Italy: Main features of the whistleblowing legislative decree and its interplay with Models 231

At long last, on March 15, 2023, Legislative Decree No. 24 of March 10, 2023 (the Decree), transposing the Whistleblowing Directive, was published in the Official Journal of the Italian Republic (available only in Italian).

The Decree replaced Law No. 179 of November 30, 2017 (the Whistleblowing Law) and includes important changes, requiring companies to create new reporting channels or update existing ones in compliance with the new provisions.

Ilaria Curti, Laura Liguori, Gaia Accetta, and Livia Petrucci, from Portolano Cavallo Studio Legale, discuss the Decree's key features and analyze its interplay with Legislative Decree No. 231 of June 8, 2001 (Decree 231).

General background

Under the Whistleblowing Law, only those companies that had voluntarily chosen to adopt compliance programs (Models 231) pursuant to Decree 231, aimed at preventing corporate criminal liability, were obliged to:

  • implement appropriate channels in such Models 231 aimed at reporting potential compliance violations and offenses entailing corporate criminal liability; and
  • guarantee protection against retaliation in favor of the reporting person.

This connection has been partly overcome by the Decree, which extended both the scope of the matters that can be reported and the range of persons protected (i.e., facilitators, colleagues, and relatives of whistleblowers, as well as companies that whistleblowers own, work for, or are otherwise connected with), and imposed further obligations on companies. In addition, the Decree also requires action from a Decree 231 perspective, as companies will have to update their Models 231 in accordance with the new provisions.

Which companies are in the scope of the Decree?

The Decree addresses public companies, as well as companies in the private sector that:

  • in the last year had an average of at least 50 employees with permanent or fixed-term employment contracts;
  • operate in certain industries (i.e., financial services, products, and markets; prevention of money laundering and terrorist financing; transport security; and environmental protection); and/or
  • adopted Models 231.

Who can be qualified as whistleblower?

The Decree provides for a broad definition of a whistleblower entitled to report the above violations, which includes employees, self-employed workers and consultants, volunteers and interns, shareholders, and individuals with management, control, supervisory, or representative powers. Moreover, individuals involved in recruitment, contract negotiations, and probationary periods, as well as former employees can all be whistleblowers. Former employees can report facts learned during the course of their employment relationships.

What types of violations can be reported by whistleblowers?

Violations that whistleblowers in the private sector can report pursuant to the Decree are the following:

  • breaches of EU regulations, as well as the corresponding Italian implementing provisions in specific areas (e.g., public procurement, privacy, competition, consumer protection, tax matters, environmental protection, financial services, prevention of money laundering and terrorist financing, as well as acts or omissions in breach of EU financial interests); and
  • offenses that may entail corporate criminal liability pursuant to Decree 231 that are not included in the point above, as well as breaches of the compliance system established with Models 231.

How can violations be reported?

The Decree provides for three different ways of reporting potential violations, i.e., internal reporting channels, external reporting channels, and public disclosure. External reporting refers to a report made directly to the Italian National Anti-Corruption Authority (ANAC) if, for instance, a company fails to set up an appropriate whistleblowing channel as required by law, or in case of a risk of retaliation. ANAC is then entitled to investigate the reported conduct or to submit the report to the appropriate administrative or judicial authorities, which will carry out the necessary inquiries.

Subsidiaries of multinational groups with an average of up to 249 employees are allowed to share their reporting channels, provided that specific conditions are met, including when:

  • reporting channels exist and are made available at the subsidiary level;
  • the whistleblower is clearly informed that a designated person/department at the parent company will be authorized to access the report, and the whistleblower has the right to object and request that the reported conduct be investigated only at the local level; and
  • any other follow-up measures taken and feedback to the reporting person are from the subsidiary.

Conversely, subsidiaries with an average of 250 or more employees are required to implement autonomous local internal reporting channels. However, neither the Whistleblowing Directive nor the Decree prohibits maintaining whistleblowing channels at a central level in parallel to the local ones, publicizing their availability, and encouraging reporting persons to use them. Nevertheless, the report needs to be managed and investigated at the local or global level, respectively, in full confidentiality and without sharing information, except for the outcome of the report, unless the reporting person allows it.

Note that, pursuant to the Decree, companies that adopted Models 231 and had an average of up to 49 employees in the last year may only use the internal channel to make the report, while it seems that the other channels could be used only once these companies reach an average of at least 50 employees. However, ANAC has interpreted the provision to mean that violations of Models 231 can be reported only internally in all circumstances.

Internal reporting channels shall be managed by the company's independent functions and specifically trained employees, or by knowledgeable external third parties, including law firms. In this respect, appointing external lawyers to assess and investigate reports may have the advantage, in certain circumstances, of shielding investigation outcomes with legal privilege.

When can data related to the report be shared?

Generally speaking, Article 4 of the Decree provides that the internal channel shall ensure the confidentiality of the reporting and the reported persons, of the content of the report itself, and of any other person mentioned. Furthermore, Article 12 of the Decree establishes that the identity of the reporting person, and any other information from which such identity may be inferred, directly or indirectly, may be disclosed to a third party exclusively with the prior express consent of the reporting person. Therefore, except for entities with fewer than 250 employees that can share the reporting channel (as well as the relevant data), under the Decree consent is necessary for the sharing of data related to the report: as such, subsidiaries can no longer rely on legitimate interest under Article 6(1)(f) of the General Data Protection Regulation (GDPR) to share information about a violation, except, of course, in the case of authorizations under Article 29 of the GDPR and processor relationships under Article 28 of the GDPR.

Such an approach aims at ensuring that people still feel free to report at a local level, because they know that the information related to the report will not be shared with other entities of the same group without their consent. However, anchoring data sharing in consent has downsides. For instance, if the reporting person is an employee, the longstanding issue of the legitimacy of consent as a legal basis for employee-related processing carried out by the employer arises (e.g., see European Data Protection Board (EDPB) Guidelines 05/2020 on consent under Regulation 2016/679).

Moreover, before the Decree, the sharing of personal data related to the reports between entities of the same group was mainly based on the legitimate interest of such entities to manage the investigation efficiently. The question then arises as to whether consent is the appropriate solution to protect the reporting person from retaliation while not frustrating better management of the investigation.

From a practical standpoint, this approach entails that the same reporting channel should allow its owner to separate the processing of report data into data that can be shared, because consent was collected, and data that cannot be shared. This will likely require rethinking or replacing existing channels, as well as implementing overly complex organizational measures.

Is the Supervisory Board still eligible to be in charge of managing internal reporting channels?

Under the previous regulation, the Supervisory Board (SB) could be the body designated to receive reports, being an independent body that handles compliance with Decree 231.

With the entry into force of the Decree, no concerns seem to arise for companies with an average of fewer than 50 employees, since in such cases the matters that can be reported will in any event be limited to issues under Decree 231. The same approach, however, does not seem to be applicable to companies with 50 or more employees, as in this case the potential violations to be reported may also be unrelated to Decree 231; therefore, the SB may not be the proper body to designate for handling whistleblowing reports.

What are the amendments to be made to Models 231?

In addition to the above, the Decree also has an impact on Models 231, which need to be updated with information related to:

  • the reporting channels;
  • the non-retaliation principle; and
  • the disciplinary sanctions in case of specific violations (e.g., non-compliance of the internal reporting channel with the provisions of the Decree; violation of non-retaliatory principles; or failure to ensure confidentiality).

Indeed, Article 24(5) of the Decree expressly amends Article 6(2-bis) of Decree 231, by providing that Models 231 shall establish internal reporting channels, the prohibition of retaliation, and the disciplinary system in accordance with the Decree.

Next steps from a data protection perspective

Any processing of personal data under the Decree shall be carried out in accordance with the GDPR and Italian Legislative Decree No. 196/2003 (the Privacy Code). Specifically, Article 13 of the Decree is dedicated to the processing of personal data, with Articles 12 and 14 providing further specifications.

The Decree focuses on the principles under Article 5 of the GDPR, as well as on the Data Protection by Design and by Default principle. For instance, the Decree requires the data controller owning the reporting channel to duly inform data subjects about the data processing, to implement adequate technical and organizational security measures, and to carry out a Data Protection Impact Assessment (DPIA). The Decree also sets the retention period for data related to the report at a maximum of five years from the date of communication of the final outcome of the reporting procedure.

Moreover, the Decree determines the roles of the parties involved in the data processing: in case of a shared channel for entities with 249 or fewer employees, the channel's owners will be joint controllers; the relationship with external providers shall be regulated pursuant to Article 28 of the GDPR (e.g., in case the reporting channel is technically supplied by a third party). Persons responsible for receiving or managing the report shall be expressly authorized and instructed by the controller to process personal data under Article 29 of the GDPR and Article 2-quaterdecies of the Privacy Code.

In addition, the Decree establishes that data subjects cannot exercise their rights under Articles 15 to 22 of the GDPR if this may result in actual and concrete prejudice to the confidentiality of the identity of the reporting person pursuant to the Decree (see also the amended Article 2-undecies of the Privacy Code).

Ilaria Curti, Partner
Laura Liguori, Partner
Gaia Accetta, Associate
Livia Petrucci, Associate
Portolano Cavallo Studio Legale, Milan