France: First EU country to issue revised whistleblowing hotline referential under the GDPR

Written By

Ariane Mole

Of Counsel
France

I am Global Chair of Data Protection. Thanks to many years of experience dedicated to data protection, I can provide innovative and practical solutions to clients around the world.

Gabriel Voisin

Partner
UK

As a partner in our London-based international Privacy & Data Protection practice, I advise companies on a range of international data and privacy compliance projects, including the implementation of global data management strategies, international data transfers and data compliance issues such as the General Data Protection Regulation (GDPR) or the ePrivacy directive. I am also a member of the firm's global (i) Executive Committee (ExCom) and (ii) Diversity & Inclusion leadership group.

In France, companies (i) operating their own voluntary whistleblowing hotlines or (ii) required to operate one by law (e.g. because of the so-called French Sapin 2 law) are encouraged to ensure that their associated data processing activities are compliant with the recently updated referential issued by the French Data Protection Authority ("CNIL").

A summary of the main elements introduced by the CNIL referential is set out below.

Transparency

The CNIL referential introduces new rules on transparency, requiring whistleblowers to be provided with a data protection notice at the start of the whistleblowing process, for example by placing this on the whistleblowing reporting site.

Anyone accused in a whistleblowing report must also be provided with a data protection notice within a month of the report being made, although no information about the whistleblower may be disclosed during the investigation. There are exemptions for providing this notice if alerting the incriminated individual would compromise the investigation.

Retention

The referential also sets out precise rules on retention, requiring all information to be deleted or anonymised within two months of the end of the whistleblowing investigation, unless legal proceedings have been started. Information which is not relevant to the investigation must also be deleted or anonymised.

Individual rights

The CNIL referential also explains how individual rights granted under GDPR apply to whistleblowing scenarios. For example, the investigated individual has the right to receive an answer to an access request, as long as this does not disclose the identity of the whistleblower.

The right to object does not apply to legally required whistleblowing hotlines, but does apply to voluntary hotlines. In these cases, the organisation would need to examine the objection request and consider, on a case-by-case basis, whether there is a legitimate overriding interest in the whistleblowing hotline or whether the investigation is required to defend a claim or exercise a legal right. As this is likely to often be the case, many voluntary hotlines will be able to refuse the right to object, but will still be required to consider any requests.

Security requirements

As operating a whistleblowing hotline presents particular privacy challenges, owing to the sensitivity of the information collected, the CNIL emphasises the need for robust security measures.

The referential sets out detailed security measures which organisations are expected to implement: IT requirements (such as regular password changes and access controls), physical security (such as anti-intruder alarms) and organisational measures (such as due diligence on processors and appropriate staff training).

Accountability obligations

Any organisation operating a whistleblowing hotline will also need to carry out a data protection impact assessment (DPIA), as this is a type of processing on the CNIL's DPIA blacklist. The CNIL's new referential can be used to help compile a DPIA, using the points raised in the referential to identify the processing risks and relevant mitigating measures.

Companies required to maintain a record of processing activities will also have to ensure that their register contains information about whistleblowing activities.
