To follow up on French Data Protection Authority Blocks SOX Whistleblower Programs and Whistleblowers in France, here are CNIL’s FAQ on whistleblowing systems and its guideline document for whistleblower systems.
CNIL defined a set of rules that whistleblower systems must follow to be compatible with French data protection laws: Unique Authorisation dated December 8, 2005 (in French, without an English translation).
According to the FAQ on whistleblowing systems, a whistleblower system must be limited to:
serious risks to the company in the fields of accounting, financial audit, fight against bribery or banking areas can be collected and filed by the organisation in charge of handling the reports.
- Accounting and account auditing disorders,
- False entries,
- Tax evasion,
- Fictitious personnel employment,
- Bribery of public agents …
Specific examples in the banking area:
- Terrorism funding,
- Money laundering…
The whistleblower system may also be used to gather reports on facts
that affect the vital interests of the company or its employee’s physical or mental integrity
- Threat to the safety of another employee,
- Moral harassment,
- Sexual harassment,
- Insider trading,
- Conflict of interests,
- Serious environmental breaches or threats to public health,
- Disclosure of a manufacturing secret,
- Serious risks to the company’s information system security …
CNIL also takes the position that the whistleblowing system must not be compulsory, but merely encouraged. CNIL takes the position that the systems should not be designed to encourage anonymity. Confidentiality is fine but anonymity is not. CNIL provides this example language for the scope of a whistleblower system:
The system is open to employees who wish to inform the organisation about facts susceptible to breach applicable rules in the financial, account auditing and corruption prevention areas. This system is an alternative way of reporting genuine concerns which would not be adequately dealt with by other existing reporting channels such as line management or personnel representatives. If the vital interest of the company is threatened in other areas or if the physical or mental integrity of employee(s) is at stake, reports on such serious facts may be redirected to appropriate individuals within the company. No other type of reports can be made using this system.