The French Data Protection Authority releases guidelines on whistleblower reports

The French Data Protection Authority (“CNIL”) published new guidelines on December 10, 2019 to help companies comply with GDPR[1] requirements when implementing internal alert systems[2].

In France, setting up an internal reporting system has been mandatory for companies with more than fifty employees since the Sapin II law[3]. This obligation was expanded by the duty of vigilance law[4], and many large companies go beyond their legal obligations to meet international compliance expectations by providing reporting systems for violations of their code of conduct and internal rules.

After the GDPR entered into force, the framework provided by single authorization AU-004 for reporting systems was no longer adequate[5]. On July 18, 2019, the CNIL therefore adopted guidelines for private or public organizations implementing a system for collecting and managing professional alerts that requires the processing of personal data[6].

These Guidelines, based on a public consultation, update and strengthen the CNIL’s expectations on professional alerts by integrating the changes linked to the implementation of the GDPR in France and the amendment of the Data Processing and Individual Liberties law adopted in 1978[7].

Compliance with these Guidelines enables organizations to ensure that data processing implemented in the context of alert systems complies with data protection principles.

I. A pragmatic reminder of the GDPR principles with respect to the alert data processing

The Guidelines restate the fundamental principles governing the collection of personal data following a professional alert, by outlining the successive steps in processing an alert.

The purpose of the GDPR is to guarantee a high level of protection for the persons whose personal data are processed and to increase the accountability of those involved in such processing.

First, the data processing must therefore fulfil a specific purpose and be justified with regard to the entity’s missions and activities[8].

It is also up to the data controller to identify the legal grounds of the processing prior to any processing operation[9]. For an internal alert system, this means complying with a legal obligation that requires such a system to be implemented (i.e. Articles 8 and 17 of the Sapin II law[10] and Article 1 of the duty of vigilance law[11]). The controller is also required to select only the information that is relevant and necessary for the purpose of the processing operation[12]. The conditions for receiving personal data are also specified: the Guidelines provide that only authorized persons may have access to the personal data[13].

The period for which the data may be retained warrants clarification. The CNIL, recalling the GDPR provisions, merely indicates that when no follow-up is given to the alert, the data must be destroyed. Anonymous data, on the other hand, may be kept for an unlimited period[14]. In all other cases, the retention period would need to be assessed on a case-by-case basis.

II. The guarantee of individual rights and its limitations

The Guidelines also contain recommendations relating to information, the rights of individuals, and a list of security measures applicable to an information system. The controller must inform the person concerned about the processing. More specifically, the Guidelines provide that the person subject to the alert must be informed within a month following the alert[15]. The right to be informed may be difficult to implement in practice. There is an exception, however: the information can be postponed when it is likely to compromise the objective of the alert (for instance, by leading to the destruction of evidence)[16].

While the European Directive on whistleblowers leaves it to Member States to decide whether anonymous reports must be accepted[17], the CNIL recommends that companies do not encourage reporters to remain anonymous[18]. In any event, information that is likely to reveal the identity of the reporter cannot be disclosed without that person’s consent, except to the judicial authority[19].

The processing of report data nevertheless involves some restrictions on the rights of individuals. For instance, the company may override the right to object, either by invoking its legal obligations or by invoking the exceptions of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the establishment, exercise or defence of legal claims. Companies will therefore have to ensure that any objection request is carefully examined to assess its admissibility.

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The regulation entered into force on 24 May 2016 and applies since 25 May 2018.
  2. CNIL guidelines relating to the processing of personal data for the implementation of alert system, July 18, 2019, https://www.cnil.fr/sites/default/files/atoms/files/referentiel-alertes-professionnelles_dec_2019.pdf.
  3. Article 8 of the Sapin II law (“Appropriate procedures for collecting alerts issued by members of their staff or by external and occasional partners shall be established by public or private law legal entities with at least fifty employees, State administrations, municipalities with more than 10,000 inhabitants as well as public inter-municipal cooperation establishments with their own tax system of which they are members, departments and regions”); Article 17, II, 2° requires French companies to set up “an internal alert system intended to allow the collection of signals from employees and relating to the existence of conduct or situations contravenes the company’s code of conduct”.
  4. French Corporate Duty Of Vigilance Law of March 27, 2017 establishes a legally binding obligation for parent companies to identify and prevent adverse human rights and environmental impacts resulting from their own activities, from activities of companies they control, and from activities of their subcontractors and suppliers, with whom they have an established commercial relationship, http://www.assemblee-nationale.fr/14/ta/ta0924.asp.
  5. The purpose of single authorization AU-004 was to provide a framework for professional warning systems in accordance with the provisions of the Sapin II law. It no longer has legal value since the entry into force of the GDPR.
  6. https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000039470506&fastReqId=2024022847&fastPos=4.
  7. Law n° 78-17 of January 6, 1978 on Data Processing, Data Files and Individual Liberties, https://fra.europa.eu/en/law-reference/act-ndeg78-17-6-january-1978-data-processing-data-files-and-individual-liberties.
  8. CNIL guidelines relating to the processing of personal data for the implementation of alert system, July 18, 2019, p.3.
  9. Article 6(1) of the GDPR sets out the conditions that must be met for the processing of personal data to be lawful. (“(a) the data subject has given consent to the processing of their personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks. These conditions are all equally valid and organizations should assess which of these grounds are most appropriate for different processing activities and then fulfil any further requirements the GDPR sets out for these conditions (GDPR Article 5)”).
  10. Article 8 III. and article 17 II. 2° of the Sapin II law.
  11. CNIL guidelines relating to the processing of personal data for the implementation of alert system, July 18, 2019, p.2.
  12. CNIL guidelines relating to the processing of personal data for the implementation of alert system, July 18, 2019, p.5 (“Which is often the case in the following category: identity, functions and contact details of the issuer of the alert; identity, functions and contact details of the persons who are the subject of the alert; identity, functions and contact details of the persons involved in the collection or processing of the alert; reported facts; evidence gathered; audit activity reports; follow-up to the alert”).
  13. CNIL guidelines relating to the processing of personal data for the implementation of alert system, July 18, 2019, p.7.
  14. CNIL guidelines relating to the processing of personal data for the implementation of alert system, July 18, 2019, p.8 (“In accordance with Article 5(1)(e) of the GDPR, personal data should be kept in a form which permits identification of individuals only for as long as is strictly necessary for the purposes of the aims pursued. It is therefore in the light of the purpose that the retention period will be determined”).
  15. CNIL guidelines relating to the processing of personal data for the implementation of alert system, July 18, 2019, p.7, referring to Article 12.3 of the GDPR (“The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request”).
  16. Article 14.5 b of the GDPR (“Paragraphs 1 to 4 shall not apply where and insofar as: […] in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available”).
  17. Directive (EU) 2019/1937, §34 (“Without prejudice to existing obligations to provide for anonymous reporting by virtue of Union law, it should be possible for Member States to decide whether legal entities in the private and public sector and competent authorities are required to accept and follow up on anonymous reports of breaches which fall within the scope of this Directive. However, persons who anonymously reported or who made anonymous public disclosures falling within the scope of this Directive and meet its conditions should enjoy protection under this Directive if they are subsequently identified and suffer retaliation”).
  18. CNIL guidelines relating to the processing of personal data for the implementation of alert system, July 18, 2019, p.6.
  19. CNIL guidelines relating to the processing of personal data for the implementation of alert system, July 18, 2019, p.7.