On February 19, 2016, the French Data Protection Authority published its new Single Authorization Decision No. 46, relating to data processing by public and private organizations with respect to the preparation, exercise and follow-‐up regarding disciplinary or court actions.
The Commission nationale de l'informatique et des libertés (hereinafter, “CNIL”) observed that, as part of their regular activities, companies may have to prepare and manage claims with customers, vendors, employees or other individuals, to defend their rights. In doing so, companies may process personal data that is likely to include information relating to criminal offenses and convictions or security measures.
In principle, companies are not allowed to process such data under French data protection law. However, in a 2004 decision, the French Constitutional Court opined that this should not deprive companies of their right to judicial redress. The CNIL therefore stated that companies may process personal data relating to offenses, convictions and security measures, when they are victims of an offense. Such data processing requires CNIL’s specific prior authorization. However, if compliance is ensured with all the requirements laid down in the new issued new Single Authorization Decision No. 46, only a simplified registration must be filed with the CNIL.
The purpose of Single Authorization AU-‐46 is to reduce the administrative burden of companies’ registration formalities, in light of the future EU General Data Protection Regulation that, according to the consolidated text, it seems to abolish their registration obligation.