The law n°2016-1691of 9 December 2016 targeting transparency, anti-bribery and the modernization of the economic life, known as "Loi Sapin II" imposes new requirements for some companies and notably:

1.         for companies having at least 50 employees, the duty to determine appropriate procedures to receive concerns from whistleblowers (article 8 of Sapin II Law).

This obligation, which will be effective from the 1^st of January 2018, has been specified by the decree n°2017-564 of 19 April 2017 relating to the procedures to receive alerts from employees and external and occasional collaborators within public or private legal entity or administrations of the State. This decree provides notably:

• the conditions under which the whistleblowers can issue an alert and
• the conditions intended to ensure the respect of confidentiality.

2.         for companies having or belonging to any group which has at least 500 employees and whose annual turnover is more than 100 million euros, the obligation to establish a program for anti-bribery and against influence peddling (article 17 of Sapin II Law which has been effective since the 1^st of June 2017).

In order to prevent bribery and influence peddling, the concerned companies must implement the following measures:

• a code of conduct defining and illustrating the different types of bribery and influence peddling facts;
• an internal system of alerts for the purpose of collecting the alert from employees concerning any violations of the code of conduct;
• a risk mapping;
• an assessment procedure of clients, providers and intermediaries in the light of the risk mapping;
• an accounting control procedure;
• a training system for managers and employees exposed to the risk of bribery and influence peddling and
• an internal control procedure to assess the efficiency of measures implemented.

In case of failure to fulfil the obligations provided under article 17, the sanction commission of the French anti-bribery Agency (AFA) can issue injunctions to ensure conformity and pronounce sanctions (up to 1.000.000 euros) possibly accompanied by publication measures.

Implementation of these obligations raises some questions concerning personal data processing. Companies must, for this purpose, notably make sure to respect the provisions of the Autorisation unique 004 of the French data protection authority (Commission Nationale de l’Informatique et des Libertés - CNIL) as amended by the deliberation n°2017-191 of 22 June 2017 in order to take into account the provisions of the Sapin II Law.

To comply with the provisions of this new legal framework, the concerned companies should launch an action plan without delay.