France: The French Data Protection Agency Publishes New Data Privacy Self-Assessment Tool for Intra-Group Transfers
Multinationals with operations in France must comply with the European General Data Protection Regulation (“GDPR”) when transferring personal data outside the European Union. This includes personal data relating to employees. Adopting “Binding Corporate Rules” (BCRs) is one way multinationals can ensure compliance.
The recently published self-assessment tool, available in English, can be used by French entities and also by the Group Data Privacy Officer to verify the correct implementation of BCRs and thus ensure compliance with data protection principles.
In particular, this includes ensuring that the BCRs have been communicated or are easily available to employees, that employees with permanent or regular access to personal data (e.g., customer files, HR databases) have been properly trained, and that violation of the BCRs can lead to disciplinary sanctions.
Key Action Points for Human Resources and In-House Counsel
Ensure that you have implemented proper procedures with regard to transferring personal data outside France, including informing staff and putting in place the appropriate program. The fact that a violation of your data protection policy can give rise to sanctions should be included in the company’s internal rules (“règlement intérieur”).