Specific provisions are introduced to protect individuals involved in reporting, including:
- explicit ban on retaliation against the person who made a report, public disclosure or complaint to the authorities. Retaliatory acts are all actions implemented (or even only attempted or threatened) with the aim of jeopardizing in any way the whistleblower's interests or rights. This includes dismissal, suspension, demotion, adoption of disciplinary measures, request for medical examination etc.;
- voidness of actions taken in breach of the ban on retaliation and right to reinstatement of employees dismissed as a result of said prohibited actions;
- in case of retaliatory actions in private companies that are reported to the National Anti-Corruption Authority (ANAC), the ANAC shall inform the National Labor Inspectorate. In addition, courts may take all measures to ensure that the whistleblower's rights are protected. This includes compensation for damages and reinstatement in the workplace, as well as termination and/or declaration of voidness of retaliatory conduct;
- in court proceedings concerning such discriminatory or retaliatory actions, the company bears the burden of proving the non-discriminatory or non-retaliatory nature of its actions against the whistleblower;
- invalidity of full or partial waivers and settlements concerning the rights and protections recognized by the Whistleblowing Decree. This provision, however, does not apply if the employee's waivers and settlements are entered into in specific protected venues.
The Decree confirms the principles set forth in EU Regulation 2016/679 ("GDPR"), including the principles of necessity and proportionality of the processing of personal data of individuals involved in the reporting process. In addition, specific guidance is provided with respect to the profile of confidentiality and security, including:
- the avoidance of collection or the immediate deletion of personal data, including those collected incidentally, that are not useful for the investigation of a specific report;
- prohibition on disclosing the identity of the whistleblower and/or any other information from which it can be inferred, without the whistleblower's explicit consent, except in cases provided for by law (e.g., criminal/disciplinary proceedings);
- adoption of appropriate technical and organizational measures (including the letter of assignment and instructions to personnel authorized to handle reports);
- the limitation on the exercise of the data subject's rights as provided for in the Italian Privacy Code;
- identification of privacy roles and related responsibilities with respect to the handling of reports, which must be regulated through the adoption of appropriate legal documents;
- obligations provided to protect the rights and freedoms of data subjects, including information obligations and those arising from a risk-based approach.
Please also note that reports (internal and external) and related documentation shall be retained for as long as necessary for the handling of the report and in any case no longer than five years from the date of the communication of the final outcome of the reporting procedure, subject to confidentiality obligations.
The Decree also concerns the administrative liability of companies. Indeed, the Decree: (i) provides for the abolishment of the previous rules on prevention of discriminatory measures and retaliatory acts toward whistleblowers (superseded by the new Decree); and (ii) introduces new obligations for companies that have an Organizational Model in place, regardless of the size of the company. New obligations are also introduced for all private companies that, even without an Organizational Model, have specific size characteristics or operate in specific fields. In particular:
- the adoption of internal reporting channels is required, in consultation with representatives or labor organizations. These channels must ensure the confidentiality of the identity of the reporting person, the person involved and the person in any case mentioned in the report, as well as the content of the report itself and related documentation;
- for private sector entities that have employed, in the last year, an average of up to 249 employees under permanent or fixed-term employment contracts, the obligation to establish the internal reporting channel under the Decree takes effect on 17 December 2023, and until then, the rules now abolished by the Whistleblowing Decree continue to apply;
- for private sector entities that have employed an average of 250 or more employees under permanent or fixed-term employment contracts in the last year, the obligation to establish the internal reporting channel pursuant to the Decree shall take effect as of 15 July 2023;
- the definition of "breaches" under the Whistleblowing Decree also includes unlawful conduct relevant under Legislative Decree no. 231/2001, or breaches of the so-called "231 Model", with limited exceptions;
- "Private-sector companies" covered by the new Whistleblowing Decree include companies that: (i) have employed in the last year an average of at least 50 employees with permanent or fixed-term employment contracts, and/or (ii) fall within the scope of application of the Union acts referred to in Parts I.B and II of the Annex to the Decree; and/or (iii) fall within the scope of application of Legislative Decree No. 231/2001, and adopt organizational and management models provided therein;
- activities entrusted to those managing the internal reporting channel include providing clear information about the channel, procedures, and prerequisites for making both internal and external reports;
- in case of breaches of the new provisions (including retaliation against the whistleblower, obstacles to the reporting, breach of confidentiality, missed analysis of the reports etc.), the ANAC may impose sanctions between EUR 10,000 and EUR 50,000.
The external reporting channel (which will be activated and managed at ANAC) may also be used by employees of private companies under certain conditions. By way of example, this may be the case if the entity does not have an internal reporting channel, or the person has reasonable grounds to believe that the internal report would not be effectively followed up or that the report may result in the risk of retaliatory acts.
Therefore, considering the direct and indirect impact that the aforementioned novelties will have, it is appropriate for all companies affected by the Decree, and in particular for those that have already adopted an Organizational Model 231, to carry out an assessment of (i) their internal reporting channels and (ii) the provisions of the Organizational Model, so as to update their compliance systems and adapt them to the changed regulatory framework.