In France, companies (i) operating their own voluntary whistleblowing hotlines or (ii) required to operate one by law (e.g. because of the so-called French Sapin 2 law) are encouraged to ensure that their associated data processing activities are compliant with the recently updated referential issued by the French Data Protection Authority ("CNIL").
A summary of the main elements introduced by the CNIL referential is set out below.
The CNIL referential introduces new rules on transparency, requiring whistleblowers to be provided with a data protection notice at the start of the whistleblowing process, for example by placing this on the whistleblowing reporting site.
Anyone accused in a whistleblowing report must also be provided with a data protection notice within a month of the report being made, although no information about the whistleblower may be disclosed during the investigation. There are exemptions for providing this notice if alerting the incriminated individual would compromise the investigation.
The referential also sets out precise rules on retention, requiring all information to be deleted or anonymised within two months of the end of the whistleblowing investigation, unless legal proceedings have been started. Information which is not relevant to the investigation must also be deleted or anonymised.
The CNIL referential also explains how individual rights granted under GDPR apply to whistleblowing scenarios. For example, the investigated individual has the right to receive an answer to an access request, as long as this does not disclose the identity of the whistleblower.
The right to object does not apply to legally required whistleblowing hotlines, but does apply to voluntary hotlines. In these cases, the organisation would need to examine the objection request and consider, on a case-by-case basis, whether there is a legitimate overriding interest in the whistleblowing hotline or whether the investigation is required to defend a claim or exercise a legal right. As this is likely to often be the case, many voluntary hotlines will be able to refuse the right to object, but will still be required to consider any requests.
As operating whistleblowing hotlines present particular privacy challenges due to the sensitivity of the information being collected, the CNIL emphasises the need for robust security measures.
The referential sets out detailed security measures which organisations are expected to implement: IT requirements (such as regular password changes and access controls), physical security (such as anti-intruder alarms) and organisational measures (such as due diligence on processors and appropriate staff training).
Any organisation operating a whistleblowing hotline will also need to carry out a data protection impact assessment (DPIA), as this is a type of processing on the CNIL's DPIA blacklist. The CNIL's new referential can be used to help compile a DPIA, using the points raised in the referential to identify the processing risks and relevant mitigating measures.
Companies required to maintain a record of processing activities will also have to ensure that their register contains information about whistleblowing activities.