Italian Legislative Decree no. 24 of 10 March 2023 (the ‘Decree’), implementing Directive (EU) 2019/1937 and ‘on the protection of persons who report breaches of Union law and containing provisions concerning the protection of persons who report breaches of national regulatory provisions’ (so-called Whistleblowing Directive),has been published in the Italian Official Gazette no. 63 of 15 March 2023.
The provisions referred to in the Decree apply, among others, to entities in the private sector that in the last year:
- have employed an average of at least 50 workers with permanent or fixed-term employment contracts;
- despite having employed fewer than 50 workers, adopt organization and management models envisaged by Italian Legislative Decree 231/2001 (Modelli di organizzazione e gestione – “MOG“).
Entities in the private sector, having heard the trade unions’ representatives or organisations, must set up and activate internal reporting channels that guarantee the confidentiality of the identity (i) of the reporting person, (ii) of the person concerned or of the person in any case referred to in the report as well as (iii) the content of the report and related documentation.
The management of the internal reporting channels can be entrusted (i) internally, to a person or to an autonomous internal office dedicated to this and made up of personnel specifically trained for the management of the reporting channel or (ii) externally to a third party, also autonomous and with specifically trained personnel. Furthermore, specific procedures for managing the internal reporting channels are envisaged which must be promptly implemented and applied by the employers and the information relating to the channel, the procedures and the conditions for making reports shall be displayed and made easily visible to all recipients.
Any processing of personal data must be carried out in compliance with current legislation on the protection of personal data, today represented by Regulation (EU) 2016/679 (the ‘GDPR’) and by Italian Legislative Decree 196/2003, as amended by Italian Legislative Decree 101/2018 (the ‘Privacy Code’). Employers addressees of the new legislation must therefore adopt all the necessary formalities required by the legislation on the subject of protection and safeguard of personal data processed.
For the violation of the provisions of the Decree, the imposition of administrative sanctions ranging from EUR 10,000 to 50,000 is envisaged:
- when retaliation is committed against the whistle-blowers, it is ascertained that the report has been obstructed, an attempt has been made to hinder it or the confidentiality obligation has been breaches;
- if reporting channels have not been established, procedures for making and managing reports have not been adopted or the adoption of the procedures does not comply with the provisions of the Decree.
Penalties ranging from EUR 500 to 2,500 are also envisaged in the cases in which the criminal liability of the whistle-blower for the crimes of defamation or slander is ascertained.
The provisions of the Decree take effect from 15 July 2023 (17 December 2023 for companies with over 249 employees).
Other related insights: