A system for auditing personal data not declared to the CNIL is illegal
ven., 16 janv. 2015 12:22:00 +0100
Any personal data processing system must be declared to the National Data Protection and Freedom of Information Commission (CNIL) in order to be legal. In the contrary instances, all data is unusable. Consequently, the social chamber at the Court of Cassation dismissed a decision by the Amiens Court of Appeal(décision n° 13-14.991 of 8 October 2014), which approved a dismissal for real and serious reasons, based on processing of personal data which had not been declared to the CNIL.
The dismissal decision was solely based on information included within the control system for the number and content of emails of employees implemented by the company. This data processing system, including personal data, had not been declared to the CNIL. It was, consequently, illegal and the company was unable to use the proof it had established.
Declaration to the CNIL is compulsory, excluding where the processing method is covered by one of the 19 exemptions declared by the Commission.
It is important to reiterate that the declaration to the CNIL is not the only condition for legality of processing personal data, with this legality additionally being subject to the condition, notably, of prior notification to the people concerned. This information concerns the right to information. The right of consultation over one's own personal data also concerns the collection of information and the use thereof.