Or how to be reminded that the General Data Protection Regulation must be effective within each company
The French National Technologies and Civil Liberties Commission (CNIL) ensures that personal data is duly protected.
As an independent administrative authority, the CNIL has the power to monitor and sanction compliance with Law No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties, known as the “Information Technology and Freedoms Law”, as well as with the provisions of the European Union Regulation, known as GDPR, on the protection of personal data and the free circulation of data.
In May 2020, the CGT-RATP union filed a complaint to the CNIL regarding an evaluation file for RATP employees created as part of their career development procedure. The CNIL launched an investigation.
In this context, it audited RATP, both on-site and off-site.
In its responses, RATP revealed that its processing of personal data stored in an application called DORA, a tool for viewing and extracting data from other computer applications for the processing and management of human resources in RATP’s Bus department, did not comply with the law.
Thus, two personal data processing operations were investigated by the CNIL, although the matter was initially referred to it for a single personal data processing operation.
In a decision dated October 29, 2021, the CNIL ordered RATP to pay an administrative fine of €400,000 for “serious failings in the field of personal data protection”, for “breaches of the key principles of GDPR, which are the principles of data minimization, accountability, limitation of the duration of data retention and security” in relation to these two data processing operations.
This decision allows us to recall what the proportionate collection of adequate, relevant personal data can mean in practice.
I – RATP had collected personal data that was inadequate, irrelevant and excessive
Personal data collected, processed and stored must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This is the principle of data minimization.
In this case, the following data may be considered necessary in the case of the RATP staff appraisal file compiled as part of the staff member’s career development procedure: surname and forename of the staff member, name of the team manager, staff number, date of recruitment, date of qualification, former level with date, proposed level, any bonuses, work attendance, unavailability (without distinction between reasons), accidentology, any customer complaints, penalties, etc.
While the number of days of absence, in the same way as, for example, the number of days worked, is data that can be taken into consideration according to the CNIL, and while, in its opinion, some absences, such as those related to maternity leave, should be shown separately so that this data is not unfavourably taken into account in the evaluation of the performance of the staff member concerned, the CNIL considers that indicating the number of strike days as a separate category from the total number of days of absence appears to be excessive and contrary to the principle of minimization in the context of a processing operation intended to provide career development for RATP staff.
The CNIL mentions in this respect that the processing of such personal data is not neutral.
While RATP indicated that this practice had been carried out on the initiative of individual operational units, contrary to its general policy on personal data protection, the CNIL found that this practice was the result of a lack of consistency on the part of RATP in supervising the organization of the career development procedures and the tools made available to the various departments in this context by RATP.
It considered that it was RATP’s responsibility, as the controller of the files in question, to ensure that only the categories of data necessary to make decisions relating to the evaluation were used.
II – RATP has not defined a personal data retention period that is proportionate to the purpose of processing collected data
According to RATP, the planned retention period for the files used to prepare the Classification Committees was eighteen months from the date of the Classification Committee meeting for which they were drawn up.
This period is laid down in the corresponding register in accordance with the reason for the processing operation, namely to assist in decision-making for the purpose of staff appraisal.
However, during the investigation, it was found that in two bus centres audited, files for the preparation of the 2017 classification committees were still present on the servers. This retention of several years was therefore considered excessive in relation to the purpose of the processing.
As these files were established as a basis for decision-making in the context of preparatory meetings for the annual classification committees, with a view to evaluating staff members, they could therefore only be kept for the time required for the committee to meet.
RATP, therefore, failed to fulfil its obligation to keep the data for a period that was proportionate to the purpose of the collection.
III – RATP did not ensure the security of personal data
The files used to prepare the RATP’s classification committees were accessible on a server that was open to all participants in the arbitration meetings for which they were drawn up, i.e. the management of the bus centre concerned, the RATP’s human resources department, and also all the line team managers, who also had access to data relating to bus drivers who were not under their responsibility.
RATP maintained that access to data for all authorized managers was necessary and proportionate in order to provide visibility on all the staff who could potentially be promoted, to be able to carry out arbitration and to ensure the collegiality of the decisions taken during the arbitration meetings in question.
The CNIL, however, considered that the confidentiality of the data was not guaranteed. The staff data was made available to all line managers, regardless of whether or not these staff members were under their responsibility.
A presentation of this data made only during the arbitration meetings could have ensured the confidentiality of the data as well as collegial decision-making.
RATP, therefore, did not ensure the security of the data collected and stored.
This decision precisely illustrates the due care that must guide the collection, processing and retention of personal data.
It is not enough for a company to have established a general data protection policy. It must be effective within the structure, which must provide information and training on its policy and ensure that it is correctly followed.
An audit of the practices of each entity makes it possible to determine the best measures to adopt and the changes to be made, if necessary.
We remain at your disposal to assist you.