France: CNIL releases standard on processing traffic violation data
The French data protection authority ('CNIL') released, on 7 May 2021, a standard on the processing of data in relation to designating traffic violations. In particular, the standard sets out guidelines for public and private organisations, including vehicle rental companies and private employers who provide rental vehicles to employees, on the application of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') when identifying and designating drivers who have committed traffic violations, highlighting the following three main use cases:
- the designation, to the National Agency for Automated Offence Processing ('ANTAI'), of the person who was driving or was likely to have been driving the vehicle when the offence was observed;
- the monitoring of the procedure for recovering traffic violations for which public or private organisations may be financially liable; and
- the production of anonymous statistics, in particular with a view to adapting road prevention training.
For each of the above contexts, the standard explains how to apply the relevant data protection considerations, including what the applicable legal basis for processing would be, how to implement data minimisation, how long the data should be retained for, how to facilitate data subject rights, and how to ensure data security.