What are the changes introduced by the latest decree on Whistleblowing?

So-called whistleblowing was introduced for the first time in Italy in 2012 by the so-called Severino law in relation to the public sector only and was subsequently partially extended to the private sector by Law 179/2017.

On these bases and following the introduction of EU obligations deriving from directive (EU) n. 2019/1937, on 15 March, Italy implemented a comprehensive reform of the institute, promulgating legislative decree n. 24 dated 10 March 2023, concerning “protection of persons who report violations of the European Union law and [...] of domestic regulatory provisions".

In fact, in order to promote legality, the aim is to further encourage reporting through:

• the widening of the number of subjects who are allowed to make a report: while the legislation was previously almost only aimed  at employees and close collaborators, now, any person who has any working relationship with the entity is considered as a potential whistleblower (for example: employees, consultants, subcontractors, interns; candidates in the recruiting phase);
• the extension of the objective scope of application of the regulation to all of the most relevant sectors that are of interest of the EU law (e.g.: transport, procurement, environment, GDPR, consumer law, product conformity, competition, etc.)
• the introduction of measures aimed at preventing so-called «retaliations» (economic or employment consequences of an economic or employment nature, such as: job loss, demotion, ostracism, termination of contracts, etc.);
• the exemption from civil, administrative or criminal liability in relation to the disclosure of information (for the violation, for example, of the provisions on certain types of secrets, such as industrial secrets).

The provisions under Legislative Decree no. 24/2023 will enter into force according to two deadlines: 15 July 2023 for "private entities" having more than 249 employees and for all companies, regardless of their size, which have implemented an Organization, Management and Control Model, pursuant to Legislative Decree no. 231/01; and 17 December 2023 for "private entities" which have employed more than 49 and less than 250 employees in the last year.

The subjects concerned by the regulations are «public entities» (including: public service concessionaires, publicly controlled companies and in-house companies, even if listed) and, as regards «private subjects», companies which:

1. employed an average number of subordinate workers higher than 49 in the previous year;
2. regardless of the number of workers employed:
   • are subject to the application of the European Union acts referred to under parts I.B and II of the annex to Legislative Decree no. 24/2023 (regulations mostly concerning financial markets, prevention of money laundering and of financing to terrorism);
   • have adopted an organisation, management and control model pursuant to Legislative Decree no. 231/2001.

All these subjects are required to implement, after consulting the trade union representatives, an internal reporting channel which:

• guarantees the confidentiality – also by means of encryption – of the entire content of the report (including all related documents) and, in particular, of the identity of the "reporter" and of the other "involved persons";
• is managed by a dedicated person, office and/or external subject, having the proper autonomy and specific training, who must be able to: i) issue, within seven days of receipt, a notification of receipt of the report; ii) maintain communications with the whistleblower and, if necessary, request for integrations; iii) guarantee, from an investigation and management perspective, a "diligent follow-up" to reports; iv) provide «feedback» to the whistleblower within three months; v) provide clear information on the channel, procedures and prerequisites for making internal and external reports, also by displaying them in the workplace and publishing them on the website; vi) keep the report for the time necessary to process it and, in any case, no later than five years from the date of notification of the final outcome of the reporting procedure;
• allows the reporting to be made both in written and oral form, as well as, upon request of the reporting party, through a direct meeting;
• in the event of oral and/or face-to-face reports, after obtaining the whistleblower’s consent, guarantees the recording on a suitable device and/or written minutes of the conversation and, in the latter case, granting the whistleblower with the possibility to amend and/or modify the minutes, as well as to confirm their content by signing them;
• guarantees the person involved and/or in any case mentioned in the report with the possibility of exercising their right of defense if they expressly request it.

The general supervision on the compliance with the regulation is entrusted to ANAC (Italian anti-corruption authority), which also has the right to impose fines ranging from €10,000 to €50,000 if it ascertains that:

• retaliation has been committed or the report has been obstructed or an attempt has been made to obstruct it or the confidentiality obligation has been violated;
• no reporting channels have been set up, no procedures for making and managing reports have been adopted or they are not compliant.

Furthermore, the incompleteness of the internal reporting channel, the inability of the same to guarantee an effective follow-up to the report or the presence of well-founded reasons that suggest that retaliation will be suffered allow the whistleblower to make an external report directly to ANAC: if even in this case no response is given within the provided terms or there are well-founded reasons suggesting a risk to the public interest or retaliation, the whistleblower may publicly disclose information, without incurring any type of civil, administrative and/or criminal liability, even where the information is covered by secrecy.