🛡️🔍 SIRENA: a unified national system for managing complaints and reporting abuse in the health, social and medico‑social sectors. The tool centralises, assigns and monitors situations of vulnerability involving older people and persons with disabilities.
Summary
🔴🔑AT THE HEART OF THE SUBJECT: Analytical summary, Key points to remember, Courses of action for stakeholders, Additional references
➕🛠️ ADDITIONAL RESOURCES: Cross-sectional analysis, Multiple choice questions, Frequently asked questions, Easy to read and understand
Source: 📒 Decree No. 2026-139 of February 27, 2026 creating a processing of personal data called “National complaints information system 📜🔗LINK
Analytical summary
Context and issues
This decree establishes SIRENA (National Complaints Information System), a personal data processing system used by regional health agencies, departmental councils and State decentralised services to manage complaints from users of the health, social and medico-social systems, including reports of abuse against vulnerable adults due to age or disability. It is adopted under Law No. 2024-317 of 8 April 2024 on building a society of healthy ageing and autonomy and aims to strengthen the protection and monitoring of situations of abuse. The system centralises complaints, assigns them to the competent authorities and supports the production of statistics to inform public policies.
Operational contributions
The decree precisely defines the purposes of the processing, the categories of personal data collected, the authorised users and access rules, the retention periods (one year in active database, then up to six years in intermediate archiving) and the rights of data subjects. It also creates regional abuse reporting units within regional health agencies and provides for cooperation protocols between regional health agencies, departmental councils and State decentralised services. The system is implemented as a public interest processing under the GDPR and provides a national, standardised framework for handling complaints and reports of abuse.
Key strengths of the document
The decree clearly states four main purposes for SIRENA: collecting and centralising complaints, assigning them to the competent administrative authorities, enabling them to manage and follow up cases, and producing statistics to improve protection and care policies for vulnerable adults.
It provides a detailed and exhaustive list of personal data categories processed, including information on the person concerned, the complainant, alleged facts, alleged perpetrators, witnesses and prior steps. It strictly frames access to data on a “need-to-know” basis and designates joint controllers (DGCS and the General Secretariat of the social ministries), ensuring clear governance of the system.
It specifies data retention periods and technical traceability requirements, which supports compliance with GDPR and national data protection law. Finally, by inserting new regulatory articles D.119-1 and D.119-2 into the Social Action and Families Code, it formally organises regional abuse reporting units and obliges them to inform reporters of the follow-up to their reports where contact details are provided.
Actionable recommendations for local actors
Local actors should identify and designate the professionals within their organisations who will be authorised to access SIRENA, ensuring that access rights are strictly aligned with their responsibilities and the “need-to-know” principle set out in the decree.
Regional health agencies, departmental councils and State decentralised services should draw up or update written cooperation protocols to clarify responsibilities, information flows and timeframes for handling complaints and abuse reports.
Teams should be trained on the categories of data to be collected, the conditions for processing sensitive data and the retention periods, in order to ensure compliant and consistent data entry into SIRENA.
Finally, regional abuse reporting units must organise procedures to systematically inform persons who reported abuse of the outcome of their report when they provided contact details, thereby reinforcing transparency and trust in the system.
