It is common for a company to create an exclusion file that allows it to identify “bad debtors” and exclude them from all future transactions.

The Commission nationale de l’informatique et des libertés (“CNIL”) published on 13 November  the following recommendations for this type of data base.

  • The exclusion file must only concern actual unpaid bills, rather than be used to detect a simple risk. It will be necessary to delete the data within 48 hours of payment.
  • A human verification must be carried out before the registration in the data base. For example, it is necessary to carry out additional checks such as sending reminders and confirming that the missed payment is not due to a misunderstanding, etc.
  • The payment incident shall not be shared with anyone, including other merchants or data bases.
  • It is necessary to check the relevance of the personal data collected.
  • The data subject must be informed, in principle, at the time of the contract about the existence of the exclusion list and the possibility that the person will be registered if payment obligations are not met.  If the data subject subsequently fails to meet a payment obligation, they must also be informed at that time of the payment options open to them (for example, will the company accept payment by check, over the phone or perhaps by direct bank transfer online?)  The data subject must also be informed that they may challenge the company’s decision that the data subject has not complied with a payment obligation.  In any event the data subject must be told that the has been added to the bad debtor list.
  • The debtor must be  informed of his/her  rights as a data subject (right to access to rectify etc).
  • Data should not be retained for longer than necessary (i) data should not be retained beyond 3 years from the occurrence of the outstanding payment, except where justified in writing the need to keep the information longer and (ii) data has to be deleted  within 48 hours of payment.
  • Adequate security measures have to be implemented and  access shall be limited to specially authorized employees.

The processing activity has to be registered with CNIL (at least until 25 May 2018).