
Data Protection Newsflash

Article | IT and Data Protection | Competition, Retail and Consumer Law | Commercial and International Contracts | 27/07/12 | 5 min. | Florence Chafiol

The CNIL adopts new simplified standard no. 48 on the management of client and prospect files.

 
A “simplified standard” allows a data controller who strictly meets the conditions listed in that standard to declare a processing operation by filling out only a “simplified” declaration, in which, without going into the details of the processing carried out, the controller simply certifies that it meets the conditions of the relevant standard. This procedure therefore enables companies to meet their declaratory obligations simply and rapidly.

 

Standard no. 48 makes this simplified procedure available for automated personal data processing relating to the management of client and prospect files, provided that the processing meets the terms and conditions listed therein.

 

This standard, initially adopted in 2005, has just been updated by the CNIL and was published on July 13, 2012, after several months of consultation with the representatives of professionals, Data Protection Officers (Correspondants Informatique et Libertés) and consumers, with the clear objective of ensuring a greater balance between the needs of professionals and respect for the privacy and rights of clients and prospects. Indeed, changes in online trade and in retailers' prospecting methods made this update indispensable for professionals as well as for clients.

 

In favor of professionals: New standard no. 48 extends the scope of the processing purposes likely to benefit from the simplified procedure. Indeed, many processing purposes, although common, were not covered by the initial standard until now, which automatically prevented certain professionals from benefiting from it. In this regard, the following objectives were added: conducting satisfaction surveys, handling claims and customer service, organizing games, lotteries and promotional operations, managing access, rectification and opposition requests, and managing customer satisfaction relating to products and services.

 

In addition, new data can now be processed by professionals without having to go through the (longer) procedure of the so-called “normal” declaration. For example, the gathering of connection data for the purpose of measuring audiences is now authorized by the standard, provided that the website’s editor gives users clear and complete information and complies with internet users’ rights of access and opposition. Furthermore, a copy of the identity card can also be kept, but only for the purposes of proving the exercise of a right of access or to meet a legal obligation; any other objective entails the loss of the standard’s benefit. Lastly, more anecdotally, information can also be collected regarding the clients’ marital life. Naturally, in compliance with Article 6 of the French Data Protection Act of January 6, 1978, as amended, such data can, in principle, only be processed if they are “appropriate, pertinent and not excessive with regard to the purposes for which they were collected”.

 

Regarding the data recipients, the standard explicitly provides that, in addition to sub-contractors, partners, external companies or subsidiaries of the same group may also have access to the data, subject, of course, to prior approval by the persons concerned. The previous standard seemed to limit this possibility to sub-contractors only.

 

Lastly, data transfers outside the European Union no longer directly exclude processing from the benefit of the standard’s application, subject to compliance with legal formalities aiming to ensure transfer security (Safe Harbor, data transfer agreements, BCR, compliance with exceptions listed in Article 69 of the French Data Protection Act).

 

In favor of the clients: A certain number of points were usefully specified and/or clarified by the CNIL, guaranteeing greater protection of clients.

 

For instance, the conditions governing data relating to unpaid debts or contracted credits are specified.

 

In addition, the duration of data retention is now specified, which should avoid the usual debates on determining “the duration that is strictly necessary for the management of the commercial relationship” referred to in the previous standard. The CNIL now expressly indicates that client or prospect data can be kept for 3 years as of the end of the commercial relationship or, for prospects, as of their collection or the last contact emanating from the prospect. After that time period, the data controller will be able to contact the relevant person again in order to find out if he/she wishes to continue to be solicited. If the answer is no, the data will either be deleted or archived. Thus, canvassing mechanisms are now clearly specified, putting an end to a number of practical questions regarding the retention duration and the management of the “end” of relationships with the client or prospect.

 

The CNIL also indicates the retention duration of data relating to identity documents (1 year), bank cards (13 months or more with the client’s consent), audience statistics and cookies (6 months), etc.

 

The practical terms for informing data subjects are specified, in particular with respect to obtaining consent and the right of opposition, providing a useful summary of the different regulations in force.

 

Lastly, the security measures to be taken to ensure data confidentiality are specified.

 

It should be noted that the provisions of this standard do not apply to banks or equivalent institutions, insurance and health companies or educational institutions. In addition, public or private organizations that filled out a simplified declaration under the previous simplified standard no. 48 are not required to fill out another declaration. They will, however, need to ensure that they comply with the terms of the new standard. If this is not, or is no longer, the case, they have a one-year period, up to July 13, 2013, to come into compliance. It is likely that the CNIL will organize controls to make sure that, as of that date, the companies concerned have come into compliance with the new requirements or clarifications.

 

 


Florence Chafiol-Chaumont - Partner

Chloé Minet - Senior associate
 

 

 

 

 
