whistleblower-policy-malik-taiar
Guide for (a) auditing an existing whistleblower system or (b) drafting a compliant reporting policy from a provided template. Covers EU Directive 2019/1937, the amended Sapin II law (Waserman 2022), Decree 2022-1284, CNIL guidelines, public sector requirements, and duty of vigilance.
Best use case
whistleblower-policy-malik-taiar is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using whistleblower-policy-malik-taiar should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/politique-lanceur-alerte-malik-taiar/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
SKILL.md Source
# Whistleblower Systems - Assessment & Drafting
## Overview
This guide helps you (a) assess the compliance of an existing whistleblower system or (b) draft a reporting policy based on the provided template.
## Legal Framework Covered
- EU Directive 2019/1937
- Amended Sapin II Law (Waserman Law 2022)
- Decree No. 2022-1284
- CNIL Professional Alerts Framework
### Two Modes of Use
| Mode | Description | Output |
|------|-------------|--------|
| **A. Compliance Assessment** | Audit an existing system | Assessment report + action plan |
| **B. Policy Drafting** | Create a system based on referenced sources | Policy based on template |
### What This Skill Does / Does Not Do
| What this skill does | What it does not do |
|:---------------------|:---------------------|
| Assesses compliance of an existing system | Provide definitive legal conclusions |
| Drafts a reporting policy based on the provided template | Guarantee enforceability |
**Scope**: Internal reporting systems subject to the amended Sapin II Law and Decree No. 2022-1284.
> **Variation Callouts**:
> - **Public Sector**: Coordination with Art. 40 CPP
> - **Duty of Vigilance**: Companies with ≥ 5,000 employees in the company and its French-headquartered subsidiaries, or ≥ 10,000 employees including subsidiaries headquartered abroad
## Contents
```
/
├── SKILL.md
├── LICENSE.txt
├── README.md
├── assets/
│   ├── Template_Politique_Lanceur_Alerte.docx  ← Template for Mode B
│   └── [PDF sources]
└── references/
    ├── TEXTES_LEGAUX.md       ← Verbatim legal article citations
    ├── DECRET_PROCEDURE.md    ← Mandatory elements (Decree 2022-1284)
    ├── RGPD_CNIL.md           ← GDPR compliance and CNIL framework
    ├── FONCTION_PUBLIQUE.md   ← Public sector specifics + Art. 40 CPP
    └── VIGILANCE.md           ← Duty of vigilance coordination
```
## DISCLAIMER
**THIS IS NOT LEGAL ADVICE.** This skill is provided for informational and educational purposes only. Laws vary by jurisdiction and individual circumstances, and only a qualified lawyer can provide advice tailored to your specific situation. This does not constitute legal advice or opinion—it is a Claude skill intended for legal professionals. All outputs from this skill must be reviewed by a qualified legal professional before any legal use.
## Choosing the Mode of Use
### Mode A: Compliance Assessment
**When to use**: The client already has a system and wants to verify its compliance.
→ Go to **Inputs to Collect**, then **Assessment Workflow (Mode A)**
### Mode B: Policy Drafting
**When to use**: The client does not have a system or wants to create a new one.
→ Go to **Inputs to Collect**, then **Policy Drafting (Mode B)**
| Template | Format | Usage |
|:---------|:-------|:------|
| `Template_Politique_Lanceur_Alerte.docx` | Word | Internal reporting policy template |
> **IMPORTANT**: The template must be used **EXACTLY** as provided. Only variable elements should be adapted.
## Inputs to Collect (request before assessing)
### A. Organizational Context (mandatory)
- [ ] Legal form and headcount (threshold ≥ 50 employees/agents?)
- [ ] Business sector and status (private/public/mixed)
- [ ] Group structure (pooling possible?)
- [ ] Existing system: implementation date, post-Waserman update?
### B. Documentation to Request
- [ ] Internal reporting procedure
- [ ] Employee communication materials
- [ ] Templates used (acknowledgment, feedback, closure)
- [ ] Job description / designated officer appointment
- [ ] GDPR register / DPIA if existing
### C. Practical Constraints (recommended)
- [ ] Pooling with other entities considered?
- [ ] Outsourcing of reception channel?
- [ ] Coordination with other systems (duty of vigilance)?
## Deliverables - Mode A: Assessment
### Quick Start (default output)
ALWAYS produce:
1) **Executive Summary** (1 page)
2) **Phase-by-Phase Assessment Table** (8 phases)
3) **Recommended Action Plan**
### A. Executive Summary
- [ ] Overall compliance: Compliant / Partially Compliant / Non-Compliant
- [ ] Top 5 gaps identified (ranked by priority)
- [ ] Recommendation: "Compliant" / "Correct before deployment" / "Escalate"
### B. Detailed Assessment Table
| Phase | Checkpoint | Compliant | Gap Identified | Priority | Recommendation |
|-------|-----------|:--------:|----------------|:--------:|----------------|
| **1. Applicability** | | | | | |
| 1.1 | Headcount threshold met (≥ 50) | | | | |
| 1.2 | Entity type identified (private/public/mixed) | | | | |
| 1.3 | Pooling compliant if applicable (< 250 employees; concurring decision of the competent bodies) | | | | |
| **2. Reception Channel** | | | | | |
| 2.1 | Written **OR** oral channel provided (entity's choice) | | | | |
| 2.2 | *If oral provided*: telephone or voicemail mentioned | | | | |
| 2.3 | *If oral provided*: video/in-person meeting on request (20 business days) | | | | |
| 2.4 | Ability to transmit any type of document | | | | |
| 2.5 | Written acknowledgment within 7 business days | | | | |
| **3. Designated Persons** | | | | | |
| 3.1 | Formal designation for receipt | | | | |
| 3.2 | Formal designation for processing | | | | |
| 3.3 | Sufficient competence | | | | |
| 3.4 | Sufficient authority | | | | |
| 3.5 | Sufficient resources | | | | |
| 3.6 | Impartiality safeguards in place | | | | |
| 3.7 | If outsourced: third-party obligations compliant | | | | |
| **4. Verification / Processing** | | | | | |
| 4.1 | Admissibility criteria defined (Art. 6 + Art. 8 I.A.) | | | | |
| 4.2 | Reporter informed if inadmissible | | | | |
| 4.3 | Follow-up for non-compliant reports specified | | | | |
| 4.4 | Follow-up for anonymous reports specified | | | | |
| 4.5 | Written feedback within 3 months | | | | |
| 4.6 | Feedback content compliant (measures + reasons) | | | | |
| 4.7 | Reasoned closure provided | | | | |
| 4.8 | Written closure notification to reporter | | | | |
| **5. Confidentiality** | | | | | |
| 5.1 | Information integrity guaranteed | | | | |
| 5.2 | Reporter identity confidentiality | | | | |
| 5.3 | Persons concerned confidentiality | | | | |
| 5.4 | Third parties mentioned confidentiality | | | | |
| 5.5 | Access restricted to authorized persons | | | | |
| 5.6 | Prompt transmission to designated persons | | | | |
| 5.7 | If oral: recording procedures defined | | | | |
| 5.8 | Reporter's right to verify/approve | | | | |
| 5.9 | Retention period limited | | | | |
| **6. Dissemination / Information** | | | | | |
| 6.1 | Procedure disseminated with sufficient publicity | | | | |
| 6.2 | Permanently accessible to eligible persons | | | | |
| 6.3 | Whistleblower status conditions | | | | |
| 6.4 | Categories of eligible persons | | | | |
| 6.5 | Reporting procedures (form, channels) | | | | |
| 6.6 | Processing timelines (7-day acknowledgment, 3-month feedback) | | | | |
| 6.7 | Confidentiality guarantees | | | | |
| 6.8 | Protections granted | | | | |
| 6.9 | Information on external channels | | | | |
| 6.10 | GDPR information | | | | |
| **7. GDPR Compliance (CNIL Framework, adopted 6 July 2023)** | | | | | |
| 7.1 | Legal basis identified (legal obligation or legitimate interest) | | | | |
| 7.2 | Purposes defined with no incompatible reuse | | | | |
| 7.3 | Data minimization respected (by phase: collection, investigation, post-decision) | | | | |
| 7.4 | Anonymous reports possible, no re-identification | | | | |
| 7.5 | Authorized users documented, access logged | | | | |
| 7.6 | Disclosure rules followed (reporter: consent / subject: after substantiation) | | | | |
| 7.7 | Retention periods defined by phase and communicated | | | | |
| 7.8 | Data subject notification compliant (reporter at acknowledgment, subject within 1 month) | | | | |
| 7.9 | Data subject rights guaranteed (access, objection, rectification, restriction) | | | | |
| 7.10 | Security measures compliant (17 CNIL categories) | | | | |
| 7.11 | Processing register updated | | | | |
| 7.12 | DPIA completed (recommended) | | | | |
| **8. Sector-Specific Requirements** | | | | | |
| 8.1 | *Public sector*: Art. 40 CPP coordination documented | | | | |
| 8.2 | *Public sector*: Designated officer informed of Art. 40 obligations | | | | |
| 8.3 | *Vigilance*: Consultation with representative unions | | | | |
| 8.4 | *Vigilance*: Extended scope (subsidiaries, subcontractors) | | | | |
| 8.5 | *Vigilance*: External stakeholders eligible | | | | |
| 8.6 | *Regulated sectors*: Sector-specific obligations coordinated | | | | |
## Assessment Workflow (Mode A)
### Step 1 — Verify Applicability
> IS THE ORGANIZATION SUBJECT TO THE OBLIGATION?
- [ ] Private legal entity ≥ 50 employees → YES
- [ ] Public legal entity ≥ 50 agents → YES
- [ ] Municipality ≥ 10,000 inhabitants → YES
- [ ] State administration → YES
- [ ] Other → CHECK sector-specific regulations
> **Pooling possible** (< 250 employees/agents): See Art. 8 I. B. and C. of the amended Sapin II Law + Art. 7 II of the Decree
### Step 2 — Assess Compliance (use references)
> **IMPORTANT - MANDATORY READING**: Before any assessment, read **IN FULL** the file `assets/Decret_2022_1284.pdf` (Articles 1 to 8 + annex). Do not rely solely on summaries—the exact decree text is authoritative.
Assess the system **systematically** using the references:
| Reference | What it covers |
|---|---|
| **`assets/Decret_2022_1284.pdf`** | **ALWAYS READ FIRST** - Full decree text |
| [DECRET_PROCEDURE.md](references/DECRET_PROCEDURE.md) | Summary of mandatory elements (Art. 4-8 decree) |
| [RGPD_CNIL.md](references/RGPD_CNIL.md) | GDPR compliance and CNIL framework |
| [FONCTION_PUBLIQUE.md](references/FONCTION_PUBLIQUE.md) | Public sector specifics + Art. 40 CPP |
| [VIGILANCE.md](references/VIGILANCE.md) | Duty of vigilance coordination (if applicable) |
| [TEXTES_LEGAUX.md](references/TEXTES_LEGAUX.md) | Verbatim citations for verification |
**Assessment method**:
1. **Read Decree 2022-1284 in full** before starting the assessment
2. Verify that **all mandatory elements** are present (completeness)
3. Verify that each clause is **compliant** with the legal and regulatory framework (no contradictions)
4. Use the **Assessment Checklist (8 phases)** to structure the assessment by phase
5. When in doubt, always **return to the exact text** of the decree
### Step 3 — Draft the Report
```
REPORT STRUCTURE:
1. Executive summary (overall compliance, strengths, priority areas)
2. Context and scope (organization, regulatory framework, documents analyzed)
3. Detailed results (cover all 8 checklist phases)
4. Gap summary table
5. Recommended action plan
6. Annexes (completed checklist, applicable texts)
```
### Step 4 — Prioritize Recommendations
| **Priority** | **Criterion** | **Example** |
|--------------|---------------|-------------|
| CRITICAL | Absence of system, non-compliance with legal deadlines, confidentiality failure | No acknowledgment of receipt |
| IMPORTANT | Insufficient information, unidentified designated officer, GDPR non-compliance | Impartiality risk with processing officer |
| IMPROVEMENT | Procedure needs refinement, incomplete documentation, training to strengthen | Communication materials to complete |
## Assessment Checklist (8 phases)
### Phase 1: Applicability
> See Art. 8 I. B. amended Sapin II Law + Art. 1 and 2 of the Decree
- [ ] Organization subject to obligation (threshold met)
- [ ] Entity type identified (private/public/mixed)
- [ ] Pooling compliant if applicable (< 250 employees; concurring decision of the competent bodies)
### Phase 2: Reception Channel
> **→ Detailed reference**: [DECRET_PROCEDURE.md - Section 1](references/DECRET_PROCEDURE.md)
- [ ] Written OR oral channel provided (entity's choice - Art. 4 I decree)
- [ ] If oral provided: telephone or voicemail mentioned
- [ ] If oral provided: video/in-person meeting on request (20 business days)
- [ ] Ability to transmit any type of document
- [ ] Written acknowledgment within 7 business days provided
### Phase 3: Designated Persons
> **→ Detailed reference**: [DECRET_PROCEDURE.md - Section 3](references/DECRET_PROCEDURE.md)
- [ ] Formal designation in procedure (receipt AND processing)
- [ ] Sufficient competence, authority, and resources
- [ ] Impartiality safeguards in place
- [ ] If pooling (< 250 employees): Art. 7 II conditions met
- [ ] If outsourced: third-party obligations compliant with Art. 7 I
### Phase 4: Verification and Processing
> **→ Detailed reference**: [DECRET_PROCEDURE.md - Section 2](references/DECRET_PROCEDURE.md)
**VERIFICATION:**
- [ ] Admissibility criteria defined (Art. 6 and Art. 8 I.A.)
- [ ] Reporter notification in case of inadmissibility provided
- [ ] Follow-up for non-compliant reports specified
- [ ] Follow-up for anonymous reports specified
**PROCESSING:**
- [ ] Written feedback within 3 months maximum provided
- [ ] Feedback content compliant (measures considered/taken + reasons)
- [ ] Reasoned closure provided (unfounded or moot allegations)
- [ ] Written closure notification to reporter provided
### Phase 5: Confidentiality
> **→ Detailed reference**: [DECRET_PROCEDURE.md - Section 4](references/DECRET_PROCEDURE.md)
- [ ] Information integrity and confidentiality guaranteed
- [ ] Identity protection: reporter, persons concerned, third parties mentioned
- [ ] Access prohibited to unauthorized persons
- [ ] Prompt transmission to designated persons provided
- [ ] If oral: recording procedures defined
- [ ] Retention period limited to strict necessity
### Phase 6: Dissemination and Information
> **→ Detailed reference**: [DECRET_PROCEDURE.md - Section 6](references/DECRET_PROCEDURE.md)
- [ ] Procedure disseminated with sufficient publicity
- [ ] Permanently accessible to eligible persons
- [ ] Complete information content (see Section 7 of decree)
- [ ] Information on external channels available
### Phase 7: GDPR Compliance (CNIL Framework, adopted 6 July 2023)
> **→ Detailed reference**: [RGPD_CNIL.md](references/RGPD_CNIL.md)
- [ ] Legal basis identified (legal obligation or legitimate interest)
- [ ] Purposes defined, no incompatible reuse
- [ ] Data minimization by phase (collection, investigation, post-decision)
- [ ] Anonymous reports possible, no re-identification
- [ ] Authorized users documented, access logged
- [ ] Disclosure rules followed (reporter: consent / subject: after substantiation)
- [ ] Retention periods defined by phase and communicated
- [ ] Data subject notification compliant (reporter at acknowledgment, subject within 1 month)
- [ ] Data subject rights guaranteed (access, objection, rectification, restriction)
- [ ] Security measures compliant (17 CNIL categories)
- [ ] Processing register updated
- [ ] DPIA completed (recommended)
### Phase 8: Sector-Specific Requirements
> **→ Public sector** → [FONCTION_PUBLIQUE.md](references/FONCTION_PUBLIQUE.md)
- [ ] Coordination with Art. 40 CPP documented
- [ ] Designated officer informed of Art. 40 obligations
> **→ Duty of vigilance** → [VIGILANCE.md](references/VIGILANCE.md)
- [ ] Mechanism established in consultation with representative unions
- [ ] Extended scope (subsidiaries, subcontractors, suppliers)
- [ ] External stakeholders eligible
> **→ Regulated sectors** (financial, healthcare, etc.)
- [ ] Coordination with sector-specific obligations documented
## The Three Reporting Channels (Art. 8 Sapin II Law)
```
┌──────────────────────────────────────────────────────────────────────────────┐
│ CHANNEL 1: INTERNAL REPORTING (Art. 8 I)                                     │
│ ────────────────────────────────────────                                     │
│ WHEN: Can be used directly, without prior condition                          │
│                                                                              │
│ ELIGIBLE PERSONS (Art. 8 I.A. 1° to 5°):                                     │
│   → Staff members (current or former)                                        │
│   → Job applicants                                                           │
│   → Shareholders, partners, voting rights holders                            │
│   → Members of administrative, management, supervisory bodies                │
│   → External and occasional collaborators                                    │
│   → Contractors, subcontractors and their bodies/staff                       │
├──────────────────────────────────────────────────────────────────────────────┤
│ CHANNEL 2: EXTERNAL REPORTING (Art. 8 II)                                    │
│ ─────────────────────────────────────────                                    │
│ WHEN: Can be used in two ways                                                │
│   ✓ EITHER after making an internal report                                   │
│   ✓ OR directly (without going through internal)                             │
│                                                                              │
│ POSSIBLE RECIPIENTS:                                                         │
│   1° Competent authority (list in annex to Decree No. 2022-1284)             │
│   2° Defender of Rights                                                      │
│   3° Judicial authority (Public Prosecutor)                                  │
│   4° Competent EU institution, body or agency                                │
├──────────────────────────────────────────────────────────────────────────────┤
│ CHANNEL 3: PUBLIC DISCLOSURE (Art. 8 III)                                    │
│ ─────────────────────────────────────────                                    │
│ WHEN: Protection granted only in the following cases                         │
│                                                                              │
│ CASE 1 (Art. 8 III 1°) - Ineffective reports:                                │
│   → After external report (preceded or not by internal)                      │
│   → AND no appropriate measure taken at deadline expiry                      │
│                                                                              │
│ CASE 2 (Art. 8 III 2°) - Serious and imminent danger                         │
│                                                                              │
│ CASE 3 (Art. 8 III 3°) - Risks related to external reporting:                │
│   → Risk of retaliation                                                      │
│   → OR impossibility of effective remedy                                     │
│                                                                              │
│ DEROGATORY CASE (Art. 8 III penultimate paragraph):                          │
│   → IMMINENT or MANIFEST danger to the public interest                       │
│                                                                              │
│ ⚠️ EXCLUSION: Cases 2°, 3° and derogatory do NOT apply if                    │
│   disclosure harms national defense/security                                 │
└──────────────────────────────────────────────────────────────────────────────┘
```
> **NOTE**: Since the Waserman Law (2022), whistleblowers can **freely choose** between internal and external channels. They are no longer required to go through internal channels first.
## Whistleblower Definition (Art. 6 Sapin II Law)
**WHISTLEBLOWER = Natural person who:**
- [ ] Reports or discloses WITHOUT DIRECT FINANCIAL CONSIDERATION
- [ ] In GOOD FAITH
- [ ] Information concerning:
- A crime or offense
- A threat or harm to the public interest
- A violation OR an attempt to conceal a violation of:
- an international commitment
- European Union law
- a law or regulation
**Exclusions (Art. 6 II)**: National defense secrets, medical confidentiality, judicial deliberation secrecy, investigation/inquiry secrecy, attorney-client privilege.
**Facilitators (Art. 6-1)**: Natural or legal person under private non-profit law who assists the whistleblower.
## Whistleblower Protections
> **→ Detailed reference**: [TEXTES_LEGAUX.md - Article 10-1](references/TEXTES_LEGAUX.md)
**Civil immunity** (Art. 10-1 I) if the whistleblower had reasonable grounds to believe the report or disclosure was necessary to protect the interests at stake; criminal immunity follows from Art. 122-9 of the Criminal Code.
**Prohibited retaliation measures** (Art. 10-1 II): suspension, dismissal, demotion, transfer of duties, discrimination, harassment, blacklisting, etc.
**Shift of the burden of proof** (Art. 10-1 III): once the whistleblower presents facts suggesting retaliation, the employer must prove that its decision was duly justified by reasons unrelated to the report.
**Automatic nullity** of any act taken in breach of these protections.
## Common Errors
| **Error** | **Risk** | **Correction** |
|-----------|----------|----------------|
| System not updated since 2022 | Waserman non-compliance | Complete revision |
| Requiring internal channel first | Contrary to free channel choice | Remove this requirement |
| No automatic acknowledgment of receipt | Non-compliance with 7-day deadline | Automate sending |
| Confidentiality not technically guaranteed | Compromise risk | Encryption, partitioning |
| Designated officer = member of senior management | Potential conflict of interest | Appoint independent officer |
| No information on external channels | Legal obligation | Complete the information |
| Unlimited data retention | GDPR non-compliance | Apply CNIL retention periods |
| Oral channel announced but no telephone/voicemail or meeting-on-request arrangements | Decree 2022-1284 (Art. 4) requirement | Specify the oral arrangements (telephone or voicemail; meeting within 20 business days on request) |
## Penalties and Risks
| **Offense** | **Penalty** | **Legal Basis** |
|-------------|-------------|-----------------|
| Obstructing reporting | 1 year prison + €15,000 fine | Art. 13 Sapin II Law |
| Retaliation | 3 years prison + €45,000 fine | Art. 225-1 and 225-2 Criminal Code |
| Disclosing whistleblower identity | 2 years prison + €30,000 fine | Art. 9 Sapin II Law |
| Abusive reporting | 5 years prison + €45,000 fine | Art. 226-10 Criminal Code |
## Reference Texts
| Text | Date | File |
|------|------|------|
| EU Directive 2019/1937 | 23 October 2019 | `assets/Directive_2019_1937.pdf` |
| Law No. 2016-1691 (Sapin II) | 9 December 2016 | `assets/Loi_Sapin_II_consolidee.pdf` |
| Law No. 2022-401 (Waserman) | 21 March 2022 | `assets/Loi_Waserman_2022.pdf` |
| Decree No. 2022-1284 | 3 October 2022 | `assets/Decret_2022_1284.pdf` |
| CNIL Framework | 24 July 2023 | `assets/Referentiel_CNIL_alertes_professionnelles.pdf` |
| Public Sector Circular | 26 June 2024 | `assets/Circulaire_26_juin_2024.pdf` |
| DREETS Summary | 17 February 2025 | `assets/DREETS_synthese_2025.pdf` |
| Law No. 2017-399 (Vigilance) | 27 March 2017 | `assets/L225-102-1.pdf` and `assets/L225-102-2.pdf` |
| EU Directive 2024/1760 (CS3D) | 13 June 2024 | `assets/Directive_CS3D_2024_1760.pdf` |
## Policy Drafting (Mode B)
### Provided Template
| Template | Format | Usage |
|:---------|:-------|:------|
| `Template_Politique_Lanceur_Alerte.docx` | Word | Internal reporting policy template |
> **IMPORTANT**: The template must be used **EXACTLY** as provided. Only variable elements should be adapted to the client's situation. Do not rephrase, delete, or reorganize template clauses.
### Drafting Workflow
**STEP 1 — Collect Client Information**
- [ ] Legal form and headcount
- [ ] Channels chosen (written, oral, both)
- [ ] Identity of designated officer(s)
- [ ] Reporting channel contact details
- [ ] Scope of eligible persons
- [ ] Coordination with other systems (duty of vigilance)
**STEP 2 — Adapt the Template**
- [ ] Open Template_Politique_Lanceur_Alerte.docx
- [ ] Complete ONLY the variable elements
- [ ] Do NOT rephrase existing clauses
- [ ] Do NOT delete sections
- [ ] Add the mandatory clause on external channels
*Example wording to insert in the policy:*
```
Independently of this system, any person may submit an external report
directly to the Defender of Rights, the judicial authority, or the
competent authority according to the relevant domain. The list of
external authorities is set by the annex to Decree No. 2022-1284 of
October 3, 2022, available at:
https://www.legifrance.gouv.fr/loda/id/JORFTEXT000046357368
```
**STEP 3 — Verify Compliance**
→ Use [DECRET_PROCEDURE.md](references/DECRET_PROCEDURE.md) and [TEXTES_LEGAUX.md](references/TEXTES_LEGAUX.md) to verify mandatory elements
→ Use [RGPD_CNIL.md](references/RGPD_CNIL.md) to verify GDPR compliance
**STEP 4 — Add External Channel Information**
(Legal obligation - Art. 8 para. 3 of Decree No. 2022-1284)
### Finalization
**STEP 5 — Validation**
- [ ] Have management review
- [ ] Consult the works council if applicable (≥ 50 employees)
- [ ] If duty of vigilance: consultation with representative unions
**STEP 6 — Dissemination**
- [ ] Choose dissemination channels (see Assessment Checklist, Phase 6: Dissemination and Information)
- [ ] Ensure permanent accessibility
- [ ] Train designated officers