Whistleblowing policies in France

May 2013

Whistleblowing is a process made available to employees allowing them to report problems via channels such as designated telephone numbers, email addresses or online forms, relating to activities of the company that are dishonest or illegal and could result in the company facing significant liability.

In France, in the absence of a general whistleblowing law, whistleblowing policies are regulated by the French Data Protection Authority (CNIL).

Indeed, as whistleblowing policies involve the collection, registration, storage, disclosure and destruction of personal data, the CNIL has authority over these schemes.

The CNIL was initially opposed to whistleblowing policies but changed its position in 2005. This change in stance permitted the implementation of whistleblowing schemes for relevant French companies affiliated to US companies that are subject to the Sarbanes-Oxley Act (SOX), a US federal law providing standards for all US public company boards, management and public accounting firms. SOX also contains certain protection provisions for whistleblowers.

Depending on the envisaged whistleblowing policy, one of two procedures (explained below) applies; under either procedure, CNIL authorisation is required before the policy can be implemented.

Expedited procedure: Single authorisation

The CNIL adopted a single authorisation system (AU-004) on 8 December 2005. This was subsequently revised by decision N° 2010-369 on 14 October 2010, in order to regulate the implementation of whistleblowing policies and simplify administrative formalities in France.

The purpose of the single authorisation system (for companies whose whistleblowing policies strictly comply with the guidelines provided for in AU-004) is to enable companies to make a declaration of compliance (engagement de conformité) under a single authorisation, as opposed to obtaining numerous individual authorisations.

The CNIL has recently specified the scope of AU-004 following the Dassault Systèmes decision handed down by the French Supreme Court (Cour de cassation) which held that whistleblowing policies regulated by AU-004 must have a strictly limited scope.

Below is a non-exhaustive summary of the main requirements for complying with an AU-004 authorisation.

In order to comply with AU-004, whistleblowing policies must be based on French statutory or regulatory obligations relating to internal control in the financial, accounting, banking and anti-bribery areas. Where companies are caught by s.301(4) SOX or the Japanese Financial Instruments and Exchange Act dated 6 June 2006, whistleblowing policies must comply with the data processing measures specified within that legislation, as well as with the data processing measures implemented to combat anti-competitive practices.

Data collected in relation to a whistleblowing report shall only concern:

  • the whistleblower;
  • those persons that form the subject of the report;
  • those persons involved in the handling of the report;
  • the facts of the report; and
  • the actions taken.

The recipients of such data must be limited to the persons specifically involved in the processing of such data who are further bound by a reinforced obligation of confidentiality.

As far as data retention is concerned, relevant personal data shall be kept for a period of two months following the conclusion of investigations where no further action is undertaken. Where further action based on a procedure set in place is carried out, relevant personal data can be kept until the end of the procedure.

Users of the whistleblowing system must be provided with clear and complete information on the following:

  • the identity of the person or entity responsible for the whistleblowing schemes;
  • the purpose of the whistleblowing scheme and the sectors concerned;
  • the optional nature of the use of the whistleblowing system;
  • the fact that any abuse of the system may result in disciplinary sanctions;
  • the identity of the recipients of the whistleblowing reports;
  • the possibility of the transfer of the whistleblowing reports outside the European Union; and
  • the right to access and correct data relating to the persons identified by the whistleblowing system.

The relevant company should not encourage users of the whistleblowing system to file anonymous reports; anonymous reporting should be the exception rather than the rule.

Normal procedure: Individual authorisation

If a company wants to implement a whistleblowing system which does not fully comply with the AU-004 requirements, it must request an individual authorisation from the CNIL. In order to do this, the company must fill out the form for standard notifications (déclaration normale).

The request for an individual authorisation is then reviewed in a plenary session chaired by the CNIL within two months following the filing of the standard notification form, provided that no additional information is required from the company.

The normal procedure detailed above is far more burdensome than the expedited AU-004 procedure. Therefore, where possible, companies in France should try to adapt their whistleblowing policies in order to ensure compliance with AU-004 requirements.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Grégory Sroussi

Myriam Bouchrara


Gregory and Myriam consider the requirements of whistleblowing policies in France.