FRANCE: Single Authorization for the processing of personal data resulting from Sapin II Law finally applicable

By Denise Lebeau-Marianna & Mathilde Hallé

The French Data Protection Authority (“CNIL”) has amended the Single Authorization No. AU-004 on whistleblowing systems.[1]

These modifications largely aim to simplify the formalities applicable to the processing of personal data resulting from the implementation of the compliance procedures required by French Law (dated December 9, 2016) regarding transparency, the fight against corruption, and the modernisation of the economy (also known as the “Sapin II Law”).

1.  The scope of the AU-004 has been widely extended

The CNIL has always been particularly watchful when it comes to whistleblowing systems, considering that French law did not offer any legal ground for allowing their implementation and that they tended to enable “organised denunciation” systems. This reluctance led the CNIL to adopt the Single Authorization No. AU-004 in 2005 to establish the conditions under which these systems could be considered lawful from a data protection perspective.

Initially limited to whistleblowing in the areas of finance, accounting, banking and anti-corruption issues, the AU-004 had already been amended in the past to reflect legal and regulatory changes. In 2010, the scope of the AU-004 had been extended to cover anti-competitive practices. In 2014, it extended further to include discrimination and harassment in the workplace, health, hygiene and safety issues in the workplace, as well as environmental issues (see our previous article on this).

With the enactment of the Sapin II Law, the CNIL extends once again the scope of the areas covered by the AU-004, by relying on this French law as the legal basis for this revision. The extension is much more significant than past modifications, as the limitations that were initially laid down in relation to the areas covered by the AU-004 are now lifted.

Indeed, the AU-004 now covers whistleblowing systems allowing any report or disclosure  of any of the following events (assuming they occur without pursuing any benefit and in good faith):

  • a crime or offence
  • a manifest and serious infringement of any international commitment duly ratified or approved by France;
  • a manifest and serious infringement of any unilateral act enacted by an international organization adopted on the basis of an international commitment duly ratified or approved by France;
  • a manifest and serious violation of laws or regulations;
  • a serious threat or damage to the public interest of which the whistleblower has had personal knowledge;
  • obligations defined by EU regulations and by the French Monetary and Financial Code or by the general regulations of the French Financial Markets Authority, which are monitored by the French Financial Markets Authority or the French Prudential Supervision and Resolution Authority; or
  • the existence of behaviors or situations contrary to the company’s code of conduct, with respect to corruption or traffic of influence, as soon as the processing is implemented by the data controller to comply with any legal obligation or to pursue its legitimate interest.

This list of areas subject to whistleblowing is extremely wide, and is much closer to the whistleblowing areas admitted for years in North America.

It is important to  note that the AU-044 will not cover reports relating to facts that are covered by (i) national defense secrecy, (ii) medical secrecy and (iii) legal privilege.

This extended scope comes along with other significant amendments which will impact organisations with existing whistleblowing systems.

2.  Significant amendments to take into account when implementing a whistleblowing scheme

Other amendments of the AU-004 that are likely to have an impact on organisations implementing whistleblowing schemes include:

  • Identity of the Whistleblower:
    • Whistleblowers may now be external and occasional collaborators of the organisation, not necessarily staff members.
    • The former version of the AU-044 already included the obligation to identify the whistleblowers and the ban to encourage anonymity. It is now specified that the whistleblower’s identifying information cannot be disclosed to any third party without his/her prior consent (except in the case of disclosure to judicial authorities).
  • Identity of the person concerned by the report: Likewise, information identifying the person subject of the report cannot be disclosed to any third party before it is established that the concern is well founded (except in the case of disclosure to judicial authorities).
  • Information of data subjects:
    • Information in respect of the processing of personal data must be provided to any potential user of the whistleblowing system. Therefore, as the system may now also be accessed by external or occasional collaborators, the entity will need to make sure it informs them as well.
    • The notice must notably include the different steps of the reporting process, define the recipients and the conditions in which the reports can be forwarded to them.
  • Recipients of the reports: The CNIL states that the reports may be addressed to the employer, the direct or indirect supervisor, but also to any third party contact person or provider, with the obligation to take contractual steps to ensure the security of the data provided and to guarantee the compliance with applicable regulatory requirements (in particular in terms of duration of data retention, confidentiality, misuse of the personal data, data recovery at the end of the contract, etc.).
  • Finally, the CNIL reassures American economic operators (often actively involved in the management of whistleblowing systems) by acknowledging the validity of the Privacy Shield in the instance of data transfers to certified recipients.

3.  What are the formalities to be filed by organisations?

Entities that have already committed to the CNIL to comply with the AU-004 do not need to file any additional formality with the CNIL. However, they need to review their privacy notice and their internal procedures to make sure they duly comply with the new conditions laid down by the AU-004, in particular regarding the processing of the identity of the whistleblower and of the persons concerned by the report, contracts with providers, etc.

If no formality has been filed and the whistleblowing system complies with the conditions of the revised AU-004, a commitment to compliance must be filed with the CNIL.

If the system is not compliant with the AU-004 (for instance, if the company plans to implement a whistleblowing system relating to issues covered by medical secrecy or by client-attorney privilege), a specific authorisation will need to be requested from the CNIL.

The adoption of the revised AU-004 will likely be welcomed by companies whose whistleblowing systems and hotlines tend to generalise and, for many, have become a key element of their compliance efforts. The revised AU-004 will certainly entail a decrease in the number of specific authorization requests relating to whistleblowing systems covering corruption, money laundering or terrorism financing, which have already significantly decreased since 2014.

For further information, please contact Denise Lebeau-Marianna (Partner, Paris) or Mathilde Hallé (Consultant, Paris).


[1] See Decision n° 2017-191 of 22 June 2017 amending Decision n° 2005-305 on authorizing the automated processing of personal data in the context of whistleblowing systems. This was published in the Official Journal on 25 July 2017.