Last March 15, Legislative Decree No. 24 of March 10, 2023, on “Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and containing provisions regarding the protection of persons who report violations of national regulatory provisions” (so-called Whistleblowing Decree) was published in the Official Gazette.
The intervention of the legislator, in fulfillment of supranational requests, complements and strengthens a regulatory system aimed at incentivizing reports on illegal conduct that have arisen in the exercise of a collective activity, whether public or private, as well as protecting the individual who determines to report them against possible retaliation.
The piece of legislation is of great importance especially for private sector companies, which will inevitably have to comply with the regulations also in order to achieve corporate compliance in accordance with the provisions of Legislative Decree 231/2001: it is no coincidence that, in order to allow companies to comply, the entry into force of the Decree has been postponed to July 15, 2023 and, for private entities that have employed an average of up to 249 workers in the last year, to December 17, 2023.
SCOPE OF APPLICATION FOR THE PRIVATE SECTOR
The provisions of the Decree regulate “the protection of persons who report breaches of national or European Union regulatory provisions that harm the public interest or the integrity of the public administration or of private entities, of which they have become aware in a public or private employment context.”
As for the subjective scope of application, the Decree identifies “private sector entities” (Art. 2, par. 1, letter q)) as those “subjects, other than those covered by the definition of public sector subjects” which:
- have employed, in the past year, at least fifty subordinate workers;
- regardless of the number of workers employed, operate in specific areas (g., prevention of terrorism financing);
- or, again regardless of the number of workers employed, “fall within the scope of Legislative Decree No. 231 of June 8, 2001, and adopt organization and management models”.
ORGANIZATIONAL OBLIGATIONS
The Decree imposes several organizational obligations for recipient entities, such as:
- the activation of “their own [internal] reporting channels, which guarantee, including through the use of encryption tools, the confidentiality of the identity of the reporting person, the person concerned and the person in any way mentioned in the report, as well as the content of the report and related documentation”;
- the provision of such reporting channels in the Organization, Management and Control Models under Legislative Decree 231/2001;
- entrusting the management of internal reporting channels “to a dedicated autonomous internal person or office with specifically trained staff to manage the reporting channel, or […] to an external entity, also autonomous and with specifically trained staff”.
INTERNAL REPORTING PROCEDURES AND FOLLOW-UP
Pursuant to Article 4 of the Decree, internal reports “shall be made in writing, including by electronic devices, or orally”, provided that in the latter case they are made “telephone hotline or other voice messaging system, or, at the request of the reporting person, through a face-to-face meeting set within a reasonable time.”
The Decree also provides that once the report is received, those in charge of the follow-up should:
- issue, “within seven days from the date of receipt”, an acknowledgement of receipt to the reporting person;
- maintain interlocutions with the reporting person and request additions if necessary;
- give “diligent follow-up to the reports received”;
- provide acknowledgement of the report “within three months from the date of the acknowledgment of receipt or, in the absence of such acknowledgment, within three months from the expiration of the seven-day period from the submission of the report”;
- make available “clear information on the channel, procedures and prerequisites for making internal reports, as well as the channel, procedures and prerequisites for making external reports”, through display in workplaces, as well as make it available to “persons who, although not frequenting workplaces, have a legal relationship” with the private entity. It is also mandatory to publish this information in a “dedicated section” of the corporate website.
EXTERNAL REPORTS
An “external reporting channel” is established at ANAC (the Italian National Anti-Corruption Authority) that “guarantees, including through the use of encryption tools, the confidentiality of the identity of the reporting person, the person concerned and the person mentioned in the report, as well as the content of the report and the related documentation”, at which reports can be made in the same manner as for internal reports (in written form on an IT platform or orally).
The reporting person may use the external channel when:
- “there is no provision within his/her work context for the mandatory activation of the internal reporting channel, or this channel, even if mandatory, is not active or, even if activated, does not comply with the provisions” of the Decree;
- “the reporting person has already made an internal report […] and it has not been followed up.”
- “the reporting person has reasonable grounds to believe that if he or she were to make an internal report, the report would not be effectively followed up or that the report itself may result in the risk of retaliation”;
- “the reporting person has reasonable grounds to believe that the breach may constitute an imminent or manifest danger to the public interest”.
PROHIBITION OF RETALIATION
Obviously, the Decree prohibits any retaliation against the whistleblower, to be understood, according to Article 2, as “any conduct, act or omission, even if only attempted or threatened, prompted by the report, the complaint to the judicial or accounting authority, or public disclosure, and which causes or may cause the whistleblower or the person who made the complaint, directly or indirectly, unjustified detriment”.
The Decree also lists a range of conduct that constitutes retaliation, such as dismissal, demotion in rank or change in function, but also coercion, intimidation or harassment.
PROTECTED SUBJECTS
According to Article 3, par. 5, protection against retaliation will be guaranteed to the whistleblower, but also extended to the following categories of individuals:
- the facilitator, to be understood as the natural person who “assists a reporting person in the reporting process, operating within the same work context and whose assistance is to be kept confidential”;
- the “persons in the same work environment as the reporting person, the person who made a complaint to the judicial or accounting authority, or the person who made a public disclosure and who are related to them by a stable emotional or kinship relationship within the fourth degree”;
- the “co-workers of the reporting person or the person who has made a complaint to the judicial or accounting authority or made a public disclosure, who work in the same work environment as the reporting person and who have a usual and current relationship with that person”;
- the “entities owned by the reporting person or the person who filed a complaint with the judicial or accounting authority or made a public disclosure or for which the same persons work, as well as entities operating in the same work environment as the aforementioned persons”;
SANCTIONS
One of the most significant new features of the Decree is the introduction of a special penalty system for violations of the regulation.
It is provided that, “without prejudice to other profiles of responsibility” (such as, for example, the administrative liability for crimes of the entity under Legislative Decree 231/2001), ANAC may impose the following administrative pecuniary sanctions:
- 10,000 to 50,000 euros when it determines that retaliation has been committed or when it determines that reporting has been obstructed or attempted to be obstructed or that the duty of confidentiality has been violated;
- 10,000 to 50,000 euros when it determines that reporting channels have not been established, that procedures for making and handling reports have not been adopted, or that the adoption of such procedures does not comply with the provisions of the Decree, as well as when it determines that the verification and analysis of the reports received has not been carried out;
- 500 to 2,500 euros if the reporting person is found to be criminally liable for the crimes of defamation or slander.