Whistleblower Systems - Assessment & Drafting
Overview
This Guide can help you (a) assess the compliance of an existing whistleblower system or (b) draft a reporting policy based on a provided template.
Legal Framework Covered
- EU Directive 2019/1937
- Amended Sapin II Law (Waserman Law 2022)
- Decree No. 2022-1284
- CNIL Professional Alerts Framework
Two Modes of Use
| Mode | Description | Output |
|---|---|---|
| A. Compliance Assessment | Audit an existing system | Assessment report + action plan |
| B. Policy Drafting | Create a system based on referenced sources | Policy based on template |
What This Skill Does / Does Not Do
| What this skill does | What it does not do |
|---|---|
| Assesses compliance of an existing system | Provide definitive legal conclusions |
| Drafts a reporting policy based on the provided template | Guarantee enforceability |
Scope: Internal reporting systems subject to the amended Sapin II Law and Decree No. 2022-1284.
Variation Callouts:
- Public Sector: Coordination with Art. 40 CPP
- Duty of Vigilance: Companies with ≥ 5,000 / 10,000 employees
Contents
```
/
├── SKILL.md
├── LICENSE.txt
├── README.md
├── assets/
│   ├── Template_Politique_Lanceur_Alerte.docx   ← Template for Mode B
│   └── [PDF sources]
└── references/
    ├── TEXTES_LEGAUX.md        ← Verbatim legal article citations
    ├── DECRET_PROCEDURE.md     ← Mandatory elements (Decree 2022-1284)
    ├── RGPD_CNIL.md            ← GDPR compliance and CNIL framework
    ├── FONCTION_PUBLIQUE.md    ← Public sector specifics + Art. 40 CPP
    └── VIGILANCE.md            ← Duty of vigilance coordination
```
DISCLAIMER
THIS IS NOT LEGAL ADVICE. This skill is provided for informational and educational purposes only. Laws vary by jurisdiction and individual circumstances, and only a qualified lawyer can provide advice tailored to your specific situation. This does not constitute legal advice or opinion—it is a Claude skill intended for legal professionals. All outputs from this skill must be reviewed by a qualified legal professional before any legal use.
Choosing the Mode of Use
Mode A: Compliance Assessment
When to use: The client already has a system and wants to verify its compliance.
→ Go to Section 3 (Inputs) then Section 5 (Assessment Workflow)
Mode B: Policy Drafting
When to use: The client does not have a system or wants to create a new one.
→ Go to Section 3 (Inputs) then Section 13 (Policy Drafting)
| Template | Format | Usage |
|---|---|---|
| Template_Politique_Lanceur_Alerte.docx | Word | Internal reporting policy template |
IMPORTANT: The template must be used EXACTLY as provided. Only variable elements should be adapted.
Inputs to Collect (request before assessing)
A. Organizational Context (mandatory)
- Legal form and headcount (threshold ≥ 50 employees/agents?)
- Business sector and status (private/public/mixed)
- Group structure (pooling possible?)
- Existing system: implementation date, post-Waserman update?
B. Documentation to Request
- Internal reporting procedure
- Employee communication materials
- Templates used (acknowledgment, feedback, closure)
- Job description / designated officer appointment
- GDPR register / DPIA if existing
C. Practical Constraints (recommended)
- Pooling with other entities considered?
- Outsourcing of reception channel?
- Coordination with other systems (duty of vigilance)?
Deliverables - Mode A: Assessment
Quick Start (default output)
ALWAYS produce:
- Executive Summary (1 page)
- Phase-by-Phase Assessment Table (8 phases)
- Recommended Action Plan
A. Executive Summary
- Overall compliance: Compliant / Partially Compliant / Non-Compliant
- Top 5 gaps identified (ranked by priority)
- Recommendation: "Compliant" / "Correct before deployment" / "Escalate"
B. Detailed Assessment Table
| Phase | Checkpoint | Compliant | Gap Identified | Priority | Recommendation |
|---|---|---|---|---|---|
| **1. Applicability** | | | | | |
| | 1.1 Headcount threshold met (≥ 50) | | | | |
| | 1.2 Entity type identified (private/public/mixed) | | | | |
| | 1.3 Pooling compliant if applicable (< 250, concurrent decision) | | | | |
| **2. Reception Channel** | | | | | |
| | 2.1 Written OR oral channel provided (entity's choice) | | | | |
| | 2.2 If oral provided: telephone or voicemail mentioned | | | | |
| | 2.3 If oral provided: video/in-person meeting on request (20 business days) | | | | |
| | 2.4 Ability to transmit any type of document | | | | |
| | 2.5 Written acknowledgment within 7 business days | | | | |
| **3. Designated Persons** | | | | | |
| | 3.1 Formal designation for receipt | | | | |
| | 3.2 Formal designation for processing | | | | |
| | 3.3 Sufficient competence | | | | |
| | 3.4 Sufficient authority | | | | |
| | 3.5 Sufficient resources | | | | |
| | 3.6 Impartiality safeguards in place | | | | |
| | 3.7 If outsourced: third-party obligations compliant | | | | |
| **4. Verification / Processing** | | | | | |
| | 4.1 Admissibility criteria defined (Art. 6 + Art. 8 I.A.) | | | | |
| | 4.2 Reporter informed if inadmissible | | | | |
| | 4.3 Follow-up for non-compliant reports specified | | | | |
| | 4.4 Follow-up for anonymous reports specified | | | | |
| | 4.5 Written feedback within 3 months | | | | |
| | 4.6 Feedback content compliant (measures + reasons) | | | | |
| | 4.7 Reasoned closure provided | | | | |
| | 4.8 Written closure notification to reporter | | | | |
| **5. Confidentiality** | | | | | |
| | 5.1 Information integrity guaranteed | | | | |
| | 5.2 Reporter identity confidentiality | | | | |
| | 5.3 Persons concerned confidentiality | | | | |
| | 5.4 Third parties mentioned confidentiality | | | | |
| | 5.5 Access restricted to authorized persons | | | | |
| | 5.6 Prompt transmission to designated persons | | | | |
| | 5.7 If oral: recording procedures defined | | | | |
| | 5.8 Reporter's right to verify/approve | | | | |
| | 5.9 Retention period limited | | | | |
| **6. Dissemination / Information** | | | | | |
| | 6.1 Procedure disseminated with sufficient publicity | | | | |
| | 6.2 Permanently accessible to eligible persons | | | | |
| | 6.3 Whistleblower status conditions | | | | |
| | 6.4 Categories of eligible persons | | | | |
| | 6.5 Reporting procedures (form, channels) | | | | |
| | 6.6 Processing timelines (7-day acknowledgment, 3-month feedback) | | | | |
| | 6.7 Confidentiality guarantees | | | | |
| | 6.8 Protections granted | | | | |
| | 6.9 Information on external channels | | | | |
| | 6.10 GDPR information | | | | |
| **7. GDPR Compliance (CNIL Ref. 06/07/2023)** | | | | | |
| | 7.1 Legal basis identified (legal obligation or legitimate interest) | | | | |
| | 7.2 Purposes defined with no incompatible reuse | | | | |
| | 7.3 Data minimization respected (by phase: collection, investigation, post-decision) | | | | |
| | 7.4 Anonymous reports possible, no re-identification | | | | |
| | 7.5 Authorized users documented, access logged | | | | |
| | 7.6 Disclosure rules followed (reporter: consent / subject: after substantiation) | | | | |
| | 7.7 Retention periods defined by phase and communicated | | | | |
| | 7.8 Data subject notification compliant (reporter at acknowledgment, subject within 1 month) | | | | |
| | 7.9 Data subject rights guaranteed (access, objection, rectification, restriction) | | | | |
| | 7.10 Security measures compliant (17 CNIL categories) | | | | |
| | 7.11 Processing register updated | | | | |
| | 7.12 DPIA completed (recommended) | | | | |
| **8. Sector-Specific Requirements** | | | | | |
| | 8.1 Public sector: Art. 40 CPP coordination documented | | | | |
| | 8.2 Public sector: Designated officer informed of Art. 40 obligations | | | | |
| | 8.3 Vigilance: Consultation with representative unions | | | | |
| | 8.4 Vigilance: Extended scope (subsidiaries, subcontractors) | | | | |
| | 8.5 Vigilance: External stakeholders eligible | | | | |
| | 8.6 Regulated sectors: Sector-specific obligations coordinated | | | | |
Assessment Workflow (Mode A)
Step 1 — Verify Applicability
IS THE ORGANIZATION SUBJECT TO THE OBLIGATION?
- Private legal entity ≥ 50 employees → YES
- Public legal entity ≥ 50 agents → YES
- Municipality ≥ 10,000 inhabitants → YES
- State administration → YES
- Other → CHECK sector-specific regulations
Pooling possible (< 250 employees/agents): See Art. 8 I. B. and C. of the amended Sapin II Law + Art. 7 II of the Decree
Step 2 — Assess Compliance (use references)
IMPORTANT - MANDATORY READING: Before any assessment, read IN FULL the file assets/Decret_2022_1284.pdf (Articles 1 to 8 + annex). Do not rely solely on summaries—the exact decree text is authoritative.
Assess the system systematically using the references:
| Reference | What it covers |
|---|---|
| assets/Decret_2022_1284.pdf | ALWAYS READ FIRST - Full decree text |
| DECRET_PROCEDURE.md | Summary of mandatory elements (Art. 4-8 decree) |
| RGPD_CNIL.md | GDPR compliance and CNIL framework |
| FONCTION_PUBLIQUE.md | Public sector specifics + Art. 40 CPP |
| VIGILANCE.md | Duty of vigilance coordination (if applicable) |
| TEXTES_LEGAUX.md | Verbatim citations for verification |
Assessment method:
- Read Decree 2022-1284 in full before starting the assessment
- Verify that all mandatory elements are present (completeness)
- Verify that each clause is compliant with the legal and regulatory framework (no contradictions)
- Use the Section 6 checklist to structure the assessment by phase
- When in doubt, always return to the exact text of the decree
Step 3 — Draft the Report
REPORT STRUCTURE:
- Executive summary (overall compliance, strengths, priority areas)
- Context and scope (organization, regulatory framework, documents analyzed)
- Detailed results (cover all 8 checklist phases)
- Gap summary table
- Recommended action plan
- Annexes (completed checklist, applicable texts)
Step 4 — Prioritize Recommendations
| Priority | Criterion | Example |
|---|---|---|
| CRITICAL | Absence of system, non-compliance with legal deadlines, confidentiality failure | No acknowledgment of receipt |
| IMPORTANT | Insufficient information, unidentified designated officer, GDPR non-compliance | Impartiality risk with processing officer |
| IMPROVEMENT | Procedure needs refinement, incomplete documentation, training to strengthen | Communication materials to complete |
Assessment Checklist (8 phases)
Phase 1: Applicability
See Art. 8 I. B. amended Sapin II Law + Art. 1 and 2 of the Decree
- Organization subject to obligation (threshold met)
- Entity type identified (private/public/mixed)
- Pooling compliant if applicable (< 250, concurrent decision)
Phase 2: Reception Channel
→ Detailed reference: DECRET_PROCEDURE.md - Section 1
- Written OR oral channel provided (entity's choice - Art. 4 I decree)
- If oral provided: telephone or voicemail mentioned
- If oral provided: video/in-person meeting on request (20 business days)
- Ability to transmit any type of document
- Written acknowledgment within 7 business days provided
Phase 3: Designated Persons
→ Detailed reference: DECRET_PROCEDURE.md - Section 3
- Formal designation in procedure (receipt AND processing)
- Sufficient competence, authority, and resources
- Impartiality safeguards in place
- If pooling (< 250 employees): Art. 7 II conditions met
- If outsourced: third-party obligations compliant with Art. 7 I
Phase 4: Verification and Processing
→ Detailed reference: DECRET_PROCEDURE.md - Section 2
VERIFICATION:
- Admissibility criteria defined (Art. 6 and Art. 8 I.A.)
- Reporter notification in case of inadmissibility provided
- Follow-up for non-compliant reports specified
- Follow-up for anonymous reports specified
PROCESSING:
- Written feedback within 3 months maximum provided
- Feedback content compliant (measures considered/taken + reasons)
- Reasoned closure provided (unfounded or moot allegations)
- Written closure notification to reporter provided
Phase 5: Confidentiality
→ Detailed reference: DECRET_PROCEDURE.md - Section 4
- Information integrity and confidentiality guaranteed
- Identity protection: reporter, persons concerned, third parties mentioned
- Access prohibited to unauthorized persons
- Prompt transmission to designated persons provided
- If oral: recording procedures defined
- Retention period limited to strict necessity
Phase 6: Dissemination and Information
→ Detailed reference: DECRET_PROCEDURE.md - Section 6
- Procedure disseminated with sufficient publicity
- Permanently accessible to eligible persons
- Complete information content (see Section 7 of decree)
- Information on external channels available
Phase 7: GDPR Compliance (CNIL Framework 06/07/2023)
→ Detailed reference: RGPD_CNIL.md
- Legal basis identified (legal obligation or legitimate interest)
- Purposes defined, no incompatible reuse
- Data minimization by phase (collection, investigation, post-decision)
- Anonymous reports possible, no re-identification
- Authorized users documented, access logged
- Disclosure rules followed (reporter: consent / subject: after substantiation)
- Retention periods defined by phase and communicated
- Data subject notification compliant (reporter at acknowledgment, subject within 1 month)
- Data subject rights guaranteed (access, objection, rectification, restriction)
- Security measures compliant (17 CNIL categories)
- Processing register updated
- DPIA completed (recommended)
Phase 8: Sector-Specific Requirements
→ Public sector → FONCTION_PUBLIQUE.md
- Coordination with Art. 40 CPP documented
- Designated officer informed of Art. 40 obligations
→ Duty of vigilance → VIGILANCE.md
- Mechanism established in consultation with representative unions
- Extended scope (subsidiaries, subcontractors, suppliers)
- External stakeholders eligible
→ Regulated sectors (financial, healthcare, etc.)
- Coordination with sector-specific obligations documented
The Three Reporting Channels (Art. 8 Sapin II Law)
CHANNEL 1: INTERNAL REPORTING (Art. 8 I)
WHEN: Can be used directly, without prior condition
ELIGIBLE PERSONS (Art. 8 I.A. 1° to 5°):
- Staff members (current or former)
- Job applicants
- Shareholders, partners, voting rights holders
- Members of administrative, management, supervisory bodies
- External and occasional collaborators
- Contractors, subcontractors and their bodies/staff

CHANNEL 2: EXTERNAL REPORTING (Art. 8 II)
WHEN: Can be used in two ways
- EITHER after making an internal report
- OR directly (without going through internal)
POSSIBLE RECIPIENTS:
- 1° Competent authority (list in annex to Decree No. 2022-1284)
- 2° Defender of Rights
- 3° Judicial authority (Public Prosecutor)
- 4° Competent EU institution, body or agency

CHANNEL 3: PUBLIC DISCLOSURE (Art. 8 III)
WHEN: Protection granted only in the following cases
- CASE 1 (Art. 8 III 1°) - Ineffective reports: after an external report (preceded or not by an internal one) AND no appropriate measure taken at deadline expiry
- CASE 2 (Art. 8 III 2°) - Serious and imminent danger
- CASE 3 (Art. 8 III 3°) - Risks related to external reporting: risk of retaliation OR impossibility of effective remedy
- DEROGATORY CASE (Art. 8 III penultimate paragraph): IMMINENT or MANIFEST danger to the public interest
- ⚠️ EXCLUSION: Cases 2°, 3° and the derogatory case do NOT apply if disclosure harms national defense/security
NOTE: Since the Waserman Law (2022), whistleblowers can freely choose between internal and external channels. They are no longer required to go through internal channels first.
Whistleblower Definition (Art. 6 Sapin II Law)
WHISTLEBLOWER = Natural person who:
- Reports or discloses WITHOUT DIRECT FINANCIAL CONSIDERATION
- In GOOD FAITH
- Information concerning:
  - A crime or offense
  - A threat or harm to the public interest
  - A violation OR an attempt to conceal a violation of:
    - an international commitment
    - European Union law
    - a law or regulation
Exclusions (Art. 6 II): National defense secrets, medical confidentiality, judicial deliberation secrecy, investigation/inquiry secrecy, attorney-client privilege.
Facilitators (Art. 6-1): Natural or legal person under private non-profit law who assists the whistleblower.
Whistleblower Protections
→ Detailed reference: TEXTES_LEGAUX.md - Article 10-1
Civil and criminal immunity (Art. 10-1 I) if reasonable grounds to believe the report was necessary.
Prohibited retaliation measures (Art. 10-1 II): suspension, dismissal, demotion, transfer of duties, discrimination, harassment, blacklisting, etc.
Reversal of burden of proof (Art. 10-1 III): the employer must prove their decision was justified.
Automatic nullity of any act taken in breach of these protections.
Common Errors
| Error | Risk | Correction |
|---|---|---|
| System not updated since 2022 | Waserman non-compliance | Complete revision |
| Requiring internal channel first | Contrary to free channel choice | Remove this requirement |
| No automatic acknowledgment of receipt | Non-compliance with 7-day deadline | Automate sending |
| Confidentiality not technically guaranteed | Compromise risk | Encryption, partitioning |
| Designated officer = member of senior management | Potential conflict of interest | Appoint independent officer |
| No information on external channels | Legal obligation | Complete the information |
| Unlimited data retention | GDPR non-compliance | Apply CNIL retention periods |
| No oral reporting option | Decree 2022-1284 requirement | Provide oral channel |
Penalties and Risks
| Offense | Penalty | Legal Basis |
|---|---|---|
| Obstructing reporting | 1 year prison + €15,000 fine | Art. 13 Sapin II Law |
| Retaliation | 3 years prison + €45,000 fine | Art. 225-1 and 225-2 Criminal Code |
| Disclosing whistleblower identity | 2 years prison + €30,000 fine | Art. 9 Sapin II Law |
| Abusive reporting | 5 years prison + €45,000 fine | Art. 226-10 Criminal Code |
Reference Texts
| Text | Date | File |
|---|---|---|
| EU Directive 2019/1937 | 10/23/2019 | assets/Directive_2019_1937.pdf |
| Law No. 2016-1691 (Sapin II) | 12/09/2016 | assets/Loi_Sapin_II_consolidee.pdf |
| Law No. 2022-401 (Waserman) | 03/21/2022 | assets/Loi_Waserman_2022.pdf |
| Decree No. 2022-1284 | 10/03/2022 | assets/Decret_2022_1284.pdf |
| CNIL Framework | 07/24/2023 | assets/Referentiel_CNIL_alertes_professionnelles.pdf |
| Public Sector Circular | 06/26/2024 | assets/Circulaire_26_juin_2024.pdf |
| DREETS Summary | 02/17/2025 | assets/DREETS_synthese_2025.pdf |
| Law No. 2017-399 (Vigilance) | 03/27/2017 | assets/L225-102-1.pdf and assets/L225-102-2.pdf |
| EU Directive 2024/1760 (CS3D) | 06/13/2024 | assets/Directive_CS3D_2024_1760.pdf |
Policy Drafting (Mode B)
Provided Template
| Template | Format | Usage |
|---|---|---|
| Template_Politique_Lanceur_Alerte.docx | Word | Internal reporting policy template |
IMPORTANT: The template must be used EXACTLY as provided. Only variable elements should be adapted to the client's situation. Do not rephrase, delete, or reorganize template clauses.
Drafting Workflow
STEP 1 — Collect Client Information
- Legal form and headcount
- Channels chosen (written, oral, both)
- Identity of designated officer(s)
- Reporting channel contact details
- Scope of eligible persons
- Coordination with other systems (duty of vigilance)
STEP 2 — Adapt the Template
- Open Template_Politique_Lanceur_Alerte.docx
- Complete ONLY the variable elements
- Do NOT rephrase existing clauses
- Do NOT delete sections
- Add the mandatory clause on external channels
Example wording to insert in the policy:
Independently of this system, any person may submit an external report directly to the Defender of Rights, the judicial authority, or the competent authority according to the relevant domain. The list of external authorities is set by the annex to Decree No. 2022-1284 of October 3, 2022, available at: https://www.legifrance.gouv.fr/loda/id/JORFTEXT000046357368
STEP 3 — Verify Compliance
→ Use DECRET_PROCEDURE.md and TEXTES_LEGAUX.md to verify mandatory elements
→ Use RGPD_CNIL.md to verify GDPR compliance
STEP 4 — Add External Channel Information (Legal obligation - Art. 8 para. 3 of Decree No. 2022-1284)
Finalization
STEP 5 — Validation
- Have management review
- Consult the works council if applicable (≥ 50 employees)
- If duty of vigilance: consultation with representative unions
STEP 6 — Dissemination
- Choose dissemination channels (see Section 6 - Phase 6)
- Ensure permanent accessibility
- Train designated officers