Global Data and Cyber Handbook

France

Select a Topic
Start Comparison
Data Processing in the Employment Context
Jump to
Data Processing in the Employment Context Start Comparison
Is an identified legal basis required in order to collect or process personal data or sensitive personal data in the employment context?

Last review date: January 2025

Yes.

The potential legal bases for data processing in the employment context are:

There are no express provisions in the Data Protection Act, but French employers acting as data controllers must take into account their specific legal obligations. Therefore, the processing of personal data by employers can be based on the compliance with a legal obligation. This may be the case in the fields of recruitment (background checks), mandatory social declarations (for the use of the Social Security Number), immigration law (status/work permit), managing disabled workers (French Labor Code obligations) or managing sick leave and health data (French Social Security Code).

Lastly, article 44(4) of the Data Protection Act specifies that biometric data could be processed by employers or administrations, insofar as the purpose of the processing “ is strictly necessary to control access to workplaces and to equipment and applications used in the context of tasks entrusted to employees, agents, trainees or service providers".

Can consent be validly obtained in the employment context?

Last review date: January 2025

☒        Yes, but this consent is typically more difficult to establish in an employment context (specify details below)

Pursuant to recital 43 GDPR, "consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, which could be the case in the relationship".

This was the position of the CNIL prior to the GDPR, and the CNIL keeps that position and has an extended interpretation of that constraint. CNIL seems to consider that consent is not a valid consent for the processing of applicants' personal data (even though they are not subject to the "subordination link" which is deemed to jeopardize the freedom of consent).

Has the data privacy regulator issued guidance on use of artificial intelligence, automated decision making or profiling in an employment context – for example, relating to use in employee monitoring or hiring?

☒       Yes

Please refer to the EU Chapter for detailed information regarding EU-wide guidance.

  • CNIL framework on recruitment, Sheets 11 to 13 on the use of assessment tools and automated decision making in the hiring context
  • More recently, on 19 November 2024, the CNIL published specific guidelines on AI cameras which offer new ways of analyzing driving practices, with the aim of assisting drivers. Employers must ensure that these devices respect drivers' personal data and privacy (link here).
{{ $store.state.loadingScreen.message }} ...