CNIL guidance on data deletion and retention

In July 2020, the CNIL (the French data protection authority) published practical guidelines on data retention periods (Guide pratique – Les durées de conservation): https://www.cnil.fr/sites/default/files/atoms/files/guide_durees_de_conservation.pdf

These build on the CNIL's earlier recommendation of 11 October 2005 on the archiving of personal data.
They aim to give practical help in defining data retention rules and periods.
Like DIN 66398 (the German industry standard on data retention/deletion), they do not give guidance for specific data categories. https://din-66398.de/

However, the CNIL does define data retention periods in separate documents ("Référentiels"). Up to now, two such Référentiels have been published for the health sector:

publishable_fr_2020-05_chapter_iii_-_rights_of_the_data_subject_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand

Background information
Date of final decision: 11 May 2020
LSA: FR
CSAs: ES, PT, UK

Legal Reference: Right to erasure (Article 17)
Decision: Reprimand
Key words: Right to erasure, Data retention

Summary of the Decision

Origin of the case
The data subject asked the controller to delete their personal data and received the controller's confirmation that their account and personal data had been deleted. Despite this confirmation, the data subject found that they could still access their customer account with the controller. Consequently, the data subject lodged a complaint with the LSA.

Findings
In a first exchange between the LSA and the controller, the controller stated that it had deactivated the complainant's account the day after the request, but that the deactivation was not effective when the complainant tried to access the account because of a technical malfunction, which was only resolved months later. In a second letter, the controller reported that a member of its customer service team had earlier obfuscated the complainant's account ID in an attempt to resolve the data subject's difficulty; this prevented the deletion script from functioning and, as a result, the account was never deleted.

By the time of the LSA's second inquiry, the controller had restored the complainant's account ID and re-run the script so that the account would actually be made unavailable. The LSA concluded that the controller had not been able to demonstrate that the complainant's data had effectively been deleted, despite a first confirmation to the complainant and a second one to the LSA.

The controller indicated that it would proceed with the definitive deletion of the complainant’s data at the end of the applicable limitation periods and domestic retention obligations.

Decision
The LSA reprimanded the controller on the need to sort through the complainant’s data to store, in intermediate archives with restricted access, solely the personal data necessary for the exercise of legal claims, or for compliance with legal obligations.
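The failure pattern in this case is a general one: the erasure confirmation was issued because the deletion job had run, not because the account had verifiably become unusable, so a lookup key altered by support staff turned the job into a silent no-op. The following Python example is an added illustration and is not the controller's system or code; it uses a constructed in-memory store, a constructed account record and an assumed allow-list of fields (here only "invoices") standing in for the data a controller may keep in a restricted intermediate archive for legal claims or legal obligations. It contrasts a naive script that confirms unconditionally with one that treats zero matched rows or a still-working login as a failure.

```python
"""Erasure job that confirms only after verifying the post-deletion state.

Added example, not code from the decision or the controller. The store,
account and retention allow-list below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Assumption: fields a controller may keep in a restricted intermediate
# archive (e.g. to comply with accounting obligations). Everything else goes.
RETAIN_FOR_LEGAL_OBLIGATIONS = {"invoices"}


@dataclass
class Account:
    account_id: str
    login: str
    active: bool = True
    data: dict = field(default_factory=dict)


class AccountStore:
    """Constructed in-memory stand-in for a customer database."""

    def __init__(self, accounts):
        self.live = {a.account_id: a for a in accounts}
        self.archive = {}  # intermediate archive with restricted access

    def deactivate(self, account_id: str) -> int:
        """Mimics `UPDATE accounts SET active=0 WHERE id=?`; returns rows affected."""
        acct = self.live.get(account_id)
        if acct is None:
            return 0
        acct.active = False
        return 1

    def login_possible(self, login: str) -> bool:
        """What the complainant checked: can this login still be used?"""
        return any(a.login == login and a.active for a in self.live.values())

    def move_to_archive(self, account_id: str, keep_fields: set) -> None:
        """Sort the record: keep only allow-listed fields, drop the rest."""
        acct = self.live.pop(account_id)
        self.archive[account_id] = {
            k: v for k, v in acct.data.items() if k in keep_fields
        }


def naive_erase(store: AccountStore, account_id: str) -> str:
    """The pattern the decision describes: confirm because the script ran."""
    store.deactivate(account_id)  # return value (rows affected) is ignored
    return "deleted"


def verified_erase(store: AccountStore, account_id: str, login: str) -> dict:
    """Confirm only if exactly one row matched and the login no longer works."""
    affected = store.deactivate(account_id)
    if affected != 1:
        return {"status": "failed",
                "reason": f"{affected} accounts matched id {account_id!r}"}
    if store.login_possible(login):
        return {"status": "failed",
                "reason": "account still usable after deactivation"}
    store.move_to_archive(account_id, RETAIN_FOR_LEGAL_OBLIGATIONS)
    return {"status": "erased",
            "retained_in_archive": sorted(store.archive[account_id])}


def build_store() -> AccountStore:
    """Constructed sample data for the example."""
    return AccountStore([Account(
        "acct-1001", "alice@example.test",
        data={"invoices": ["INV-7"], "marketing_prefs": {"newsletter": True},
              "browsing_history": ["/shop", "/cart"]},
    )])


def scenario_obfuscated_id():
    """Support staff altered the stored ID; the erasure request uses the original."""
    store = build_store()
    acct = store.live.pop("acct-1001")
    acct.account_id = "acct-1001-XX"  # constructed: key changed by support staff
    store.live[acct.account_id] = acct
    naive = naive_erase(store, "acct-1001")          # says "deleted"...
    still_usable = store.login_possible("alice@example.test")  # ...but login works
    verified = verified_erase(store, "acct-1001", "alice@example.test")
    return naive, still_usable, verified["status"]


def scenario_restored_id():
    """After the ID is restored, verified erasure succeeds and minimises the archive."""
    store = build_store()
    result = verified_erase(store, "acct-1001", "alice@example.test")
    return result, store.login_possible("alice@example.test"), sorted(store.archive["acct-1001"])


if __name__ == "__main__":
    print(scenario_obfuscated_id())
    print(scenario_restored_id())
```

The point of `verified_erase` is that the confirmation to the data subject (and to the supervisory authority) is derived from the observed end state, so the obfuscated-ID case surfaces as a reported failure rather than a months-long silent gap; the archive step shows the data sorting the LSA's reprimand calls for, keeping only the allow-listed fields.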


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2020-05_chapter_iii_-_rights_of_the_data_subject_summarypublic.pdf


publishable_cy_2019-10_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: CY
CSAs: DE-Hamburg
Controller: Seachefs Cruises Ltd
Legal Reference: Right to erasure (Article 17), Lawfulness of processing (Article 6)
Decision: No infringement of the GDPR
Key words: Right to erasure, Data retention, Legal claims, Compliance with a legal obligation

Summary of the Decision
Origin of the case
The complainant submitted an erasure request to the controller, who was his previous employer. The HR department of the controller replied that some of his data (e.g. his passport information, employment contract, salary information and dismissal records) were to be kept in order to comply with national law obligations and be able to exercise or defend legal claims. As a result, the complainant lodged a complaint requesting the deletion of all his data.

Findings
The LSA found that, under the applicable national social insurance and tax law, the controller was required to keep records of all expenses, including salaries. To comply with this obligation, the controller had to keep the complainant's passport information, employment contract and salary information. Moreover, under the national statute of limitations, the controller was allowed to keep the complainant's dismissal records for six years after the dismissal, since the complainant could appeal the controller's decision to the relevant court.

Decision
The LSA found no infringement of the GDPR by the controller.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cy_2019-10_right_to_erasure_summarypublic.pdf
