Privacy & Cybersecurity Law Blog

On February 19, 2016, the French Data Protection Authority (“CNIL”) made public its new Single Authorization Decision No. 46 (“Single Authorization AU-46”). This decision relates to the data processing activities of public and private organizations with respect to the preparation, exercise and follow-up regarding disciplinary or court actions, and the enforcement of those actions.

The CNIL observed that, as part of their regular activities, companies may have to prepare and manage claims with customers, vendors, employees or other individuals, to defend their rights. In doing so, companies process personal data that is likely to include data relating to criminal offenses and convictions or security measures.

In principle, companies are not allowed to process such data under French data protection law. However, in a 2004 decision, the French Constitutional Court opined that this should not deprive companies of their right to judicial redress. The CNIL therefore stated that companies may process personal data relating to offenses, convictions and security measures, as victims of an offense. Such data processing requires the CNIL’s specific prior authorization. However, if the data processing complies with all the requirements laid down in Single Authorization AU-46, only a simplified registration must be filed with the CNIL.

Single Authorization AU-46 includes detailed requirements on the types of personal data that may be collected and processed, data retention periods, data recipients and security measures that must be implemented. If these requirements are not met, an authorization request must be filed with the CNIL.

The purpose of Single Authorization AU-46 is to reduce the administrative burden of companies’ registration formalities, in light of the future EU General Data Protection Regulation that will abolish their registration obligation.