Presentation
Force Ouvrière was audited by the CNIL for failing to comply with the GDPR and for violating personal data
The CNIL (French Data Protection Authority) continues its work of monitoring the content of documents and illegal practices related to employee ratings, in addition to its regulatory obligations to impose sanctions for GDPR breaches and personal data violations.
On Wednesday, September 10, the satirical weekly Le Canard enchaîné revealed the existence of a file listing a number of executives from the Force Ouvrière (Workers’ Force) union, established in 2016 by associates of Pascal Pavageau, who was then a candidate and subsequently elected general secretary in April 2018.
Based on this information and without waiting for any formal complaints, the president of the CNIL decided to conduct an inspection at the union’s headquarters on Friday, September 12.
Personal data: An internal “wall of idiots” within the union, intended to prepare for elections
The file in question reportedly contains a list of around one hundred FO (Workers’ Force) executives, each accompanied by a particularly varied and controversial set of comments. The leaked documents include personal data associated with:
- comments related to political beliefs (e.g., “anarchist,” “Trotskyist”), sexual orientations (e.g., “homosexual”),
- health conditions, and subjective judgments such as “naive,” “stupid,” “Freemason,” “scum,” “cowardly,” “homophobic,” “completely crazy,” “unreliable,” “collaborator,” or even “too intelligent to join the confederation’s executive committee.”
When questioned by the weekly magazine, Pascal Pavageau explained that it was a “stupid blunder” and a “serious mistake” by two female colleagues. “For me, it was a memo, a kind of note-taking exercise, but I had never seen or approved the result, which is riddled with nonsense, with…”accourcis. »
In the past, the CNIL has been extremely vigilant regarding the content of this type of document, severely penalizing abuses and legal breaches. It may also transmit the information it possesses to the courts if criminal offenses are discovered.
GDPR and CNIL: A recurring and illegal practice in professional environments
Numerous cases involving unregulated employee data files or rating systems regularly result in prosecutions: Leroy Merlin, France Télévisions, RATP, SNCF, Boulanger, and, internationally, FedEx and Lufthansa. This practice of data collection is prohibited by the French Labor Code and the Data Protection Act.
Article L1222-2 of the Labor Code stipulates that “information requested from an employee may only be used to assess their professional skills. This information must have a direct and necessary link to the evaluation of their skills.”
The personal data that may be collected can relate to identity, education, career management, performance appraisal, or the validation of prior learning and experience.
While the use of a “comment” field is not prohibited by law, it must be filled out with the greatest possible objectivity, recording remarks that are “relevant, adequate and not excessive”.
The data protection law specifies on this point that the assessments appearing in these areas must be relevant, adequate and not excessive, each employee assessed being able to access their own assessment data on simple request and obtain a copy.
Personal data: Professional practices and compliance
It is important for companies and businesses to anticipate their legal and regulatory obligations in this area to enable employers to evaluate their employees and monitor their activity, progress, and career development within the organization.
The creation of performance evaluation files is a common practice, but their content must be carefully controlled. Beyond any insulting or denigrating comments, any rating or reference not directly related to the employee’s work must be prohibited.
Only objective evaluations are permitted, generally based on legal criteria or derived from internal company documents: internal regulations, training programs, schedules, meetings, etc.
The Force Ouvrière union case is likely to become a cautionary tale in this regard. It will be up to the CNIL (French Data Protection Authority) to determine the appropriate follow-up, sanctions, and, if necessary, their publicity.
