The French Supervisory Authority (the “CNIL”) issued updated guidelines on data retention in July (the “CNIL’s Guidelines”).
They provide more practical guidance and update the CNIL’s previous Recommendations of 11 October 2005 on the conditions for archiving personal data.
The Guidelines aim to give professionals practical tools for defining the rules that organize data retention, and accordingly the retention period applicable to each step of the personal data processing life cycle, so that personal data are not kept indefinitely.
However, the Guidelines do not include the retention period applicable to each category of data processed. Such retention periods are set out in separate documents, each called a “Référentiel” (a “Data Retention Standard”).
- Scope of application
The CNIL’s Guidelines apply to all private companies and public organizations processing personal data.
The data retention rules detailed in this guide should also be read with the rules governing public archives where applicable (as governed by the French Heritage Code).
- Key points
a. An organization based on the personal data lifecycle
A distinction needs to be made between:
- an active database, where the personal data are available to those who need to access them for the purpose for which they are processed;
- an intermediary database with restricted access, where the personal data are kept once the purpose for which they were collected no longer exists but they are still needed, notably for administrative purposes, in case of legal action, or to comply with a legal obligation; and
- a permanent archive, once the retention term serving the purposes of the intermediary database has expired but the personal data have a scientific or statistical interest.
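The three-tier lifecycle above can be enforced mechanically: each record is moved to the tier it should be in on a given date, and read access is checked against the tier rather than against the record alone. The following is an added illustration, not code from the CNIL or from the Guidelines; the categories, roles, sample records and retention durations are constructed placeholders, since the applicable terms come from the relevant Référentiel and not from this script.

```python
"""Three-tier retention lifecycle (active / intermediary / permanent archive).

Added illustration, not CNIL code. Retention durations are placeholders:
the applicable terms come from the relevant Référentiel, not from this script.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Tier(Enum):
    ACTIVE = "active"                        # available to staff who need it for the purpose
    INTERMEDIARY = "intermediary"            # purpose over; kept for admin/legal reasons, restricted access
    PERMANENT_ARCHIVE = "permanent_archive"  # scientific or statistical interest only
    ERASED = "erased"                        # no remaining ground to keep the data


# Who may read data in each tier. Roles are constructed examples.
TIER_ROLES = {
    Tier.ACTIVE: frozenset({"operations", "legal"}),
    Tier.INTERMEDIARY: frozenset({"legal"}),
    Tier.PERMANENT_ARCHIVE: frozenset({"research"}),
    Tier.ERASED: frozenset(),
}


@dataclass
class RetentionPolicy:
    """Per-category policy. Durations are placeholders to be taken from the Référentiel."""
    category: str
    intermediary_term: timedelta    # how long the data stays in the intermediary database
    archive_eligible: bool = False  # True if the category has scientific/statistical interest


@dataclass
class Record:
    record_id: str
    category: str
    purpose_ended_on: Optional[date] = None  # None while the original purpose is still live
    tier: Tier = Tier.ACTIVE


def expected_tier(record: Record, policy: RetentionPolicy, today: date) -> Tier:
    """Tier the record should be in on `today`, following the lifecycle in the Guidelines."""
    if record.purpose_ended_on is None:
        return Tier.ACTIVE
    if today < record.purpose_ended_on + policy.intermediary_term:
        return Tier.INTERMEDIARY
    return Tier.PERMANENT_ARCHIVE if policy.archive_eligible else Tier.ERASED


def apply_retention(records, policies, today):
    """Move every record to its expected tier; returns the transitions made, for the audit log."""
    transitions = []
    for rec in records:
        policy = policies[rec.category]  # KeyError here = a category with no documented retention rule
        target = expected_tier(rec, policy, today)
        if target != rec.tier:
            transitions.append((rec.record_id, rec.tier.value, target.value))
            rec.tier = target
    return transitions


def can_access(record: Record, role: str) -> bool:
    """Access check enforcing the restricted access of the intermediary and archive tiers."""
    return role in TIER_ROLES[record.tier]


# Constructed sample policies and records (not from the page).
POLICIES = {
    "patient_file": RetentionPolicy("patient_file", timedelta(days=365 * 2)),
    "study_data": RetentionPolicy("study_data", timedelta(days=365), archive_eligible=True),
}

SAMPLE_RECORDS = [
    Record("r1", "patient_file"),                                      # purpose ongoing
    Record("r2", "patient_file", purpose_ended_on=date(2023, 1, 1)),   # within intermediary term
    Record("r3", "patient_file", purpose_ended_on=date(2019, 1, 1)),   # term expired, no archive interest
    Record("r4", "study_data", purpose_ended_on=date(2019, 1, 1)),     # term expired, archivable
]


def run_example(today_iso: str = "2024-06-01"):
    """Run one retention pass over the sample records as of the given date."""
    return apply_retention(SAMPLE_RECORDS, POLICIES, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for t in run_example():
        print("%s: %s -> %s" % t)
```

A real deployment would persist the transition list as the audit trail the Guidelines' documentation questions call for, and would treat a missing policy for a category as a finding to resolve rather than as a crash.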
b. Answers, in Q&A format, to common questions that arise when defining data retention
The CNIL’s Guidelines include answers to the following common questions to keep in mind when defining a relevant data retention period:
- What does the principle of limited data retention mean?
- Should personal data be systematically erased at the end of the data retention term?
- What is the difference between an active and intermediary database?
- How to comply with the limited data retention principle when the data is processed by a processor?
- How to define the relevant applicable data retention term?
- Which stakeholders may help the data controller to define such data retention term?
- How to document the data retention policy of the company?
- What information to provide to data subjects regarding the retention term of their personal data?
- How to implement limited data retention by design?
- How to archive data (separating the active database from the intermediary database)?
- How to manage the retention term of the same data used for two different processing operations?
- What are the risks in case of non-compliance?
- How to identify the relevant data retention periods?
c. Practical guidance, based on Data Retention Standards, for defining the precise data retention term applicable
To complete the framework for organizing data retention defined in the CNIL’s Guidelines, the CNIL has issued specific Data Retention Standards, which specify the relevant data retention periods by sector and purpose. These Data Retention Standards generally cover only the first two stages of the lifecycle (active and intermediary). They are not mandatory and do not claim to be exhaustive.
To date, two specific data retention standards have been released in the health sector:
- one related to personal data processed in the context of health research, such as clinical studies; and
- the other on data retention applicable to health data more generally (beyond research), such as the management of patient files, sanitary vigilance, etc.
The CNIL’s Guidelines describe how these Data Retention Standards work and how to use them.
It should be noted that other CNIL standards also provide guidance on data retention periods and may be used when determining the relevant data retention period, such as the whistleblowing standard and the sanitary vigilance standard.
Organizing data retention to comply with GDPR requirements is known as one of the most burdensome and complex tasks to achieve. The CNIL’s Guidelines and Data Retention Standards are thus very welcome. Although these documents are not mandatory, they may be used as a basis to structure the company’s personal data retention policy and, if properly implemented, should facilitate the dialogue with the Supervisory Authority in the event of a dawn raid.