The obligations are laid down by Law n° 2016-1691 of December 9, 2016 concerning transparency, the fight against corruption and the modernisation of economic life.
This obligation applies to the following entities:
Public or private persons in a company with at least 50 employees; companies with more than 50 employees, all companies with more than 50 employees, which are required by law to have an employee representative committee.
State administrations: middle schools, high school and hospitals
The municipalities with more than 10,000 inhabitants
Departments: County Council
Regions: Regional Council
Public institutions of inter-municipal co-operation with their own taxation
These entities are obligated to set up an appropriate procedure for their employees, providers.
But let’s not forget that:
How does one set up a whistleblowing procedure?
All other entity types must be able to process an alert when it is sent, even if they have not set up an appropriate procedure.
Even people who are neither employees nor providers can send an alert to a company, a municipality, a hospital, a clinic, a high school.
The alert is brought to the attention of a supervisor, either direct or indirect, or a contact person that has been designated by the entity. In the context of setting up a procedure, it is preferable to designate a person or group of persons responsible for receiving the alert (attention should be given to the case where the alert involves the contact person).
The procedure put in place must guarantee strict respect for the alert launcher confidentiality; however, according to former single approval of the CNIL, it must not favor anonymity . The procedure put in place must therefore be able to obtain the identity of the alert launcher while keeping it strictly confidential.
The procedure must also provide for exchanges between the alert launcher and the company in order to have all of the elements necessary to qualify the alert. Though the whistleblower’s privacy is always kept confidential, this is not easy to achieve.
Alert Launcher and RGPD procedure
The General Data Protection Regulations (RGPD) Add a bit of complexity to the protection of alert launchers. In fact, often the alert will challenge a natural person from within the entity.
Compliance with the RGPD without further analysis would lead to immediately inform the person concerned of the data withheld in the procedure pertaining to him or her and give him or her right of access and rectification of said data.
The person implicated in the alert must be informed as soon as all the measures necessary for the protection of the evidence have been carried out.