IT and Data

Whistleblower protection in the Italian private sector

A January 2018 Nctm workshop on whistleblower protection in the Italian private sector brought together representatives of the key public and private institutions dealing with the issue, including the heads of the Italian Anticorruption Authority, the Data Protection Authority, Transparency International, Confindustria and lawyers from Nctm. The programme and participants can be found on Nctm website at the following link:

The workshop examined the new Whistleblowing law 30 November 2017, n. 179, which came into force on 29 December 2017, and how it would interact with the administrative liabilities of legal entities for certain offences pursuant to the Legislative Decree no. 231/2001 (“Decree 231”) and on the data protection regulation set forth in the Legislative Decree no. 196/2003 (“Privacy Code”).


The background on whistleblower protection

There is no definitive definition of what whistleblower protection is. The OECD defines it as:

Legal protection from discriminatory or disciplinary action of employees who disclose to the competent authorities, in good faith and on reasonable grounds, wrongdoing of whatever kind in the context of their workplace.”

That being said, the importance of whistleblower protection has been recognized by many international institutions, such as, OECD, UNCAC and Council of Europe. Many countries have introduced whistleblower protection legislation but often in different ways: some have provided for a specific regulation for protection in labour law, some others in public service law or, still others, in criminal codes or in specific sector regulations.

Italy is one of the 14 Countries, out of the 43 members of the Anti-Bribery Convention, that have adopted a specific regulation for a private sector whistleblower protection. In contrast many OECD Countries whistleblower protection is still absent or is limited to the public sector’s employees.

According to the OECD guidelines and recommendations, the features of whistleblower protection mechanisms, which can be reflected in both private and public sectors, are mainly the following:

  • clear definition of what is meant for protected disclosures;
  • clear indication of who will be afforded of protection;
  • clear definition of reporting channels of disclosure and providing various channels, internal or external, as the case may be;
  • ensuring confidentiality reports;
  • ensuring data protection does not undermine confidentiality of the whistleblower;
  • financial incentives, which is an highly controversial theme and very discussed in the framework of international institutions and recommendations. Of course, it is demonstrated that financial incentives in favour of whistleblowers could eventually encourage employees to report misconducts, but at the same time is a measure somehow controversial because it may affect the vision that the public may have in whistleblowers motivation, furthermore in many Countries is hard to imagine providing for financial incentives to whistleblowers (currently in place only in two OECD Countries, South Korea and U.S.A.);
  • company measures as mitigating circumstances.


The Italian Whistleblowing law for the private sector

The Whistleblowing law has introduced for the first time a specific regulation on the whistleblower protection in private sector. Prior to the 2017 law, whistleblower protection was not completely unknown. A preliminary regulation was introduced back in 2012 by the Law no. 190/2012 (so-called Anticorruption Law). However its ambit was restricted to the public sector.

In addition, there was some protection in the private sector within the terms of Decree 231 and the Whistleblowing law builds on this. Article 2 of the Whistleblowing law applies to those companies which have implemented an organizational model in compliance with the Decree 231 system by integrating the requirements for the eligibility and effectiveness of the organizational models set forth in Article 6 of the Decree 231 and providing for certain further mandatory requirements for those companies which have chosen (or choose) to implement such organizational models. In addition to the standards currently required to comply with the Decree 231, companies may also provide the following:

  • one or more channels enabling senior managers and subordinates to raise detailed disclosures of unlawful conducts relevant pursuant to Decree 231 and based on precise and congruous facts, or breaches of the organizational model of the company, which they witnessed in the carrying out of their functions; such channels must assure confidentiality of the identity of the whistleblower when handling the disclosure;
  • at least one alternative reporting channel suitable to assure, through IT means, the confidentiality of the identity of the whistleblower;
  • prohibition against retaliation or discriminatory acts, whether direct or indirect, towards the whistleblower for reasons, directly or indirectly, connected to the disclosure;
  • within the disciplinary system adopted, sanctions against those infringing the measures for the protection of the whistleblower, as well as those making, maliciously or negligently, disclosures that turn out to be unfounded.

Under the Whistleblowing law, people who blow the whistle are now protected against any sanction, reprisal or other discriminatory measures (including dismissal or workplace re-organizations that impact negatively on their working conditions), due to the report of any wrongful behaviour of another person linked to the company and anyhow connected to the Decree 231 in the context of the workplace.

The new Whistleblowing law supports and fosters the creation of an organizational culture of transparency that supports whistleblowing but it still leaves a series of open issues and challenges. The workshop was mainly aimed at discussing and increasing awareness among the public of the most challenging issues in the field of whistleblower protection and the relationship between the new law and existing provisions such as  Decree 231 and the Privacy Code. We address both of these issues below.


Whistleblower protection and data protection regulation

The Whistleblowing law raises several issues in relation to rights and obligations deriving from the current data protection regulation.

The core issue here is how to balance the right of the whistleblowers to protect their identity under the Whistleblower law and the right of individuals to have access to their personal data under the Data Protection rules. The Whistleblowing law does not provide for a solution. The Data Protection Authority is expected to publish its views on the matter in the course of 2018. It is most likely that the right of the individual to have access to its personal data will be limited where such disclosure could allow the identification of the whistleblower, either directly or indirectly.

A further complex issue concerns the necessity, or not, to obtain the consent – required under the data protection regulation – of the individual of the disclosure for the processing of its personal data. Since the Whistleblowing law does not introduce obligations but simple duties, the processing cannot be considered as based on the fulfilment of a legal obligation or on the purposes of the legitimate interest of the controller (which occurs only in certain specific cases indicated by the Data Protection Authority). On the other hand, it would be unreasonable to require companies to obtain the consent of its employees to the processing of their personal data within whistleblowing systems. The situation may change with the entry into force, next 25 May 2018, of the new data protection rules set out in Regulation (EU) no. 2016/279.

Participants in the workshop believed that challenges may be avoided or overcome by means of education, awareness-raising of rules and procedures through trainings and conferences, but also ensuring effective protection and by creating an organizational culture of transparency that supports whistleblowing. Indeed, putting in place channels for protection of whistleblowers is considered to be of benefit for the companies concerned.

The Italian Anticorruption Authority (ANAC) and the Data Protection Authority are expected to publish their views in the near future but there was general consensus among the participants including representatives from these agencies that more legislation may be needed.


Whistleblower protection and Decree 231

Another controversial issue for the protection of whistle-blowers in private sector, was the decision to place the protection within the scope of the Decree 231, which provides the framework for non-mandatory compliance systems to be adopted by companies and indeed often only implemented after the commission of an offence by the company. Therefore, the non-adoption of a whistleblowing system has no consequences for those companies that have not implemented a Decree 231 compliance system. Rather, the whistleblower protection creates obligations only for those companies which have voluntarily chosen to comply with Decree 231. In this case, should company be sued in court, and if the existing in-house protection system does not comply with the new requirements set out in the Whistleblowing law, there may be a finding that the in-house model are not sufficient and, in the worst scenario, the company may be deemed liable for under the Decree 231.

Some participants at the workshop saw advantages in bringing the protection within the scope of Decree 231 because a strong mechanism to protect disclosure of information of wrongdoing by virtuous employees may only happen in those companies that have already adopted a culture of ethics, legality and transparency, which the voluntary Decree 231 systems aim at.

Notwithstanding the above, the inequality of treatment of whistleblower protection for employees of those companies that have complied with the Decree 231 and non-protection for employees of those companies that have not complied with the Decree 231 may cause issues in the implementation of the Whistleblowing law. This problem is likely to be played out in labour disputes.


To whom the disclosures must be addressed

A further relevant issue concerns the identification of the addressee of complaints. Indeed, while for the public sector the Whistleblowing law indicates ANAC as the exclusive addressee, nothing is mentioned for the private sector in such law.

At present, it is not possible to predict what solution will be found but it is clear that, whatever the choice will be, the supervisory body appointed by the companies pursuant to the Decree 231 (so called Organismo di Vigilanza) will have to be involved in some way, as also confirmed by a note on whistleblowing published by Confindustria in January 2018 and by Transparency International’s Italian Guidelines on whistleblowing. In fact, although the Whistleblowing law does not provide for any mandatory provision, not informing the supervisory body would compromise the flow of information which represents the core of the efficiency and effectiveness of the organizational models. In addition to the supervisory board, the current practices in private with voluntary schemes is to entrust to a third-party body or an ad hoc committee, the role to receive complaints.

The workshop was an opportunity for experts in the field, in the competent authorities, in the private sector and in Nctm to share an understanding of the current state of the law in Italy.




This article is for information purposes only and is not intended as a professional opinion.
For further information, please contact Raffaele Caldarone.

Get our latest news