The life cycle of personal data

Legal Watch No. 41 – November 2021

Among the obligations laid down by the GDPR, one can quickly turn into a headache for the data controller despite its apparently innocuous nature: the retention period of personal data.

A priori, it seems natural to keep data only for as long as it is necessary for the purposes pursued, as provided for in article 5.1.e of the GDPR.

In practice, many questions arise: should the information then be deleted? Or should it be kept for evidentiary purposes? Or in accordance with legal provisions? What if the same data is needed in two separate contexts?

The retention period is one of the aspects to which the CNIL pays particular attention during its inspections, as evidenced by its deliberation of October 29 concerning the RATP's files.

The company was fined €400,000 for breaching the principles of purpose limitation, storage limitation and data security.

As part of its human resources management, the RATP kept data relating to its agents in the active database of an application that was too widely accessible, and for a period exceeding what was necessary for the purposes pursued.

The CNIL also observed that the RATP kept staff evaluation files for more than 3 years after the promotion committee for which they were established, whereas their retention was only necessary for 18 months after these committees were held.

In a different context, the CNIL had already criticised, in November 2020, the length of time for which the Carrefour company retained its customers' data.

It considered a retention period of four years to be excessive, and recommends keeping the data of "inactive" customers (those who no longer trade with the company) for a maximum of three years (see this newsletter, December 2020).

The following steps will guide the data controller in determining retention periods:

  • Storage of the data in an active database, accessible to the people in the relevant department (for example human resources), for as long as the data is needed (for example, for the payment of salaries)
  • Deletion, or intermediate archiving of the data for evidentiary purposes or possible litigation, with restricted and more secure access granted under special authorisation
  • Deletion, or permanent archiving under even more restricted access conditions.

At each stage, the data must be sorted, and data that is neither useful nor required by law may be deleted or anonymised.

When the same data is used for two different purposes, a separate retention period must be applied for each of these purposes, together with appropriate access and deletion rules.

The CNIL provides recommendations in a practical guide published in July 2020 and, in its reference documents, lists certain retention periods provided for by law.

Examples include:

  • In the context of human resources, candidate data for a maximum of two years, and pay slips for a minimum of five years (in application of article L. 3243-4 of the Labour Code)
  • In a commercial context, billing data for a period of ten years (obligation provided for by the Commercial Code)
  • In the context of video protection, images for a maximum duration of one month (article L. 252-3 of the Internal Security Code).
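One way to put the three-stage life cycle and the "one retention period per purpose" rule into code, as an added example that is not part of the newsletter: the total periods are the ones quoted above, while the split between the active and intermediate stages, the purpose names and the day counts are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Stage(Enum):
    ACTIVE = "active database"             # step 1: open to the relevant department
    INTERMEDIATE = "intermediate archive"  # step 2: restricted, special authorisation
    DELETED = "deleted"                    # step 3: deleted (or permanently archived)


@dataclass(frozen=True)
class Purpose:
    name: str
    active_days: int   # days the data is needed in the active database
    archive_days: int  # days kept afterwards for evidence or litigation (0 = none)


# Total periods are the ones quoted in the newsletter; the active/archive split is an
# assumption, years are counted as 365 days and 18 months as 548 days.
PURPOSES = {
    "recruitment": Purpose("recruitment", 2 * 365, 0),        # candidate data: max 2 years
    "staff_evaluation": Purpose("staff_evaluation", 548, 0),  # 18 months after the committee
    "payroll": Purpose("payroll", 365, 4 * 365),              # pay slips: min 5 years in total
    "billing": Purpose("billing", 365, 9 * 365),              # billing data: 10 years
    "video_protection": Purpose("video_protection", 30, 0),   # images: max 1 month
}
RANK = {Stage.DELETED: 0, Stage.INTERMEDIATE: 1, Stage.ACTIVE: 2}  # how much is retained


def stage_for(purpose: Purpose, age_days: int) -> Stage:
    """Stage one purpose requires `age_days` days after its clock started."""
    if age_days < purpose.active_days:
        return Stage.ACTIVE
    if age_days < purpose.active_days + purpose.archive_days:
        return Stage.INTERMEDIATE
    return Stage.DELETED


def disposition(purpose_ages: dict) -> tuple:
    """{purpose: age in days} -> (stage per purpose, physical stage, purposes with active access).
    The record stays at the most demanding stage any purpose still needs, but a purpose
    loses access as soon as its own period has run, even if another purpose keeps the data."""
    per_purpose = {n: stage_for(PURPOSES[n], age) for n, age in purpose_ages.items()}
    physical = max(per_purpose.values(), key=RANK.get)
    may_access = sorted(n for n, st in per_purpose.items() if st is Stage.ACTIVE)
    return {n: st.value for n, st in per_purpose.items()}, physical.value, may_access
```

The age of each purpose is the number of days since its own clock started (hire date, promotion committee date, invoice date), so an agent's evaluation file can already be due for deletion while the same record is still held in the intermediate archive for payroll, with the HR evaluation team no longer allowed to access it.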

It should be added that rigorous management of data processing, deletion of unnecessary data and limitation of internal access to data all contribute to securing databases.

These steps play a preventive role against external attacks and the risk of data breaches, both of which are significant risks today.

And also

France:

On November 30, the CNIL published a new deliberation concerning measures to combat the Covid-19 pandemic.

It draws the government's attention to the need, more than 18 months after the start of the epidemic, to produce evidence allowing a full assessment of the effectiveness of the files and systems put in place, including the health pass, the "vaccines" file and the "TousAntiCovid" app.

The supervisory authority has initiated a fifth phase of controls, which notably concerns the retention period, deletion and/or anonymization of data.

Europe:

The European Union supervisory authorities have initiated a joint investigation regarding compliance with the GDPR by the second-hand sales platform Vinted.

The European Data Protection Supervisor (EDPS) has announced a conference on June 16 and 17 on the theme of data protection: "effective controls in the digital world", bringing together speakers on artificial intelligence, competition law, and digital markets and services.

This conference is being organised in the context of debates on the need to centralise GDPR implementation controls at European level.

This refers in particular to the criticism voiced on 2 December by the Vice-President of the European Commission, Vera Jourova, about the (in)effectiveness of controls in countries such as Ireland.

On October 21, seven UN Special Rapporteurs denounced, in a Communication, the European counter-terrorism policy which, through overly vague measures, allegedly violates the principles of legality, necessity and proportionality set out in the European and international instruments for the protection of fundamental rights.

The European Data Protection Board (EDPB) adopted, on November 18, guidelines specifying the scope of the rules on international data transfers.

It recalls, among other things, that these rules apply to transfers between controllers (or processors) when the exporter is subject to the GDPR and transmits the data, or makes it accessible, to an importer located in a third country.

These transfer rules do not apply when data is transmitted by an individual in Europe on their own initiative. The document is open for public consultation until the end of January.

The Committee also reiterated its concerns in a press release concerning the European Commission's Proposals on data governance, digital services and digital markets as well as on the regulation of artificial intelligence.

It points to insufficient protection of fundamental rights and fragmented supervision, and calls for a ban on the use of AI in public spaces, child profiling and advertising targeting based on the systematic tracking of individuals.

This echoes the call of the new German government coalition on November 24 for a ban on biometric surveillance in public places.

The European Commission has initiated an infringement procedure against Belgium for the lack of independence of its data protection authority.

Belgium has two months to react or face action before the European Court of Justice.

The Committee of Ministers of the Council of Europe adopted on November 3 a Recommendation on the protection of individuals with regard to the processing of personal data in the context of profiling.

This new text updates the previous recommendation CM/Rec(2010)13 on the same subject.

The company Clearview, which specialises in the collection of biometric data, is in the sights of the British supervisory authority.

The ICO is considering fining the company £17 million for collecting data from Britons without their knowledge.

The ICO is also investigating the practices of the company Cignpost Diagnostics, which plans to market the genetic information obtained from its customers during PCR tests for COVID-19 screening.

International:

The United Arab Emirates adopted, on November 28, a federal law on data protection. Data controllers will have 12 months from the publication of the law in the official journal to bring themselves into compliance.

On November 24, 193 countries adopted the UN Recommendation on the Ethics of Artificial Intelligence, which provides for the prohibition of social scoring and of the use of AI for mass surveillance.
