In 2022, it is highly likely health data will still be at the center of concern for France’s DPA, the Commission nationale de l’informatique et des libertés. Indeed, this data, known as sensitive data in European law, has been widely collected and processed by many different data controllers and processors inthe current health context to fulfill different purposes, such as access to the workplace for certain professions, allowing establishment of the sanitary pass, monitoring the evolution of the pandemic, establishing vaccination campaigns, deepening research, implementing health protocols for people suffering from COVID-19 and more.
In view of the numerous data breaches that have occurred in this field and the numerous interests this type of data can arouse, the verification of the conformity of the data processing implemented and security measures taken should still give rise to numerous controls by CNIL agents.
Similarly, it is anticipated employee monitoring systems will be subject to increased vigilance by the CNIL. As a result of the pandemic, many employees are now working in a hybrid work environment, with periods of office work and periods of working at home. This requires companies to adapt, since they must allow them to continue carrying out their remote missions under the same conditions as if they were in the office.
Therefore, companies must give them access to personal data, such as data on customers, prospects, suppliers or even employees of the organization, under appropriate security conditions, all while controlling their activity (management of working time; respect of health and safety rules during telework; respect of instructions concerning the transfer of personal data of the persons concerned; respect of cybersecurity measures).
Cécile Martin for the IAPP, Partner, Ogletree Deakins