Italy: National transposition of the Whistleblowing Directive - What you need to know

The Whistleblowing Directive is aimed at ensuring a higher degree of protection for individuals who report a violation of EU law and policies, introducing measures and requirements which foster a safe space for reporters. The Whistleblowing Directive has been implemented in Italy through Legislative Decree No. 24 of March 10, 2023 (the Decree).

Francesca Gaudino, Partner at Baker McKenzie LLP, discusses key considerations of the Decree regarding whistleblowing systems and reports from a data protection perspective.

Background

The rationale behind the Whistleblowing Directive is that whistleblowers play a key role in the monitoring, and also the enforcement, of EU laws and policies, since '[t]hey feed national and Union enforcement systems with information, leading to effective detection, investigation and prosecution of breaches of Union law, thus enhancing transparency and accountability' (Recital 2 of the Whistleblowing Directive).

The following laws previously governed whistleblowing systems in Italy:

  • Law No. 179 of November 30, 2017 (the Whistleblowing Law), in force as of December 29, 2017; and
  • Legislative Decree No. 231 of June 8, 2001 (the Corporate Liability Decree).

In line with the Whistleblowing Directive, and in order to give potential reporters the confidence to file a report, the Decree requires the set-up of a coherent and effective structure of reporting channels and also regulates how those channels function; for example, how they should be set up, managed, and monitored. In parallel, the Decree introduces a comprehensive and reliable set of guarantees to effectively protect reporters against possible negative consequences, such as acts of retaliation.

Whistleblowing systems

Compared with the whistleblowing systems available in Italy under the former legislative framework, the main game-changers introduced by the Decree include:

  • broadening the perimeter of application in terms of relevant laws and regulations which can be the subject matter of a report;
  • enlarging the spectrum of individuals who may file a report;
  • widening the availability and accessibility of the communication channels to be implemented to file a report; and
  • setting up a robust system of protection for the whistleblower, both in terms of requirements to be fulfilled to protect the relevant confidentiality and specific measures to be adopted to protect the reporter against possible retaliation.

Looking through a data protection lens

From a data protection perspective, the Whistleblowing Directive refers to the General Data Protection Regulation (GDPR) in two distinct ways: on the one hand, GDPR rules are recalled as requirements to be fulfilled for the data processing activities performed in the management of the reports; on the other hand, a breach of GDPR rules is among the conducts that fall within the scope of application of the Whistleblowing Directive itself. Article 13 of the Decree expressly refers to GDPR compliance as well.

Generally speaking, the Whistleblowing Directive, and in turn the Decree, raise a number of issues in respect of the processing of personal data of the reporter, the reported person, and any third parties involved, as applicable. The mere fact that the range of reportable conducts has been enlarged, together with the range of potential reporters (and reported persons), translates into a higher volume of personal data being processed, including special categories of data under Article 9 of the GDPR, and a higher number of data subjects potentially involved. Of course, other important elements must also be factored in, such as transparency, security and confidentiality, proportionality, and lawfulness of processing, among other principles.

It is worth noting that, on January 11, 2023, the Italian data protection authority (Garante) issued a favorable opinion (available only in Italian) on the then-draft Decree, which incorporated most of the observations raised by the Garante.

Key considerations

Looking at the interplay between the Decree on the one side and the GDPR together with Italian Legislative Decree No. 196/2003 (the Privacy Code) on the other, the main points of attention may be identified as the following four:

  • the set-up of the whistleblowing system;
  • the managing of the whistleblowing system;
  • the data subjects, intended as the reporting person, the reported person, and potential third parties who may be mentioned in the report or involved in the course of the relevant investigation; and
  • the managing of the reports, whether unsubstantiated or to be further investigated.

Set-up of whistleblowing systems

Starting with the whistleblowing system itself, this should be conceived and implemented with the principles of Privacy by Design and by Default in mind.

The Decree provides that the communication channels should allow the filing of reports in written form (including through information technology tools), in oral form (through telephone lines or voice messaging systems), or, if so requested by the reporter, through an in-person meeting.

The first concern for the 'owner' of the whistleblowing system is guaranteeing the security of all of these communication channels and the confidentiality of the reporting and reported persons, any third parties involved, the content of the report itself, and the related documentation. The Decree mentions cryptography as a means of ensuring this confidentiality.

Before the implementation of the Decree, the Garante sanctioned some data controllers for breaches of the GDPR and the Privacy Code in the management of whistleblowing systems, including for the lack of adequate security measures to guarantee the security and confidentiality of the data processed and of the data subjects involved.

Article 13 of the Decree expressly provides that whistleblowing systems should adopt technical and organizational security measures that are adequate in relation to the specific risks arising from those systems, on the basis of a Data Protection Impact Assessment (DPIA).

Managing whistleblowing systems

For the management of the whistleblowing system, Article 13 of the Decree specifies that the entities adopting a whistleblowing system under the Decree act as data controllers; when sharing resources for receiving and managing reports with others (as allowed under the Decree), the relationship should be that of joint controllers, which triggers the obligation to have an agreement in place defining the respective duties and responsibilities.

If the management of the reporting channel is assigned to a third-party service provider, the provider should be engaged through a data processing agreement, since it would act under the instructions of the relevant controller (or joint controllers). Considering the high attention paid to security and confidentiality (and the previous decisions of the Garante mentioned above), 'privacy vendor due diligence' should be carried out against high compliance criteria.

The persons involved in the collection and management of the reports should receive specific training, including on security and confidentiality.

Involved individuals

For the data subjects involved in the management of a report, the main requirements under the Decree concern the information and transparency obligations and the protection of the reporter's confidentiality. The controller has to provide clear and complete details on the whistleblowing system and the applicable reporting channels. This information should be published and made easily available at the workplace, as well as accessible to persons who do not attend the workplace. If the controller has a website, it should publish this information there, in a dedicated section of the website.

Confidentiality of the identity of the reporter, together with the documentation and material relating to the report, is given high priority. On this point, Article 2-undecies of the Privacy Code (formerly applied only under the Whistleblowing Law) sets out specific limitations on the exercise of data subject rights under the GDPR. Those rights may indeed be delayed, limited, or excluded for the time and within the limits that are necessary and proportionate to protect the reporter's confidentiality. In these circumstances, the rights may be exercised through the Garante. Among the other information and transparency requirements, the controller should also specify that data subject rights may be restricted in this way and that the Garante may be involved in the process.

Managing reports

The management of reports raises issues such as data accessibility, retention, and possible investigations. Access should be granted on the basis of very strict and pre-defined need-to-know criteria. The Garante's proposal on data retention periods has been adopted under Article 14 of the Decree, so that reports and the related documentation may not be kept for longer than five years after the final outcome of the reporting procedure has been communicated to the reporting person. Data that is not relevant, as well as unsubstantiated reports, should be deleted immediately.

As to possible investigations following the filing of a report, the controller should pay attention to the 'usual' privacy issues raised by an investigation, such as (to name a few) conducting a DPIA, maintaining an effective chain of custody for evidentiary purposes, preserving confidentiality, and complying with the data processing principles under Article 5 of the GDPR.

Data transfers

Lastly, any transfers of personal data to third countries should be accurately mapped and carried out accordingly; the records of processing activities and the data retention policy and procedures should be updated to cover the processing triggered by the implementation of the whistleblowing system.

Francesca Gaudino, Partner
Baker McKenzie LLP, Milan