October 20, 2018

October 19, 2018


October 18, 2018


CNIL Makes Recommendations on “Bad Debtor Data Bases”

It is common for a company to create an exclusion file that allows it to identify “bad debtors” and exclude them from all future transactions.

The Commission nationale de l’informatique et des libertés (“CNIL”) published on 13 November the following recommendations for this type of data base.

  • The exclusion file must only concern actual unpaid bills, rather than be used to detect a simple risk. It will be necessary to delete the data within 48 hours of payment.

  • A human verification must be carried out before the registration in the data base. For example, it is necessary to carry out additional checks such as sending reminders and confirming that the missed payment is not due to a misunderstanding, etc.

  • The payment incident shall not be shared with anyone, including other merchants or data bases.

  • It is necessary to check the relevance of the personal data collected.

  • The data subject must be informed, in principle, at the time of the contract about the existence of the exclusion list and the possibility that the person will be registered if payment obligations are not met. If the data subject subsequently fails to meet a payment obligation, they must also be informed at that time of the payment options open to them (for example, will the company accept payment by check, over the phone or perhaps by direct bank transfer online?). The data subject must also be informed that they may challenge the company’s decision that the data subject has not complied with a payment obligation. In any event the data subject must be told that they have been added to the bad debtor list.

  • The debtor must be informed of his/her rights as a data subject (right to access, to rectify, etc.).

  • Data should not be retained for longer than necessary: (i) data should not be retained beyond 3 years from the occurrence of the outstanding payment, except where the need to keep the information longer is justified in writing, and (ii) data has to be deleted within 48 hours of payment.

  • Adequate security measures have to be implemented and access shall be limited to specially authorized employees.

The processing activity has to be registered with CNIL (at least until 25 May 2018).

© Copyright 2018 Squire Patton Boggs (US) LLP



About this Author

Stephanie Faber Attorney Squire Patton Boggs Paris
Of Counsel

Stephanie Faber heads the Data Privacy & Cybersecurity Practice and the Intellectual Property & Technology Practice in the Paris office. She specialises in international business law, with more than 20 years of experience. Her legal practice encompasses business transactions and operations, as well as regulatory and compliance work.

In relation to the Data Privacy & Cybersecurity Practice, Stephanie advises on:

  • GDPR gap assessment and compliance programs

  • Data breach...

33 1 5383 7400