Home

Some companies that have chosen us

Privacy Officer and Privacy Consultant
CDP Scheme according to ISO/IEC 17024:2012
European Privacy Auditor
ISDP©10003 Certification Scheme according to ISO/IEC 17065:2012
Auditor
According to standard UNI 11697:2017
Lead Auditor ISO/IEC 27001:2022
According to standard ISO/IEC 17024:2012
Data Protection Officer
According to standard ISO/IEC 17024:2012
Anti-Bribery Lead Auditor Expert
According to standard ISO/IEC 17024:2012
ICT Security Manager
According to standard UNI 11506:2017
IT Service Management (ITSM)
According to the ITIL Foundation
Ethical Hacker (CEH)
According to the EC-Council
Network Defender (CND)
According to the EC-Council
Computer Hacking Forensics Investigator (CHFI)
According to the EC-Council
Penetration Testing Professional (CPENT)
According to the EC-Council

Professional qualifications

Stay up-to-date with world news!

Select your topics of interest:

News

Home / News
/
FRENCH SUPERVISORY AUTHORITY: Processing of criminal records: CNIL calls two ministries to order

FRENCH SUPERVISORY AUTHORITY: Processing of criminal records: CNIL calls two ministries to order

On October 17, 2024, the CNIL called the Ministry of the Interior and Overseas Territories and the Ministry of Justice to order for their poor management of the criminal record processing file (TAJ).

The context

The processing of criminal records (TAJ) is a judicial police file that records information relating to victims of offences and persons implicated and charged in the context of criminal investigations. In addition to the offence in question, it contains data relating to the identity of the persons, accused and victims, in particular information on their civil status, address, profession and photograph.

This file is used in particular in the context of judicial investigations to find the perpetrators of offences, but also in the context of administrative investigations, with a view to assessing the risk or incompatibility of a person with certain public or sensitive jobs, or for examining applications for obtaining French nationality.

Following a monitoring procedure involving representatives of the two ministries and several public prosecutors’ offices of judicial courts and courts of appeal, the CNIL noted the existence of several shortcomings in connection with the conditions under which personal data contained in the TAJ are processed.

As a result, the restricted committee – the CNIL body responsible for issuing sanctions – called the Ministry of the Interior and Overseas Territories and the Ministry of Justice to order. In addition to these sanctions, which it wished to make public, the restricted committee also ordered the ministries to comply with the Data Protection Act.

Breaches of the Data Protection Act

The retention of inaccurate, incomplete or outdated data (article 97 of the Data Protection Act)

The Code of Criminal Procedure provides that certain updates to the file are mandatory depending on the judicial follow-up given to the case. Thus, the data must be rectified during a judicial reclassification and they must be deleted in principle in the event of a decision of acquittal or discharge , unless the public prosecutor or the referring magistrate requests that they be maintained. In this case, the data will be noted, preventing them from being consulted in the context of administrative investigations. In the event of a dismissal or filing without further action, the data of the persons accused are in principle noted, unless the public prosecutor or the referring magistrate requests that they be deleted.

However, many public prosecutors’ offices did not automatically transmit decisions of acquittal, discharge, dismissal and closure without further action to the TAJ manager. As a result, the corresponding files were not deleted or could not be the subject of a note indicating that there had been a dismissal or acquittal. This absence can have concrete and serious consequences for individuals, in particular because it can influence the conclusion of administrative investigations prior to the exercise of a profession or admission to sit a civil service competition. The CNIL considered that, in the absence of transmission by the judicial authority of the elements allowing updates to be made in the TAJ, the management services are not in a position to ensure the accuracy of the data contained in the file.

Failure to inform the persons concerned (article 104 of the Data Protection Act)

The CNIL also noted that the information communicated during the data collection was not specific to the TAJ file and could be incomplete or even non-existent, depending on the management services responsible for data collection or the status of the persons concerned (accused or victim). Thus, the persons concerned were likely to be unaware of the very existence of this file. During the procedure, the Ministry of the Interior and Overseas Territories took measures to ensure that the persons concerned were better informed.

Failure to take into account the rights of the persons concerned (articles 105 and 106 of the Data Protection Act)

The CNIL finally noted that the TAJ management services are having difficulty obtaining responses from the public prosecutors consulted in the context of requests for access rights from individuals and considers that this undermines the effectiveness of individuals’ rights ( rights of access , erasure and rectification ).

The CNIL decision

While responsibility for TAJ processing lies with the Ministry of the Interior and Overseas Territories, the Code of Criminal Procedure gives the Ministry of Justice a key role in implementing the TAJ. The CNIL therefore considered that it was also competent to issue a warning to the two ministries to order them to take the necessary measures to comply with the regulations.

The CNIL has therefore ordered the ministries to:

  • take measures to better ensure the accuracy of data , in particular by ensuring that decisions of dismissal and acquittal are taken into account in the TAJ; these measures could notably consist of a system allowing the automated repercussion of these court decisions in the TAJ;
  • guarantee the effectiveness of individuals’ rights , for example by setting up an effective procedure that is generalised to all jurisdictions, aimed at ensuring that a response is systematically provided within two months to the TAJ management services following a request to exercise rights.

The restricted formation attached to these injunctions a deadline for compliance expiring on October 31, 2026.

By making its decision public, the restricted committee highlights the age of the problem concerning a file implemented by public actors, the significant number of people concerned and the sensitivity of the processing (data of victims or of people accused, who may be minors).

https://www.cnil.fr/fr/traitement-dantecedents-judiciaires-la-cnil-rappelle-lordre-deux-ministeres

Recommended to you

Advanced Research