On 20 March 2025, the National Commission on Informatics and Liberty (CNIL) adopted a recommendation on the use of multi-factor authentication (MFA) to support compliance with the General Data Protection Regulation (GDPR). The document is addressed to data controllers, processors, and providers of MFA solutions, setting out GDPR obligations applicable to the implementation of such systems. It includes guidance on identifying a legal basis for processing, minimising the scope of collected data, determining retention periods, and enabling data subjects to exercise their rights. The recommendation also outlines the conditions under which biometric authentication may be used and discusses the use of MFA on employees’ personal devices.