Navigating French helpline requirements: CNIL requirements and the Single Authorization process explained

LRN offers a full range of applications and services to help companies manage their governance, ethics and compliance processes across the enterprise. The LRN Helpline solution represents an important element of this process. Helplines empower a workforce to play an active role in compliance by giving them a tool to report potential misconduct and to ask questions freely about ethical situations they face on the job. They also enable management to detect and respond to issues and to recognize trends that may call for early corrective action.

LRN Helpline is offered in collaboration with EthicsPoint. EthicsPoint has been studying European Union (E.U.) data privacy concerns for several years and has certified to the U.S. Department of Commerce its compliance with the Safe Harbor guidelines for the safe and secure treatment of personal information from workers in the E.U. When the draft guidelines regarding the use of helplines in France were released by the Commission nationale de l'informatique et des libertés (CNIL) in 2005, EthicsPoint created a working group, consisting of its leading multinational and international clients, to provide analysis, comments and questions regarding the viability of the whistleblowing scheme recommendations put forth. Working through Mark Schreiber, Esq., an expert in E.U. data privacy, counsel at Palmer Dodge and a member of the World Law Group, EthicsPoint was able to fully understand the CNIL process and rulings. The analysis and recommendations developed by EthicsPoint were submitted to the CNIL for consideration. The CNIL reviewed this information, along with similar comments from other leading organizations, and these comments helped to influence changes and to clarify the final whistleblowing scheme recommendations issued November 10, 2005.
As a result of its proactive approach to monitoring changes in legislation both domestically and internationally, EthicsPoint developed technology and modified its workflow processes to accommodate the CNIL requirements. EthicsPoint chose to follow the CNIL requirements because it believed they would prove the most stringent in the E.U. As a result, organizations utilizing our Data Privacy Module (part of the Reporting System) are well positioned to meet whistleblower requirements throughout the E.U.

The information contained within this document, while not to be interpreted as legal advice, is intended to go beyond a restatement of the CNIL guidelines and to outline practical considerations for multinational companies attempting to establish a sustainable global ethics and compliance program while respecting E.U. data privacy laws.

NOTE: This document is not intended as legal advice, nor does it imply the existence of any attorney-client privilege. Organizations should seek the advice of counsel to determine the appropriate steps to comply with any data privacy laws to which the organization may be subject.

Brief history of the CNIL guidelines and their online authorization process

In May 2005, the French data protection authority (CNIL) refused to approve the ethics helplines set up by two U.S. companies to comply with Section 301(4) of the Sarbanes-Oxley Act (SOX) on corporate governance. On November 10, 2005, the CNIL adopted guidelines setting out a new framework for corporate whistleblowing systems in France. The CNIL created these guidelines to be consistent with the SOX code of conduct and whistleblower requirements for U.S. and other public companies. These rules apply, however, to all public or private companies operating whistleblower programs in France. The November CNIL guidelines document promised organizations a definitive means for an expedited and automatic approval of their helpline operations in France.
The simplified online authorization, based on self-certification and online registration, was then released in December 2005 by the CNIL and is referred to as the “Single Authorization.” (What we call the helpline is, by the way, referred to by the CNIL as a “whistleblowing system.”)

The two CNIL submission alternatives

With these new guidelines, there are two ways in which an organization may seek CNIL approval:

1) Follow the online authorization procedure. This requires that the company helpline (whistleblower system) be limited in scope to audit, fraud, financial irregularity, anti-bribery and related subject matters; or

2) Submit a regular direct application to the CNIL.

After the online authorization certification has been “clicked through,” the company will be sent a receipt by the CNIL, expected within two weeks. Once the CNIL receipt is obtained, the company can immediately implement its helpline without further approval or review by the CNIL. The direct application to the CNIL, on the other hand, takes approximately two months for the CNIL to review, unless the CNIL requires further documents, which may prolong the process. This presentation is intended only to address the requirements of the online Single Authorization process, not the regular direct application to the CNIL.

Understanding the Single Authorization compliant method

Any procedure that captures or stores reported information or investigation data electronically (referred to by the CNIL as an “automated system”) must comply with the CNIL requirements for operating a whistleblowing system. Whether the system is internally developed or provided by a third party, a number of requirements must be in place in order to support the CNIL Single Authorization procedure (“Single Authorization”). We believe this document sufficiently captures these specific requirements and functionality to allow an organization to configure a helpline solution that it can confidently register with the CNIL.
The Single Authorization does not take into consideration any other French or European Union data protection requirements to which an organization may be subject. Individuals should contact their legal counsel regarding any additional data privacy requirements.

The E.U. Article 29 Data Protection Working Party (Working Party) issued an opinion document following the release of the CNIL guidelines. The Working Party opinion of February 1, 2006 discusses how whistleblowing schemes can operate in compliance with the 1995 Directive 95/46/EC and provides enhanced definitions regarding the processing of personal data, echoing the guidelines issued by the CNIL. The Working Party opinion also acknowledges that helplines are a useful mechanism for an organization to monitor its corporate governance, but the Working Party fell short of creating a pan-European directive regarding registration of an organization’s helpline operations.

The Single Authorization online registration process for a helpline system, which we will discuss here, is limited to France. Prior to using a helpline system, an organization must register its system online with the CNIL. The receipt process by the CNIL is anticipated to be very short, and there is no review of content by the CNIL. Once a declaration (application) has been received, the CNIL will forward a receipt of the declaration. With this receipt an organization can begin utilizing its system in France. While we have outlined the steps necessary to create a system in keeping with the Single Authorization registration, an organization is not precluded from applying on its own, now or in the future, directly to the CNIL for approval of a system that is outside the scope and parameters of the Single Authorization.
Regardless of whether an organization is using an internal system or a third-party provider, it must ensure that its system provides the organization with the workflow, communication and data protection tools necessary to support its compliance. Registration of a helpline with the CNIL is founded on a self-assessment and self-certification of an organization’s whistleblowing and data protection processes. It is the combination of the choices the organization makes in tailoring its system, utilizing the information received and processing reports that constitutes compliance, and it is this overall process that a company must certify online with the CNIL.

Specific Single Authorization requirements

The CNIL Single Authorization requirements, as will be explained within this document, are very specific. They cover not only the scope of what may be reported but also require establishing specific data report recipients and helpline report retention policies. As an organization considers whether to move forward with the Single Authorization, we believe there are a number of critical factors that must be given special attention during preparation. These are:

Scope of what may be reported

The CNIL Single Authorization allows the whistleblower system to accept reports only in the following categories: financial, auditing, accounting, banking, anti-bribery, or vital corporate interests related to these categories. The Working Party referred to this last group as fundamental and necessary to the legitimate interests of the data controller. These reporting categories are ones required under French or E.U. laws, or under SOX. Specifically:
Information about the helpline should be provided to reporters and should identify the entity responsible for the helpline including its purpose and scope. Additionally, reporters should be made aware:
It must be clearly communicated that abuse of the helpline may expose the caller to disciplinary sanctions as well as judicial proceedings. However, the good-faith use of the helpline, even if the facts are later found to be incorrect or inconclusive, will not expose the reporter to disciplinary action.

Protecting the reporter

In order to protect the data privacy of French citizens during the helpline’s operation and reporting procedure, two questions must be answered:
Should either the reporter be located in France (which conservatively assumes he or she is a French citizen) or the report involve an incident that occurred in France, the helpline system can only use the approved incident categories (as outlined above), and these reports should be identified as requiring special handling under the CNIL guidelines.

Selecting data privacy report recipient(s) (“DPRR”)

Identifying the appropriate report recipients to manage the report intake, investigation and resolution process is crucial to an organization. The CNIL requires that a “data privacy” assessment be made of the reported information and that particular precautions be taken before this information is communicated through the helpline system. Therefore, the person(s) selected should have a basic and clear understanding of the E.U. and French data protection laws and the online Single Authorization requirements. Some of the functions this person(s) will be responsible for understanding and implementing include:
Security precautions

Those responsible for the operation and use of the helpline should take all precautions necessary to preserve the security of the report details, specifically regarding their receipt, communication and retention. Should a reporter disclose his or her identity, this information must be treated confidentially to prevent retaliation. Access to report details should be restricted to those with a user ID and an individual password (changed regularly) or to those authenticated by other means. Access should be logged, and the access records regularly reviewed.

Transfer of personal data outside of France

In order to comply with E.U. data privacy laws, transfers of personal information to entities located in a non-E.U. country require either a data privacy agreement, approval by the data protection authorities that the organization provides adequate protections in the transfer of personal information, or Safe Harbor certification (in the case of a transfer to a U.S.-based organization) with the U.S. Department of Commerce. If an internal system or the third-party provider is Safe Harbor certified, transfers of personal information from an organization in any E.U. country to and through that third-party provider or internal system (for example, during the investigation process) are also covered. Because the transfer of information is different for every organization, a third-party provider may require assurances from the organization that it is in compliance with these same data protection principles, to ensure the provider’s continued compliance with Safe Harbor.

Depending on the procedure an organization develops to process reports, other precautions or specific data transfer agreements between the various divisions of the organization may be required. For instance, a French branch office may want to transfer personal information about an implicated person directly (not through a Safe Harbor certified third-party provider) to the U.S. corporate headquarters.
In this instance, the French branch office and the U.S. corporate headquarters would each need to have in place its own data transfer mechanism, unless the U.S. corporate headquarters is already Safe Harbor certified.

Notification of individuals identified in reports

The guidelines require that immediate notification be provided to the implicated party or to any individual whose personal information is contained in the report. The notification requirement is continuous, in that notification is required not only upon receipt of the initial report but also for any personal data received during the investigation process. However, should the report contain information that the report recipient(s) determine to be actionable, and should the investigative evidence associated with the report be at risk of compromise if the implicated party were notified immediately (for example, destruction of evidence), notification to the implicated party may be delayed until the organization believes the integrity of the evidence has been preserved.

Helpline report retention policy for archived reports

Reports that have organizational cultural significance, are believed to be of vital interest to the organization or to the physical and moral integrity of its employees, or that may show a pattern of behavior (even if these reports are not actionable), along with reports that have been fully investigated, may be archived and retained (according to the CNIL Single Authorization procedures). Other data may have to be deleted or archived.
For example, according to the CNIL guidelines, a report found by the entity to be unsubstantiated should be deleted or archived “immediately.” Also, personal data related to reports should not be kept more than two months after closure of the investigation, unless disciplinary procedures are undertaken against the accused person or there is other legal or court action against the incriminated person or the author of an “abusive report.” It should be noted that if disciplinary or legal proceedings have been initiated against either the implicated party or the reporter, the report and all related data may be retained by the organization until the proceedings or procedures have ended. Moreover, no report may be archived for a period exceeding the time limits of litigation proceedings, including any appeals. An organization should develop a retention policy for these archived reports and should keep in mind that this policy may differ from its existing data retention policy.

Personal data that may be collected

There is a select group of personal data that the CNIL allows to be processed under the Single Authorization. That data is:
When selecting a third-party provider or reviewing an internal system, an organization must ensure that the report intake procedure gathers data within these parameters, and it must be aware that information provided by the reporter in the free-form description of the incident’s details may fall outside this scope. Should the reporter provide information in the report details section that is outside these parameters, editing or removing this data is the responsibility of the DPRR.

Anonymity

Anonymity of reporters is permitted under the CNIL system, but the CNIL guidelines instruct that organizations must not “encourage” it in the use of the helpline. In fact, the CNIL has indicated that reporters should be encouraged to identify themselves. SOX only requires the availability of an anonymous reporting method, not that individuals use it. Based on its own corporate cultural expectations, an organization’s helpline operation should include a brief statement, for those reporting from or about issues in France, on how to report.

CNIL Single Authorization registration

This is an English translation of the forms on the CNIL website (in French) to be completed by companies notifying the CNIL that they are about to implement a whistleblowing system that is in compliance with the Single Authorization AU-004. The webpage is divided into 4 sections (numbered from 1 to 4 below, for purposes of this translation). It is provided for informational purposes only and should not be relied upon as an official translation or as authoritative. THIS PAPER WAS UPDATED JUNE 30th, 2007.

1. Declaring entity

This is the individual or company who is responsible for the information processing. Beware: parent companies cannot make the declaration on behalf of their subsidiaries. There is a scroll-down menu that provides a choice between either “a legal entity” or “an individual.” The information below in bold must be provided.
When “a legal entity” is selected, either “Public sector” or “Private sector” must be selected. Then, the following information is required: commercial register references, namely the SIREN number (9 digits) and the SIRET number (14 digits, the first 9 digits being the SIREN number); the commercial register code of professional activity (choose the APE code or NAF code from the scroll-down menu); name of the entity concerned; abbreviation or acronym; name of the department concerned; street address, zip code, city, name of the city and code of the post office that distributes the mail to the entity’s location (usually the same city as the one entered for “city”); telephone number; fax number; email address. Click on the “Next” button located at the bottom right of the page to go to the next page.
2. Contact person

This is the person whom the CNIL may contact in the event there are questions or they require further information.
There is a scroll down menu that provides a choice between either “the contact person is with the declaring entity” or “the contact person is with a third-party entity.” Check this box if you wish for a copy of the declaration receipt to be sent to the contact person. There is a scroll down menu for the prefix (Mrs., Miss, or Mr.) and then, the following information is requested: last name, first name, title or position, telephone number, fax number, email address. Click on the “Next” button located at the bottom right of the page to go to the next page, or click on the “Return” button to the left of the “Next” button to go back to the previous page.
3. Signatory of the declaration

The person who signs the declaration must be part of the declaring entity. This person must make sure that the information processing is in compliance with the present declaration and with the French law of January 6, 1978. An English language version of the law may be found at: http://www.cnil.fr/fileadmin/documents/uk/78-17VA.pdf. There is a scroll-down menu for the prefix (Mrs., Miss, or Mr.) and then the following information is requested: last name, first name, title or position, telephone number, fax number, email address. Click on the “Next” button located at the bottom right of the page to go to the next page, or click on the “Return” button to the left of the “Next” button to go back to the previous page. A receipt of the declaration will be sent to the signatory at the address of the declaring entity.
4. Purpose

This section concerns the information processing being declared in this declaration. There is a scroll-down menu with a proposed list of single authorizations. Choose the one that the declared information processing is in compliance with. If the organization uses a third-party whistleblowing system, it should select the single authorization AU-004 for “Management of professional alert system.” You may refer to the matching single authorization legal text by clicking on the orange icon (French only). The fields to be completed are the following: name of the software (insert the name of the third-party whistleblowing system), number of persons concerned (the number of employees to whom the system is made available), and the year the system is to be implemented. The question in bold letters, “Are there any data transfers to countries outside the European Union?”, must be answered by checking “Yes” or “No.” Click the “CONFIRM and submit the declaration to the CNIL” button located at the bottom right of the page to send your declaration, or click on the “Return” button to go back to the previous page.

Note: A data transfer is considered a transfer whether it is made electronically or on paper. Beware! Such international data transfers can only occur with countries that provide adequate protection, or if the data recipient(s) can guarantee that the transferred information is clearly safe and secure.