The French Data Protection Authority published new Guidelines on December 10, 2019 applicable to whistleblowing schemes, following a public consultation process. The Guidelines replace the former Single Authorization AU-004, which has not applied since arrival of the General Data Protection Regulation. The CNIL has also published a useful Frequently Asked Questions webpage regarding the Guidelines. The CNIL’s new Guidelines import certain aspects of its former position on whistleblowing schemes.
The French data protection authority has just published an amended version of its standard authorization for professional whistleblowing helplines which results in a significant broadening of its scope but also tightens the requirements for anonymous reporting. Under French data protection legislation, whistleblowing helplines are subject to prior authorization by the French data protection authority. Indeed, French data protection legislation require that processes which may result in the exclusion of a person from the benefit of a right or a contract are subject to prior authorization, as could be the case when resorting to a whistleblowing helpline (employees may incur sanctions and be terminated).
CNIL’s recently-released annual report gives insight from France’s authority into sanctions, the right to be forgotten, whistleblowing, and what it believes are several shortcomings in the proposed EU regulation.
On March 5, 2012, the Committee of Labor and Social Affairs of the German Parliament (Deutscher Bundestag) held a hearing on a draft bill on whistleblowing. The draft bill contains extensive provisions protecting whistleblowers in German enterprise. The Committee has appointed Hogan Lovells lawyer Tim Wybitul as official expert for a hearing on whistleblowing provisions.
A decision last week by the Court of Justice of the European Union (“ECJ”) introduces an important change to Spanish data protection framework – the “legitimate interest” justification.