HR Internal Investigations 2026

FRANCE Law and Practice Contributed by: Eva Kopelman, Ségolène Cox and Alexis Alié-Sandevoir, Axipiter

7. Data Protection

7.1 Collecting Personal Data

Under French law and the General Data Protection Regulation (GDPR), an employer is permitted to collect personal data for the purpose of an internal HR investigation, subject to strict limitations.

Personal data collected must:

• be processed for specified, explicit, and legitimate purposes; and
• not be further processed in a manner incompatible with those purposes (Article 5 (b) GDPR).

The lawfulness of data processing must be based on at least one of the legal grounds provided under Article 6 GDPR. In the context of an internal HR investigation, two bases are typically applicable, as follows.

• Compliance with a legal obligation – eg, when the investigation is conducted following a mandatory whistle-blowing report or to comply with the employer’s health and safety obligations.
• Legitimate interest – this is justified when the data subject could reasonably expect, at the time of data collection, that their personal data would be processed for a given purpose. As an example, preventing fraud or misconduct may constitute a legitimate interest.

All data collection and processing must be strictly necessary, proportionate, and transparent. Personal data should be secured and retained only for the duration required to complete the investigation.

7.2 Specific Rules

Under the GDPR, when the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals, the data controller must carry out a Data Protection Impact Assessment (DPIA) prior to processing.

An internal HR investigation, which aims to determine whether legal or regulatory violations have occurred and whether disciplinary or judicial action is warranted, constitutes high-risk processing and should therefore be preceded by a DPIA.

The French Data Protection Authority (CNIL), in its publication of 11 October 2018, provides an indicative list of processing operations requiring a DPIA, including the management of whistle-blowing reports and the internal investigations arising from them.

Furthermore, as interviews conducted during the investigation involve the collection and processing of personal data, Article 13 of the GDPR requires that interviewees be provided with a privacy notice that specifies, at a minimum:

• the identity and contact details of the data controller;
• the purposes and legal basis of the processing; and
• the retention period for the data and the rights of the individuals concerned (access, rectification, objection, etc).

In practice, these measures ensure the transparency and lawfulness of data collection and processing during an internal investigation, while mitigating risks for both the company and the individuals involved.

7.3 Access

Under Article 15 of the GDPR, any current or former employee, upon verifying their identity, has the right to request access to all personal data concerning them held by their employer or former employer.

This right includes, in particular:

• the purposes of the processing;
• the recipients of the data; and
• the retention period of the data.

However, this right of access is not absolute. The employer may limit disclosure of certain information to protect:

• the privacy rights of third parties;
• the company’s trade secrets; and
• the confidentiality of correspondence.

In the context of an internal HR investigation, it is generally possible to refuse access to information where disclosure would compromise the confidenti -
