After a long wait and several postponements, on 25 March 2023 Italian Legislative Decree no. 24 of 10 March 2023 (the “Decree”) was published in the Italian Official Gazette no. 63 of 15 March 2023. With the Decree the Italian legislator implemented Directive (EU) 2019/1937 “on the protection of persons who report breaches of Union law and laying down provisions concerning the protection of persons who report breaches of national legal provisions” (also known as the “Whistleblowing Directive”. Hereinafter, for the sake of brevity, Directive).

What is meant by the term “reporting person” or “whistleblower”? 

The term “reporting person” or “whistleblower” refers to the person who, in the general interest, reports unlawful conduct of which he or she has become aware in a work-related context.

It is worth making it clear from the outset that complaints of a personal nature that relate exclusively to individual employment relationships, the protection of forensic and medical professional secrecy and of the decisions of judicial bodies are not the subject of reporting, and therefore remain excluded from the scope of the legislation.

The protection measures for whistleblowers apply not only to employees and collaborators but also to apprentices, the self-employed, freelancers and consultants, volunteers and paid or unpaid trainees, shareholders, those who exercise functions of administration, management, control, supervision or representation (including if exercised on a de facto basis) and to anyone working under the supervision and direction of contractors, sub-contractors and suppliers.  

Protection must also be guaranteed even when the employment relationship has not yet been established – if the information was acquired during the selection process or in any case in the pre-contractual phase – during the trial period or after the termination of the relationship, where information on possible breaches has been acquired during the relationship.

Measures of protection also extend to the so-called “facilitators”, i.e. those who assist the worker in the reporting process, to persons who work in the same work-related context as the whistleblowers and who are linked to them by a stable emotional or family bond within the fourth degree, to the whistleblower’s work colleagues who work in the same work-related context and have a recurrent and ongoing relationship, or to entities  that the reporting persons own, work for or are otherwise connected with in a work-related context.  

Which private sector parties have to apply the new provisions and when will they take effect? 

The new provisions: 

  • apply to private sector entities that in the last year: 
  1. employed an average of at least 50 workers with permanent or fixed-term employment contracts;  
  2. have adopted an Organisational and Management Model provided for by Italian Legislative Decree no. 231/2001 (“OMM”) – even if they employed fewer than 50 workers – or  
  3. operate in sectors regulated at European level (e.g. financial or credit markets). 
  4. they will take effect from:  
  5. 15 July 2023 for private entities with 250 or more workers;  
  6. 17 December 2023 for companies that have employed an average of up to 249 workers, as well as for those that have adopted an organisational and management model provided for by Italian Legislative Decree no. 231/2001. 

How can reports be made? 

Reports can be made through: 

  • internal reporting channels. After consulting the trade unions, private sector entities should put in place internal reporting channels that ensure the highest level of confidentiality of (i) the identity of the reporting person, (ii) the person involved and mentioned in the report, and (iii) the content of the report and related documentation. Entities who have employed an average of 249 workers in the last year can share internal reporting channels. Internal reports can be made in written or oral form (through telephone lines or voice messages) or, on request, through a direct meeting. 
  • external reporting. The task of setting up and managing the external reporting channel is entrusted to the Italian National Anti-Corruption Authority (Autorità Nazionale Anticorruzione, ‘ANAC’) which, within three months of the entry into force of the Decree, will have to adopt specific guidelines but has already made the channel available on its institutional website. The use of an external reporting channel is envisaged if (i) in the work-related context of the whistleblower there is no obligation to activate an internal channel, or there is an obligation but the channel is not active or, if active, is not compliant; (ii) the whistleblower has already submitted a report through an internal channel but the report has not been acted upon; (iii) the whistleblower has reasonable grounds to believe that reporting through the internal channel will not be effective or may result in the risk of retaliation or (iv) in the event of imminent or obvious danger to the public interest. 
  • public disclosures that can be made through the press or electronic or dissemination media that can reach a large number of people. 

    Continue reading the full version published on AIDP

Protection also extends to shareholders, apprentices, the self-employed, and consultants.

Wide-ranging whistleblowing protection. In addition to their current employees and collaborators, private sector companies must also provide protection to employed workers, apprentices, self-employed workers, freelancers and consultants, volunteers and trainees (including unpaid ones), shareholders, those exercising administrative, management, control, supervisory or representative functions (including if those functions are exercised on a de facto basis) and all persons working under the supervision and direction of contractors, subcontractors and suppliers. This is provided for by Italian Legislative Decree No 24/2023 in which the Italian legislator implemented Directive (EU) 2019/1937 (the so-called Whistleblowing Directive). The provisions will be effective from 15 July 2023 or from 17 December thereafter for companies with an average number of employees of up to 249, as well as for companies that have adopted the organisational model required by Italian Legislative Decree No 231. The purpose of the provision is to oblige companies and other organisations covered by the regulation to activate computer tools to enable the reporting of breaches of regulatory provisions. The legislator, including the EU legislator, intended to protect potential whistleblowers. Protection must also be guaranteed even when the employment relationship has not yet been established, if the information was acquired during the selection process or in any case during the pre-contractual phase, during the probationary period or after termination of the relationship if the information on possible breaches was acquired during the course of the relationship. The protection measures for whistleblowers are also aimed at ‘facilitators’ (i.e. those who assist the worker in the reporting process), persons who work in the same work context as the whistleblowers and who are related to them by a stable emotional or familial relationship up to the fourth degree, work colleagues of the whistleblower who work in the same work context and who have a long-standing and ongoing relationship, or entities owned by and entities that work in the same context as these persons. Between now and the entry into force of the decree, recipient companies will have to i) identify and approve appropriate procedures to regulate the reporting process, ii) activate the aforementioned computerised reporting channels, iii) implement what is necessary to ensure protection and confidentiality for the reporting parties, and iv) provide for and regulate remedial initiatives in the event of reported breaches. This is without neglecting seemingly insignificant details, such as the finalisation and posting of the disciplinary code, which is often missing, incomplete or inadequately completed.

De Luca & Partners launches a new task force supporting companies grappling with the Whistleblowing legislative decree, which requires employers to implement a system of protection and safeguards for those who report crimes and irregularities within a public or private professional relationship.

The soon-to-be-adopted decree implementing the EU Directive 2019/1937 protecting those who report regulatory breaches, introduces important measures for the prevention and combating of corruption, under standards of absolute confidentiality of the whistleblower, parties involved and the report content. This involves the public and private sectors and includes the obligation to activate a channel for reporting offences for companies with more than 50 employees.

The task force set up by De Luca & Partners is a dedicated and  operational practice, even if the decree is not yet officialised. This sees the Firm’s expert compliance professionals working with HR Capital consultants – a Firm partner, and a leader in services for the management and administration of staff outsourcing.

The focus team created from this synergy can provide the necessary legal support to companies adopting the procedures to ensure corporate regulatory compliance, by providing an intuitive SAAS computer system with the features for implementing an abuse and harassment at work reporting system that protects whistleblowers and keeps their confidentiality. The task force provides constant monitoring to enable companies to correctly address and handle reports.

 De Luca & Partners Managing Partner Vittorio De Luca said: “We are proud to launch this Whistleblowing task force before the decree’s entry into force. This is a tangible sign of the Firm’s presence alongside its clients and our commitment to grasping and anticipating their needs and requirements. The focus team combines the De Luca & Partners and HR Capital’s knowledge and is already operational. It provides support in the future application of the decree and helps companies applying for UNI PDR 125/2022 certification, which requires an abuse and harassment at work anonymous reporting system.”

The draft legislative decree to transpose the EU directive on whistleblowing has been approved. As the fight against corruption and the protection of whistleblowers progresses this year, those who decide to report wrongdoing, whether in the public or private sector, will be able to do so relying on greater protection. In early December, the government approved the draft legislative decree transposing Directive [(EU) 2019/1937] on whistleblowing.  All that remains to be done is publication in the Italian Official Gazette, after which companies with more than 250 employees will have four months to comply with the new rules, while those with between 50 and 250 employees will have until 17 December 2023. This transposition is late, as the deadline was set for 17 December 2021, but Italy is not the only country to be late with compliance. The EU directive introduces important measures regarding preventing and combating corruption and prepares minimum standards for whistleblower protection; it applies to both the public and private sectors and provides legal protection to a large number of potential whistleblowers. It also establishes appropriate measures to ensure the protection of whistleblowers from retaliation and requires the creation of mechanisms to facilitate whistleblowing. ‘Since 2017, in Italy, the rules on whistleblowing in the private sector have been regulated exclusively by Italian Law No 179 of 2017, which introduced the possibility of establishing specific protection systems for those who report wrongdoing, better known by the English term “whistleblowers”’, explains Vittorio De Luca, managing partner of De Luca&Partners, ‘Compared to the national regulatory framework outlined by the 2017 law, the new legislation extends the obligation to establish a whistleblowing channel to all private sector companies with more than 50 employees. It can be established after hearing from the trade union representatives or organisations.’ The decree (and before it the EU directive) is expressly aimed at protecting those who report breaches of EU law in areas such as public procurement, services, financial products and markets, money laundering, environmental protection, public health and consumer protection. It requires that appropriate arrangements be identified so that the protection and confidentiality of whistleblowers is guaranteed, as well as, for workers, protection from any form of retaliation. ‘Under thedecree, retaliation constitutes, by way of example, a change in duties, dismissal, change of workplace, reduction in salary, change in working hours the non-renewal and early termination of a fixed-term employment contract,’ De Luca concludes. ‘Companies will therefore have to set up internal and external reporting channels by implementing management procedures that ensure the confidentiality of both the whistleblowers and the personal data, including storage, which will have to be carried out in accordance with the legislation on the protection of personal data now represented by Regulation (EU) 2016/679, better known as the GDPR’


Fonte: Repubblica Album Speciale Lavoro

In a press release dated 9 December 2022, the Italian Council of Ministers announced the approval of the draft Italian legislative decree transposing Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law. The new legislation extends the obligation to establish reporting channels to all private sector companies with more than 50 employees.

The main measures introduced provide, among other things, that:

  • reports of breaches must relate to national or EU regulatory provisions that harm the public interest or the integrity of the private entity;
  • in addition to employees who report breaches, the extension of protection was confirmed to collaborators, consultants, volunteers or trainees, shareholders and those with administrative, management, control, supervisory or representative functions, as well as to ‘probationary’ or former workers, if information on breaches was acquired in the course of the employment relationship;
  • private sector companies will have to ensure internal and external reporting channels that ensure the confidentiality of whistle blowers and any processing of personal data will have to comply with Regulation (EU) 2016/679 (the ‘GDPR’);
  • retaliation includes, but is not limited to, change of duties, dismissal, change of workplace, reduction of salary, change of working hours, non-renewal or early termination of a fixed-term employment contract;
  • the application by Italian National Anti-Corruption Authority (Autorità Nazionale Anti-Corruzione, ‘ANAC’) of administrative fines of up to EUR 50,000.

Other related insights:
Whistleblowing: la nuova scadenza per il Governo italiano  

Il commento di Vittorio De Luca sul tema Whistleblowing e tutela della privacy