The Commission nationale de l'informatique et des libertés (CNIL),
Having regard to Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data;
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
Having regard to Law No. 78-17 of 6 January 1978 on information technology, data files and civil liberties, as amended by Law No. 2004-801 of 6 August 2004 on the protection of natural persons with regard to the processing of personal data, and in particular Article 25-I (4°) and Article 25-II;
Having regard to the guidance document on professional whistleblowing systems adopted by the Commission on 10 November 2005, annexed to this decision;
Having heard Mr Alex Türk, President, in his report, and Mrs Pascale Compagnie, Government Commissioner, in her observations,
A professional whistleblowing system is a system made available to the employees of a public or private body to encourage them, in addition to the normal means of alerting the organisation to malfunctions, to inform their employer of conduct which they consider contrary to the applicable rules, and to organise the verification of the alert thus collected within the organisation concerned.
Notes that professional whistleblowing systems ("whistleblowing") may take the form of automated processing of personal data which, by reason of its scope, is liable to exclude persons from the benefit of their employment contract in the absence of any legislative or regulatory provision.
Accordingly, such systems constitute processing within the meaning of Article 25-I (4°) of the Law of 6 January 1978 as amended and, as such, must be authorised by the CNIL.
Under Article 25-II of the Law of 6 January 1978 as amended, the Commission may adopt a single authorisation decision for processing operations which have the same purposes and concern the same categories of data and the same categories of recipients.
A data controller implementing a professional whistleblowing system in accordance with the provisions of this single decision shall send the Commission a commitment to comply with this authorisation.
Decides that data controllers who send the Commission a declaration containing a commitment of compliance for their processing of personal data meeting the conditions laid down by this single decision shall be authorised to implement such processing.
Article 1. Purposes of the processing.
Only processing operations implemented by public or private bodies in the context of a professional whistleblowing system which complies with a legislative or regulatory obligation under French law to establish internal control procedures in the financial, accounting, banking and anti-corruption fields may be the subject of a commitment of compliance by reference to this single decision.
In accordance with Article 7 (5°) of the Law of 6 January 1978 as amended, processing operations in the accounting and auditing fields implemented by undertakings subject to Section 301 (4) of the American Sarbanes-Oxley Act of July 2002 also fall within the scope of this decision.
Article 2. Processing of the identity of the issuer of the alert.
The issuer of a professional alert must identify himself or herself, but his or her identity is treated confidentially by the organisation responsible for managing alerts.
By way of exception, that organisation may collect the alert of a person who wishes to remain anonymous only under the following conditions:
- the processing of this alert must be surrounded by special precautions, such as a prior examination, by its first recipient, of whether it is appropriate to disseminate it within the framework of the system;
- the body does not encourage persons intended to use the system to do so anonymously, and the publicity given to the existence of the system takes this into account. On the contrary, the procedure is designed so that employees identify themselves to the organisation responsible for managing alerts.
Article 3. Categories of personal data recorded.
Only the following categories of data may be processed:
- the identity, functions and contact details of the issuer of the professional alert;
- the identity, functions and contact details of the persons who are the subject of an alert;
- the identity, functions and contact details of the persons involved in the collection or processing of the alert;
- the facts reported;
- the information gathered in the course of verifying the facts reported;
- the report of the verification operations;
- the action taken on the alert.
The facts collected are strictly limited to the fields covered by the whistleblowing system. Facts which do not relate to these fields may nevertheless be communicated to the competent persons of the body concerned where the vital interest of that body or the physical or moral integrity of its employees is at stake.
The handling of a professional alert is based solely on data provided in an objective manner, directly related to the field of the whistleblowing system and strictly necessary for the verification of the alleged facts. The wording used to describe the nature of the facts reported indicates their presumed character.
Article 4. Recipients of the personal data.
The persons specially charged, within the body concerned, with the collection or processing of professional alerts shall have access to all or part of the data referred to in Article 3 only to the extent that these data are necessary for the performance of their duties.
These data may be communicated to the persons specially charged with the management of professional alerts within the group of companies to which the body concerned belongs, if this communication is necessary for the verification of the alert or results from the organisation of the group.
If a service provider is used to collect or process alerts, the persons specially entrusted with such duties within the service provider shall have access to all or part of the data referred to in Article 3 only within the limits of their respective powers. The service provider appointed to manage all or part of the system shall, in particular, undertake by contract not to use the data for purposes other than those intended, to ensure their confidentiality, to respect the limited retention period of the data, and to destroy or return all manual or computerised media containing personal data at the end of its engagement.
In all cases, the persons responsible for the collection and processing of professional alerts shall be limited in number, specially trained and bound by an enhanced obligation of confidentiality defined by contract.
Article 5. Transfers of personal data outside the European Union.
This Article applies where the data communications envisaged in Article 4 involve a transfer to a legal person established in a country outside the European Union which does not provide an adequate level of protection within the meaning of Article 68 of the Law of 6 January 1978 as amended.
In such cases, these transfers of personal data must be carried out in accordance with the specific provisions of the Law of 6 January 1978 as amended relating to international data transfers, in particular Article 69, paragraph 8.
These provisions are satisfied where the legal entity for which the data recipient works has acceded to the Safe Harbor, provided that the American company concerned has expressly chosen to include human resources data within the scope of that accession.
These provisions are also satisfied where the recipient has entered into a transfer contract based on the standard contractual clauses issued by the European Commission in its decisions of 15 June 2001 or 27 December 2004, or where the group to which the entities concerned belong has adopted internal rules which the CNIL has previously recognised as guaranteeing a sufficient level of protection of privacy and of the fundamental rights of individuals. If these conditions are met, and if the processing from which the transfer originates otherwise complies with all the other provisions of this deliberation, this deliberation also authorises the envisaged transfer pursuant to Article 69, paragraph 8, of the Law of 6 January 1978 as amended.
Article 6. Retention period of personal data.
Data relating to an alert which the controller considers, as soon as it is collected, to fall outside the scope of the system shall be destroyed or archived without delay, subject to the application of the penultimate paragraph of Article 3.
Data relating to an alert which has been verified shall be destroyed or archived by the organisation responsible for managing alerts within two months of the closure of the verification operations, where the alert is not followed by disciplinary or judicial proceedings.
Where disciplinary or judicial proceedings are instituted against the person implicated or against the author of an abusive alert, the data relating to the alert are retained by the organisation responsible for managing alerts until the end of the proceedings.
Archived data are retained within an information system with restricted access, for a period not exceeding the limitation periods applicable to litigation.
Article 7. Security measures.
The controller shall take all necessary precautions to preserve the security of the data, both during their collection and during their communication or retention.
In particular, access to the data shall be by means of an individual identifier and password, renewed regularly, or by any other means of authentication. These accesses shall be logged and their regularity shall be checked.
The identity of the issuer of an alert is treated confidentially so that he or she is not prejudiced as a result of having come forward.
Article 8. Information of potential users of the system.
Clear and complete information shall be provided to the potential users of the whistleblowing system.
In addition to the collective and individual information provided for in the Labour Code, and in accordance with Article 32 of the Law of 6 January 1978 as amended, this information shall specify in particular the identity of the entity responsible for the system, the objectives pursued and the fields concerned by the alerts, the optional nature of the system, the absence of any consequence for employees who do not use it, the recipients of the alerts, any transfers of personal data to a State outside the European Community, and the existence of a right of access and rectification for the persons identified in the framework of the system.
It is clearly stated that misuse of the system may expose its author to disciplinary sanctions and to legal proceedings, whereas use of the system in good faith, even if the facts subsequently prove inaccurate or do not give rise to any action, will not expose its author to any disciplinary sanction.
Article 9. Information of the person who is the subject of a professional alert.
The person who is the subject of an alert shall, in accordance with Articles 6 and 32 of the Law of 6 January 1978 as amended, be informed by the person responsible for the system as soon as data concerning him or her are recorded, whether by computerised means or not, in order to enable him or her to object to the processing of such data.
Where precautionary measures are necessary, in particular to prevent the destruction of evidence relating to the alert, this person is informed after the adoption of those measures.
This information, which is provided in a manner which makes it possible to ensure that the person concerned has duly received it, shall specify in particular the entity responsible for the system, the facts alleged against him or her, the services to which the alert may be addressed, and the procedures for exercising his or her rights of access and rectification. If the person has not previously received it, he or she shall also receive the information provided for in Article 8 of this decision.
Article 10. Respect for the rights of access and rectification.
In accordance with Articles 39 and 40 of the Law of 6 January 1978 as amended, the person responsible for the whistleblowing system shall guarantee to any person identified in the system the right to access the data concerning him or her and to request, where they are inaccurate, incomplete, equivocal or out of date, their rectification or deletion.
The person who is the subject of an alert may in no case obtain from the controller, on the basis of his or her right of access, information concerning the identity of the issuer of the alert.
Article 11.
Any professional whistleblowing system involving the processing of personal data which does not comply with the preceding provisions shall be the subject of a request for authorisation from the Commission in the forms prescribed by Articles 25-I (4°) and 30 of the Law of 6 January 1978 as amended.
Article 12.
This decision shall be published in the Official Journal of the French Republic.
ANNEX
GUIDANCE DOCUMENT ADOPTED BY THE COMMISSION ON 10 NOVEMBER 2005 FOR THE IMPLEMENTATION OF PROFESSIONAL WHISTLEBLOWING SYSTEMS IN ACCORDANCE WITH THE LAW OF 6 JANUARY 1978, AS AMENDED IN AUGUST 2004, ON INFORMATION TECHNOLOGY, DATA FILES AND CIVIL LIBERTIES
The Commission nationale de l'informatique et des libertés notes the recent development in France of systems allowing employees to report conduct of their colleagues which is alleged to be contrary to the law or to the rules established by the company.
These "whistleblowing" systems are neither provided for nor prohibited by the Labour Code. Where they rely on the processing of personal data, that is, the collection, recording, retention and dissemination of information relating to an identified or identifiable natural person, they are subject to the Law of 6 January 1978 as amended, whether the processing is carried out on a computerised or a paper medium. Where they are automated, they must be authorised by the CNIL pursuant to Article 25 (4°) of that Law, by reason of the fact that they are liable to exclude persons from the benefit of a right or of their employment contract in the absence of any specific legislative or regulatory provision.
In May 2005, the CNIL refused to authorise two specific "ethics line" systems of this kind. It has, however, no objection in principle to such systems, provided that the rights of the persons directly or indirectly involved in an alert are guaranteed in accordance with the rules on the protection of personal data. In fact, these persons, in addition to the rights of defence afforded to them by labour legislation in the event of disciplinary proceedings, have specific rights recognised by the "Informatique et Libertés" Law and by European Directive 95/46/EC of 24 October 1995 when information concerning them is processed: the right for such information to be collected fairly, the right to be informed of the processing of such information, the right to object to such processing where a legitimate ground may be invoked, and the right to have inaccurate, incomplete, equivocal or out-of-date information rectified or deleted.
In order to contribute to the implementation of whistleblowing systems in accordance with the principles laid down by the Law and the Directive, the CNIL recommends that undertakings adopt the following rules, which relate only to the application of those texts and do not address questions for which the CNIL has no competence, in particular those relating to labour legislation.
1. Scope of the whistleblowing system: a complementary character, a restricted field, an optional use
The normal operation of an organisation implies that alerts about a malfunction in any field can be passed up to management through the chain of command or through open methods of alerting, such as the intervention of staff representatives or, in the field of account control, the reports of the auditors, whose protection and independence are specifically guaranteed under French legislation.
The introduction of a whistleblowing system may be justified by the assumption that these information channels might not function in certain circumstances. However, such a system cannot be conceived by undertakings as a normal means of reporting malfunctions of the undertaking, on an equal footing with the reporting methods managed by persons whose functions or duties are precisely to identify and address such malfunctions. In this sense, whistleblowing systems must be designed only as a complement to the other means of alert within the undertaking.
In order to take this intrinsically complementary character into account, a whistleblowing system must be limited in its field. Systems with a general and undifferentiated scope (such as those intended to ensure compliance with legal rules, internal regulations and internal rules of professional conduct) raise a difficulty of principle with regard to the "Informatique et Libertés" Law, in view of the risks of undue or disproportionate interference with the professional or even personal integrity of the employees concerned.
In this regard, it follows from Article 7 of the Law of 6 January 1978 as amended that whistleblowing systems can be considered legitimate only by reason of the existence of a legal (legislative or regulatory) obligation to establish such systems (Article 7 [1°]), or by reason of the legitimate interest of the controller, provided that interest is established and "subject to not disregarding the interest or the fundamental rights and freedoms of the person concerned" (Article 7 [5°]).
This legitimacy is established under Article 7 (1°) of the Law of 6 January 1978 where whistleblowing systems are implemented solely in order to meet a legislative or regulatory obligation under French law to establish internal control procedures in precisely defined fields. Such an obligation clearly results, for example, from the provisions relating to the internal control of credit institutions and investment firms (text adopted on 31 March 2005 amending Regulation No. 97-02 of 21 February 1997 of the Banking and Financial Regulation Committee).
On the other hand, the mere existence of a foreign legal provision under which a whistleblowing system would be put in place does not appear to legitimise processing of personal data within the meaning of Article 7 (1°). This is the case with Section 301 (4) of the Sarbanes-Oxley Act, which provides that employees of a company must be able to report to the audit committee their concerns about questionable accounting or auditing matters, with guarantees of confidentiality and anonymity.
In this case, however, it is impossible to ignore the legitimate interest, within the meaning of Article 7 (5°) of the Law of 6 January 1978, of French companies listed in the United States, or French subsidiaries of companies listed in the United States, which are required to certify their accounts to the U.S. securities regulator, in putting in place procedures for reporting alleged malfunctions in accounting and auditing. Obviously, the reporting to the board of directors of information relating, for example, to suspected accounting manipulations that may affect the company's financial results is a key concern for undertakings that raise funds from the public.
Far from being confined to the United States, initiatives have also been taken in Europe (see, in particular, the European Commission recommendation of 15 February 2005 on the role of non-executive directors and supervisory board members of listed companies and on the committees of the board of directors or supervisory board), which pursue the same objective as the Sarbanes-Oxley Act of strengthening the security of financial markets. These various texts clearly characterise, within the meaning of Article 7 (5°) of the Law of 6 January 1978, the legitimate interest of the undertaking in setting up whistleblowing systems in the fields they cover, and in this context such systems must therefore be considered acceptable.
For the same reasons, whistleblowing systems intended to combat corruption, such as the bribery of foreign public officials in international business transactions (OECD Convention of 17 December 1997, ratified by Law No. 99-424 of 27 May 1999), are legitimate.
Whistleblowing systems limited to the field thus defined will benefit from a single authorisation from the CNIL, subject to compliance with the other rules it recommends. On the other hand, for systems not based on legislative or regulatory obligations of internal control in the financial, accounting, banking and anti-corruption fields, the CNIL will conduct a case-by-case analysis, within the framework of its authorisation powers, of the legitimacy of the purposes pursued and the proportionality of the envisaged system.
To prevent misuse of the whistleblowing system to expose facts unrelated to the fields defined in advance, the person responsible for the system must clearly indicate that it is strictly reserved for those fields and must refrain from acting on alerts falling outside them, unless the vital interest of the undertaking or the physical or moral integrity of its employees is at stake.
More generally, the use of a whistleblowing system by staff may only be of a non-mandatory nature. In this sense, the Ministry of Employment, Labour and Social Cohesion stressed, in a letter to the CNIL, that "the use of whistleblowing systems should not be the subject of an obligation but of a simple incentive. (...) Making whistleblowing compulsory therefore effectively transfers the employer's burden of compliance with respect to the rules of procedure to employees. It can also be argued that an obligation to denounce would be contrary to Article L. 120-2 of the Labour Code as a constraint which is not proportionate to the objective to be achieved."
2. A definition of the categories of persons concerned by the whistleblowing system
In accordance with the principle of proportionality, the categories of staff likely to be the subject of an alert should be precisely defined by reference to the grounds legitimising the implementation of the system.
This definition falls within the competence of the head of the undertaking, who is responsible, in accordance with the procedures laid down by labour law, for fixing the limits of the procedure.
3. Restrictive handling of anonymous alerts
The possibility of making an alert anonymously can only increase the risk of slanderous denunciation. Conversely, identifying the issuer of the alert can only make users of the system more accountable and thus limit that risk. Indeed, an identified alert has several advantages, as it makes it possible:
- to avoid excesses and slanderous denunciations;
- to organise the protection of the whistleblower against possible retaliation;
- to ensure better handling of the alert by opening the possibility of requesting additional clarification from its author.
The protection of the issuer of the alert is an inherent requirement of a whistleblowing system. The CNIL does not have to rule on the means of ensuring it, except on one point which clearly follows from the "Informatique et Libertés" Law: the identity of the issuer must be treated confidentially so that he or she is not prejudiced as a result of having come forward. In particular, that identity cannot be communicated to the person concerned on the basis of the right of access provided for in Article 39 of that Law.
However, the existence of anonymous alerts, even in the absence of organised systems for confidential alerts, is a reality. It is moreover difficult for an organisation to ignore this type of alert, even if it does not endorse it in principle.
The processing of such alerts should be accompanied by special precautions, such as a prior examination, by their first recipient, of whether it is appropriate to disseminate them within the framework of the scheme. In any event, the organisation must not encourage persons intended to use the system to do so anonymously, and the publicity given to the existence of the system must take this into account. On the contrary, the procedure must be designed so that employees identify themselves in each communication of information through the alert procedure and report information relating to facts rather than to persons.
4. The dissemination of clear and complete information about the whistleblowing system
Clear and complete information must be provided to the potential users of the whistleblowing system by any appropriate means.
Beyond the collective and individual information provided for in the Labour Code, and in accordance with Article 32 of the Law of 6 January 1978 as amended, this information must in particular specify the identity of the entity responsible for the system, the objectives pursued and the fields concerned by the alerts, the optional nature of the system, the absence of any consequence for employees who do not use it, the recipients of the alerts, and the existence of a right of access and rectification for the persons identified in the framework of the scheme.
Finally, it must be made clear that misuse of the system may expose its author to disciplinary sanctions and to legal proceedings, whereas use of the system in good faith, even if the facts subsequently prove inaccurate or do not give rise to any action, may not expose its author to sanctions.
5. Collection of alerts by dedicated means
The collection of alerts may rely on any means of data processing, whether computerised or not.
These means must be dedicated to the whistleblowing system in order to eliminate any risk of misuse and to guarantee the confidentiality of the data.
6. Relevant, adequate and non-excessive alert data
The handling of a professional alert must rely only on objective data, directly related to the field of the whistleblowing system and strictly necessary for the verification of the alleged facts.
The wording used to describe the nature of the facts reported must show their presumed character.
7. Internal management of professional alerts within a confidential framework
The collection and processing of professional alerts should be entrusted to a specific organisation set up within the undertaking concerned to deal with these matters. The persons responsible for handling the alerts must be limited in number, specially trained and bound by an enhanced obligation of confidentiality defined by contract.
The confidentiality of personal data must be guaranteed both during their collection and during their communication or retention.
The data collected by the whistleblowing system may be communicated within the group if this communication is necessary for the needs of the investigation and results from the organisation of the group. Such a communication will be considered necessary for the purposes of the investigation, for example, if the alert implicates an employee of another legal person in the group, a senior manager or a management body of the undertaking concerned. In that case, the data must be transmitted, in a confidential and secure setting, only to the competent organisation of the recipient legal person, which must provide equivalent guarantees in the management of professional alerts.
If such a communication is made to a legal person established in a country outside the European Union which does not provide adequate protection within the meaning of Directive 95/46/EC of 24 October 1995, the specific provisions of the Law of 6 January 1978 as amended relating to international transfers of data must be applied (special legal framework and information for data subjects on the fact that the data will be transferred to such a country).
Finally, where a service provider is considered for the management of the whistleblowing system, the latter must be contractually bound not to use the data for purposes other than those intended and to ensure their confidentiality and limited retention period. The undertaking concerned remains in any event responsible for the processing which the service provider carries out on its behalf.
8. The possibility of evaluation reports on the system
As part of the evaluation of the professional whistleblowing system, the responsible company may communicate to the entities charged with this task within its group all statistical information relevant to that task (such as data on the types of alerts received and the corrective action taken).
Under no circumstances may this information permit the direct or indirect identification of the persons concerned by the alerts.
9. Limited retention of personal data
Data relating to an alert deemed unfounded by the entity handling alerts must be destroyed without delay.
Data relating to alerts which have required verification must not be kept beyond two months from the close of the verification operations, except where disciplinary or judicial proceedings are instituted against the person implicated or the author of an abusive alert.
10. Accurate information of the person implicated
In accordance with Articles 6 and 32 of the Law of 6 January 1978 as amended, the identified person to whom an alert relates must, in principle, be informed by the person responsible for the system as soon as data concerning him or her are recorded, whether by computerised means or not, so that he or she can object without delay to the processing of those data.
However, the person implicated cannot be informed before the adoption of precautionary measures where such measures are necessary, in particular to prevent the destruction of evidence necessary for the processing of the alert.
This information is provided in a manner which makes it possible to ensure that the person concerned has duly received it.
In particular, it must specify to the employee concerned the entity responsible for the system, the facts complained of, the services to which the alert may be addressed, and the procedures for exercising his or her rights of access and rectification.
11. Respect for the rights of access and rectification
In accordance with Articles 39 and 40 of the Law of 6 January 1978 as amended, any person identified in the professional whistleblowing system may access the data concerning him or her and request, where appropriate, their rectification or deletion.
Under no circumstances may he or she obtain, on the basis of the right of access, information concerning third parties, such as the identity of the issuer of the alert.
The President,
A. Türk