The French Data Protection Authority (the “CNIL”) enacted on November 27, 2014 a new Simplified Standard No. 57 relating to the processing of personal data for the monitoring and recording of employee telephone calls in the workplace.
In principle, under French law each purpose for which personal data is processed must be declared to the CNIL. Since the enactment of the 1978 French Data Protection Act, the CNIL has issued many so-called Simplified Standards. This specific, fast-track procedure allows companies without Data Protection Officers to file a simplified declaration with the CNIL, providing that they adhere to the requirements set forth in the Simplified Standard. Where the contemplated data processing does not comply with said requirements, a normal declaration has instead to be filed with the CNIL.
Taking into account the growing number of devices deployed by employers to monitor or record their employees’ activity, the CNIL considered that it was necessary to issue a new Simplified Standard.
Public and private companies that wish to monitor and/or record their employees’ incoming and outgoing telephone calls in the workplace and to benefit from Simplified Standard No. 57 will have to comply with a number of requirements, among them:
- the purpose of the contemplated processing must either employee training or performance review, or the improvement of service quality.
- organizations collecting sensitive data may not benefit from the simplified filing procedure; only periodic monitoring/recording of employee phone calls is authorized (as opposed to permanent or systematic monitoring/recording);
- audiovisual recordings are excluded as well as recordings associated with data originating from screenshots of the employee’s computer. The new Simplified Standard No. 57 is however applicable to documents deriving directly from the monitoring/recording (such as analyses and reports);
- the data that may be collected and processed by employers can only pertain to the employee’s and/or the reviewer’s ID, technical information regarding the call and the employees’ performance review;
- access to the processed data will have to be limited to individuals in charge of training, performance reviews and the improvement of service quality;
- the recordings may be retained for a maximum of six (6) months, and of one (1) year for documents deriving directly from the monitoring/recording.
Data transfers outside of the EU are authorized provided that an adequate level of protection is ensured, i.e., if:
- the transfers are made to countries that ensure an adequate level of protection; or
- the entity to which the data is transferred is Safe Harbor certified; or
- the data importer and exporter have entered into:
- a data transfer agreement pursuant to the EU Commission standard contractual clauses; or
- internal rules (Binding Corporate Rules).
Transfers are also authorized if one of the exceptions set forth in Article 69 of the French Data Protection Act applies (e.g., for the protection of a public interest or for the performance of a contract between the data controller and the individual, or pre-contractual measures undertaken at the individual’s request).
Finally, the new Simplified Standard No. 57 is not to be confused with the existing Simplified Standard No. 47, the latter dealing only with personal data collected and processed in connection with the management of telephones in the workplace. Simplified Standard 47 expressly excludes any possibility to monitor or record employees communications.
As soon as an employer puts a telephone at the disposal of an employee, it may benefit from Simplified Standard No. 47 (provided that it complies with its requirements). However, if/when conversations are to be monitored or recorded, the employer will have to adhere to Simplified Standard No. 57 or, if it does not comply with its requirement, file a normal declaration with the CNIL.