July 22, 2018

CNIL Makes Recommendations on “Bad Debtor Data Bases”

It is common for a company to create an exclusion file that allows it to identify “bad debtors” and exclude them from all future transactions.

The Commission nationale de l’informatique et des libertés (“CNIL”) published on 13 November the following recommendations for this type of data base.

  • The exclusion file must only concern actual unpaid bills, rather than be used to detect a simple risk. It will be necessary to delete the data within 48 hours of payment.

  • A human verification must be carried out before the registration in the data base. For example, it is necessary to carry out additional checks such as sending reminders and confirming that the missed payment is not due to a misunderstanding, etc.

  • The payment incident shall not be shared with anyone, including other merchants or data bases.

  • It is necessary to check the relevance of the personal data collected.

  • The data subject must be informed, in principle, at the time of the contract about the existence of the exclusion list and the possibility that the person will be registered if payment obligations are not met. If the data subject subsequently fails to meet a payment obligation, they must also be informed at that time of the payment options open to them (for example, will the company accept payment by check, over the phone or perhaps by direct bank transfer online?). The data subject must also be informed that they may challenge the company’s decision that the data subject has not complied with a payment obligation. In any event, the data subject must be told that they have been added to the bad debtor list.

  • The debtor must be informed of his/her rights as a data subject (right to access, to rectify, etc.).

  • Data should not be retained for longer than necessary: (i) data should not be retained beyond 3 years from the occurrence of the outstanding payment, except where the need to keep the information longer is justified in writing, and (ii) data has to be deleted within 48 hours of payment.

  • Adequate security measures have to be implemented and access shall be limited to specially authorized employees.

The processing activity has to be registered with CNIL (at least until 25 May 2018).

© Copyright 2018 Squire Patton Boggs (US) LLP


About this Author

Of Counsel

Stéphanie Faber specialises in international business law, commercial law, data protection and consumer law. With 20 years of experience, Stéphanie’s legal practice encompasses advising on, drafting and negotiating contracts in the following areas:

  • Commercial contracts including distribution agreements, services and supply agreements, advertising agreements, logistic agreements, general conditions of sales and sponsoring agreements;

  • Joint ventures, transfer of businesses, assets or licenses;
