Domitille Fontaine-Castets, is the Chief Compliance Officer of the renowned French hotel group Accor. For La Lettre du DPO, she looks back on her career in detail and shares her views on the subject of whistleblowers (and the processing of their data) within organisations.
1/- What is your background and what and what prompted your interest in data and the GDPR?
“During my practice of company law, while working on mergers and acquisitions, including of an international nature, I came across the key regulations under which governments (often working together on a regional or even international level) were trying to ‘clean up’ the business world by standards enacting formal obligations to collect and process information in order to better detect any undesirable behaviour (fraud, harassment, corruption, etc.), putting the authorities in a position to act according to a logic geared towards prevention and thus implying a change in such behaviour under the pressure of this formalism. This can be very burdensome, in particular with the adoption of Law n° 2016-1691 known as ‘Sapin 2’ in December 2016 which requires the collection and processing of data, some of which is sensitive due to the seriousness of the facts it reveals. It was therefore only natural that I should look into the GDPR, which came into force in 2018 and which also brought the protection of personal data within the scope of my responsibilities as DPO in my previous job.”
2/- What are your current responsibilities and what project(s) are you currently working on in relation to whistleblowers?
“All these regulations respond to ‘monumental goals’, to use Professor Frison-Roche’s expression (by which she means ‘concern for others’, aimed at making the world and human society more ‘sustainable’, such goals being threatened, for example, by corruption, damage to the environment or the rights of individuals through the processing of their data). They therefore follow a common philosophy, which has led to the emergence of the position of Compliance Officer. This position, which is my job today, leads me to work on the identification of risks and then responding to them through control and prevention measures, in line with the regulations and standards that Accor has adopted in six areas: the fight against corruption, compliance with international sanctions (e.g. those adopted against Russia), compliance with competition rules, compliance with payment standards in hotels, compliance with standards protecting human rights (involving the duty of care), and lastly the protection of personal data.
On a day-to-day basis, with regard to whistleblowers and the current legal issues on this subject, we have chosen, on the one hand, to open up this option to anyone (our suppliers and customers, for example), and not keep it for our employees alone; on the other hand, to enable alerts to be processed locally (without requiring them to be examined at HQ level); and lastly, to rework the retention periods and update the impact analysis imposed by the GDPR. On the whole, this whistleblowing system works well because, leaving aside the nonsensical accusations received from time to time, most whistleblowers enable us to identify genuine malfunctions, which we then deal with.
To encourage this, I think it is necessary to limit the use of anonymous alerts, because the investigation process, making it possible to rule out any dubious actions, very often requires us to contact the person who made the alert.”
3/- How do you see the future of these regulations?
“Digital technology, which has considerably facilitated means of communication, has also given rise to a world of absolute transparency, since our every move is now traceable. Secrecy and intimacy are gradually disappearing, if only through the data constantly collected by the digital tools we use, or simply present in our personal or professional environment. And, in my opinion, this sort of ‘tyranny’ of transparency will not be reversed. In this context, whistleblowers will continue to be protected, and probably increasingly so. To rebalance the protection of all those implicated in whistleblowing, compliance with the GDPR is one of the keys.”