
Whistleblowing: a complete guide for companies and employers

Categories: DLP Insights, Publications, News | Tag: personal data protection, Whistleblowing, Privacy, GDPR

11 Oct 2024

Whistleblowing is the term used when a person reports misconduct that has come to their attention in the workplace. The person who makes the report is called the whistleblower.

The topic of whistleblower protection originated in the United States and became very prominent when the Sarbanes-Oxley Act was passed in 2002. This legislation introduced an obligation for publicly traded companies to put in place appropriate mechanisms to ensure protection against possible acts of retaliation against employees who report misconduct in the workplace.

At the international level, Article 33 of the United Nations «Convention against Corruption» of 31 October 2003 states that «Each State Party shall consider incorporating into its legal system appropriate measures to protect against unjustified treatment any person who, in good faith and on reasonable suspicion, reports to the competent authorities any fact concerning an offence established in accordance with this Convention».

Once the phenomenon had taken root in the United States, it slowly began to spread to Europe, especially in the United Kingdom.

In Italy, whistleblowing legislation remained sectoral for a long time.

The first step towards the adoption of a regulation was taken with the so-called “Severino Law” (Law 190/2012), which introduced Article 54 bis of Legislative Decree 165/2001, T.U.P.I. (“Testo Unico sul Pubblico Impiego”), as part of the instruments against corruption in the public sector.

A first comprehensive regulation of the matter came with Law No. 179 of 30 November 2017, which for the first time introduced specific protection for whistleblowers in the private sector as well, by amending Article 6 of Legislative Decree 231/2001 on the administrative liability of companies and entities for offences and adding paragraphs 2-bis, 2-ter and 2-quater to that Article.

From 2017 and until the adoption of new provisions at EU and national level, the addressees of the whistleblowing legislation were:

  • Private organizations (companies, groups of companies, non-governmental organizations – NGOs, foundations, associations, etc.) WITH ORGANIZATIONAL MODEL 231 and
  • Public administrations.

The Italian legislation on Whistleblowing

After a long wait and several postponements, on 25 March 2023, Legislative Decree No. 24 of 10 March 2023 (the “Decree”) was published in Official Gazette No. 63 of 15 March 2023, by which the Italian legislator transposed Directive (EU) 2019/1937 “concerning the protection of persons who report breaches of Union law and laying down provisions regarding the protection of persons who report breaches of national laws” (also known as the “Whistleblowing Directive”; hereinafter referred to as the “Directive”).

The purpose of the Directive was to harmonise the individual national legislations by introducing common minimum standards to protect and safeguard individuals who, within companies in both the public and private sector, wish to report wrongdoing of various kinds, of which they have become aware in the course of their work.

The new provisions are applicable to private sector entities which, in the previous year:

  1. Have employed an average of at least 50 employees on permanent or fixed-term contracts,
  2. Have adopted organizational and management models pursuant to the Italian Legislative Decree no. 231/2001 (“MOG”) – even if they employed fewer than 50 employees – or
  3. Operate in European regulated sectors (e.g. financial markets or credit sector).

Objective scope

The Decree regulates the protection of persons who report violations of national or European Union law that harm the public interest or the integrity of the public administration or private entity, and which have come to their attention in the course of their work and in relation to the areas specified in the Decree and the Directive.

However, the following are not covered by the new legislation:

  • Disputes, claims or demands relating to a personal interest of the reporting person or of the person complaining to the judicial or accounting authorities and relating exclusively to their individual work or public employment relationship or to their work or public employment relationship with hierarchically superior persons,
  • Reports of infringements, where these are already covered by mandatory European Union or national legislation,
  • Reports on breaches of national security, as well as procurement with defence or national security aspects, unless these aspects are covered by relevant EU secondary legislation.

This does not prejudge the application of national or European Union rules relating to:

  • Classified information,
  • Forensic and medical confidentiality,
  • Secrecy of judicial deliberations.

Subjective scope

Private sector companies covered by the new provisions must ensure that, in addition to their current employees and workers, the provisions of the Decree also apply to apprentices, self-employed workers, freelancers and consultants, volunteers and trainees (including unpaid ones), shareholders, persons exercising functions of administration, management, control, supervision or representation (even if these functions are de facto exercised) and all persons working under the supervision and direction of contractors, subcontractors and suppliers.

Protection must be guaranteed even when the employment relationship has not yet been established – if the information was obtained during the selection process or, in any case, at the pre-contractual stage – during the probationary period or after the termination of the relationship, if the information about possible breaches was obtained during the course of the relationship.

Lastly, the protection measures for whistleblowers also extend to the so-called “facilitators” (those who assist the worker in the reporting process), to persons who work in the same work context as the whistleblower and are linked to them by a stable emotional or family relationship up to the fourth degree, to the whistleblower’s work colleagues who are in the same work context and have a regular relationship with them, and to property entities or entities that operate in the same context as those persons.

The internal reporting channel

After consultation with trade unions, private sector companies should establish internal reporting channels that ensure maximum confidentiality, including that of the:

(i) Identity of the person making the report,

(ii) Person involved and referred to in the report, and

(iii) Content of the report and related documentation.

Internal reports can be made in writing, orally (through telephone lines or voice messages) or, upon request, through a face-to-face meeting.

The persons in charge of managing the internal reporting channel must:

1. Send a notice of receipt to the reporter within 7 days of receipt of the report,

2. Conduct a thorough investigation of the report,

3. Give feedback to the reporter within 3 months of the acknowledgement of receipt.

It is in any case understood that the reporter must be provided with clear information on the channel, also regarding the procedures and requirements for the preparation of reports, including through the creation of a dedicated section on its website.

The external reporting channel and public disclosure

Responsibility for setting up and managing the external reporting channel is entrusted to the National Anti-Corruption Authority (“ANAC”), which also adopted specific guidelines on the subject in Resolution No. 311 of July 12, 2023.

An external reporting channel will be provided if (i) there is no obligation in the reporting party’s work environment to activate an internal channel, or if there is the obligation but the channel is not active or, if active, is not compliant, (ii) the reporting party has already reported through an internal channel but the report has not been followed up, (iii) the reporting party has reasonable grounds to believe that reporting through the internal channel will not be effective or may result in a risk of retaliation, or (iv) there is an imminent or clear risk of harm to the public interest.

The possibility of public disclosure through print or electronic media or other means of dissemination likely to reach a large number of people is recognized as a residual measure.

Protection of personal data of whistleblowers

As part of the management of a report, any processing of personal data shall be carried out in accordance with the data protection rules now provided by Regulation (EU) 2016/679 (“GDPR”) and the Italian Legislative Decree no. 196/2003, as amended by the Italian Legislative Decree no. 101/2018 (the “Privacy Code”).

Public and private entities managing reporting channels are classified by the legislation as “data controllers” and they shall:

  1. Design each operation in accordance with the principles of personal data protection,
  2. Conduct a Data Protection Impact Assessment (DPIA),
  3. Train and authorize the employees designated to manage the reporting channel,
  4. Designate as “data processors” any external suppliers that process personal data on their behalf.

Protective measures

The new legislation provides a series of protective measures in favour of the whistleblower, which include (i) the obligation to protect the confidentiality of the whistleblower (confidentiality that must, however, also be guaranteed to the person involved/reported), (ii) a prohibition of retaliation and (iii) support measures in favour of the whistleblower.

The Decree, which expressly prohibits any form of retaliation against whistleblowers, provides an illustrative but not exhaustive list of cases of retaliation, including: 

  • Dismissal,
  • Suspension, including those of a disciplinary nature, or similar measures,
  • Non-promotion or downgrading,
  • Change of working duties/assigned activities,
  • Transfer,
  • Change of working hours,
  • Ostracism and harassment,
  • Discrimination and unfavorable treatment,
  • Non-renewal or early termination of a fixed-term contract.

It is the responsibility of the person who has committed the prohibited acts to prove that they are unrelated to the report made and that the damage suffered is a result of the report, publication or denunciation. This reversal of the burden of proof does not apply to the persons referred to in Article 3 (paragraph 5) of the Decree (i.e. “facilitators”, persons who work in the same professional context as the whistleblower and are linked to them by a stable emotional or family relationship, colleagues of the whistleblower who work in the same professional context and have a habitual and current relationship, or property entities and entities operating in the same context as these persons).

Sanctions for breach of the whistleblowing rules

In case of violation of the new whistleblowing rules, “ANAC” shall impose administrative sanctions ranging from EUR 10,000 to EUR 50,000.

Sanctions are provided if:

  • There has been retaliation, it has been established that the whistleblowing has been obstructed (or an attempt has been made to obstruct it) or the confidentiality obligation has been breached,
  • Internal reporting channels and procedures for making and handling reports have not been established or the procedures adopted do not comply.

Penalties of between EUR 500 and EUR 2,500 are also provided in cases where the reporting person is found to be criminally liable for offences of defamation or calumny.

Companies that have adopted a “MOG” must provide for sanctions against those responsible for offences sanctioned under the model’s disciplinary system.

Case law and insights

Whistleblowing – SMEs need expert advice (ItaliaOggi 7, 19 February 2024 – Vittorio De Luca)

“Whistleblowing” new regulations and new obligations for employers. Where to start?

Whistleblowing: companies’ obligations

Whistleblowing: Italian companies still non-compliant just before 17 December deadline (Norme & Tributi Plus Diritto – Il Sole 24 Ore, 13 December 2023 – Vittorio De Luca)

Wide-ranging whistleblowing protection (Italia Oggi Sette Affari Legali – 5 April 2023, Vittorio De Luca)
