”) published guidance on sharing data with business partners or third parties. The CNIL stated that many companies that collect data from individuals transfer this data to “business partners” or other organisations especially to send prospecting emails. In case of a transmission the data subjects must maintain control over their personal data .

The published guidance state the following five requirements:

• Prior consent: Before sharing data with business partners or third parties such as data brokers, organisations must request the individual’s consent.

• Identification of the partners: The individuals must be informed of the specific partner(s) who may receive the data. According to the CNIL’s guidance, the organisation can either publish a complete and updated list containing the organisation’s partners directly on the data collection form or if such a list would be too long, it can integrate a link to the collection form. This should be inserted together with a link to their respective privacy policies.

• Information of changes to the list of partners: The organisations have to notify the individuals of any changes to the list of partners, especially if they may share the data with new partners. Therefore, they may provide an updated list of their partners within each marketing message sent to the individual and each new partner that receives the individual’s data must inform him or her of such processing in its first communication to the data subject.

• No “transfer” of the consent: Companies may not share the information they receive with their own partners without obtaining the consent of individuals, in particular with regard to the identity of new companies that would become recipients of the subject’s data.

• Information to be provided by the partner(s): The partner who received the individual’s data for their own marketing purposes must inform the data subject of the origin (name of the organisation who shared the data with them) and inform them of their data subject rights, in particular the right to object to the processing.

Category: EU · French DPA
Tags: , ,

CNIL fines Telecom Operator

7. January 2019

The French Data Protection Authority CNIL imposed a fine of €250.000,00 on telecom operator BOUYGUES TELECOM for not taking required security measures to protect the personal data of its clients.

BOUYGUES TELECOM offered their clients an option to create a profile on their webpage to have easier access to their contract details and telephone bills.

In March 2018, CNIL was informed that a lack of security measures gave free access to personal data of clients of B&You, a subsidiary company of BOUYGUES TELECOM. Each profile had its own URL address, which involved the first and last name of the client. Just by exchanging the name in the URL address, one gained free access to first and last name, date of birth, e-mail address, address and phone number as well as contracts and bills. The violation of data security went on for two years and had an impact on over two million clients.

Shortly after CNIL was informed, BOUYGUES TELECOM notified the data breach to CNIL. The company explained that the incident occurred after the computer code, which depends on user authentication, was deactivated for a test phase, but was forgotten to be re-activated after completion of the test phase. After noticing the data breach, the company quickly blocked the access to the personal data.

Nevertheless, CNIL stated that the company failed to protect the personal data of its clients and violated its obligation to take all required security measures, especially as appropriate measures would have revealed the data breach earlier.

As the incident occurred before the legal validity of GDPR, CNIL decided to impose a fine of €250.000,00 on BOUYGUES TELECOM.

CNIL released results of public consultation report about the GDPR

2. December 2016

CNIL, the French Data Protection Authority,  just released the report of the public consultation. This report refers to the consultation of  professionals about the upcoming General Data Protection Regulation, GDPR.

The basis of the report were 540 replies from 225 contributors and the main aspects relate to:

  • the Data Protection Officer, DPO
  • the right to data portability,
  • the data protection impact assessments and
  • the certification mechanism.

The report states that there are questions on how the requirements of the GDPR should be applied in practice. Some of the most frequently asked questions are:

  • What is considered to be a conflict of interest – who can be appointed?
  • Can a DPO be whole a team? Can a DPO be a legal person?
  • What kind of investments will need to be made in order to implement the right to data portability?

Therefore, CNIL announced that some national communication campaigns will be launched and that there will be training sessions and workshops in cooperation with the current CILs, Correspondants Informatique et Libertés.

 

Category: General
Tags:

The application of the right to be forgotten in France challenged by Wikimedia

24. October 2016

Since the ECJ established the right to be delisted from search engines (right to be forgotten) in 2014, Google has received numerous requests from individuals and organizations regarding the deletion of search results that contain their personal data which is not any more current, correct, relevant or which causes damages to the data subjects. The right to be forgotten refers to certain domains, such as co.uk; fr, de, es or nl.

However the French DPA requested Google to delete these results from all Google search domains (including .com). As Google did not fully comply with this request, the French DPA (CNIL) imposed Google a fine early this year.

As the French Highest Court has still to decide about this, Wikimedia, the parent company of Wikipedia, filed a petition in order to take part in the case and support Google France regarding the ongoing dispute about implementation of the “right to be forgotten”. Wikimedia’s legal counsel said in a statement that “no single nation should attempt to control what information the entire world may access”. Furthermore, she added that the application of the right to be forgotten involves the disappearance of several Wikimedia websites, which has an impact on the availability of knowledge.

Not only in France, but also in other jurisdictions is Google facing similar processes regarding the application of the right to be forgotten.

French DPA launches public consultation on GDPR

21. June 2016

In June 2016, a public consultation process about the GDPR was opened by the French DPA (CNIL). The consultation is based on the topics that the WP 29 identified as having priority in its action plan for the implementation of the GDPR, published beginning 2016.

The consultation aims at encouraging stakeholders to formulate questions regarding the GDPR in order to identify potential interpretation difficulties. Once the main questions and difficulties have been addressed, the WP 29 will issue guidelines regarding the relevant topics. The CNIL also offers the possibility to formulate questions about other topics, which are not directly mentioned in the consultation.

The main topics that are object of the current consultation are the institution of the DPO, Privacy Impact Assessments (PIA), data protection certifications and the right to data portability.

The consultation is opened until the 15th July 2016 and stakeholders can participate through the CNIL´s website. After that, the French DPA will publish a summary with the contributions.

The French DPA fines Google

29. March 2016

The French Data Protection Authority (“CNIL”) fines Google for data protection violation. In May 2014, the European Court of Justice had decided, that citizens could request search engines to delist inadequate or irrelevant web search results of themselves; the so-called “right-to-be-forgotten” was born.

The CNIL has now fined the US search engine 100.000 Euros over the right-to-be-forgotten, since Google just delisted web search results regionally, for instance only accross their European websites, such as google.fr and not also on the google.com website. By delisting web search results of a person only regionally, the data subject will practically not be able to exercise her/his right-to-be-forgotten efficiently. Search engines should instead delist search results from all their domains.

Authorization of the French DPA to process Personal Data for litigation purposes

26. February 2016

In February 2016, the French DPA (CNIL), published a single decision (AU-046) addressed to cover data processing activities from public organisms and private organizations for the purpose of managing and enforcing court actions.

The CNIL states that corporations may process certain categories of personal data, such as criminal convictions, offences or security measures in this context, in order to defend their interests in court. Art. 25. I. 3° of the French Data Protection Act, regulates the processing of these categories of personal data, for which a prior authorization from the CNIL is required. Also the prevention of criminal offences falls under the scope of this article. However, this article does not apply if the offences and criminal convictions are not related to the criminal sphere.

The AU-046 aims at accelerating and simplifying the process to obtain CNIL´s authorization for the processing of these personal data categories. The scope of application of this authorization is the processing related to offenses, convictions and security measures to prepare, perform and follow disciplinary action or judicial proceedings and, if necessary, to enforce the decision.

This authorization concerns all sectors and all types of litigation.

Category: French DPA
Tags: ,