Investigations on trade union organizations by the french DPA (CNIL): a recall of the fundamentals!
Focus on best practices essential to ensure good data management
The Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection supervisory authority for GDPR, has announced that it has carried out checks on trade union confederations. Although the latter have put in place means to comply, the CNIL was keen to point out certain principles that were not fully respected.
The CNIL underlines the fact that responsibilities are not clarified within the trade union organizations. This is not a new phenomenon and it is fundamental to start by answering this question before starting compliance actions. Indeed, the responsibility for compliance lies primarily with the data controller. As a processor, responsibilities are mainly limited to actions carried out on behalf of the controller. As a joint controller, responsibility may be confined to the agreement binding the parties.
Formalizing responsibilities makes it possible to know what to do and where to start.
To know it, it is necessary to take again the definitions of the GDPR.
The data controller is defined by the person (legal entity or not), the entity that determines the purposes and means of processing personal data. If the definition is shared, then responsibilities may be joint. Often the responsibility will be borne by the organization embodied by its head.
The processor is the person (legal or not) or entity acting on behalf of the controller.
Depending on the qualification, the formalities differ. A contract will have to be established under the conditions of article 28 of the GDPR in the case of a relationship between a controller and a processor. An agreement (generally in the form of a contract) will have to be formalized and communicated between two or more joint controllers in accordance with article 26 of the GDPR.
Without being mandatory, data transfers between data controllers may also be the subject of a contract in order to ensure compliance with data protection principles.
The CNIL's reminder concerns trade union organizations, but** it also concerns any organization involving several entities**. For example, we can think of groups of companies where the scheme of responsibilities will have to be clarified to determine compliance actions. In particular, each entity will have to keep a register of the processing operations for which it is responsible. Acting as a processor, the entity will also have to keep a register of the categories of processing it carries out on behalf of the controllers (often its customers).
The qualification of responsibility may have strong consequences, in particular in the event of controls, sanctions, group actions and compensation for damages. In addition to administrative sanctions, civil liability actions can result in enormous costs.
The most important thing is to ensure that the rights of individuals are protected. The Court of Justice of the European Union (CJEU) does not hesitate to qualify responsibilities in the pursuit of this objective.
What does the CNIL say?
Carry out an in-depth analysis of the responsibility for processing members' data before formalizing in legal documents (statutes, conventions, charters, contracts, etc.) the responsibilities of each of the entities (trade unions, local unions, professional federations, confederations, etc.) involved in the processing of this data, from data collection to its deletion.
This qualification must be carried out through an in-depth analysis. We will come back to this in a future article in this blog. But we are immediately thinking of an analysis grid of responsibilities according to determining criteria such as the purpose of the processing, the choice of tools, the benefit of the processing etc.
Information for individuals
The CNIL points out an inconsistency in the documents given to the data subjects. Privacy policies are not complete or embedded in other legal documents that are difficult to read. Sometimes, paper forms do not include any information.
This is a matter of transparency! Cardinal principle of data protection. Transparency is a guarantee of fairness in data processing. Transparency is also the only way for people to exercise their rights.
Let's not forget that the rights of individuals are the leitmotif of the GDPR, whose purpose is to give individuals control over the data that concerns them. The German Constitutional Court formalized this concept several decades ago in the following formula: informational self-determination defines as the authority of the individual to decide himself, on the basis of the idea of self-determination, when and within what limits information about his private life should be communicated to others.
What does the CNIL say?
Provide a double level of information to individuals: collective and individualized. The confederation's website can thus integrate a dedicated page that collectively informs members about the data processing implemented by the confederation. In addition, the data controller must inform members individually, at the time of collection, of the data processing implemented.
Articles 12 to 14 of the GDPR specify the information that data controllers must bring to the attention of individuals. In order to assist organizations in their compliance efforts, the CNIL publishes examples of information mentions on its website.
The approach adopted is the two-tier approach as recommended for years by all institutions dealing with the subject. Firstly, short, essential and readable information is given, in which a reference is made to a more complete document such as the policy or the privacy notice, using a "know more" formula.
The CNIL notes that the trade unions do not control the retention periods of processed data. Either durations had not been fixed (for the management of members for example), or fixed durations had not been effectively implemented or no intermediate archiving mechanism is in place.
What does the CNIL say?
Define strict retention periods, if necessary with automatic purge mechanisms.
When the person is no longer a member of the union, the retention of its data must be justified by purposes other than the management of its membership. These purposes may, for example, be of a probationary nature (litigation, tax obligations, etc.), statistical or of administrative interest, in particular if the former member has held positions within the union or as a union representative. These data must be subject to an intermediate archiving procedure with restricted access.
Managing retention periods is a real headache for many organizations. The first step is to define these durations. These can be numerical (3 months for example from the collection) or conditional to an action (end of contract for example).
It is essential to determine a retention period for each of the purposes of the processing. In the event that a processing activity will involve several purposes, a duration must correspond to each purpose. This is the only way to ensure that the data is kept for a period not exceeding that is necessary for the purpose and, ultimately, to comply with Article 5 of the GDPR.
Reference data retention periods are published by the CNIL. However, this choice must be made under responsibility and must be justified. The law sometimes imposes durations.
It is necessary to distinguish the durations in active base, that is to say in current use, and in intermediate base (intermediate archiving), that is to say, the conservation for another purpose generally, to meet a legal obligation or prevent litigation. This intermediate archiving occurs once the purpose of data processing is achieved.
This management therefore involves documenting these durations. It also implies an effective implementation and therefore to put in place technical processes such as automatic means of purging the database or a procedure for managing paper files.
A regular audit can be carried out to ensure this good practice.
Finally, the CNIL points to one of the most common problems: insufficient security applied to personal data. Trade union membership data is part of the sensitive data as defined by the French Data Protection Act and the GDPR. They must therefore be specially protected. Indeed, the damage in the event of a breach of security (for example, in the event of disclosure to a third party) is certainly greater for the person concerned than other more common data.
The CNIL points out the absence of a password policy in organizations, both at the workstation level and on the confederation's website.
What does the CNIL say?
Define security policies to ensure data confidentiality. The personal data of the members must be accessible only to the people having to know about it. It is recommended to define an authorization policy that defines access and modification rights for each type of data according to the user's profile.
The exchange of information between the various entities involved in data processing must also be secured, by encrypting data transfers or password-protecting any files exchanged. In addition, unions must implement measures to trace access to data, in order to detect illegitimate access.
Finally, the implementation of adequate physical (e.g. secure cabinets) and logical (e.g. computer access restrictions, secure passwords, etc.) protection is necessary.
As far as security is concerned, passwords are still the most secure means of ensuring the authentication of individuals and therefore the confidentiality of data.
A password must meet requirements of complexity and minimum length (8 characters including 3 of the 4 character types) and be associated with additional measures (such as blocking after several unsuccessful attempts) to reduce these requirements.
The password must above all be personal and not shared (not written on post-it notes on workstations). A good password manager can be a solution.
It is up to organizations to organize security, to define security objectives and means through a security policy. This will enable them to implement this specific project through technical measures (such as imposing a password or implementing encryption) and organizational measures (ensuring governance, managing the roles of each person, organizing the response to security incidents), but above all by increasing staff and user awareness of security issues and the resources put in place.
The CNIL says it itself: the conformity is not engraved in the marble and fixed.
The building site of the data protection requires a continuous implication of the trades and to have a person dedicated to its follow-up. This can be the DPO, the CISO for security but also other operational people who process data. The objective is to ensure that this approach is documented and effective.
A tool can be very useful to manage this project. You can start from a blank sheet of paper from an office suite and find the right rhythm. However, we believe that working on Excel and Word is not enough. These work tools are adapted to people working alone, but the project must involve a large number of functions (managers, DPO, CISO, trades, HR, etc.). Dastra tries to bring a complete and efficient solution to these issues.
Source : CNIL
*You will always be able to unsubscribe on each newsletter. Learn more.