Implementing whistleblowing hotlines in France has caused
significant concern for companies implementing such hotlines
globally, as French regulation had considerably narrowed their
scope with the major threat of considering non-compliant hotlines
as null and void.
Times have changed: a couple of months ago, the French CNIL
adopted an important modification of its unique authorisation
policy AU-004 dedicated to whistleblowing hotlines, last revised in
2010. Initially, the companies were only allowed to collect and
record through a whistleblowing hotline any serious situation
related to banking, accounting, financial, and fight against
corruption areas, as well as any facts involving compliance with
the applicable competition law – but only to "answer
to a legislative or regulatory requirement".
Every time the planned policy fell outside this very limited
scope, the company had to ask the CNIL an individual authorization
with very limited chances of success, besides an exception
To face those increasing requests – more than 60 between
2011 and 2013 – the CNIL amended its AU-004 in two ways:
In addition to the areas already under its scope, the
Commission extended the unique authorization system to
environmental protection, fighting against discriminations and
harassment in the workplace, and health, hygiene and security at
The AU-004 now applies in those areas to "answer a
legislative requirement or a legitimate interest".
In order to empower and protect users of such hotlines, the
Commission has always insisted on the principle of an
identification of the author of the alert , which has been
reaffirmed. Nevertheless, the new applicable rules open the way
towards anonymous alerts in exceptional cases, when "the
gravity of the facts is established and the factual elements
sufficiently detailed". The Commission specifies that
processing those anonymous alerts has to be surrounded with special
precautions, such as a "preliminary examination, from its
first consignee, on the opportunity of its diffusion within the
With these amendments, the CNIL obviously seeks to ease, step by
step, the use of whistleblowing hotlines in France, and to finally
allow global compliance programs to be rolled out without too many
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
In this article Filippo Noseda examines the impact of the Common Reporting Standards (CRS), based on practical examples of data transfer and data breaches and analysed in the light of general tax law principles.
Four years after the overhaul of European data protection laws began, the final text of the new General Data Protection Regulation (GDPR) was approved in Spring 2016 and the new rules will come into effect on 25 May 2018.
This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.
The market of the so-called "connected vehicles" has been considerably growing since 2015. According to a recent study by AlixPartners, 78 million of connected vehicles will be commercialized in 2018, generating a EUR40 billion turnover.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).