Whistleblowing Decree: Key points for the pharmaceutical sector
A new regulation with significant impact on the operations of companies, including those in the pharmaceutical sector, was published on March 15, 2023 on the Official Journal of the Italian Republic: Legislative Decree No. 24 of March 10, 2023 (the “Decree”), implementing the EU Directive 2019/1937 on whistleblowing.
Large multinational companies that have already adopted reporting systems based on procedures designed by foreign parent companies are now called on to assess whether their existing reporting channels are compatible with the requirements of the new legislation. The Decree replaced the previous whistleblowing rules, expanding the scope of the prohibition on retaliation against whistleblowers and introducing specific obligations for both public and private entities.
The fifty-employee limit
Under the new provisions, any company that (i) has an average of at least fifty employees, and/or (ii) operates in one of the specific sectors listed in the Decree (e.g., financial services, products and markets, prevention of money laundering and terrorist financing, transport safety, environmental protection, etc.), and/or (iii) has adopted an Organization, Management and Control Model pursuant to Legislative Decree No. 231/2001 (the so-called “231 Model”) is required to establish internal reporting channels meeting the specific requirements set out in the Decree. These channels are designed to give whistleblowers (e.g., employees, shareholders, directors, consultants, self-employed workers, etc.) the opportunity to report potential wrongdoing and violations of rules in certain areas expressly listed in the Decree. These areas include relationships with public officials, consumer protection, protection of privacy and personal data, competition, and the environment. Whistleblowers may also report other offenses that could give rise to corporate liability under Legislative Decree No. 231/2001, as well as any violation of the 231 Model.
The role of the Italian anti-corruption authority (ANAC)
If a company fails to comply with the requirements established by the Decree, it may (i) incur sanctions imposed directly by the ANAC and (ii) face the risk of the whistleblower making an external report. The Decree gives whistleblowers the right to report a potential violation directly to the ANAC if, for instance, the company has not established an internal channel that meets the legal requirements, has not followed up on a report, or if there is a risk of retaliation. Once a report is received, the ANAC may directly investigate the reported conduct or, if the report does not fall within its purview, forward it to the competent administrative or judicial authorities, which then carry out the necessary investigations.
The Decree also expressly regulates key privacy aspects for the processing of personal data related to reports, to which the provisions of Regulation (EU) 2016/679 (“GDPR”) and Legislative Decree No. 196/2003 and later measures apply in any case. For example, the Decree focuses on the need to implement adequate security measures (requiring a data protection impact assessment to be carried out), provides a maximum retention time for data related to reporting, and establishes the roles of those involved in the processing.
Key points for pharmaceutical companies
Companies in the pharmaceutical sector typically operate in multiple jurisdictions and have parent companies abroad. The changes introduced by the Directive and the Decree have important consequences for them from an organizational and group-governance perspective.
The first issue arises from the fact that such companies, typically organized as large multinational groups, are as a rule unable to share reporting channels and the related data across group companies. However, under the Decree, companies with an average of no more than 249 employees may share their reporting channels, provided that specific conditions are met. Namely:
- the reporting channels exist and are made available at the subsidiary level;
- the whistleblower is clearly informed that a designated person/department of the parent company will be authorized to access the report, and the whistleblower has the right to object and request that the reported conduct be investigated only at the local level;
- any follow-up and feedback to the whistleblower occur at the local level.
For their part, companies with an average of 250 or more employees are required to implement autonomous internal reporting channels at the local level. Managing reports locally therefore requires careful assessment at parent-company management level, since groups of this kind typically have centralized procedures and policies, and investigations of reports are usually handled directly by, or with the support of, the parent company. As a result, each subsidiary must establish dedicated local reporting channels with the specific characteristics required by the Decree. The local adjustment of the reporting channel may require timelines that are not fully compatible with the deadlines set by the Decree itself: companies with 250 or more employees should have complied by July 15, 2023, while companies with up to 249 employees have until December 17, 2023, to implement their internal reporting channels.
A significant issue for multinational groups whose whistleblower management is centralized at the foreign parent company concerns the ability to adequately investigate reported conduct, which may sometimes have multi-jurisdictional relevance (e.g., bribery/corruption of medical professionals who may qualify as foreign public officials under the U.S. Foreign Corrupt Practices Act, FCPA). In order to mitigate the potential risks stemming from handling reports locally, Italian companies could encourage potential whistleblowers to report globally, while still providing local reporting channels. Neither the Directive nor the Decree prohibits maintaining central-level whistleblowing channels in parallel with the local ones, publicizing their availability and encouraging subsidiary whistleblowers to use them. Nevertheless, a report must be handled and investigated at whichever level it was received (local or global) under full confidentiality and without sharing information between levels, unless the whistleblower expressly consents to that.
When consent is needed to share the identity of the whistleblower
With the exception of entities with an average of fewer than 250 employees (which may share channels under the conditions described above), the Decree requires the whistleblower’s consent before his/her identity, or any other information from which that identity can be inferred directly or indirectly, is shared with third parties. Subsidiaries can therefore no longer rely on legitimate interest under Article 6(1)(f) of the GDPR when sharing information about violations. This is without prejudice to cases where the third party with whom the information is shared is a person authorized under Article 29 of the GDPR or a data processor under Article 28 of the GDPR. Moreover, even when a reported breach is also relevant under foreign regulations applicable to the parent company, as mentioned above, the obligation to pursue the relevant conduct under the foreign regulation does not per se legitimize the local company sharing data with the parent company. To justify the data sharing, the obligation to pursue the conduct would have to rest on the data controller, i.e. the local company, under regulations applicable to it.
Internal electronic reporting channels: Security measures
Article 4 of the Decree requires companies to implement internal reporting channels that ensure the confidentiality, including through encryption, of the identity of the whistleblower, of the reported person and of any individuals otherwise mentioned in the report, as well as of the contents of the report and of any accompanying documents. The guidelines adopted by the ANAC with Resolution No. 311 of July 12, 2023 and the related opinion of the Italian Data Protection Authority (measure No. 304 of July 6, 2023) further specify that electronic channels such as ordinary e-mail and certified e-mail (PEC) are not adequate to guarantee confidentiality. Consistently with this, and based on the wording of the guidelines themselves, the ANAC appears to regard only online platforms as acceptable electronic channels.
Pharmaceutical companies that are part of multinational groups have most likely already implemented group-wide reporting channels via online platforms. If so, the implementation of the local channel described in the previous section could be entrusted to the same provider that manages the group-level platform, so that the channels can be integrated or kept separate as needed (e.g., depending on whether or not the whistleblower has consented to sharing the reporting data with third parties). Such a solution allows coordinated management of reports, but the adequacy of the organizational and technical security measures ensured by the provider must be verified beforehand. By way of illustration, in light of previous decisions of the Italian Data Protection Authority, as well as the new ANAC guidelines and the related opinion of the Italian Data Protection Authority mentioned above, encryption is as a general rule to be considered an adequate measure. Furthermore, when the channel is accessed from the company’s internal network, the non-traceability of the whistleblower at the moment the connection to the channel is established must be guaranteed, both on the IT platform and on any equipment that may be involved (e.g., firewall or proxy): the records kept by such equipment must not allow the connecting user to be identified.
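The non-traceability requirement on proxies and firewalls can be checked, rather than assumed. The following is an added example (not from the article, the Decree or the ANAC guidelines) that audits a Squid-style proxy access log for entries tying a client address or an authenticated proxy user to the whistleblowing platform, and shows a scrubbed form of the same log. The log lines and the platform hostname `whistleblowing.example-platform.invalid` are constructed for the example.

```python
"""Audit a proxy access log for entries that would make a whistleblower traceable.

Added example, not from the article or the ANAC guidelines. Assumptions:
- Squid "native" access.log format (timestamp, elapsed, client, action/code,
  size, method, URL, user, hierarchy/from, content-type).
- The whistleblowing platform is reachable at the hypothetical host WB_HOST.
- The log lines in SAMPLE_LOG are constructed, not captured from a real proxy.
"""
import re
from dataclasses import dataclass

WB_HOST = "whistleblowing.example-platform.invalid"  # hypothetical platform hostname

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: line 1 identifies both the client IP and the proxy user,
# line 2 is unrelated traffic, line 3 is a platform connection already anonymized.
SAMPLE_LOG = [
    "1690000000.101    245 10.1.2.3 TCP_TUNNEL/200 5120 CONNECT "
    "whistleblowing.example-platform.invalid:443 jdoe HIER_DIRECT/203.0.113.10 -",
    "1690000000.202     12 10.1.2.4 TCP_MISS/200 842 GET "
    "http://intranet.example.invalid/news - HIER_DIRECT/10.0.0.5 text/html",
    "1690000000.303    301 - TCP_TUNNEL/200 7331 CONNECT "
    "whistleblowing.example-platform.invalid:443 - HIER_DIRECT/203.0.113.10 -",
]


@dataclass
class Hit:
    line_no: int
    client: str
    user: str
    url: str


def host_of(url):
    """Extract the host from either a full URL or the 'host:port' of a CONNECT."""
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0].split(":", 1)[0].lower()


def find_traceable_hits(lines, wb_host=WB_HOST):
    """Return log entries that tie an identifiable client to the platform.

    An entry is traceable when it targets the platform host and records either
    the client address or an authenticated proxy user (anything other than '-').
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m or host_of(m["url"]) != wb_host:
            continue
        if m["client"] != "-" or m["user"] != "-":
            hits.append(Hit(n, m["client"], m["user"], m["url"]))
    return hits


def scrub(lines, wb_host=WB_HOST):
    """Blank the client address and user on platform connections.

    Blanking rather than dropping keeps timestamps and volumes for capacity and
    health monitoring while removing who connected.
    """
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and host_of(m["url"]) == wb_host:
            line = " ".join([m["ts"], m["elapsed"], "-", m["status"], m["size"],
                             m["method"], m["url"], "-", m["hier"], m["ctype"]])
        out.append(line)
    return out


if __name__ == "__main__":
    for hit in find_traceable_hits(SAMPLE_LOG):
        print(f"line {hit.line_no}: client={hit.client} user={hit.user} -> {hit.url}")
    print("after scrubbing:", len(find_traceable_hits(scrub(SAMPLE_LOG))), "traceable entries")
```

Running the audit on the sample log flags line 1 (client 10.1.2.3, user jdoe); after scrubbing, no traceable entry remains. Scrubbing after the fact is a fallback: the preferable configuration is for the proxy or firewall not to record client identity for connections to the platform in the first place, and the same check should be applied to any other system that sees the connection (DNS resolvers, single sign-on, endpoint agents), since each of them can re-create the link the proxy log no longer holds.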