News

On March 15, 2023, Legislative Decree No. 24 of March 10, 2023 (the »Whistleblowing Decree«) was published in the Italian Official Gazette. The new decree implements the provisions of Directive (EU) 2019/1937 of the European Parliament and of the Council on »the protection of persons who report breaches of Union law« and regulates the manner of reporting said breaches through the so-called Whistleblowing channels.

Here is a summary of the main new features:

Whom does the Decree apply to?

The Decree affects all private employers who have employed »on average at least fifty subordinate workers under permanent or fixed-term employment contracts«, regardless of whether or not they have adopted an Organizational Model pursuant to Legislative Decree No. 231/2001.

In addition to the foregoing employers, the Whistleblowing Decree concerns entities that, although their staff is comprised of less than 50 subordinate workers, are engaged in particular activities (financial services, products and markets, prevention of money laundering and financing of terrorism; transportation safety and environmental protection) as well as entities that adopt organizational and management models pursuant to Legislative Decree No. 231/2001.

Effective date of the provisions

»The provisions of this decree shall become effective as of July 15, 2023« for private entities that have employed, in the last year, more than 249 workers on average.

»For private entities that have employed, in the last year, an average number of employees, under permanent or fixed-term employment contracts, of up to two hundred and forty-nine units, the obligation to establish the internal reporting channel pursuant to this decree shall become effective as of December 17, 2023.«

What steps should be taken?

The above-mentioned entities, »having consulted with the representatives or trade union organizations referred to in Article 51 of Legislative Decree 81/2015« shall set up appropriate internal channels for reporting illegal activities, as better specified below, »which will ensure, including through the use of cryptography tools, the confidentiality of the identity of the reporting person, the person concerned and the person in any case mentioned in the report, as well as the content of the report and the related documentation«.

Type of conduct to be reported

Breaches that may be reported include, among others, »administrative, accounting, civil or criminal offenses«, »unlawful conduct considered material under Legislative Decree 231/2001 or violations of organizational and management models«, as well as »offenses that fall within the scope of application of European Union or national acts indicated in the annex to this decree« or »actions or omissions that harm the financial interests of the Union«.

Subjective Scope of Application

Pursuant to Article 3 of the Decree, the subjective scope of application include, among those who can report/disclose: employees, collaborators, persons having self-employed status, volunteers, directors, shareholders, etc.

Management of reporting channels

Management of the above-mentioned channels may be carried out:

• through internal reporting channels, by appointing "a dedicated autonomous internal person or an office with personnel specifically trained to manage the reporting channel."
• through an »external entity, also autonomous and with specifically trained personnel.«

Form of reporting

Reports may be made:

• in writing, including with computer-based methods;
• orally. Oral reporting shall be made by telephone or through voice messaging systems or, upon request by the reporting person, by means of a physical meeting within a reasonable timeframe.

Ways of communicating the existence of channels

The companies concerned »shall make available clear information on the channel, procedures and prerequisites for making internal reports, as well as on the channel, procedures and prerequisites for making external reports.«

Such information shall be »displayed and made easily visible in workplaces, as well as made accessible to persons who, although not attending the above-mentioned workplaces, have a contract-based relationship in one of the forms referred to in Article 3, paragraphs 3 or 4.«

»If they have their own website, public and private sector entities shall also publish the information [...] in a dedicated section of their website.«

Protection of confidentiality

Reports may not be used »beyond what is necessary to adequately follow up on them.«

The identity of the reporting person and any other information from which such identity may be inferred, directly or indirectly, should not be disclosed - without the express consent of the reporting person - to any individuals other than those responsible for receiving or following up the reports and who are expressly authorized to process such data [...]

In addition, the person or internal office or external entity entrusted with the management of the internal reporting channel »shall issue to the reporting person a notice of receipt of the report within seven days of the date of receipt« and, within three months, they shall »provide feedback on the report« and about the progress of the procedure.

Sanctions

The ANAC (anti-corruption authority) may impose administrative monetary penalties as follows:

(a) from 10,000 to 50,000 euros when it determines that retaliation has been committed or that reporting has been hindered or an attempt has been made to hinder the reporting, or that the confidentiality obligation under Article 12 has been breached;

(b) from 10,000 to 50,000 euros when it finds that reporting channels have not been established, that procedures for making and handling reports have not been put in place, or that the adoption of such procedures does not comply with those referred to in Articles 4 and 5, as well as when it finds that the verification and analysis of the reports received has not been carried out;

(c) from 500 to 2,500 euros, in the event referred to in Article 16, paragraph 3, unless the reporting person has been convicted, even at first instance, of the offenses of defamation or slander or otherwise of the same offenses reported to the judicial or accounting authorities.

Protection of the »whistleblower«-Art. 17

The employer shall not engage in retaliatory conduct against the whistleblower and, in case of litigation, the decree provides for simplified evidential burdens on the whistleblower.

Conclusion

The changes reported above are significant and will certainly have an impact on companies (including medium-sized ones). It is now up to them - where they have not already done so - to take action to be compliant with the provisions of the aforementioned Decree.

Certainly, the experience gained since the enactment of the 2019 Directive (and, before then, with Law 179/2017) offers several insights to be taken as a basis to implement or supplement the operational systems required to comply with the decree provisions. However, ANAC's intervention through specific Guidelines that can provide useful clarifications and operational details is desirable.