EU Whistleblowing Directive - Italy

The implications of the EU Whistleblowing Directive in Italy.

04 August 2023

Publication

Existing whistleblower protection

In April 2018, Italy was among the EU Member States which the EU Commission considered to have comprehensive whistleblower protection. Whistleblowing regulations were adopted in Italy in December 2017.

Current implementation status

Alongside other Member States, Italy should have transposed the EU Directive into national law by December 2021. The Italian regime did not cover everything contained in the Directive, and by the end of 2021 Italy had not met the deadline set by the Whistleblowing Directive. However, on 15 March 2023 the Italian law to implement the EU Whistleblowing Directive was finally published (Legislative Decree 10 March 2023, n. 24, hereafter the Decree).

The Decree does not prevent using a group’s shared resources to receive or to investigate whistleblowing reports. However, limitations could arise if group procedures based abroad are not compliant with Italian laws (e.g. for breaching data protection requirements).

The company should consult the unions on the implementation of the internal reporting channel, and the whistleblowing system should be included in the company’s 231 organisational model on corporate liability.

Companies with 250 employees or more will have to comply with the Decree by 15 July 2023; companies with fewer than 250 employees will have to comply by 17 December 2023.

The Decree is definitive and no amendments are expected in the short term.

On 12 July 2023, ANAC approved whistleblowing guidelines on the procedures for the submission and management of external reporting. The guidelines focus on reports made to the external channel set up by ANAC and provide:

  • limit on the matters that can be reported to ANAC (however, there is no public interest test);
  • possibility to access ANAC only if it is documented that (i) the local reporting channel is not active or, if active, is not compliant with the law; (ii) the reporter previously made a report and there was no follow-up; or (iii) the reporter had good reasons to believe that, if he made a report, there would have been no follow-up or this could have led to retaliation;
  • protection of the whistleblower’s confidentiality and data privacy;
  • protection of the whistleblower from retaliation;
  • technical modalities to access the ANAC external channel through the website, by phone or through a meeting in person; and
  • additional provisions applicable to the public sector (e.g. magistrates).

It is confirmed that:

  • All companies with 250 or more employees should have had an internal reporting channel in place since Saturday 15 July 2023; otherwise, they could be sanctioned by ANAC and a whistle-blower could make a report to the ANAC external reporting channel directly; and
  • Companies with fewer than 250 employees falling in the scope of the law can wait up to 17 December 2023 to implement the internal reporting channel.

The Italian Anti-Bribery Authority (ANAC) should issue guidelines to implement external and public reporting channels in addition to the internal ones, entrusted to independent authorities. The guidelines should cover:

  • Procedures to access the external reporting line and to protect the whistle-blower;
  • Procedures in which the external reporting line carries out the investigation;
  • Use of wider group resources; and
  • Measures to protect whistle-blowers from retaliation.

There are currently no reliable indications on timings; however, the external reporting channel should be ready by 30 June 2023 (i.e., the cut-off date for companies with 250 employees or more is 15 July 2023).

No other relevant local guidance has been published at this stage. The current trend is for companies to take a ‘wait and see’ approach and (where applicable) to apply existing global whistleblowing policies in Italy without adaptations.

We will monitor whether the approval of the Decree changes this approach. We expect employers will be requiring a health check on their existing global whistleblowing policies.

Scope of application

  • Companies with 50 or more employees.
  • A number of sectors such as financial services, anti-money laundering, transport safety, environmental protection, data protection etc. (irrespective of the number of employees).
  • Companies subject to corporate criminal liability compliance rules (irrespective of the number of employees).

Whistleblowing policy requirements

Companies are required to set up internal reporting channels for employees and other stakeholders (freelancers, consultants, trainees, shareholders, directors, interns, suppliers) for voicing concerns regarding legal or regulatory compliance and/or for reporting suspected wrongdoings or unlawful or unethical conduct.

The Italian Anti-Corruption Authority (“ANAC”) has been tasked with issuing a set of guidelines on the implementation of external and public reporting channels in addition to internal policies.

Deadlines for rolling out whistleblowing policies

  • Companies with 250 employees or more: by 15 July 2023.
  • Other companies subject to the Decree (with fewer than 250 employees): by 17 December 2023.

The consequences for breaching the new rules

Breaches may be punished as an administrative offence with a fine of:

  • €10,000 to €50,000 in cases of retaliation against the whistle-blower, preventing reporting or the failure to set up internal reporting channels.
  • €500 to €2,500 if a company fails to adequately protect the identity of a whistle-blower.

Spotlight on whistleblowing

The Italian Data Protection Supervisory Authority (Garante Privacy) has recently issued two decisions setting forth some requirements of existing whistleblowing policies in terms of protection of the whistle-blower. In one of those decisions, on 11 May 2022, it sanctioned an IT company which had provided whistleblowing services to a hospital for a GDPR violation. The software provided to the hospital by the IT company did not guarantee anonymity for whistleblowing reports but allowed, through data recording, the identification of potential whistleblowers. The Italian Data Protection Authority imposed a fine of €40,000 on both the hospital and the IT company.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.