Whistleblower protection and reporting channels in France

1. Is there a law on whistleblowing in your country?

A legal framework for whistleblowing already exists in France, which includes the following:

  • A law enacted on 9 December 2016, enforceable since 1 June 2017 (the “Sapin 2 Act”), which provides for general whistleblowing rules and for the protection of whistleblowers.
  • A law dated 27 March 2017, which provides for a duty of care for parent companies and contractors.
  • A law enacted on 21 March 2022, enforceable since 1 September 2022, transposing the European Directive of 23 October 2019 into French law. This law amends the law of 9 December 2016.
  • An implementing decree enacted on 3 October 2022 dealing with procedures for collecting and processing whistleblower reports.
  • A decree of 28 December 2022 on the supplementation of the personal training account of an employee whistleblower.

2. Does local law require private entities to establish a whistleblowing system? (If so, which private entities?)

Article 8 of the Sapin 2 Act, as amended by the law dated 21 March 2022, provides for the implementation of a whistleblowing procedure.

This obligation applies to the following:

  • Public entities with at least 50 employees, excluding municipalities with fewer than 10,000 inhabitants, public establishments attached to them and public establishments for inter-municipal cooperation whose members do not include any municipality exceeding this population threshold;
  • State administrations;
  • Private entities and companies run in their own name by one or more natural persons, employing at least 50 employees;
  • Any other entity falling within the scope of the European Union acts mentioned in B of Part I and in Part II of the Annex to Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report violations of EU law.

The Sapin 2 Act in its latest version does not sanction companies for failure to establish a whistleblowing procedure, but it does provide in Article 13 for a penalty of imprisonment for one year and a fine of EUR 15,000 for any person who obstructs "in any way whatsoever" the transmission of an alert to the company or to an authority.

4. Are there any mandatory requirements for establishing a reporting channel under local labour law?

Even if it was already required in practice due to the Works Council consultation powers on questions relating to the organisation, management and general running of the company, the implementing decree of 3 October 2022 now clearly provides that staff representatives must be consulted prior to the implementation of the internal procedure for collecting and processing alerts.

In addition, the reporting procedure must comply with the conditions laid down in the law and the decree dated October 2022.

5. Does local law require employee involvement when establishing a whistleblowing system?

According to the decree dated 3 October 2022, the procedure must be communicated by the entity by any means that ensures sufficient publicity, including by notification, posting or publication on its website or by electronic means.

In addition, since the law of 21 March 2022, internal regulations must include a reminder of the existence of the whistleblower protection system.

Article L. 1222-4 of the Labour Code also provides that no information concerning an employee personally may be collected by a system that has not been previously brought to the employee's attention.

All employees must therefore be provided with the whistleblowing procedures, and the documentation must be made available to them for consultation at any time.

6. Does local law prohibit employees from disclosing irregularities/misconduct externally, e.g. to the public?

Before the transposition of the European Directive, French legislation provided for an escalation principle where employees should first notify their employer, supervisor or any dedicated person designated by the employer. It was only in the event of inaction by the person receiving the alert within a reasonable time that the employee could alert external parties (e.g. judicial authorities, administrative authorities, professional organisations, etc.). As a last resort, if the alert was not acted upon within three months, the alert could be made public.

Whistleblowers can now choose the reporting procedure they wish to use, which includes the following options:

  • Either to proceed with an internal alert and then, if this alert was not handled with satisfactory diligence, to initiate an external alert, and finally, in the event of failure or reprisals, to issue a public alert;
  • Or to proceed directly to an external alert without any preconditions. External reporting may in that case be addressed to:
    • A competent authority listed in the decree of October 2022;
    • The Commissioner for Human Rights (Défenseur des Droits), who will direct it to the authority best placed to deal with it;
    • The judicial authority;
    • A competent EU institution, organisation or other competent entity.
  • Or to proceed with a public disclosure without prior external warning, but only:
    • In the event of serious and imminent danger,
    • In the case of information obtained in the course of professional activities, in the event of imminent or obvious danger to the general interest, and particularly where there is an emergency situation or a risk of irreversible harm,
    • When referring the matter to the competent authority would entail a risk of retaliation for the person making the alert, or when the alert cannot be effectively remedied due to circumstances (e.g. suspected conflict of interest, risk of concealment or destruction of evidence, collusion, etc.).

The decree of 3 October 2022 sets the conditions and deadlines of the process for collecting and processing whistleblower reports.

Article 6 of the law provides that a whistleblower is a natural person who reports or discloses, without direct financial consideration and in good faith, information concerning a crime, offence, danger or prejudice to the general interest, or a violation or attempted concealment of a violation of an international commitment legally ratified or approved by France, of a unilateral act of an international organisation taken on the basis of such a commitment, of EU law, or of a law or regulation.

When the information has not been obtained in the course of the professional activities, the whistleblower must have had personal knowledge of it.

In addition, the Act provides that the whistleblower may be an employee as well as an external and occasional collaborator (i.e. notably temporary workers, trainees or employees made available). This may also include shareholders, partners, members of the administrative, management or supervisory bodies, etc.

In addition, since the Act of 21 March 2022, protection is given not only to whistleblowers but also to natural persons connected with whistleblowers, legal entities controlled by whistleblowers, and facilitators.

The transposition law also extends certain protections offered to whistleblowers. Finally, to facilitate whistleblowing, the transposition law reinforces the confidentiality guarantees surrounding a report and supplements the list of prohibited retaliation measures (e.g. intimidation, damage to reputation, particularly on social networks, inclusion on a blacklist, etc.).

8. Are there any mandatory requirements and/or accompanying measures under local data protection law?

Under the GDPR, the preliminary formalities formerly carried out with the French Data Protection Authority (CNIL) have disappeared; instead, companies are required to be able to demonstrate their continued compliance with GDPR obligations.

In this regard, the CNIL published a reference system intended to provide a tool to help public and private organisations comply with the regulations on the protection of personal data when equipping themselves with systems for processing professional alerts (CNIL deliberation dated 18 July 2019). This reference system was updated on 6 July 2023 to take into account the changes introduced by the law and the decree of 2022.

Within this framework, the CNIL has specified the categories of data that can be collected in the context of a report:

  • Alert (in which facts are reported);
  • Identity, functions and contact details of:
    • the issuer of the alert,
    • persons who are the subject of the alert,
    • persons involved, consulted or heard in the gathering or processing of the alert,
    • facilitators and persons in contact with the sender of the alert;
  • Information gathered in the course of verifying the facts reported;
  • Reports on verification operations;
  • Action taken on the alert.

The CNIL underlines the importance of the principle of relevance and data minimisation and specifies that it is the responsibility of the data controller to ensure that only information that is relevant and necessary for the purposes of the processing is collected and/or stored in the whistleblowing system.

Concerning the duration of data retention, the CNIL provides that data collected must not be kept in a form that allows the identification of individuals for more than the time strictly necessary to achieve the intended purpose. In addition, data relating to an alert considered to be outside the scope of the system are either erased or anonymised. In this case, the data controller must inform the whistleblower that his or her alert cannot be processed under the alert framework and will therefore be deleted from the process (or anonymised, where applicable). The data controller may also refer the whistleblower to another competent department.

Where appropriate, the whistleblowing procedure mentions the existence of automatic processing of alerts and the compulsory particulars relating to it, such as the right of access, rectification and erasure.

These CNIL Guidelines and related Q&As are available in French on the CNIL website.

9. Does local law prohibit a group of entities from different jurisdictions from setting up a joint whistleblowing system?

No.

The law of March 2022 expressly introduced the possibility of establishing a common procedure for collecting and processing alerts for several or all companies in a group.

In addition, information relating to an alert issued within one of the companies in a group may be transmitted to another of these companies with a view to ensuring or completing processing.

This procedure must comply with the conditions laid down in the decree of 3 October 2022.