The French Data Protection Authority (“CNIL”) published new guidelines on December 10, 2019 to help companies comply with GDPR [1] requirements when implementing internal alert systems [2].
In France, setting up an internal reporting system has been mandatory since the Sapin II law for companies with more than fifty employees [3]. This obligation has been expanded by the duty of vigilance law [4], and many large companies go beyond their legal obligations to meet international compliance expectations by providing reporting systems for violations of the code of conduct and internal rules.
After the entry into force of the GDPR, the reporting system operated under the single authorization AU-004 was no longer adequate [5]. On July 18, 2019, the CNIL therefore decided to adopt guidelines for private or public organizations implementing a system for collecting and managing professional alerts that requires the processing of personal data [6].
These Guidelines, based on a public consultation, update and strengthen the CNIL’s expectations on professional alerts by integrating the changes linked to the implementation of the GDPR in France and the amendment of the Data Processing and Individual Liberties law of 1978 [7].
Compliance with these Guidelines enables organizations to ensure that the data processing carried out in the context of alert systems complies with data protection principles.
I. A pragmatic reminder of the GDPR principles with respect to the alert data processing
The Guidelines stress the fundamental principles governing the collection of personal data following a professional alert, by outlining the steps in processing an alert.
The purpose of the GDPR is to guarantee a high level of protection for the persons whose personal data are processed and to increase the accountability of those involved in such processing.
First, the data processing must fulfil a specific purpose and be justified with regard to the entity’s missions and activities [8].
It is also up to the data controller to identify the legal basis of the processing before any processing operation takes place [9]. For an internal alert system, that basis is compliance with a legal obligation requiring the implementation of such a system (i.e. Articles 8 and 17 of the Sapin II law [10] and Article 1 of the duty of vigilance law [11]). The controller is also required to collect only the information that is relevant and necessary for the purpose of the processing operation [12]. The conditions for receiving personal data are also specified: the Guidelines provide that only authorized persons shall have access to the personal data [13].
The period for which the data may be retained warrants clarification. The CNIL, recalling the GDPR provisions, merely indicates that when no follow-up is given to an alert, the data must be destroyed. Anonymous data, on the other hand, may be kept for an unlimited period [14]. In all other cases, the situation needs to be assessed on a case-by-case basis.
II. The guarantee of individual rights and its limitations
The Guidelines also contain recommendations on information, the rights of individuals, and a list of security measures applicable to the information system. The controller must inform the person concerned about the processing. More specifically, the Guidelines provide that the person who is the subject of the alert must be informed within one month of the alert [15]. This right to be informed may be difficult to implement. There is an exception, however: the information can be postponed when providing it is likely to compromise the objective of the alert (for example, through the destruction of evidence) [16].
While the European Directive on whistleblowers leaves Member States free to decide whether to accept anonymous reports [17], the CNIL recommends that companies do not encourage reporters to remain anonymous [18]. In any event, information likely to reveal the identity of the reporter cannot be disclosed without that person’s consent, except to the judicial authority [19].
The processing of report data nevertheless involves some restrictions on the rights of individuals. For instance, the company may refuse a request to object, either by invoking its legal obligations or by invoking the exceptions for compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims. Companies will therefore have to ensure that every objection request is carefully examined to assess its admissibility.