Connon & Wood  
  Tel: 626.389.3845   Fax: 626.792.9304


International White Paper    

 

RETENTION AND DISCLOSURE OF DATA IN FRANCE FROM AN EMPLOYMENT LAW PERSPECTIVE:

How to retain and disclose information in the workplace?

 

 

  

By Cécile Martin, Esq.

FRANKLIN

26, AVENUE KLÉBER 75116 PARIS

 

Telephone: 33 (0) 1 45 02 79 00 – Fax: 33 (0) 1 45 02 79 01/02

e-mail: cmartin@franklin-paris.com

www.franklin-paris.com


Nowadays, a huge amount of personal data is collected and stored in databases by employers every second, and with extreme ease, which raises the question of the validity of the retention and disclosure of those data.

 

It is incumbent upon employers to make sure when collecting personal data that they are entitled to do so and to ensure that the retention is in compliance with the French law requirements[1].

 

Employers should be aware that they are not entitled to disclose information about employees to everybody requesting it.  They are under the obligation to make sure that the persons claiming those data are entitled to get them.

 

CEOs and other officers are not the only persons in a company to be under this kind of responsibility.  Each employee, including employees’ representatives and network administrators, who intends to disclose information belonging to the company must be very careful about the information that s/he is about to disclose.

 

In order to practically understand the retention and disclosure process in France, we will focus on the obligations incumbent upon the employers in case of retention of personal data (I) as well as how and by whom the company’s information may be disclosed (II).

 

It should be noted that this presentation will not deal with the issues relating to electronic discovery, obligations of preservation of electronically stored information incumbent upon the employers or failure to provide electronically stored information, since there is no particular regulation on these issues and very few retention policies have been implemented in France for the moment.

 

I.        RETENTION OF PERSONAL DATA BY EMPLOYERS

 

I.1     Data to be retained by employers

 

Under French employment law, employers are obliged to retain some information and documents for a certain amount of time.

 

However, how long must those documents be retained and what happens if the employer is not able to provide the requested information?

 

I.1.1     Personal data which must be kept by employers

 

Several situations must be distinguished: sometimes the French Labor Code expressly provides the timeframe during which documents must be retained, whereas for other documents it only provides that they must be retained by employers, without specifying any particular timeframe.

 

 

 

Examples of data which must be kept by companies pursuant to French employment law

Data to be retained: Data relating to the employees written down in the personnel register and dealing with the main staff identification data (names, birthdates…)
Timeframe stated by the law: 5 years after the employee’s departure from the company
Timeframe recommended: 10 years in case of litigations with the retirement Authorities
Persons to whom the data can be disclosed: Labor inspector; Personal delegate; Employee; URSSAF (French Labor Authorities)

Data to be retained: Salary slips
Timeframe stated by the law: 5 years
Timeframe recommended: unlimited time in case of a claim issued by the retirement authorities in order to calculate employees’ pensions
Persons to whom the data can be disclosed: Labor inspector; Employee; URSSAF (French Labor Authorities)

Data to be retained: Working time by each employee
Timeframe stated by the law: 1 year
Timeframe recommended: (none given)
Persons to whom the data can be disclosed: Labor inspector; Personal delegate; Employee; URSSAF (French Labor Authorities)

Data to be retained: Accident Book
Timeframe stated by the law: 1 year
Timeframe recommended: (none given)
Persons to whom the data can be disclosed: Social security employees; Health and safety committee’s members

 

 

 

 

Examples of data which are highly advisable for companies to keep

Data to be kept: Employment contracts
Timeframe minimum recommended: As long as the employment contract is in force and 30 years after
Persons to whom the data can be disclosed: Labor inspector; Personal delegate; Employee

Data to be kept: Documents relating to the end of the employment contract
Timeframe minimum recommended: 30 years after the employee’s departure
Persons to whom the data can be disclosed: Labor inspector; Employee; French labor court

Data to be kept: Settlement agreements
Timeframe minimum recommended: 30 years
Persons to whom the data can be disclosed: Employee; URSSAF (French Labor Authorities)

Data to be kept: Overtime made by employees
Timeframe minimum recommended: 5 years
Persons to whom the data can be disclosed: Employee; French labor court; Labor inspector

 

The Labor Code’s lack of exhaustiveness and precision creates a feeling of insecurity among employers when storing personal data.

 

In order to avoid problems, especially in case of litigation, it is preferable to keep the data as long as legal actions are not prescribed.  This is the main consequence that can be drawn from the decision rendered on October 29, 2003 by the French Supreme Court.

 

In this ruling, the French Supreme Court held that a bank does not have the obligation to destroy its archives at the expiration of the ten-year timeframe during which bank statements must be stored.  Therefore, if it is established that the bank did not destroy the plaintiff’s bank statements at the end of the legal timeframe, the plaintiff is entitled to get these bank statements from the bank in order to get the payment of his benefit scheme.  Indeed, according to Article R.442-16 of the French Labor Code, payment of the benefit scheme can be claimed by employees for 30 years.  Consequently, the plaintiff’s action was not yet prescribed.

 

Moreover, it is highly recommended for employers to keep certain data in order to prove that plaintiffs’ claims are ill-grounded and be able to challenge their claims.  This is particularly true when the plaintiff is claiming overtime payment after leaving the company or when the plaintiff claims that his/her dismissal did not comply with the French due process rules.

 

An employer’s failure to provide the court with evidence showing that the plaintiff’s claim is ill-grounded may have adverse consequences, depending on the nature of the claim.

 

In particular, in the case of a claim for overtime, the French Labor Code provides that the burden of proof is borne by both parties (see Article L.212-1-1).  Therefore, if the employer is unable to provide the court with basic pieces of evidence such as the employee’s timesheets, the employee will have a serious chance of winning the case if s/he can rely on some documents, even though they are not conclusive pieces of evidence.

 

Where an employee challenges the validity of his dismissal, the burden of proof on the employer will vary depending on whether the termination is for economic reasons or based on the employee’s misconduct.

 

In the first case, employers are under the obligation to provide the court with any financial documents that may prove the seriousness of the economic difficulties faced by the company. The employer’s failure to provide such a proof will inevitably lead the court to rule in favour of the employee.

 

In case of a dismissal based on the employee’s misconduct, the employee as a plaintiff will have to demonstrate that the employer’s grievances are irrelevant.  Even if the employer’s burden of proof is not as strict as in the case of a termination of an employment agreement for economic reasons, he will nevertheless have to disclose some pieces of evidence that show the employee’s misconduct.  Furthermore, he will not be allowed to take advantage of facts that would not have been inserted in the termination letter. 

 

In this respect, it must be pointed out that if an employee succeeds in proving that his/her dismissal is not supported by a real and serious cause, a court can decide to reinstate the employee (Article L.122-14-4 of the French Labor Code). However, the employer is always entitled to oppose the reinstatement. In such a case, the employee is entitled to an indemnity for abusive dismissal which should not be less than 6 months’ gross salary[2].

 

In any event, French labor courts are bound by Article L.122-14-3 of the French labor Code which provides that in case of doubt, the employee’s argumentation should prevail.

 

Consequently, employers must be particularly cautious when they are sued in court by employees.

 

Moreover, it must be noted that employers who fail to store the legal documents required by the French labor Authorities, including Labor Inspectors, may face criminal sanctions (e.g. a fine amounting to Euros 450).

 

I.1.2     How long should employees’ data be retained by employers?

 

Retaining employees’ data for an indefinite period of time is not recommended. The employer must make a declaration to the French Data Protection Agency (“CNIL”) in which a time limit is specified. According to Article 226-20 of the French Criminal Code, retaining and storing personal data beyond this time limit is punishable by a five-year term of imprisonment and a fine of up to Euros 300,000 when there is no written approval from the CNIL for longer retention.

 

One of the main goals of the CNIL is to ensure, on the basis of the 1978 Act on Data Processing, Data Files and Individual Liberties, that individuals’ rights concerning where and how personal information is contained or used (on computer files) are protected.

 

In particular, the CNIL prescribes that:

 

- the lists of telephone numbers dialed by employees in the workplace cannot be kept more than 6 months by employers;
- the reasons for employees’ absenteeism cannot be kept more than 2 years;
- data from employees’ badges showing their entries to and departures from the company cannot be kept more than 3 months;
- data from the timekeeper cannot be kept more than 1 year.

 

I.2  Employers’ guidelines for validly retaining employees’ personal data in France

 

The main principle to be kept in mind is that any personal database established for professional purposes through automatic processing must be declared to the CNIL.  Under Article 2 of the French Data Protection Law, personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his identity.

 

In order to properly collect, use and store personal data, all companies established in France (including non-French companies having an establishment in France) must inform the CNIL of their intention to create a database and fill out a declaration indicating which information will be stored, the time during which it will be retained, to whom it will be disclosed and for which purpose those data are retained.

 

The only companies which are exempt from this obligation are those which have decided to appoint an in-house privacy controller.  However, it must be noted that the law of August 6, 2004 creating the in-house privacy controller (which aims at implementing the EU Directive of 1995 and amending the 1978 Act) provides that the terms and conditions for appointing such a controller will be set by a Decree.  As we are still waiting for this regulation, it is not yet possible to take advantage of the new law of August 6, 2004 in order to be exempted from the declaration to the CNIL.

 

Failure to submit a declaration can (according to Article 226–16 of the French Criminal Code) be sanctioned by 5 years of imprisonment and a fine of Euros 300,000.

 

In France, three types of declarations for private companies without public prerogatives are possible:

 

- ordinary declaration: the data controller just needs to fill out a form mentioning which types of information are stored, the purpose of the processing, the department responsible for the processing, the categories of persons who, by reason of their duties, have direct access to the data recorded, the duration of storage, the department in charge of the access right, the categories of recipients authorized to receive such data, and the steps taken to provide security of the processing.  Upon receipt of the Agency’s receipt (which is delivered without delay), the processing can be put in place.

- declaration which needs to be authorized by the Agency: this declaration is used in case of processing of sensitive data[3], processing about infractions committed by individuals, processing mentioning the social security number, biometric data, or processing whose data are going to be transferred outside the EU to a country which does not offer an equivalent level of data protection.  Upon receipt of the declaration, the CNIL must render its decision within the next 2 months (this timeframe is renewable once).  If the Agency remains silent during this timeframe, the authorization is denied.

- simplified declaration of conformity: interestingly enough, in order to lighten the declaration process for employers, especially HR managers, the CNIL has enacted different norms called simplified declarations of conformity (“declarations simplifiées”) in order to speed up the declaration process.

 

Employers no longer have to fill out a declaration or an ordinary declaration relating to:

  - the issuing of the salary slips (Agency’s decision of May 27, 2004 and deliberation of December 9, 2004);
  - the management of human resources (careers management, organization of the professional elections, professional mobility, training sessions, ranking…) as long as the purpose of those databases is not to monitor the employees in the workplace (Agency’s decision dated January 13, 2005).

 

The CNIL has stated that the computerized management of mails and electronic filing of documents produced within the framework of the above mentioned purposes are covered by the simplified declaration of conformity.  In other words, employers do not have to fill out a special declaration relating to electronic filing.

 

They just have to indicate the norm they are going to respect and to sign a form indicating that they undertake to strictly comply with the norm enacted by the CNIL.  This kind of declaration is particularly used for common types of processing, which manifestly do not infringe privacy or liberties.

 

Upon receipt of the acknowledgement issued by the Agency, the employers may proceed with the processing.

 

The CNIL has specified that data collected in those circumstances cannot be stored after the end of the employment relationship, unless provided otherwise by the law.

 

It must also be outlined that this kind of declaration is not possible if a transfer of the data outside of the EU is envisaged.

  

I.3     Employers’ obligations vis-à-vis their employees in case of retention of personal data

 

I.3.1     Duty of information:

 

Employers must inform employees of the existence of the database.  This could be done through a memo or a handbook posted within the premises of the company or through a statement included in the employment agreements. 

 

However, when this has not been done, and even where employers are not obliged to go through a declaration process (e.g. processing for issuing salary slips), employers must communicate certain information at the employees’ request, i.e.:

- end-purpose of the processing;
- who is in charge of this processing;
- the department in charge of the access right;
- which personal data are collected;
- the categories of recipients authorized to receive such data;
- if the data are going to be transferred outside the EU.

 

When employees have not been informed beforehand and employers must declare databases containing information that is directly collected from employees, employers must inform employees of:

- the end-purpose of the processing;
- who is in charge of this processing;
- the compulsory or optional nature of their responses;
- any consequences resulting from their failure to answer;
- the existence of their rights of access and opposition;
- if the data are going to be transferred outside the EU.


When employees have not been informed beforehand and personal data is collected via a questionnaire, employers must inform them of:

- the identity of the individual in charge of the processing;
- the end-purpose of the processing;
- the compulsory or optional nature of their responses;
- the existence of their rights of access and opposition.

 

It should be noted that when informing employees is either impossible or could result in disproportionate efforts with respect to the interest of the answer, employers are not required to comply with the obligation of information (Article 32.III of the French Data Protection Law).

 

I.3.2     Rights of access and communication:

 

Any employee is entitled to request access to his/her personal data from the department of the company in charge of the access right.  The information supplied to this employee must be communicated in clear language (which means that it cannot be coded).  At the employee’s request, the employer is obliged to provide him/her with a copy of the personal data registered.  Delivery of the copy may be made subject to the payment of a sum which cannot exceed the cost of reproduction (Article 39-I§2 of the French Data Protection Law).

 

If there is a risk of concealment, the judge can take measures, via a summary procedure, in order to avoid the concealment or disappearance of the personal data.

 

However, to avoid frivolous claims, employers are entitled to refuse to answer employees’ requests if they are manifestly abusive due to their number or their repetitive and systematic character.  If an employee challenges an employer’s right to refuse his/her claims, the burden of proof of the abusive character of the request is borne by the employer (Article 39.II of the French Data Protection Law).  A request by an employee for communication of all his/her personal data stored over the last 15 years would be considered abusive.

 

I.3.3     Duty of rectification:

 

It is incumbent upon the employer to make sure that the data stored are accurate, complete and updated. 

 

Employees may require the correction, completion, updating, blockage or erasure of personal data which are inaccurate, incomplete, ambiguous, outdated or whose acquisition, use, disclosure or storage is prohibited.  Upon employees’ request, employers must justify that they strictly complied with this obligation (Article 40 of the French Data Protection Law).

 

If an employee considers that an employer did not comply with this obligation, the burden of the proof will be borne by the employer, unless the employer is successful in proving that the inaccurate information has been provided by the employee him/herself or with his/her consent.

 

Moreover, if inaccurate information has been transferred to another company, its rectification or cancellation must be notified to that company.

 

I.3.4     Duty of security:

 

When processing personal data or ordering such processing, employers must make sure vis-à-vis the persons concerned that all necessary precautions are taken to protect the data and in particular to prevent them from being distorted, damaged or disclosed to unauthorized third parties.  Employers should be very careful when collecting employees’ personal data and strictly limit it to information that is allowed to be processed.

 

Article 226-17 of the French Criminal Code provides that processing personal data without taking all relevant steps to preserve the confidentiality of such information, and in particular to prevent it from being damaged or disclosed to unauthorized third parties, is punished by a five-year term of imprisonment and a fine of Euros 300,000.

 

II.       DATA DISCLOSURE

 

II.1    Data disclosure by employers

 

II.1.1   Is the employer under the obligation to disclose data concerning his employees to third parties?


It should be noted that pursuant to Article 226-22 of the Criminal Code, “anyone who has collected, at the time of its recording, classification, transmission or any other form of processing, name-bearing information the disclosure of which would result in undermining the reputation of the concerned person or cause harm to the intimacy of his private life, and then brings such information to the knowledge of a third party who has no authority to receive it without prior authorisation of the person concerned, is punished by five years’ imprisonment and a fine of Euros 300,000”.

Disclosure contrary to the previous paragraph is punished by three years’ imprisonment and a fine of Euros 100,000 where it was committed with lack of care or negligence.

Nevertheless, in the cases set out under the two previous paragraphs, the prosecution may only be initiated upon the complaint of the victim, his legal representative or successors.

 

However, pursuant to Article 3-II of the French Data Protection Law, a recipient can be considered as “any person empowered to get communication of the stored data other than the data subject, the data controller, the subcontractor and the persons who, due to their functions, are in charge of the management of the data”.

 

This legal definition makes it possible to identify the categories of persons who have access to the data.  Nonetheless, the data may be communicated to other persons who are not recipients.

 

Indeed, the French Data Protection Law provides that the following cannot be considered as recipients: “the authorities empowered, within the framework of a particular mission or a particular right of communication, to ask the data controller to communicate personal data”.

 

These authorities are generally judicial, tax, social authorities or the CNIL itself since they do not need to be identified as recipients.

 

Moreover, the CNIL is endowed with investigative powers such as powers of access to the data and powers to collect all the information necessary for the performance of its supervisory duties (Article 11§2 of the French Data Protection Law).

 

Therefore, employers cannot oppose the CNIL’s prerogatives and must, on the contrary, take every necessary step to facilitate the CNIL’s investigation.

 

In this respect, it must be noted that the CNIL’s agents, after having informed the Public Prosecutor, have access to the company’s premises, or installations where the processing is made from 6.00 am to 9.00 pm.

 

If an employer refuses access to the CNIL’s agents or refuses to communicate the data, the CNIL may ask the Presiding Judge of the civil court to grant an authorization to conduct the investigation.  During the visit, all the verifications conducted by the CNIL’s agents will be described in the minutes, which will be signed by the employer and the CNIL’s agents.

 

However, despite this procedure authorizing the CNIL’s agents to enter into the company, the CNIL may decide to take legal action against the employer who decides to refuse to communicate the data to the CNIL’s agents (Article 51 of the French Data Protection Law).  Obstruction to the CNIL’s investigation is punished by a one-year term of imprisonment and a fine amounting to Euros 15,000.

 

II.1.2   Is the employer entitled to disclose employees’ data outside the EU?

 

An employer is entitled to disclose employees’ data outside the EU only if the country which is going to receive the data ensures a sufficient level of protection[4].


Nevertheless, pursuant to Article 69 of the French Data Protection law, a data controller will be entitled to transfer the data into a country which does not offer a sufficient level of protection (e.g. the USA) if in particular he gets the unambiguous consent of the data subject.

 

Therefore, is an employer entitled to transfer to the US his employees’ data when getting his employees’ consent?

 

The CNIL has adopted a strict interpretation of the terms “unambiguous consent” and considers that given the subordination relationship, an employee is not in a position to give a genuine consent[5].

 

Consequently, in order to transfer personal data outside the EU, the employer will have to either enter into a contract based on the EU Commission-approved standard contractual clauses[6] or make sure that the data importer adheres to the Safe Harbor.  In both cases, a declaration must be filed with the CNIL even if an in-house data controller has been appointed.  Upon receipt of the declaration, the CNIL will issue a special receipt authorizing the transfer outside the EU.

 

It should be noted that according to Article 226-22-1 of the French Criminal Code, unless provided otherwise by the law, a transfer of personal data outside of the EU in violation of the measures taken by the EU Commission or the CNIL is punished by five years’ imprisonment and a fine amounting to Euros 300,000.

 

II.1.3    Is the employer entitled to read his employees’ emails?

 

It should be considered that an email sent or received by an employee from a workstation belonging to the employer is of professional nature since the computer put at the employee’s disposal in the workplace is the company’s property.

 

Nevertheless, it should be noted that the use of professional computers for sending or receiving personal emails, within reasonable limits, corresponds to a generally and socially accepted use in France.[7]

 

However, it is not because a company’s computer is put at the disposal of an employee for professional reasons, that the employer has an absolute right to go through the emails of that employee and to disclose their content to a third party.

 

Before opening and reading an employee’s email, the employer must make sure that it is not a personal email.  This is the position adopted by the French Supreme Court in a decision dated October 2, 2001.


The factual background was the following: an employee had been dismissed for gross fault on the ground of unfair competition.  The employer had been able to demonstrate the acts of unfair competition committed by his employee by examining the hard drive of the company’s computer put at the disposal of the employee.  The Court of Appeals had ruled that the dismissal of the employee was valid.  However, the Supreme Court has quashed the decision of the Court of Appeals for the following reasons: “the employee has a right to privacy, even in the workplace and during the working time; privacy entails the protection of the confidentiality of communications; therefore, the employer cannot have access to the personal messages sent or received by the employee via a company’s computer, even though the employer’s policy prohibits the use of company’s computers for private reasons”.


In a previous decision of November 2, 2000, the First Instance Court of Paris had found an employer liable for examining an email in full knowledge of its personal nature, even though the company’s privacy policy regarded any email received via a company’s computer as professional.

 

The CNIL recommends that the employee expressly mention in the email’s subject line whether it is a personal or professional email.  In such a case, it is incumbent upon the employer to check, before opening and disclosing the email when the employee is absent, whether it is a personal or confidential email.

 

Opening or disclosing someone else’s correspondence can be punished by one year of imprisonment and a fine of Euros 45,000.

 

The employee must undertake not to transform, in bad faith, professional data into private data. In order to make sure that this obligation will be respected by employees, it is highly advisable to mention it in the company’s Rules of Procedure (“Réglement Intérieur”) and to remind employees that, pursuant to Article L.120-4 of the French Labor Code, the employment contract must be performed in good faith.

 

II.2    Data disclosure by employees

 

II.2.1   Is the employee obliged to disclose his/her computer’s password to his/her employer?

 

As explained above, the computer put at the employee’s disposal is the company’s property.  Although it can be protected by a password, this security measure is not sufficient to transform the computer into a personal belonging.

 

Therefore, the French judges found in a decision dated March 18, 2003 that it is incumbent upon an employee who is absent from the company to communicate his/her password to his/her employer when the proper functioning of the company depends on the data retained by the employee.

 

In order to be totally transparent, the CNIL[8] recommends that the employer inform the employee that he accessed his/her computer during his/her absence and that he take care not to open private emails.

 

II.2.2   Is the employee entitled to disclose data belonging to the company before French courts?

 

It may happen that employees who have filed a lawsuit against their employer are tempted, in order to establish that their claims are well grounded, to disclose before French labor Courts documents belonging to the company that were duplicated without the company’s knowledge.

 

Since 1998, the French Supreme Court (labor division) has acknowledged that an employee may validly disclose documents belonging to the company in order to ensure his/her defense if s/he became aware of them when performing his/her duties.

 

By contrast, the French Supreme Court (criminal division) considered that the employees might be convicted of theft.

 

Nonetheless, in two rulings dated May 11, 2004 the criminal division of the French Supreme Court decided to align its position with that of the labor division.

 

Henceforth, favoring the employee’s defense right over the company’s property right, the criminal division of the French Supreme Court rules that an employee prosecuted for theft for having duplicated documents belonging to the company may be discharged if the two following conditions are fulfilled:

- the employee became aware of the documents when performing his duties for the company;
- the disclosed documents must be strictly necessary to the employee’s defense before the court.

 

II.2.3   Is the employee entitled to disclose data belonging to the company to competitors?

 

It should be known that in France, even if the employees’ employment contracts do not contain an exclusivity clause, employees are not entitled, throughout their employment relationship, to perform, for themselves or for another company, an activity competing with the one performed by their employer (except if they work on a part-time basis).

 

Indeed, the employees are bound by an obligation of loyalty.  This principle is indirectly indicated in the French Labor Code which provides under Article L.120-4 that: “the employment contract should be performed in good faith”.

 

This obligation of loyalty must be distinguished from the non-compete obligation which comes into force only at the end of the employment relationship.

 

In the same way, it should be pointed out that employees are not entitled to disclose an employer’s manufacturing process, on pain of two years’ imprisonment and a fine amounting to Euros 300,000.

 

Therefore, the French Supreme Court[9] has considered that the storage and conservation of clients and suppliers databases is a fault and their use justifies a condemnation for unfair competition.

 

It appears from the foregoing that employees are not entitled to disclose data belonging to the company to third parties, except at the express request of their employer, on pain of having to pay damages to their employer and of being dismissed for reckless misconduct or gross fault.

 

III.3   Data disclosure by employees’ representatives and network administrators

 

III.3.1  Are the employees’ representatives entitled to disclose information concerning the company?

 

Under French employment law, works council members and unionists are bound by an obligation of professional secrecy for all questions relating to manufacturing processes (Article L.432-7§1 of the French Labor Code).

 

Moreover, it should be pointed out that works council members and unionists are bound by an obligation of discretion regarding any information which is confidential in nature or which the employer presents as confidential (Article L.432-7§2 of the French Labor Code).

 

Consequently, if an employer considers that a protected employee is in breach of his/her obligation of confidentiality and that such a breach means that the employee should no longer remain in the company, it would have no other choice but to ask the Labor Inspector for authorization to dismiss the employee.

 

III.3.2  Are the network administrators authorized or forced to disclose personal data they have access to when performing their duties?

 

Network administrators, who are responsible for ensuring the regular functioning and the security of the company’s networks, are led, when performing their duties, to access all users’ information (emails, Internet connections, hard disks…).


The CNIL points out that such access is not contrary to any provision of the 1978 Act. This view is consistent with the case law of the Paris Court of Appeals. Indeed, in a decision dated December 17, 2001, the Court considered that the administrator’s function is to make sure that the network is working properly and to ensure the security of the network, which implies that administrators have access to all the data located on the network.

 

However, the CNIL specifies that those employees should not use the data they have access to for purposes other than those linked to the functioning of the network[10].

 

Therefore, administrators are not entitled to read other employees’ emails in order to satisfy their own curiosity, since they are bound by professional secrecy and would be in breach of the secrecy of correspondence (Article 226-15 of the Criminal Code).

 

In this respect, it should be noted that employers are not entitled to obtain from administrators the disclosure of information to which the administrators had access in the course of their employment contracts.


*     *     *     *     *     * 

 

It appears from the foregoing that employers located in France, and more generally in the EU, must be very cautious when collecting, storing and disclosing personal data or data  as their criminal liability could be incurred.

 

Interestingly enough, other actors within the company (employees, employees’ representatives and network administrators) are bound by the same obligation of prudence. Consequently, it is of the utmost importance to make sure that companies’ internal procedures are well established.

 

Most of the problems employers in France have to deal with relate to the storage of personal data and are thus quite different from the e-discovery issues faced by their US counterparts.


[1] It should be mentioned that the French Data Protection Law dated January 6, 1978 was recently amended by a law dated August 6, 2004 in order to be in full compliance with the EU Directive of October 24, 1995.

[2] When the employee has at least two years of service or when he is working in a company of at least 11 employees.

[3] Data revealing, directly or indirectly, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sexual orientation.

[4] The EU Commission considers that an adequate level of protection is offered for instance by Canada or Argentina.

[5] A Decree should be issued shortly in order to clarify this interpretation.

[6] Standard clauses established by the EU Commission on June 25, 2001 and new clauses which were adopted by the EU Commission on December 27, 2004 and which will enter into force on April 1, 2005.

[7] Report on cyber-surveillance in the workplace made by the CNIL on February 5, 2002.

[8] Report on cyber-surveillance in the workplace made by the CNIL in March 2004.

 

[9] Ruling of the French Supreme Court dated June 25, 1991.

[10] Report on cyber-surveillance in the workplace made by the CNIL on February 5, 2002.


 

35 East Union Street, Pasadena, California 91103