Whistleblowing: New regulation calls for significant changes that require companies to create new reporting channels or upgrade existing channels.
WHAT DO COMPANIES DOING BUSINESS IN ITALY NEED TO KNOW?
Companies doing business in Italy must have appropriate channels for reporting violations both to avoid sanctions and to curtail the risk that reports are made externally. The Decree introduces a whistleblower’s right to report to the Italian National Anti-corruption Authority (“ANAC”) if, for instance, a company fails to organize an appropriate whistleblowing channel as required by law or in case of risk of retaliation. The ANAC then is entitled to investigate reported behavior or to submit the report to the appropriate administrative or judicial authorities that will take care of the necessary inquiries.
WHICH COMPANIES ARE INVOLVED?
The provisions of the Decree apply to public and private companies that:
- in the last year had an average of at least50 employees with permanent or fixed-term employment contracts;
- operate in certain industries(g., financial services, products, and markets; prevention of money laundering and terrorist financing; transport security and environmental protection);
- adopted compliance programspursuant to Legislative Decree No. 231/2001 (known as “Model 231”).
WHO QUALIFIES AS A “WHISTLEBLOWER”?
The Decree provides a broad definition of a “whistleblower,” a category that includes employees, self-employed workers, consultants, volunteers, interns, shareholders, and individuals with management, control, supervisory, or representative powers.
Moreover, individuals involved in recruitment, contract negotiations, and probationary periods and former employees can also be whistleblowers. Former employees can report facts learned during the course of their employment relationships.
WHAT TYPES OF VIOLATIONS CAN BE REPORTED BY WHISTLEBLOWERS?
Whistleblowers in the private sector can report the following violations:
- breaches of EU regulations, as well as the corresponding Italian implementing provisions in specific areas (e.g., public procurement, privacy, competition, consumer protection, tax matters, environmental protection, financial services, prevention of money laundering and terrorist financing, and EU financial interests);
- offenses that may entail corporate criminal liability pursuant to Legislative Decree No. 231/2001, as well as breaches of Model 231.
HOW CAN VIOLATIONS BE REPORTED?
The Decree introduced three different methods for reporting potential violations: internal reporting channels, external reporting channels, and public disclosure.
In any event, internal and external reporting channels must ensure confidentiality regarding the identities of whistleblowers and any other persons involved and the contents of reports.
Any personal data processing related to a whistleblowing report must be carried out in accordance with the GDPR and Italian data protection regulation (e.g., with respect to the minimization principle; rules on restriction of exercise of the data subject’s rights; information to be provided to the data subject pursuant to Sections 13 and 14 of the GDPR; privacy by design and by default principles).
1. INTERNAL REPORTING CHANNELS
The new whistleblowing regulation establishes an obligation for a company, upon consultation with trade unions, to establish an internal reporting channel that may be managed internally by a designated person or department or externally by knowledgeable third parties, including law firms. Appointing external lawyers to assess and investigate reports may have the advantage in certain circumstances of shielding investigation outcomes with legal privilege.
The channel shall provide the possibility to report in writing or orally or, upon request of the reporting person, through a face-to-face meeting.
The person or office designated to receive reports must:
- confirm receipt of the report to the whistleblower within seven days of receipt;
- communicate with the whistleblower to request further information, when necessary;
- assess the report and investigate the reported behaviors;
- provide feedback to the whistleblower within three months of confirmation of receipt.
Pursuant to the Decree, companies with up to 249 employees may share internal reporting channels and analysis and investigation of reports with holding companies and other group companies.
What does the regulation require of multinational companies organized at the holding level?
The Decree explicitly cites the possibility of using shared reporting channels only for companies with up to 249 employees. The EU Commission previously stated that if whistleblowing channels are organized at the holding level, a subsidiary may rely upon the investigative capacity of its parent company or other group companies, provided that:
- reporting channels exist and are made available at the subsidiary level;
- the whistleblower is clearly informed that a designated person/department at the parent company will be authorized to access the report, and the whistleblower has the right to object and request that the reported conduct be investigated only at the local level;
- any other follow-up measures taken and feedback to the reporting person are from the subsidiary.
Therefore, a multinational group may consider appointing a local reporting manager at an Italian branch with up to 249 employees or a local external office to maintain communication with whistleblowers and safeguard their rights at the local level. Subsidiaries with 250 or more employees must implement dedicated reporting channels.
EXTERNAL REPORTING CHANNELS
One of the most significant changes introduced by the Decree is the opportunity for whistleblowers to report potential violations directly to the ANAC, which has the power to conduct investigations of reported behavior:
- if the company fails to establish internal reporting channels compliant with the Decree;
- when a report has not been followed up;
- when the whistleblower has reasonable basis to believe that the internal report may result in risk of retaliation;
- when the internal report may trigger imminent danger to the public interest.
The ANAC is also entitled to submit reports to administrative/judicial authorities for violations falling under their purview. In such cases, these authorities will carry out the investigations.
Guidelines for the external reporting channel procedure shall be published by the ANAC within three months of the entry into force of the Decree.
Significantly, the explanatory report accompanying the Decree specifies that in addition to the ANAC, the Italian Competition Authority (“AGCM”) will also be in charge of the external reporting channel for antitrust violations. In this respect, it is worth noting that back in February 2023 the AGCM introduced a dedicated whistleblowing platform, following the best practices of the European Commission and multiple national competition authorities. This means that a whistleblower with knowledge of infringements of competition rules can interact directly with investigation offices on an anonymous basis.
Under certain conditions, the Decree provides whistleblowers the opportunity to disclose publicly the potential violations that they intend to report.
More specifically, this option may be used when:
- the whistleblower already has made an internal/external report, but appropriate follow-up action has not been taken;
- the relevant violation may constitute imminent or manifest danger to the public interest;
- the whistleblower has reasonable basis to believe that the external report may be ineffective or there may be risk of retaliation.
WHAT PROTECTIONS ARE ESTABLISHED FOR WHISTLEBLOWERS?
Companies should be aware that the Decree provides a series of protective measures for whistleblowers reporting potential violations.
This protection is extended to other parties connected to whistleblowers, i.e., the following:
- facilitators, meaning individuals assisting whistleblowers in the reporting process and operating in the same workplace;
- colleagues and relatives of whistleblowers;
- companies that whistleblowers own, work for, or with which they are otherwise connected.
The company is responsible for making it clear within the company that retaliation against whistleblowers and related parties is prohibited and if retaliation is reported, the employer bears the burden of proof and must demonstrate that the measures taken against a whistleblower are not the result of the reporting.
Whistleblowers can report any retaliatory measures to the ANAC, which will forward such reports to the National Labor Inspectorate (ITA).
WHEN CAN THE ANAC IMPOSE SANCTIONS?
The ANAC is entitled to impose pecuniary sanctions against companies and individuals ranging from EUR 10,000 to EUR 50,000 in cases of retaliation against whistleblowers and/or persons connected with them; hindering or attempting to hinder whistleblower reporting; violation of the obligation of confidentiality; failure to implement internal reporting channels or adopt procedures for their management in accordance with the Decree, as well as to assess and review reports received and diligently follow up on them.
In addition, the ANAC may impose fines ranging from EUR 500 to EUR 2,500 on whistleblowers if a report is deemed to be defamatory or slanderous.
By that same date, companies with up to 249 employees must implement external reporting channels, but they will have until December 17, 2023, to implement internal reporting channels.
 Regulatory references: On March 15, 2023, the Legislative Decree of March 10, 2023, No. 24 (the “Decree”), which transposes EU Directive No. 2019/1937 on whistleblowing, was published in the Official Journal of the Italian Republic.
 As an example, (i) companies will be required to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk arising from processing activities that shall be based on a data protection impact assessment according to Section 35 of the GDPR; and (ii) if external providers process personal data on behalf of the company, companies must appoint them as data processors pursuant to Section 28 of the GDPR.
 That includes the prohibition against lay-off, suspension, demotion, negative references, adoption of disciplinary measures, and other sanctions, including fines, coercion, intimidation, harassment, ostracism, discrimination, unfavorable treatment, failure to convert a fixed-term employment contract to a permanent employment contract when the employee had a legitimate expectation of such conversion, non-renewal or early termination of a fixed-term employment contract, early termination or cancellation of a supply agreement, or cancellation of a license or permit.