Italy: Data protection and corporate criminal liability: the implications of Model 231

This article has been first published by OneTrust Data Guidance on June 5, 2020.

Intersection of Decree 231 with data protection legislation

The provisions contained in the Decree 231 have been partially integrated and modified over time to respond to increasingly urgent national and international concerns. Some of these amendments have intensified the intersection of the provisions of the Decree 231 with data protection regulations, notably the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’)  and the Italian Personal Data Protection Code, Legislative Decree No. 196/2003, as amended by the Legislative Decree No. 101/2018 (‘the Privacy Code’), requiring a significant effort to balance different and sometimes opposing interests. This critical issue is particularly evident with regard to the following two aspects regulated by the Decree 231, which will be examined in more detail below:

  • the introduction of procedures aimed at preventing cybercrimes potentially committed by companies’ associates; and
  • the implementation of whistleblowing procedures involving transfers of personal data outside the European Union.

However, the contextual examination of these regulations is not only important to balance the different interests, but also to give coherence to companies’ compliance projects in order to use the contact points between disciplines for better compliance and resource savings.

Cybercrimes prevention and employees’ data protection rights

In 2008, the scope of Decree 231’s provisions on corporate criminal liability was extended to certain cybercrimes when committed by the entity’s personnel in the interest or for the advantage of the company[1]. These cybercrimes include, by way of example, unlawful access to an information system, the detention and dissemination of access codes to computer or telematics systems, and the damaging of software, information, data, IT programs, and telematics systems.

This means that when designing and implementing Model 231, companies must also address the most suitable countermeasures to prevent the commission of these cybercrimes, which might include the implementation of systems to monitor employees’ activities. The adoption of such measures, though, might be in contrast with the provisions both of the Law No. 300/1970 (‘the Workers’ Statute’) and of the Privacy Code – as clarified by the provisions of the Italian data protection authority (‘Garante’) – regarding the remote control of employees.

Firstly, the Workers’ Statute allows the use of tools that also enable the possibility of remote control of workers’ activity exclusively for organisational and productivity requirements, work safety, and the protection of the company’s assets, and they may be installed subject to a collective agreement entered into by the trade union representative; in the absence of such agreement, a prior authorisation of the Regional Office of the National Labour Inspectorate is required. Secondly, the monitoring tools must always comply with the applicable data protection provisions, as explicitly mentioned by the Workers’ Statute itself. In particular, the monitoring of internet and email use could entail the processing of personal data – and even of special categories of data – requiring the employer to comply with specific data protection provisions that could jeopardise the effectiveness of the measures adopted to prevent the cybercrimes.

Indeed, the Garante’s Guidelines Applying to the Use of Emails and the Internet in the Employment Context[2](‘the Guidelines’) state that the processing must be carried out under the principles of necessity, fairness, relevance and minimisation for specific, explicit and legitimate purposes. It implies that the monitoring cannot be prolonged, constant, and indeterminate and that the employees must be informed of the existence of the monitoring activity, including the modalities and the characteristics of it. Furthermore, the Garante clarified that the general prohibition of remote control of the work activity must be respected also in case of video surveillance, therefore the installation of equipment specifically designed to verify the correctness in the performance of the work is not allowed and the sole suitability of the system to remotely monitor the employees means that the requirements set out in the Workers’ Statute must be met[3].

On the other side, some data protection provisions may support the prevention of cybercrimes. Firstly, the computer systems should be designed to minimise the processing of employees’ personal data, for example by installing proper filters that preclude access to certain sites or features, secondly, the employer should adopt an internal policy governing the use of IT resources in detail. These measures could corroborate the Model 231 by limiting ex ante the activities that the employee can carry out and by setting clear rules on the use of the IT resources.

In the light of the above, the collective agreement (i.e. contracts entered by and between trade unions representatives and certain categories of employers at a national level) could be the privileged instrument to reconcile opposing interests: during the negotiations, employers could specify the methods and purposes of the measures necessary in order to implement a Model 231 preventing cybercrimes and trade unions could ensure compliance of such measures  with the requirements imposed by the applicable laws.

Whistleblowing procedures involving transfers of personal data outside the EU

In addition to the above, there is an interplay between the provisions on corporate criminal liability and the data protection regulations in relation to whistleblowing procedures, which might be implemented within Model 231 as of 2017. According to the amended Decree 231, companies must provide employees with one or more communication channels to report unlawful conducts and irregularities relevant under Decree 231 of which they have become aware as a result of their working activities. In order to do so, it is necessary to assess the compatibility of data protection rules with company’s whistleblowing reporting channels (including internal investigations which follow the whistleblower’s report).

As to international data transfers within whistleblowing channels, the Article 29 Working Party (‘WP29’) established, in its Opinion 1/2006 on the Application of EU Data Protection Rules to Internal Whistleblowing Schemes in the Fields of Accounting, Internal Accounting Controls, Auditing Matters, Fight Against Bribery, Banking and Financial Crime, a ‘principle of investigation in the EU for EU companies’ according to which multinationals should deal with reports in one country rather than share the information with other companies in their group. However, the WP29 acknowledges that the nature and structure of multinational businesses could entail the need to disseminate the information about alleged wrongdoing outside the EU. The necessity of this communication should be assessed based on the nature or seriousness of the reported misconduct, or the (company) group internal structure. In this case, personal data must only be communicated under confidential and secure conditions to the non-EU recipient legal entity, which must ensure guarantees equivalent to those provided by the EU-based entity.

Indeed, the transfer of personal data outside the EU must comply with the relevant GDPR provisions (Articles 44 et seq) which only allow the transfer based on specific legal grounds (such as an adequacy decision of the European Commission on the recipient  country or Standard Contractual Clauses or Binding Corporate Rules). Thus, a case-by-case assessment should be carried out to evaluate which is the suitable legal ground for the transfer.

As a last remark, when multinational businesses need to transfer the information about the alleged wrongdoing outside the EU, it would be advisable to design a ‘two-step channel’ by implementing a first channel of communication in the EU in charge of gathering the information and selecting the relevant ones which will be transferred to the non-EU company. This approach also meets the data minimisation principle, which is highlighted as an important consideration for a whistleblowing procedure in the European Data Protection Supervisor’s (‘EDPS’) Guidelines on Processing Personal Information within a Whistleblowing Procedure[4].

Call to action: comprehensive compliance is better compliance

The intersections between data protection compliance and Model 231 not only lead to friction, but also to an overlap that can be exploited by companies to streamline compliance projects, making them more efficient. As a matter of fact, some of the assessments required under Model 231 can be useful also to carry out data protection assessments. Thus, when designing the company’s compliance project it would be advisable to take into account the full picture in order to optimise the use of resources and achieve a coherent and complete project.

By way of example, the main element common to the two disciplines is the analysis aimed at mapping the risks that the businesses and/or the data processing may entail; risks that, in relation to the GDPR, concern breaches in the processing of data, and, with respect to the Decree 231, the commission of crimes in the interest or to the benefit of the company. In both cases there will be:

  • the mapping of the activities;
  • the assessment of risks and internal rules and controls aimed at minimising them; and
  • a strengthening of the rules of conduct and controls where a weakness arises (or the execution of specific procedures, such as the Data Protection Impact Assessment (‘DPIA’)).

The overlap is even clearer when risks related to cybercrimes are taken into account. Indeed, the scope of cybercrime offences often extends to the security and integrity of personal data. Consequently, the risk assessment carried out for the Model 231 may be used in GDPR compliance, and vice versa, or they may also be carried out simultaneously.

[1]The general principle applicable to organisations for crimes and cybercrimes is that criminal liability is always personal (i.e. held by employees, directors or managers who commit the criminal offences), whereas corporate criminal liability has an administrative character impacting the organisation as a whole by means of fines or disqualification sanctions, and shall be recognised only if the entity’s personnel have committed the crime in the interest or to the benefit of the company.

[2]Avaialble at:

[2]Available, only in Italian, at:

[4]The EDPS provide the following example: ‘A whistleblower reports that a colleague has committed fraud. Within his statement, the whistleblower happens to disclose information about his colleague’s health situation. It is clear to the institution that this information is completely irrelevant to the reported wrongdoing, and therefore it should not be further processed or returned to the sender.’

Seguici su