How to mitigate Compliance requirements and Code of Conduct obligations with Data Protection regulation: Reed Smith Paris provided some illustrative examples
This post was written by Daniel Kadar.
Reed Smith Paris partner Daniel Kadar and counsel Séverine Martel hosted, on 25 October 2012, a new edition of the conference cycle organized by Reed Smith Paris with the European American Chamber of Commerce, dedicated to the mitigation of Compliance obligations, particularly as set forth in Codes of Conduct, with data protection requirements.
After a general presentation of the data protection requirements in France, particularly with respect to notification duties towards the French Data Protection Authority, the “Commission Nationale de l’Informatique et des Libertés” (CNIL), the panel, which included compliance directors of French health care giant SANOFI and General Electric Health, gave examples of how to mitigate compliance obligations, in particular as set forth in the Codes of Conduct most international organisations have now adopted, with the applicable data protection regulation.
The first example was dedicated to the new French health care regulation and its transparency and disclosure requirements as to the existence (and the financial range) of agreements between the health care and cosmetics industry and health care professionals (including medicine students), showing that the disclosure of financial and private information (such as the home address of medicine students) has to be managed carefully with respect to the data subject’s information and access rights.
The second set of examples was dedicated to the implementation of whistleblowing hotlines in France, which need to have a restricted scope under French law: the grounds for this limited scope are that the French regulator has worked on the basis of the Sarbanes-Oxley (“SOX”) Act obligations alone, which are limited to accounting and audit, and has therefore largely excluded the other fields of application that Codes of Conduct generally also contain.
After having highlighted the major characteristics of the requirements under French law, taking into account specific labor law obligations, the panel concentrated on the ways and means of implementing such hotlines in France:
- Integrating them globally, or based on geographic regions
- Operating through third-party service providers or through in-house “mediators”
- Insisting on the necessity that such hotlines constitute only an alternative to more formal ways of notification to the hierarchy, and excluding anonymous reports
The panel concluded by stating that there is no “one size fits all” Compliance recipe, and that Compliance remains a field of state-of-the-art mitigation of contradictory regulation.