These recommendations apply to customers based in France 🇲🇫
Since August 2021, the use of the photo time-clock has raised quite a few questions, following formal notices from the CNIL (Commission Nationale de l'Informatique et des Libertés).
To put it simply, 4 organizations were pinned down by the president of the CNIL who considered that the obligatory and systematic taking of photographs of employees, two to four times a day, was excessive, especially since it was found that, in practice, managers had very little access to these photos in order to control employees' schedules. The control therefore appeared excessive and not always justified!
Thus, according to the CNIL, the control of employees' schedules by conventional devices, without taking photos, appeared sufficient.
Therefore, these organizations have been put on notice to comply with the GDPR (General Data Protection Regulation).
What happened ?
The CNIL (Commission Nationale de l'Informatique et des Libertés) is a regulatory organization and, as such, is responsible for controlling (when requested or on their own) the compliance, of the devices put in place, with the RGPD (General Data Protection Regulation).
In 2018, following 6 complaints, the CNIL carried out 4 checks at the organizations involved and found that the photo-badging devices in place are against the provisions of the GDPR.
👉 The president of the CNIL has therefore issued a formal notice, to these organizations and only these organizations, to comply with the RGDP within 3 months.
Even though the organizations that were served with a formal notice were not users of the Combo solution, we immediately set up a working group and commissioned a specialized law firm to analyze the CNIL's position and evolve our solution to ensure our customers' compliance with the regulations.
How did we react ?
First, with the help of our Law Firm, we put the CNIL's formal notices into perspective in three respects:
These formal notices are targeted. They were only issued against controlled organizations;
These are not sanctions, but formal notices. The CNIL itself specifies on its website: "A formal notice is an injunction from the President of the CNIL addressed to a data controller or a processor, to cease one or more breach(s) found in the General Data Protection Regulation (GDPR) within a set period. It comes after a complaint received by the CNIL or an inspection (online or on site) carried out at an organization. A formal notice is not a sanction."
📌 https://www.cnil.fr/fr/la-procedure-de-mise-en-demeure
Finally and most importantly, it is important to emphasize that the CNIL has not formally prohibited the use of photo-badges. The warning relates to specific points: It is therefore still possible to set up or maintain a photo clock-in time control system, but taking certain precautions...
At Combo, using the time-clock, you can already be in control of your destiny as you have the ability to turn the photo option on and off at any time, allowing you to control how often you take photos of your employees. By default, the photo option is deactivated.
The principle is that of random photo-taking when clocking in : when the photo clock-in option is activated, by default the photo-taking will be done randomly according to an algorithm (the employee will then have a 10% chance of being photographed at sign-in).
But as life in a company evolves, it may be necessary, at some point, to accentuate this control. We therefore offer the possibility of activating a reinforced control: when this option is activated, all clock-ins will be systematically photographed. This control should obviously not be the rule, it should be limited in time and especially proportional to the purpose (in the case of suspected fraud, for example).
A message on the configuration interface alerts you when you enable the option.
In addition, regarding the retention period of the photographs : in compliance with the recommendations of the CNIL, at the expiration of a period of 30 days the photos are deleted from the time clock reports.
Finally, in accordance with the requirements of the CNIL, in our solution, the manager plays a role and exercises effective control since he validates the photos at the same time as validating the hours worked by the employees.
Again, we support the manager since we inform him via a message on the interface that, by validating the hours, he confirms that he has controlled the photograph generated by the time-clock.