Italian Whistleblowing Decree published in the Official Journal


published on 14 April 2023 | reading time approx. 5 minutes

After a long lead time and several postponements, Legislative Decree No. 24 of 10 March 2023, transposing Directive (EU) 2019/1937, was published in the Italian Official Gazette on 15 March 2023, in force as of 30 March (hereinafter, the “Whistleblowing Decree” or “Decree”).


The Whistleblowing Decree will have a significant and immediate impact on companies’ organisation. The mandatory implementation of whistleblowing channels will require very careful handling of a multitude of closely related issues of corporate governance, risk management, data protection and workers’ rights. 
Setting up a whistleblowing system is also an enabling and qualifying governance and compliance issue from an ESG perspective, contributing significantly to the pursuit of targets traceable to multiple goals of the 2030 Agenda for Sustainable Development.
Without any pretense of completeness, below we answer some very first questions.

What is the purpose of the Whistleblowing Decree?

The purpose of the Whistleblowing Decree is to protect persons who report violations of national or European Union law that harm the public interest or the integrity of the public administration or private entity, of which they have become aware in their work context.
Protection does not apply to:
  1. disputes, claims or demands linked to an exclusively personal interest of the whistleblower;
  2. reports of violations already mandatorily regulated by European Union or national acts;
  3. reports of breaches of national security, procurement relating to defence or national security aspects, unless these aspects are covered by the relevant secondary legislation of the European Union.

How can reports be submitted?

Reports can be submitted via:
  1. internal reporting channels, implemented by private sector entities or public administrations;
  2. external reporting channel, set up by the National Anti-Corruption Authority (ANAC);
  3. public disclosures, through the mass media.

Who are the obliged parties in the private sector?

In the private sector, the obligation to implement reporting channels, adopt procedures for making and handling reports, and ensure safeguards applies to private entities (including companies) that:
  1. in the last year, employed an average of at least 50 employees with permanent or fixed-term employment contracts, regardless of their sector;
  2. adopted an organisational model pursuant to Legislative Decree 231/2001 (“Model 231”), regardless of the number of employees and the sector to which they belong; 
  3. fall within the scope of the acts of the European Union – listed in the annex to the Decree – concerning financial services, products and markets, prevention of money laundering and financing of terrorism, transport safety and environmental protection, irrespective of the number of employees.
Please note that groups whose companies have employed an average of no more than 249 employees under permanent or fixed-term employment contracts in the last year may share the internal reporting channel and its management.

What is the deadline for private entities?

The obligation to implement reporting channels starts:
  • 15 July 2023, for private entities with 250 or more employees; 
  • 17 December 2023, for private entities with 50 or more employees. 

Who are the protected whistleblowers?

The Whistleblowing Decree significantly broadens the range of persons protected in the event of reporting to include, in addition to employees: self-employed workers; freelancers and consultants; volunteers and trainees; shareholders and persons with administrative, management, control and supervisory or representative functions; candidates; probationary workers; former employees; facilitators; relatives or work colleagues of the whistleblower; entities owned by the whistleblower or operating in the same work environment as the whistleblower.

What protection measures are envisaged?

A person who makes a report under the conditions laid down in the Decree:
  • is protected by the prohibition of retaliation, even indirect, against him/her (including dismissal, suspension, downgrading or non-promotion, demotion, negative references, intimidation or harassment, reputational damage, etc.);
  • benefits from support measures provided by Third sector organisations (information, assistance and advice free of charge on how to report and on protection from retaliation, on the rights of the person concerned, and on the terms and conditions of access to legal aid).

What sanctions are applicable?

Without prejudice to other liability profiles, ANAC applies administrative fines of up to EUR 50,000 to the person responsible when it finds, inter alia, that:
  • retaliation was committed;
  • the report was obstructed, or an attempt was made to obstruct it;
  • the duty of confidentiality was breached;
  • no reporting channels have been established;
  • procedures for making and handling reports have not been adopted or the procedures adopted do not comply with the Decree;
  • verification and analysis of the reports received was not carried out.

What to do now?

Step 1: Establishing reporting channels | Compliance

After consulting the representatives or trade unions, obliged persons must implement their own reporting channels. These channels must guarantee, including through the use of encryption tools, the confidentiality of the identity of the reporting person, of the person involved and of any other person mentioned in the report, as well as of the content of the report and of the relevant documentation.
In particular, entities and companies with Models 231 will have to adapt the reporting channels already adopted, so as to harmonise their use with the broader purposes of the Whistleblowing Decree.

Step 2: Organising the management of reporting channels | Governance

The governance of whistleblowing is a priority issue. The management of the reporting channels should be regulated with a procedure and entrusted either to a dedicated autonomous internal office with staff specifically trained to manage the reporting channel or to an external party.
Please note: the Whistleblowing Decree provides that reports may be made in writing, also (and therefore not only) by computer, or orally, through telephone lines or voice messaging systems or, at the request of the reporting person, by means of a face-to-face meeting set within a reasonable period of time.
In this respect, technological platforms can offer valuable support for the organised management of whistleblowing, but they do not exhaust the subject of whistleblowing, which must instead be addressed and governed in compliance with all applicable laws and with an ESG-inspired vision.

Step 3: Applying data protection and cyber security measures | Data Protection & Cyber Security

With respect to data protection requirements, data controllers are called upon to apply a series of measures of both an organisational and technical nature, in order to protect the confidentiality of the whistleblower and the integrity, as well as the confidentiality, of the reported personal data. 
These requirements are set out in Article 13 of the Decree, under the heading “Processing of personal data”, which expressly calls for compliance with the principles set out in Articles 5 and 25 of Regulation (EU) 2016/679 (“GDPR”) and with privacy by design and by default.
Particular attention must be paid to the risk-based approach with respect to the obligation to carry out risk analysis and data protection impact assessment, also taking into account the retention period for processed data identified as 5 years following the date of communication of the final outcome of the reporting procedure.
At the same time, the security of the reporting channel must also be ensured in terms of confidentiality, integrity and availability of information, both as regards the subject of the report and the personal data of the whistleblower. 

Step 4: Informing and raising awareness | Governance, Compliance & Sustainability

Companies must inform and raise awareness among employees and third parties through whistleblowing policies that define in a simple and understandable way the purpose and method of using whistleblowing channels. Companies must disseminate a whistleblowing culture as a tool for compliance, social responsibility and sustainability.