There is no end to new initiatives on the subject of whistleblowing. While the provisions of Italian Legislative Decree no. 24 of 10 March 2023 are already in force for companies with 250 employees or more, for companies employing 50 to 249 employees this has only been the case since 17 December 2023, requiring them to equip themselves with whistleblowing systems. How does all this impact the work of specialised law firms?

We asked some of the firms that are supporting companies in complying with the law on the protection of persons who report breaches of national or EU regulatory provisions. Six months after its entry into force, De Luca & Partners’ dedicated task force has analysed companies’ actual application of the rule, and it emerges that they are still far from compliant with the provisions. “We notice a general tendency to underestimate the complexity of the activities to be carried out to comply with the provisions of the Whistleblowing Decree”, says Vittorio De Luca, managing partner of De Luca & Partners.

“Companies are lagging behind in carefully assessing which system, including IT systems, should be used to make reports, in full compliance with applicable privacy legislation. Not only that, but companies also need to ensure that the disciplinary code adopted is adequate to avoid frustrating disciplinary measures. And this is in a regulatory framework that establishes two particularly significant risks: a fine of up to EUR 50,000, and above all, failure to comply with the exemptions provided for by Italian Legislative Decree no. 231/01”.

The full version of the interview was published on ItaliaOggi7 of 19 February 2024.

Italian Legislative Decree no. 24/2023, which implements Directive (EU) 1937/2019 and introduces the new legal framework on whistleblowing has come into effect. Laws on whistleblowing have already been in force for some years in companies required to implement the 231 Models and detailed and specific provisions on procedure and sanctions now apply to all companies.

The term “whistleblowing’ refers to the activity of reporting breaches of national or EU regulatory provisions of which workers have become aware in the context of work. For companies with more than 250 employees, the obligation to adopt adequate reporting systems has been in force since 15 July 2023, while for small and medium-sized enterprises the obligation came into force on 17 December.

Conduct, acts or omissions that harm the public interest or the integrity of the public administration or private entity and that consist of breaches attributable to the specific cases listed in the decree must be reported.

A person who believes that the conditions for a report are met may use the following channels: (i) internal reporting; (ii) external reporting, if there is no mandatory activation of the internal reporting channel, or if this has already been done without follow-up, if the whistleblower has reasonable grounds to believe that the internal report would not be followed up or there would be a risk of retaliation or if the whistleblower has reasonable grounds to believe that the breach constitutes a danger to the public interest; (iii) public disclosure, if the whistleblower has already made an internal and/or external report without feedback, if there is reasonable ground to believe that the breach may constitute a danger to the public interest, or if there is reasonable ground to believe that the external report may involve the risk of retaliation or may be ineffective; (iv) complaint to the judicial authority, at any stage.

Internal channels must ensure the confidentiality of the reporting person, the content of the report, the facilitator and the person concerned. When establishing internal reporting channels, it is necessary to use suitable tools to receive reports both orally and in writing, as the whistleblower is guaranteed both methods.

In this regard, the Italian National Anti-Corruption Authority (Autorità Nazionale Anticorruzione, ‘ANAC’) with resolution 311 of 12 July 2023 considered that ordinary e-mail and certified e-mail (PEC) did not guarantee confidentiality, and thus required the use of online platforms. As far as the paper report is concerned, the ANAC has requested that it be placed in two sealed envelopes (one with the identification data and the second with the actual report), then both envelopes should be inserted in a third sealed envelope with the external wording “confidential” for the manager of the report.

To implement the new regulatory obligation, companies must identify the channel in an organisation specific document; inform trade union representatives; make clear information available to the reporting person about the channel, procedures and conditions for making internal or external reports (e.g. via the website or platform page); guarantee the training of those who are entrusted with the management of the reporting channel and of all internal staff; adapt the 231 organisational model (if adopted) and put in place all the measures required under the regulations on the protection of personal data and the processing carried out to comply with it. Finally, companies will have to adopt a sanctioning system in the event of breach of the decree provisions.

In conclusion, under the regulatory framework that arises from Italian Legislative Decree no. 24/2023, companies and operators must pay great attention to the preparation of policies and organisational and management tools necessary for the implementation of legal obligations to ensure the protection and enhancement of each organisation’s ethical principles.

The task force focus team highlights companies’ failure to adopt decree provisions.

Six months after the entry into force of the Italian legislative decree on Whistleblowing the dedicated task forceof De Luca & Partners’, a leading law firm in consultancy and assistance in employment law, analyses its actual implementation by Italian companies.

The decree requires employers to implement a system of protection and safeguards for those who report crimes and irregularities within the context of a public or private work relationship.

According to analysis by the De Luca & Partners task force, Italian companies are still far from compliant with the provisions which, from 17 December 2023, also affect smaller organisations with between 50 and 249 employees.

The task force noted that it is primarily in the field of dedicated company procedures – such as the identification of breaches that can become the subject of a report or the recipients of the reports themselves – that companies show general non-compliance.

Looking at companies’ behaviour to date, we notice a general tendency to underestimate the complexity of the activities to be carried out to comply with the provisions of the Whistleblowing Decree”, underlines Vittorio De Luca, Managing Partner of De Luca & Partners. “Just to mention the main areas, all aspects of the process must be detailed in specific company procedures. Companies are delaying the careful consideration necessary to assess through which system, including computerised systems, they should make reports, in full compliance with current privacy legislation. Not only that, but it is also necessary to ensure that the disciplinary code adopted is adequate to avoid invalidating any disciplinary measures taken. And this is all in the context of regulatory framework that contains two significant risks for the failure to adopt an appropriate report management process: a fine of up to EUR 50,000, and the loss of the exemptions provided for in Italian Legislative Decree no. 231/01”, adds Vittorio De Luca.

The task force launched by De Luca & Partners includes the Firm’s Compliance team and offers all aspects of legal support required by companies to adopt the procedures necessary to guarantee compliance with all aspects of the legislation.

Continue reading the full version on Norme & Tributi Plus Diritto of Il Sole 24 Ore.

Since the beginning of 2023, a task force at law firm De Luca & Partners has been entirely dedicated to the new decree on Whistleblowing which requires employers to implement a system of safeguards and protection for those who report crimes and irregularities in the workplace. The task force offers legal support to companies in adopting the necessary procedures to ensure compliance with all aspects of the legislation.
According to a task force survey on the current state of play of actual implementation of the regulations by Italian companies, it appears that they are still far from compliant with the provisions that, by 17 December 2023, must be adopted by even the smallest organisations, with between 50 and 249 employees. Specifically, it is in the area of company procedures, such as the identification of breaches that can become reportable or the recipients of reports, that companies show a general lack of compliance. “We note a general tendency to underestimate the complexity of the activities to be carried out to comply with the provisions of the Whistleblowing Decree”, notes Vittorio De Luca, managing partner of De Luca & Partners. “Just to mention the main areas, all aspects of the process must be detailed in specific company procedures. Companies are delaying the careful consideration necessary to assess through which system, including computerised systems, they should make reports, in full compliance with current privacy legislation. Not only that, but it is also necessary to ensure that the disciplinary code adopted is adequate to avoid invalidating any disciplinary measures taken. And this is all in the context of regulatory framework that contains two significant risks for the failure to adopt an appropriate report management process: a fine of up to EUR 50,000, and the loss of the exemptions provided for in Italian Legislative Decree no. 231/01”, concludes Mr De Luca.

Continue reading the full version on L’Economia of Il Corriere della Sera.

Vittorio De Luca took part in the conference promoted by RSM Studio tributario e societario entitled: “The new whistleblowing law: small step forward or breakthrough?”.

Focus

In the course of his speech, Vittorio addressed the employment law aspects of the whistleblowing regulations: in particular, he examined the measures put in place to protect those who report unlawful acts that have come to their knowledge in the work context (so-called whistleblowers) by Italian Legislative Decree no. 24/2023, as well as the burdens and obligations imposed on companies to comply with the regulations in force and to be able to handle any reports received in the best possible way.

In particular, the following topics were addressed:

  • The purpose and method;
  • The work context:
  • Whistleblowers;
  • The personal interest of the whistleblower;
  • ​The definition of retaliation; 
  • The prohibition of retaliation;
  • Breach of the prohibition of retaliation;​
  • The employer perspective;
  • Disciplinary sanctions.