Who: The French Data Protection Authority (CNIL).
Where: France
Publication: September 14th, 2017, published in JORF n°0214 text n°52.
What happened?
Under French law, the notification formalities for personal data processing are either “simplified” or “normal”. Simplified notifications cover the most common categories of processing, those that are unlikely to infringe privacy or civil liberties. Customer and prospect files are one such category, for which the CNIL has issued simplified declaration No 48.
Simplified declaration No 48 has been the applicable data protection reference for the processing of customers’ and prospective customers’ personal data since 2005.
Companies that process personal data for customer management, profiling, business development, loyalty programmes, the rental or exchange of customer and prospect files, the organisation of contests and similar purposes must therefore comply with this simplified declaration.
It was updated a first time in 2012 and a second time in 2016. The 2016 update was prompted by the introduction of the ‘do-not-call’ list provided for by the French Consumer Code: the declaration had to be amended so that businesses would not have to complete additional formalities before sending their prospect database to the body in charge of the opposition list.
Deliberation No 2016-264 of 21 July 2016 introduces modifications and clarifications to simplified declaration No 48, notably on cookies, payment data and data retention periods. The following remain outside the scope of the simplified declaration: processing carried out by banks or similar institutions, or by insurance, health and education organisations; the organisation of online gambling subject to ARJEL approval; and processing that may exclude people from the enjoyment of a right, benefit or contract.
Here, we focus on three main points of this deliberation:
- Cookies: The deliberation incorporates earlier CNIL guidance under which a user’s consent to cookies may be treated as valid for at most 13 months; after that period the website must obtain renewed consent. From 14 September 2017, companies must ensure that audience-measurement and statistical cookies expire no later than 13 months after they are placed on the user’s device.
- Payment data: The deliberation clarifies several points on the processing of banking data.
- The principle is that payment data must not be kept longer than necessary for the purposes for which they were collected or further processed. Payment data may be stored for longer only if the data controller obtains the consumer’s explicit consent. That consent must be an affirmative act (for example, ticking an unchecked box labelled “I consent”; silence, pre-ticked boxes or inactivity do not constitute consent) and cannot be bundled into general terms and conditions for the supply of services.
- The data controller must give users a clear and simple way to withdraw their consent at any time.
- The card security code (CVV) cannot be retained beyond the transaction it relates to. This applies even to recurring payments and even when the user has authorised the data controller to retain their card data.
- In all cases, payment card data must be deleted no later than the card’s expiry date.
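As an added example (not part of the deliberation or of any CNIL tooling), the following Python script checks a server’s Set-Cookie headers against the 13-month ceiling described under Cookies above. The sample headers and the audit date are constructed for the illustration; a cookie’s lifetime is read from its Max-Age or Expires attribute, with Max-Age taking precedence as RFC 6265 specifies, and session cookies (neither attribute) are not flagged.

```python
"""Check Set-Cookie headers against the 13-month ceiling on cookie lifetime.

Added example, not part of the CNIL deliberation or of any CNIL tool. The
sample headers and the audit date below are constructed for the illustration.
"""
import calendar
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_MONTHS = 13  # ceiling on how long a cookie may outlive the consent that allowed it


def add_months(when: datetime, months: int) -> datetime:
    """Shift `when` by whole calendar months, clamping the day to the target month."""
    index = when.month - 1 + months
    year, month = when.year + index // 12, index % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, {attribute: value}); attribute names are lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value.strip()
    return name, attrs


def cookie_expiry(header: str, now: datetime):
    """Absolute expiry of the cookie, or None for a session cookie (no Max-Age, no Expires).

    Max-Age takes precedence over Expires, as RFC 6265 section 5.3 requires.
    """
    _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        return now + timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"])
    return None


def audit_set_cookie(headers, now: datetime):
    """Names of the cookies that would still be valid more than 13 months after `now`."""
    ceiling = add_months(now, MAX_MONTHS)
    offenders = []
    for header in headers:
        expiry = cookie_expiry(header, now)
        if expiry is not None and expiry > ceiling:
            offenders.append(parse_set_cookie(header)[0])
    return offenders


# Constructed sample response headers, audited on the compliance date.
AUDIT_TIME = datetime(2017, 9, 14, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "_ga=GA1.2.1234.5678; Max-Age=63072000; Path=/",                    # two years: too long
    "_pk_id=abcd.1505347200; Max-Age=33696000; Path=/",                  # 390 days: within 13 months
    "sid=9f8e7d; Path=/; Secure; HttpOnly",                              # session cookie: no ceiling issue
    "consent=1; Expires=Wed, 14 Oct 2020 00:00:00 GMT; Path=/; Secure",  # Expires three years out: too long
]


def audit_sample():
    """Run the audit over the constructed headers and return the offending cookie names."""
    return audit_set_cookie(SAMPLE_HEADERS, AUDIT_TIME)


if __name__ == "__main__":
    for name in audit_sample():
        print(f"{name}: lifetime exceeds {MAX_MONTHS} months")
```

Point `audit_set_cookie` at the Set-Cookie headers captured from a real response (for example from a HEAD request made with `requests` or `curl -I`) and review the names it returns; the ceiling is computed in calendar months rather than a fixed number of days so that a cookie set on 31 January is measured against the end of the following February.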
Data Retention Periods:
Until now, customer data could be kept for the duration of the business relationship, and prospect data for three years from collection or from the prospect’s last contact. From now on:
- For customers, data may be retained for evidence purposes beyond the end of the commercial relationship, provided the data are held in an intermediate archive (restricted access, kept only for as long as the legal obligation or litigation risk justifies). Such archiving must be governed by an archiving policy. Retaining data beyond the business relationship for analysis or aggregate statistics is also permitted, provided the data are irreversibly anonymised.
- For prospects, data cannot be retained for more than three years from the date of collection or from the prospect’s last contact. Declaration No 48 adds a useful clarification on what counts as a contact: clicking a hypertext link contained in an e-mail is given as an example of a contact, whereas merely opening an e-mail cannot be treated as a contact emanating from the prospect.
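The following Python script is an added example, not part of the deliberation or of any CNIL tool, showing how the retention rules above translate into a periodic review of a customer and prospect file. The record layout, the event names and the review date are assumptions made for the illustration; the point it demonstrates is that only events the deliberation recognises as contacts (a link click, but not an e-mail open) restart the three-year clock, and that a former customer’s record leaves the active database for an intermediate archive rather than being kept as if the relationship were still live.

```python
"""Retention review for a customer/prospect file under simplified declaration No 48.

Added example, not part of the CNIL text or of any CNIL tool. The record layout,
event names and the review date are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

PROSPECT_RETENTION_YEARS = 3
# Events treated as a contact coming from the prospect. "email_open" is deliberately
# absent: opening an e-mail is not a contact emanating from the prospect, whereas
# clicking a hypertext link contained in the e-mail is.
CONTACT_EVENTS = {"email_link_click", "form_submission", "inbound_call", "email_reply"}


@dataclass
class Record:
    record_id: str
    collected_on: date
    is_customer: bool
    relationship_ended_on: Optional[date] = None          # customers only
    events: List[Tuple[date, str]] = field(default_factory=list)


def add_years(when: date, years: int) -> date:
    """Shift a date by whole years; 29 February lands on 28 February in a non-leap year."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


def last_contact(record: Record) -> date:
    """Later of the collection date and the most recent qualifying contact."""
    contacts = [day for day, name in record.events if name in CONTACT_EVENTS]
    return max([record.collected_on] + contacts)


def retention_decision(record: Record, today: date) -> str:
    """Return 'keep', 'archive' or 'delete' for one record on the review date.

    Prospects: delete once three years have passed since collection or the last
    contact. Customers: keep for the duration of the relationship; afterwards the
    record may only survive as an intermediate archive (restricted access, evidence
    purposes, governed by an archiving policy) or as irreversibly anonymised statistics.
    """
    if record.is_customer:
        if record.relationship_ended_on is None or record.relationship_ended_on > today:
            return "keep"
        return "archive"
    if today >= add_years(last_contact(record), PROSPECT_RETENTION_YEARS):
        return "delete"
    return "keep"


def review(records, today: date):
    """Map every record id to its retention decision on the review date."""
    return {r.record_id: retention_decision(r, today) for r in records}


# Constructed sample file, reviewed on the compliance date of the deliberation.
REVIEW_DATE = date(2017, 9, 14)
SAMPLE_RECORDS = [
    # collected 2014; only opened e-mails since, and opens do not restart the clock -> delete
    Record("p-001", date(2014, 3, 1), False,
           events=[(date(2016, 5, 2), "email_open"), (date(2017, 6, 1), "email_open")]),
    # collected 2014 but clicked a link in June 2015 -> clock restarts, still within three years
    Record("p-002", date(2014, 3, 1), False,
           events=[(date(2015, 6, 10), "email_link_click"), (date(2017, 1, 4), "email_open")]),
    # active customer -> keep
    Record("c-001", date(2012, 1, 15), True),
    # relationship ended in 2016 -> leaves the active database, intermediate archive only
    Record("c-002", date(2010, 7, 1), True, relationship_ended_on=date(2016, 2, 29)),
]


def review_sample():
    """Run the review over the constructed file and return the decisions."""
    return review(SAMPLE_RECORDS, REVIEW_DATE)


if __name__ == "__main__":
    for record_id, decision in review_sample().items():
        print(f"{record_id}: {decision}")
```

In a real deployment the event feed would come from the e-mail platform and CRM; the decision worth enforcing in code is the membership of `CONTACT_EVENTS`, because counting tracking-pixel opens as contacts would let a prospect record live indefinitely without the prospect ever having done anything.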
Why this matters:
The deliberation clarifies earlier CNIL guidance on several subjects, and it will require changes to the way companies process personal data for customer management, profiling, business development, loyalty programmes and similar purposes.
Companies will have to comply with these rules from 14 September 2017 and should therefore put the new processes in place as soon as possible.