The CNIL’s new Guidelines import certain aspects of its former position on whistleblowing schemes. In particular, the CNIL maintains its position on anonymous reports by encouraging companies to incentivize whistleblowers to identify themselves. When exceptionally dealing with anonymous reports, companies must deploy specific and additional measures to assess the severity of the reported breach and what special care to apply.

The CNIL also has added new provisions based on the GDPR and the updated French Data Protection Act. Key provisions include:

• Scope: the Guidelines are now applicable to two types of whistleblowing schemes:
  1.  Schemes required by law pursuant to “Sapin II” (French Law articles 8 and/or 17) or the duty of care; and
  2.  Schemes implemented by a company on a voluntarily basis to collect alerts relating to lack of compliance with the company’s code of ethics or code of conduct.
• Legal basis for processing: Processing of personal data relating to whistleblowing alerts can be based on compliance with a legal obligation to which the company is subject (for instance the provisions of the “Sapin II”) or, if the company is not subject to a legal obligation to deploy a whistleblowing scheme, the legitimate interests of the company.

If companies deploy a single tool combining both schemes described above, the CNIL lists certain issues for special attention. For instance, regarding the legal basis, the CNIL indicates that companies combining both schemes must clearly distinguish the applicable legal basis for each purpose. For data retention periods, as data may need to be retained for different periods depending on the facts and alleged breaches described in each case, companies must ensure that appropriate retention periods are applied to data collected under each scheme.

To help with the implementation of these Guidelines, the CNIL provides companies with practical examples. For instance, information related to data subjects can be sent by e-mail or provided on a personally-delivered paper form. The Guidelines also provide companies with a list of technical and organisational measures to be adopted to ensure security.

The Guidelines are non-binding but they provide strong recommendations to help with the implementation of whistleblowing schemes with data protection principles. It is likely that the CNIL would require Controllers to justify deviating from the recommendations. A Controller may reasonably deviate from the Guidelines if the Controller is able to justify the deviation based on a particular scenario and appropriate measures exist to ensure that the processing operations still comply with protection of personal data regulations. The Controller must document the measures in a Data Protection Impact Assessment (DPIA), such a DPIA being compulsory here.

 Authored by Julie Schwartz