The CNIL has set up a specific device to collect and process whistleblower reports in order to comply with the publication of the Waserman decree in early October.
Indeed, in December 2016, the « Sapin II » law introduced detailed mandatory whistleblower schemes (among others) for certain private and public sector organizations in France. This law came into force in 2018 and was amended in 2022 to transpose the EU whistleblower directive. The legal amendments went into effect on September 1, 2022, and the October 3, 2022, implementing decree took effect on October 5, 2022.
Whistleblowers’ reports to the CNIL must concern a breach falling under personal data protection regulations (RGPD, Loi Informatique et Libertés), including cybersecurity.
The alert must concern facts that have occurred or for which there is a strong probability that they will occur.
This CNIL mechanism is reserved for individuals who report or disclose, without direct financial compensation and in good faith, information relating to personal data, and more specifically:
- a violation of European Union law;
- a violation of the French Data Protection Act or the General Data Protection Regulation (RGPD);
- a crime or an offense;
- or a threat or harm to the general interest.
The whistleblower is not obliged to make an internal report before reporting to the CNIL.
However, where an internal reporting procedure exists within the organization concerned, the CNIL invites the whistleblower to use it if this does not expose the person to the risk of retaliation and if there is no risk of destruction of evidence.
In addition, the procedure implemented by the CNIL guarantees the integrity and confidentiality of the information collected in the context of a whistleblowing report and, more particularly, the anonymity of the whistleblower.
When processing an alert, the CNIL may request any information it deems necessary to assess the accuracy of the allegations made. Under the same conditions, the CNIL may provide confidential advice.
Finally, the CNIL can take various actions when a whistleblower sends it an alert: it can close the alert when it has become irrelevant or when the allegations are inaccurate or unfounded; it can also carry out checks and even impose sanctions if it considers that what has been reported to it justifies it.
It is therefore appropriate to ask whether this new system will have a significant impact on the number of reports received and the number of fines imposed by the CNIL. After having reviewed the CNIL's record for 2021, we will soon take stock of the year that has just ended. Could this new mechanism influence that assessment?