Update by the CNIL of its guidelines on whistleblowing systems

On 6 July 2023, the French data protection authority (the "CNIL") again updated its guidelines on whistleblowing systems; the previous version dated from December 2019. The update follows the French transposition of Directive 2019/1937 on the protection of persons who report breaches of Union law, through the law known as the "Waserman law", together with its implementing Decree of 3 October 2022.

The CNIL's updated guidelines continue to cover all types of whistleblowing systems and their data protection aspects.

The main changes from the previous version are the following:

  • Noteworthy items:
    • The scope of the guidelines has been extended to third-party entities offering services for receiving, processing and storing alerts, and new developments have been added on the possibility of outsourcing the management of internal whistleblowing systems to third parties;
    • New purposes for processing personal data collected in the context of a professional whistleblowing system have been added;
    • An obligation has been added to inform whistleblowers not only of the receipt of their alert but also of the actions taken or contemplated in response, to assess the accuracy of the allegations and, where applicable, to remedy the cause of the alert;
    • New developments relating to anonymous alerts (as distinct from the anonymisation of personal data) have been added;
    • The list of security measures to be put in place has been updated following the update of the CNIL's security guide in April 2023.
  • Clarifications:
    • Data retention: new clarifications have been provided on the applicable retention periods, the retention arrangements and the grounds for such retention.
  • Finally, certain requirements of the 2019 guidelines are no longer present:
    • The requirement to systematically conduct a data protection impact assessment before implementing a whistleblowing system, although the guidelines still note that they are of help when carrying out a DPIA;
    • The requirement to delete the data associated with an alert when no action has been taken within two (2) months following the end of the verification operations.

The CNIL has also issued an FAQ with its update.

Authored by Patrice Navarro, Sihem Hassani, and Alexandra Tuil.

Contacts: Patrice Navarro (Partner, Paris); Alexandra Tuil (Counsel, Paris); Sihem Hassani (Associate, Paris).


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.
