Sapin II – The CNIL gives its view on the whistleblowing systems

Difficulties with the whistleblowing provisions of Sapin II have been addressed by the National Commission of Informatics and Liberties.

Following Decision No 2017-191 dated 22 June 2017, published on 25 July 2017, any private organisation with more than fifty employees and some public organisations must set up a whistleblowing system by 01 January 2018 [1].

Difficulties had arisen in the implementation of Law No. 2016-1691 of 09 December 2016 (Sapin II), which requires relevant companies to put in place formal whistleblowing systems. The National Commission of Informatics and Liberties (CNIL) had decided that its "Single Authorization" for alerts (the Alert) was not compliant with the new requirements of Sapin II, in particular because the scope of the Alert was too restrictive. In the Decision, the CNIL proposes a modification of the Alert system, a welcome update for companies that will be required to comply with Sapin II in future.

The main changes to the Alert set out in the Decision relate to the scope of the alert, the potential for the information contained to be disclosed to judicial authorities, and the use of the “Privacy Shield” in circumstances where data is to be transferred outside the European Union.

Companies may therefore set up a whistleblowing system that incorporates the Alert as required by Sapin II, provided that the system conforms with the terms of the amended Decision. The relevant data controller will have to make an online commitment of compliance with the Decision on the CNIL website. Upon the acknowledgment of receipt of that commitment by the CNIL (which is usually sent within 24-48 hours), the whistleblowing system can be implemented.

Revised scope of Alert

Unsurprisingly, the Decision specifies that the Alert must now cover the very broad scope of alerts authorised by Sapin II, ie any alert concerning "a crime or an offence, a serious and manifest violation of an international commitment duly ratified or approved by France, of a unilateral act of an international organisation taken on the basis of such a commitment, of the law or of the regulation, or of a serious threat or injury to the public interest, of which [someone] has personal experience".

The Alert will also cover other types of alerts under Sapin II, including those issued under article 16 (alerts relating to a regulation supervised by the AMF) and article 17 (the alert system required by the plan for the prevention of corruption, relating to acts of corruption or trading in influence).

It should be noted that the Alert cannot relate to matters covered by professional secrecy of relations between a lawyer and his client (article 1).

Processing the identity of the whistleblower

The aspects of the Alert concerning anonymous complaints will remain unchanged, stipulating that "the organisation should not encourage people who use the system to do so anonymously". In fact, since the law and the decree aim at monitoring the alert with the whistleblower, it seems preferable for him to be identified.

The CNIL has previously specified restrictive conditions under which an anonymous Alert can be dealt with, each of which must be met: the alert must be serious, the facts must be sufficiently detailed, and the alert must require “special treatment” (including a preliminary screening by the receiver of the alert). Consequently, anonymous alerts will continue to be viewed as having insufficient detail for the CNIL to deal with them.

The confidentiality of the identity of the whistleblower must in any case be ensured throughout the processing of the Alert. It can only be disclosed to judicial authorities, with the consent of the whistleblower himself.

The identity of a person who is the subject of an Alert cannot be disclosed except to the judicial authority, and even then only once the alert is proven well-founded.

Data processing

In line with French law, the CNIL limits the types of data that can be processed to those that can be established objectively and those that are necessary for the processing of the Alert.

Therefore, no data can be processed that could be considered subjective, or too removed from the objectives of the Alert - for example data of an insulting nature.

Moreover, investigations by companies beyond the scope of the Alert are expressly prohibited by the Decision. It is therefore impossible for the recipient of the Alert to extend the scope of the alert to investigate similar or related facts.

Recipient of the data

The CNIL also specifies in the Decision that the direct or indirect supervisor, the employer or designated contact are only required to provide data for the Alert that is necessary for the performance of their duties.

For example, in a group of companies, the recipients of the Alert may send the data to the persons designated to manage the Alerts only if the transmission is necessary to check or deal with the Alert. Consequently, the CNIL’s view is that escalation of an alert to persons in charge of dealing with it involves an exercise of discretion, which means escalated Alerts could be viewed as being treated more favourably by the initial recipient.

Specific obligations are imposed on compliance or legal teams, or the external service providers who manage Alerts. Whether internal or external, these persons must be limited in number, specially trained and subject to a reinforced obligation of confidentiality (which should be specified by contract).

Transfers of personal data outside the European Union

In the Decision, the CNIL sets down conditions for data processing if the company in which the Alert is issued (parent company or subsidiary) or if the company handling the alert (third party provider) is established outside the European Union:

  • the legal entity in which the data recipient operates has joined the "Privacy Shield" (where the US company concerned has expressly chosen to include human resources data in the scope of the Alert);
  • the recipient of the Alert has concluded a transfer agreement based on the standard contractual clauses issued by the European Commission, and
  • the recipient of the alert has adopted internal rules which the CNIL has previously recognised as guaranteeing a sufficient level of protection of the private life and fundamental rights of individuals.

As a result, third parties offering outsourced Alert processing services will have to comply with these provisions, French parent companies will need to implement these requirements in order to deal with alerts issued by foreign subsidiaries, and foreign parent companies will need to comply in relation to Alerts issued by a French subsidiary.

Information to potential users and persons covered by the Alert system

The CNIL also provides that guidance must be made available to employees of the company both collectively and individually, as well as the potential users of the system to whom the Alert system must be explained (article 8).

The guidance will specify the steps in the procedure for collecting Alerts, its recipients and the conditions under which the Alert may be sent, in accordance with Sapin II.

This information may be given retrospectively to a person who becomes the subject of an Alert but who was not aware of the system beforehand (article 9).

Furthermore, insofar as they allow the supervision of employees' activity, whistleblowing systems require the works council to be informed and consulted beforehand, in accordance with article L.2626-47 §3 of the French Labor Code.

Other provisions

The Decision reminds companies of the retention periods for data from whistleblowing systems, which must comply with Sapin II, the decree, and previous CNIL decisions (article 6).

It also reiterates the security measures provided for in the legal provisions (article 7).

[1] In accordance with Law No 2016-1691 dated 09 December 2016 (Sapin II Act) and Decree No 2017-564 dated 19 April 2017.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.