Internal reporting (whistleblower)

Privacy notice: internal reporting (whistleblower)


The purpose of this notice is to inform you, in full transparency, on the way in which your personal data is processed.


  • Data controller:

The LFB entity having received the internal reporting acts acts as a data controller as defined in General Data Protection Regulation (GDPR).


  • Purpose of the processing:

We process your personal data for the following purpose: collection and processing of internal whistleblowing in order to comply with the French law  Sapin II (law n°2016-1691 of December 9, 2016), the French law Waserman (law n°2022-401 of March 21, 2022) and its application decrees.

For more information, you may consult procedure GC03 – Whistleblowing systme.


  • Legal basis:

We can only process your personal data if it is lawful. Processing is only lawful insofar as it based on one of the legal bases mentioned in the applicable law (GDPR).

The processing of your personal data is based on the following legal bases:

  • Legal obligation (French laws Sapin II and Waserman) for LFB entitees subject to these laws (e.g.: LFB BIOMEDICAMENTS / LFB BIOTECHNOLOGIES / LFB BIOMANUFACTURING).
  • Legitimate interest: for example, LFB SA and LFB GLOBAL PLASMA have a legitimate interest in processing your data in order to implement whistleblowing system common to all LFB entities (procedure GC03). This system involves processing your personal data. The legitimate interests we pursue are balanced against your interests, freedoms and fundamental rights that require protection of personal data. You can obtain information about this balancing by contacting us using the contact details given below.

In a marginal way and depending on the nature of the report and the associated internal investigation, we may be led, in the context of this processing, to process health data constituting sensitive data.

The processing of your health data has the following legal basis: Article 9-2-f of the GDPR – processing necessary for the establishment, exercise or defense of legal claims.

Similarly, data relating to offences, convictions and security measures may be processed under the conditions set out in Article 10 of the RGPD and 46 3° of the French Data Protection Act.


  • Data subject:

This processing of personal data concerns the following data subject:

  • The author of the report (also called whistleblower)
  • The respondent(s)
  • The witness(es)


  • Categories of personal data concerned:

The following categories of personal data are concerned by the processing:

  • Identity, position and contact information of the person who reported the incident,
  • Identity, function and contact information of the respondent
  • Identity, function and contact details of witnesses
  • Identity, function and contact details of persons involved in the collection or processing of the report
  • Information gathered in the context of the verification of the reported facts
  • Reports, content of the investigation
  • Follow-up of the report.
  • Source of the personal data:

Personal data come:

  • Directly from you
  • From alternative sources including whistleblower, respondent(s), witness(es)


  • Obligation to provide your personal data:

The processing of your personal data is necessary to carry out the processing referred above. Failure to provide this data would not allow the report to be processed and the associated investigation to be conducted.


  • Recipients of personal data:

Only persons authorized by their missions or functions have access to the personal data processed.

According to their respective needs, the following recipients receive all or part of the personal data:

  • Investigators in charge of processing the alert
  • Decision-makers (Director of Legal Affairs and Compliance and/or Director of Human Resources)
  • Employees who can provide support for the internal investigation (e.g., the IT Department when looking for emails). Please note that only the data necessary to provide support will be communicated.
  • Our service providers acting as subcontractors on our behalf (to the extent necessary to complete the work we have entrusted to them). This may include, for example, our data host.
  • In the event that personal data is entrusted to a subcontractor, an agreement will be concluded with the subcontractor in order to ensure and guarantee that personal data is processed in accordance with our instructions and that adequate technical and organizational measures are taken to protect it.
  • Public authorities, government agencies…


  • Data transfers outside the European union:

Your personal data is processed in the European Union but may be transferred to countries outside the European Union. We transfer your data to countries with an adequate level of protection to that provided within the European Union.
When we transfer your data to countries which do not offer a level of protection equivalent to that implemented within the European Union, we put in place appropriate technical and legal guarantees in order to protect your data against any access, use or unauthorized disclosure.


  • Period for which the personal data will be stored:

Your personal data are kept for different periods of time depending on the outcome of the report:

  The alert is not concerned by this procedure The alert did not give rise to any consequences When disciplinary or legal proceedings are initiated
The data are destroyed or anonymised… immediately within 2 months of completion of the verification operations at the end of the procedure or of the statute of limitations for appeals against the decision


In certain cases, LFB may keep the data collected for an additional period of time for the purpose of ensuring protection of the whistleblower or to allow for the observation of continued violations. In that case, this extended retention period will be brought to the attention of the persons concerned.

Once the retention period has been reached, the personal data is either destroyed or anonymized. In the latter case, this means that it will be impossible to identify you from this data.


  • Security:

We put in place technical and organisational measures allowing the protection of your personal data. We take reasonable steps to protect your data from loss, misuse, unauthorised access, disclosure, modification or destruction of your data.


  • Your rights:

Within the conditions and limits of the applicable regulations, you have the following rights:

– Right of access: you can access the personal data that we hold about you.

– Right of rectification: you can ask us to correct data that is inaccurate or incomplete.

– Right to erasure (right to be forgotten): you have the possibility under certain conditions to obtain the erasure of the personal data that we hold about you. However, we have the possibility of not responding favourably to your request, in particular in the event that we need your personal data to meet a legal obligation.

– Right to restriction of processing, in particular in the event that you dispute the accuracy of the personal data that we hold about you.

– Right to object: you can object, for reasons relating to your particular situation and under certain conditions, to the processing of data concerning you.

Under certain circumstances, we will not be able to respond to your request if you want to exercise your rights. In such a case, we will explain the reasons for our refusal.


  • Contact and reclamation:

To exercise the above rights or for any questions in connection with personal data, please send any request to the LFB Group Entity’s Data Protection Officer, in priority by email: or by post to the following address: LFB BIOMEDICAMENTS, Data Protection Officer, Legal Affairs and Compliance Department, ZA de Courtabœuf, 3 avenue des Tropiques, 91940 LES ULIS – France. 

If the data subjects consider, after contacting us at the contact details above, that their rights are not respected or that data processing does not comply with data protection rules, they may lodge a complaint with a supervisory authority in particular in the Member State in which their habitual residence, place of work or the place where they consider that a breach of the regulations has been committed.

Version: January 2023