At a glance
- On 15 March 2023, Legislative Decree no. 24 dated 10 March 2023 (the Decree) was published in the Italian Official Gazette, implementing the Whistleblowing Directive.
- The Decree will be effective as of 15 July 2023. Below, we provide more detail on what the new law sets out.
Who does the new law apply to?
The Decree applies to all legal entities of the public sector and all legal entities of the private sector that:
- Staff more than 50 employees; or
- Staff less than 50 employees and operates in the European regulated markets (e.g. financial markets, credits); or
- Voluntary decide to apply the regulation.
What must employers do?
Pursuant to newly introduced regulation employers must adopt a proper reporting channel by 15 July 2023 (when an average of more than 249 employees is employed) or 17 December 2023, when such threshold is not met.
The purpose of the Decree is to establish a minimum standard of protection for whistleblowers, who are employees, self-employed workers, consultants, and other individuals who report and disclose violations of EU and / or national law that affect public or private interests within their work context.
Previously, whistleblowing legislation was primarily concerned with entities that had an organisational model pursuant to Legislative Decree 231/2001. However, this provision has now been superseded, and now – as indicated above – the decree provides that whistleblower’s protection needs to be related to the size of the company or the sector in which it operates.
In addition, the decree provides for various reporting channels, including an internal reporting channel, which allows reports to be made in writing or orally, and an external reporting channel managed by ANAC (National Anti-Corruption Authority). The ANAC can be used if the internal channel is not activated or does not comply with the law, or if the whistleblower fears retaliation for using the internal channel. The possibility of public disclosure through the press or by electronic means capable of reaching multiple individuals is also provided.
Data protection
Finally, the decree explicitly refers to the protection of the personal data of whistleblowers / reported person, and compliance with the GDPR in the reporting procedure.
Protections are not limited to reporters
It is essential to note that these protection measures are also extended to so-called "facilitators," such as colleagues, relatives, or stable relatives of the person who reported.
Failure to establish reporting lines
Administrative fines ranging between EUR 10,000 and EUR 50,000 apply to companies that do not establish whistleblowing channels and procedures within the mandatory timeframe indicated above. Administrative fines between EUR 500 and EUR 2,500 are also applied to whistleblowers in the event of false reports.
