Out-Law News 2 min. read
13 Jan 2015, 4:04 pm
Organisations that adhere to conditions set by the Commission nationale de l'informatique et des libertés (CNIL) in its 'simplified norm' on such call monitoring and recording can declare their compliance with those conditions under a streamlined procedure.
Paris-based privacy law expert Anne-Sophie Mouren of Pinsent Masons, the law firm behind Out-Law.com, said that in practice this means that companies do not have to provide as much detail to the CNIL about those processing activities, as the authority has identified the processing carried out in line with the conditions it has set to be of a low risk of violating individuals' privacy rights.
"Simplified norms are adopted by the CNIL for personal data processing which are commonly operated by data controllers," Mouren said. "The purpose of these simplified norms is to define the conditions under which these types of personal data processing should be operated. This includes setting data retention periods, specifying what purposes are legitimate for such data processing, outlining the type of data that can be processed in those circumstances and who the data can be shared with, for example."
"When a data controller complies with the standards defined in the simplified norm, they can file a simplified self-declaration of compliance with the CNIL," she said.
Ordinarily businesses in France are obliged to provide the CNIL with detailed information about their personal data processing activities, Mouren said. This includes providing company information, details of the purpose and implementation of data processing activities, the type of data being processed, including whether it is sensitive personal data or not, data security arrangements, details of any data transfers outside of the EU and individuals' rights of access to their data, she said.
Part of this information would not need to be provided to the CNIL by businesses operating in accordance with the simplified norm, Mouren said.
The CNIL said that businesses and public bodies that temporarily monitor and record telephone conversations in the work place for the purpose of employee training, education or appraisals, or to improve the quality of service they deliver, can benefit from the procedure of simplified declaration of compliance.
To benefit from this streamlined procedure, businesses that record telephone calls in line with one of those purposes would be required to delete those recordings no later than six months after they were made, the CNIL said. They would also have to ensure documents containing analysis of such recordings were not retained for more than one year.
According to the CNIL, excluded from the scope of the simplified norm is processing operated by data controllers whose mission is to process sensitive data; audiovisual recordings; monitoring and recording that is subject to data linkage with data originating from the screenshot of an employee's computer; and the permanent or systematic recording of telephone calls made at the work place, including for evidentiary purposes.
Last year, data protection specialists Annabelle Richard and Guillaume Bellmont of Pinsent Masons warned that the failure by one employer in France to declare an employee monitoring system as a personal data processing tool to CNIL could cause it to lose a case brought against it for unfair dismissal by one of its former employees.