On March 9, 2023, the Council of Ministers approved Legislative Decree No. 24 of March 10, 2023 (the “Decree”) implementing Directive (EU) 2019/1937 on whistleblowing (the “Directive”), which partially amends the draft decree that was preliminarily approved on December 9, 2022 (the “Draft Decree”).

The Decree will enter into force on March 30, 2023 and apply from July 15, 2023.  For private entities with up to 249 employees, some provisions of the Decree will apply starting in December 2023.

The Decree is aimed at further strengthening domestic legislation on the protection of reporting persons.[1]  Its main new provisions include:

  • obligations to establish internal and external reporting channels for public and private entities with more than 50 employees or that have adopted an organizational model (“Model 231”) pursuant to Legislative Decree No. 231/2001 (“Decree 231”);
  • the right to report breaches of Union law (as provided by the Directive), and domestic law that may harm the public interest or the entity’s integrity (including breaches of Model 231);
  • protection of persons reporting through public disclosure;
  • an obligation to “diligently follow up” on reports, and
  • specific penalties in the case of breach of the Decree’s provisions (including for failure to follow up on reports).

1. The new rules provided by the Decree

After a long delay – which resulted in the opening of an infringement procedure against Italy – the Decree finally transposes the Directive into Italian law, introducing various amendments to legislation applicable to legal entities in the private sector.[2]  In so doing, the Decree partially extends the scope of measures provided by the Directive (which is allowed under Article 2(2) of the Directive), and reflects some of the critical remarks on the Draft Decree made by Confindustria[3] (the main association representing manufacturing and services companies in Italy) and other experts.

The key amendments introduced by the Decree are set out below.

A. Material and personal scope of the Decree

Unlike the Directive, the Decree’s material scope is not limited to reports of breaches of Union law in specific areas.[4]  Indeed, the Decree also provides for the possibility (at least within public entities)[5] to report breaches of domestic law that may harm the public interest or the entity’s integrity.[6] 

The Decree also extends the personal scope compared to that set out in the Directive.  Under the Decree, in addition to public entities, the following private entities will be required to comply with new whistleblowing rules:

  • private entities that have employed, in the last year, 50 or more workers with permanent or fixed-term employment contracts, regardless of whether they have adopted a Model 231 and limited to reports of breaches of Union law in the specific areas set out by the Decree;
  • private entities falling within the scope of Union acts referred to in Parts I.B and II of the Annex to the Decree (i.e., the acts on “financial services, products and markets, and prevention of money laundering and terrorist financing”, “transport safety” and “protection of the environment”), regardless of the number of workers employed and limited to reports of breaches of Union law in the specific areas set out by the Decree; and
  • private entities that have adopted a Model 231, regardless of the number of workers employed and limited to reports of (i) breaches of Union law in the specific areas set out by the Decree, and (ii) breaches of Decree 231 and of the Model 231.  However, if such entities have fewer than 50 workers, the obligation to comply with the Decree is limited to reports of breaches of Decree 231 and of the Model 231.[7]

The definition of “whistleblower” follows the Directive, and includes, among others, persons whose work-based relationship is yet to begin, where information on breaches has been acquired during the recruitment process or other pre-contractual negotiations, and former employees who report information on breaches acquired during their work-based relationship.

The Decree is aimed at protecting persons who report information on breaches through internal or external reporting channels, through public disclosures (see part B below), and through reports to the judicial or accounting authorities, where the information on breaches falls within the material scope of the Decree.  The Decree also protects persons strictly connected to the reporting person (e.g., facilitators, persons in the same work-related context of the reporting person who are connected with the reporting person by an emotional or family relationship, colleagues of the reporting person, and legal entities that the reporting person owns, works for or is otherwise connected to in a work-related context).

B. Reporting channels

The Decree requires public and private entities to establish both internal and external reporting channels.  

The internal reporting channel may be operated internally by a person or department designated for that purpose, or externally by an independent third party with specifically trained personnel.  The channel shall provide for the possibility to:

  • report in writing (including through online platforms), or orally, through telephone hotlines or voice messaging systems or, upon request of the reporting person, through a face-to-face meeting; and
  • share resources as regards the receipt of reports and any investigation to be carried out, between private entities with fewer than 250 workers.[8]

Regarding the external reporting channel, the Decree identifies the Italian Anticorruption Authority (“ANAC”) as the competent authority to receive external reports for both the public and private sectors.  Within private entities, the external reporting channel can only be used to make reports of breaches of Union law in the specific areas set out by the Decree.

In any event, the external channel can only be used: (a) where no internal channel complying with the Decree exists; (b) when the report made through the internal channel has not been followed up; (c) when the reporting person has reasonable grounds to believe that the report made through the internal channel will not be effectively followed up or may result in a risk of retaliation;[9] or (d) when the reporting person has reasonable grounds to believe that the breach may constitute an imminent or manifest danger to the public interest.

Moreover, in accordance with the Directive, the Decree provides for the application of protective measures to persons who make public disclosures (i.e., “through the press or electronic media or otherwise through publicly available means”), but only when: (i) the reporting person first made an internal or external report that has not been followed up; (ii) the reporting person has reasonable grounds to believe that the breach may constitute an imminent or manifest danger to the public interest; or (iii) the reporting person has reasonable grounds to believe that, in the case of external reporting, there is a risk of retaliation or a low prospect of the breach being effectively addressed, “due to the specific circumstances, such as those where evidence may be concealed or destroyed or where those who received the external report may be in collusion with the perpetrator of the breach or involved in the breach.”

C. The “diligent follow-up”

In line with the Directive, the Decree introduces a specific obligation to follow up on the reports.

In particular, the person designated to receive and manage the reports made through the internal reporting channel[10] shall, among other things:

  • give due acknowledgment of receipt of the report to the reporting person within seven days of that receipt;
  • maintain communication with the reporting person and, where necessary, ask for further information;
  • diligently follow up on the report, i.e. assess the existence of the reported facts by investigating the report and adopting any necessary remedial actions; and
  • provide feedback to the reporting person within three months from the acknowledgment of receipt or, if no acknowledgement was sent to the reporting person, within three months from the expiry of the seven-day period after the report was made.

D. Protection of personal data and confidentiality

In addition to the general obligation to process personal data in compliance with the relevant legislation, the Decree sets out specific requirements on the confidentiality regime applicable to the reporting persons, the persons involved and the persons concerned by the report.

In particular, public and private entities will be required:

  • with specific regard to external reports, to comply with the guidelines that will be adopted by ANAC within three months from the entry into force of the Decree and after consulting the Italian Authority for Privacy.  Such guidelines shall, among other things (i) regulate the use of computer-based reporting channels; and (ii) promote the use of encryption tools to ensure the confidentiality of the reporting person’s identity, as well as of the persons involved or concerned by the report, the content of the reports, and of the relevant documentation; and
  • to ensure confidentiality of the reporting person’s identity and of the persons involved or concerned by the report.[11]

Moreover, when processing personal data that is necessary for the receipt and management of internal reports, the person designated for that purpose, as Data Controller, shall: (i) identify the appropriate technical and organizational measures to ensure a level of security appropriate to the specific risks, and define the procedure for the receipt and management of internal reports; (ii) provide appropriate information to the reporting persons and other persons involved, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”); (iii) take appropriate measures to protect the rights and freedoms of the interested parties; and (iv) regulate the relationship with any external processor of personal data pursuant to Article 28 of the GDPR.

Entities sharing resources on the receipt and the management of reports shall transparently define, by internal agreements, their respective responsibilities for compliance with personal data protection obligations under Article 26 of the GDPR.

Under the Decree, personal data that is manifestly not useful for the management of a specific report shall not be collected (and, if accidentally collected, shall be immediately deleted).  The exercise of data subjects’ rights under Articles 15 to 22 of the GDPR (including, for example, the right of the data subject to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her is being processed, and their right to access the personal data) will be subject to the limits set forth in Article 2-undecies of Legislative Decree No. 196 of June 30, 2003 (the “Privacy Code”).[12]  This means that, where there is a risk of actual prejudice to the confidentiality of the reporting person, the exercise of data subjects’ rights may be delayed, limited or excluded (to the extent that it constitutes a necessary and proportionate measure), without prejudice to the data subject’s ability to ask the Italian Authority for Privacy to exercise such rights on his/her behalf.  Data Controllers should inform data subjects of this option.

Lastly, in relation to reports and relevant documentation, the Decree provides for a retention period of up to five years from the date of the communication of the final outcome of the report.

E. Measures for the protection of reporting persons and persons connected to them

Regarding the measures for the protection of reporting persons (and persons connected to them), the Decree provides the following:

  • prohibition of retaliation against the reporting persons or those connected to them.  In the case of proceedings and/or disputes concerning alleged retaliatory actions, the Decree provides both a rebuttable presumption that the retaliatory action is a consequence of the reporting, and a reversal of the burden of proof in the victim’s favor;
  • a list of non-profit entities, established at ANAC, providing support measures for the reporting persons (e.g., information, assistance and advice offered free of charge on how to report, protect from retaliation, on the rights of the concerned person, and on the terms and conditions of access to legal aid);
  • the ability for individuals who believe that they have suffered retaliation to report it to ANAC;[13] and
  • a special ground for exemption from criminal liability for the reporting person (with the exclusion of any further civil or administrative liability), for breach of secrecy,[14] breach of copyright, breach of data protection rules, or damage to the reputation of the person concerned by the report, when (i) at the time of the disclosure or dissemination of information, the reporting person had reasonable grounds to believe that the reporting or public disclosure was necessary for revealing a breach pursuant to the Decree, and (ii) the reporting person acted in good faith and in compliance with the Decree.  Liability is also excluded for the acquisition of or access to information on breaches, unless the fact amounts to a criminal offense.

The above protective measures are not granted when a criminal or civil court has ascertained that the reporting person, with intent or gross negligence, made a false or unfounded report.

F. Penalties

Among the most significant provisions, the Decree, in accordance with the Directive, introduces penalties against individuals and legal entities that fail to comply with the Decree.

In particular, ANAC may impose a fine of: (i) Euro 10,000-50,000 on individuals or legal entities that retaliate against the reporting person (or those connected to him/her), hinder, or attempt to hinder, their reporting, or that breach their duty to maintain the confidentiality of the identity of reporting persons; (ii) Euro 10,000-50,000 on entities that fail to establish reporting channels, define procedures to receive, provide feedback and follow up on reports, or establish procedures which do not comply with the Decree, and/or fail to diligently follow up on the reports received; (iii) Euro 500-2,500 on the reporting person, when his/her bad faith has been ascertained by a criminal or civil court, unless he/she “has been convicted, even at first instance, for the criminal offenses of defamation or slander”.

Finally, entities that have adopted a Model 231 shall include, within their disciplinary system, specific disciplinary measures against those responsible for the above infringements.

2. Date of application

Public and private entities will be required to comply with the Decree by July 15, 2023.[15]  

Private entities with fewer than 249 workers will have until December 17, 2023 to establish an internal reporting channel in compliance with the Decree.  They will be required to establish the external one by July 15, 2023.

3. What to do next

In light of these developments, companies should consider updating or – where they do not already have one – adopting a whistleblowing management system.

Failure to comply with the Decree may result in heavy fines, not only for failure to establish reporting channels, but also for failure to handle reports properly or to follow up on reports.

Private entities that already have a whistleblowing management system in place will be required to:

  • adapt their internal reporting channels so as to: (i) ensure that they are operated internally by a person or department designated for that purpose, or externally by an independent third party with specifically trained personnel; (ii) ensure reporting in writing, orally or through physical meetings (and not only through an online platform); and (iii) allow such channels to be used by all the persons falling within the definition of “whistleblower”;
  • establish an external reporting channel operated by ANAC;
  • adopt – where lacking – a procedure for handling reports in compliance with the Decree, including its obligation to provide, within the abovementioned deadlines, feedback to the reporting persons on the receipt, handling and outcome of the report;
  • ensure that the persons connected to the reporting person are protected; and
  • schedule and conduct specific employee training on the new whistleblowing rules to ensure that all interested parties are fully aware of them.

[1] The matter was already regulated in both the public and private sectors, by Legislative Decree Nos. 165/2001 (Article 54-bis) and 231/2001 (Article 6, para. 2-bis onwards), and by Law No. 179 of November 30, 2017.

[2] In the public sector, domestic legislation was already in line with the Directive.  In the private sector, only companies that had adopted a Model 231 were required to establish a whistleblowing management system which included (i) two reporting channels able to protect whistleblowers’ identity, of which at least one had to be computer-based; and (ii) the prohibition of retaliation or discrimination.

[3] See Position Paper on the Draft Decree concerning the “Implementation of Directive (EU) 2019/1937 of the European Parliament and the European Council of October 23, 2019, on the protection of persons who report breaches of Union law and the protection of persons who report breaches of domestic law”, published by Confindustria on January 20, 2023.

[4] In particular, the Decree provides for the protection of persons reporting the following breaches of Union law: (i) breaches falling within the scope of Union acts concerning the following areas: public procurement; financial services, prevention of money laundering and terrorist financing; product safety and compliance; transport safety; environmental protection; nuclear safety; food and feed safety, animal health and welfare; public health; consumer protection; privacy and personal data protection, and security of network and information systems; (ii) breaches affecting the financial interests of the Union as referred to in Article 325 of the Treaty on the Functioning of the European Union (“TFEU”) and as further specified in relevant Union measures; (iii) breaches relating to the internal market, as referred to in Article 26(2) TFEU, including breaches of Union competition and State aid rules and breaches of State corporate tax law; and (iv) breaches that frustrate the object or purpose of the provisions set forth in the acts of the Union in all of the above areas.

[5] Unlike the Draft Decree, the Decree does not include breaches of domestic law (other than breaches of Decree 231 and of the Model 231) among those which can be reported within private entities.

[6] The material scope of the Decree does not include: (i) disputes, claims or requests in relation to a reporting person’s personal interest such as issues exclusively concerning his/her employment relationship, or relationship with senior colleagues; (ii) reports of breaches that are already mandatorily governed by Union or national acts falling within Part II of the Annex to the Decree, or national acts implementing Union acts which fall within Part II of the Annex to the Directive, although not expressly mentioned in Part II of the Annex to the Decree; and (iii) reports of breaches involving national security aspects, such as procurement rules involving defense or national security, unless they are covered by the Union’s relevant acts.

[7] The Decree, by limiting the material scope of the reports, partly reflects Confindustria’s position, which had suggested limiting the personal scope in the private sector to entities with a Model 231 and with more than 50 workers.

[8] In this regard, the Decree does not expressly mention groups of companies, despite Confindustria’s suggestion.

[9] This provision has been criticized by Confindustria due to the excessive discretion granted to the reporting person.

[10] Similar obligations are placed on ANAC in the case of reports made through the external reporting channel (pursuant to Article 8 of the Decree).

[11] Article 12 of the Decree prohibits disclosing the identity of the reporting person to persons other than those specifically authorized without the reporting person’s consent.  The identity of the reporting person shall also be kept confidential during criminal proceedings (according to Article 329 of the Italian Code of Criminal Procedure) and in proceedings before the Court of Auditors until the closure of the investigation phase.  In disciplinary proceedings, the identity of the reporting person can be disclosed, subject to his/her prior consent, only where the charge is based, in whole or in part, on the report and the identity of the reporting person is necessary for the defense of the accused.  The same protective measures apply to the identity of the persons involved and the persons concerned by the report.

[12] As amended by Article 24, para. 4 of the Decree.

[13] The provision under Article 6, para. 2-ter of Decree 231, providing for the possibility to report any retaliatory action to the National Labor Inspectorate (now replaced by ANAC), is thus repealed.

[14] The Decree does not affect the application of Union or national law relating to: (i) the protection of classified information; (ii) the protection of legal and medical professional privilege; and (iii) secrecy of judicial deliberations (pursuant to Article 1, para. 3 of the Decree).

[15] Until that date, the pre-existing domestic legislation will continue to apply.