Guidance note: CNIL French whistleblowing policy
In May 2005, the French data protection authority (CNIL) refused to approve
two ethical hotlines set up by US companies to comply with Section
301 (4) of the Sarbanes-Oxley Act on corporate governance. However,
on November 10th 2005, the CNIL adopted a policy setting out a new
framework for corporate whistleblowing in France.
CNIL whistleblowing policy: FedEE summary
- Companies that require their financial records and statements to be certified by the US stock exchange have strong grounds for ensuring that no irregularities are present in their accounts. This brings them within the scope of article 7-5 of the 1978 French data protection law (as amended) as having a legitimate interest to protect their fundamental rights by establishing 'devices of alarm' to 'fight against corruption'.
- Details communicated to employees and other interested parties about a company hotline should include:
  - The entity responsible for the hotline.
  - Its purpose and the fields of activity covered.
  - Its voluntary nature and absence of penalties for individuals if it is not used.
  - The role and position of persons handling hotline communications.
  - The rights of people identified via the hotline to access and correct inaccurate information.
  - The disciplinary action that will be taken in the event of abusive and malicious accusations.
- Whistleblowing hotlines must be strictly limited to relevant financial fields and operated only for the purpose of exposing unlawful transactions.
- Hotlines should not be advertised as 'anonymous', although users should be offered the facility to provide their information on an anonymous basis.
- The identity of whistleblowers, if known, should be carefully protected and not communicated to the person(s) accused of wrongdoing.
- Data collected through a hotline should be recorded in an objective way, include a precise time and date, and be limited to those details necessary for the case to be investigated in an efficient way.
- The persons responsible for receiving hotline communications must be professionals who may be trusted to handle confidential information. They must be appropriately trained and strictly limited in number.
- Communication between those entrusted with handling hotline communications is permissible, but only where strictly necessary and in order to carry out any resulting investigations. All communications of confidential hotline information across national borders outside the European Union must be on the basis of safeguards set down for the international transfer of personal data.
- Those responsible for the operation of whistleblower hotlines may communicate statistical data concerning the system to other group operations provided the identity of users is not compromised.
- Data considered to be without foundation must be destroyed without delay. Data subject to investigation must be destroyed within two months of first being reported, unless the information is being held for the purpose of disciplinary or legal proceedings.
- The data reported through the hotline must be passed on to the person (or persons) who are the subject of the accusations 'without delay', but with due regard to the need to prevent them from destroying any possible evidence relating to the hotline report.
- Every facility must be given to the subject of whistleblowing reports to have access to the data relating to them (except any data which might identify the whistleblower) and to correct any facts that can be established as untrue or inaccurate.
- Companies must take all steps necessary to ensure that whistleblowing hotlines do not expose staff to false, abusive or disproportionate accusations.
- Companies that confine their whistleblowing systems to the detection of financial irregularities will be able to benefit from a single authorisation from the CNIL for all their French operations.
The CNIL intends to publish in due course a set of practical guidelines based on its new policy document.
FedEE provides a practical HR resource for companies operating internationally across Europe, with a focus on employment law, pay and labour relations. First established with EU funding in 1989, it is now a rapidly-growing independent organisation serving the needs of multinational employers worldwide.