Italian Legislative Decree no. 24 of 10 March 2023 (the ‘Decree’), implementing Directive (EU) 2019/1937 and ‘on the protection of persons who report breaches of Union law and containing provisions concerning the protection of persons who report breaches of national regulatory provisions’ (so-called Whistleblowing Directive),has been published in the Italian Official Gazette no. 63 of 15 March 2023.

The provisions referred to in the Decree apply, among others, to entities in the private sector that in the last year:

• have employed an average of at least 50 workers with permanent or fixed-term employment contracts;
• despite having employed fewer than 50 workers, adopt organization and management models envisaged by Italian Legislative Decree 231/2001 (Modelli di organizzazione e gestione – “MOG“).

Entities in the private sector, having heard the trade unions’ representatives or organisations, must set up and activate internal reporting channels that guarantee the confidentiality of the identity (i) of the reporting person, (ii) of the person concerned or of the person in any case referred to in the report as well as (iii) the content of the report and related documentation.

The management of the internal reporting channels can be entrusted (i) internally, to a person or to an autonomous internal office dedicated to this and made up of personnel specifically trained for the management of the reporting channel or (ii) externally to a third party, also autonomous and with specifically trained personnel. Furthermore, specific procedures for managing the internal reporting channels are envisaged which must be promptly implemented and applied by the employers and the information relating to the channel, the procedures and the conditions for making reports shall be displayed and made easily visible to all recipients.

Any processing of personal data must be carried out in compliance with current legislation on the protection of personal data, today represented by Regulation (EU) 2016/679 (the ‘GDPR’) and by Italian Legislative Decree 196/2003, as amended by Italian Legislative Decree 101/2018 (the ‘Privacy Code’). Employers addressees of the new legislation must therefore adopt all the necessary formalities required by the legislation on the subject of protection and safeguard of personal data processed.

For the violation of the provisions of the Decree, the imposition of administrative sanctions ranging from EUR 10,000 to 50,000 is envisaged:

• when retaliation is committed against the whistle-blowers, it is ascertained that the report has been obstructed, an attempt has been made to hinder it or the confidentiality obligation has been breaches;
• if reporting channels have not been established, procedures for making and managing reports have not been adopted or the adoption of the procedures does not comply with the provisions of the Decree.

Penalties ranging from EUR 500 to 2,500 are also envisaged in the cases in which the criminal liability of the whistle-blower for the crimes of defamation or slander is ascertained.

The provisions of the Decree take effect from 15 July 2023 (17 December 2023 for companies with over 249 employees).

Other related insights:

De Luca & Partners and HR Capital launch a new whistleblowing task force (Legalcommunity, 6 February 2023) – De Luca & Partners (delucapartners.it)

DID YOU KNOW THAT… The transposition of the (EU) Whistleblowing Directive will lead to new employer obligations?

It is unlawful to monitor the metadata of company e-mails assigned to employees that do not guarantee adequate protection of confidentiality and are carried out in breach of the rules limiting remote monitoring of workers. This was established by the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali – the Italian ‘DPA’), which, in an Injunction Order of 1 December 2022, imposed a fine of EUR 100,000 on the Lazio Region.

The preliminary investigation

The case arose from a report submitted to the Italian DPA by an independent trade union organisation that complained about the monitoring by the administration, which was the controller, of the e-mails of staff working in the offices of the regional lawyer’s office.

The monitoring, initiated as part of an internal investigation aimed at verifying a suspected disclosure of information protected by official secrecy, turned out to include information on times, recipients, subject matter of communications and size of attachments, the so-called ‘metadata’, of some employees who had been sending messages to a specific trade union. According to the investigation’s findings, it had been possible to monitor this information because, ‘as a matter of practice’ email traffic data were retained ‘for generic IT security purposes for 180 days’ before being permanently deleted.

The Italian DPA’s Order

On the basis of the investigation’s findings, the Italian DPA clarified, among other things, that:

• in breach of the principles of ‘lawfulness, fairness and transparency’, employees had not been provided with information on the processing of personal data in accordance with Articles 12 and 13 of the GDPR. And, as the Italian DPA noted, the fulfilment of the information obligations ‘constitutes a specific precondition for the lawful use of the data collected through technological tools, by the employer, including for all purposes related to the employment relationship (Article 4, paragraph 3, of Italian Law No 300/1970)’;
• given that ‘the generalised collection and extensive retention of e-mail metadata […] are not instrumental to the “employee’s work performance”, such data processing may entail an – albeit indirect – remote monitoring of the employees’ activities. Therefore, the employer breached not only the existing data protection legislation but also the regulations on remote monitoring of employees;
• the processing and monitoring carried out enabled the employer to acquire information on the employees’ private lives or on matters that were not in any way relevant to the assessment of their professional suitability;
• the processing of the metadata was carried out in breach of principles of data protection law, namely the principles of retention limitation, of data protection by design and by default, as well as of the principle of accountability;
• the processing of metadata was carried out in the absence of a prior data protection impact assessment.

On the basis of all of the above, the Italian DPA, in addition to ordering payment of the aforementioned administrative sanction, prohibited the employer, the controller, from any further processing operation applied to the (meta)data relating to the use of employees’ e-mails retained for a period exceeding seven days from the date of their collection, ordered the deletion of the data already collected and retained beyond the latter period and also ordered the publication of the order on its institutional website.

Other related insights:

An employer can monitor its employee’s corporate email account

Dismissal for just cause: monitoring the company chat without adequate information is unlawful

On 25 March, the European Commission and the United States of America announced that they had reached a new framework agreement on the cross-border transfer of personal data (the “Trans-Atlantic Data Privacy Framework”) that will be the basis for an adequacy decision by the European Commission. The new agreement was announced less than two years after the European Court of Justice ruled that the Privacy Shield was invalid. It ensures that the GDPR-guaranteed levels of data protection are not undermined by being transferred to the US and when European citizens’ data is processed. The agreement’s crucial points will be represented by binding rules and safeguards to limit the access to data by the US authorities, which assumed considerable importance in the cited Court of Justice decision. The authorities will be allowed to access and process personal data only to the extent that this is necessary and proportionate to protect and pursue the defined objectives of national security. The communiqué stated that this will be achieved by establishing an independent two-level review mechanism, to establish corrective measures and improve the strict and layered oversight of intelligence activities by ensuring compliance with limitations during surveillance. The Trans-Atlantic Data Privacy Framework will provide a basis for transatlantic data flows that is fundamental to protecting data subject rights. The communiqué confirmed that teams from the US government and the European Commission will continue their cooperation to turn this agreement into legal documents to be adopted by both sides. Once this process is completed, European and US data controllers and processors must comply with the framework agreement provisions.

Other related insights:

• Privacy Shield: la CPrivacy Shield: the Court of Justice of the European Union invalidates the EU – USA Agreement
• Privacy Shield: European Data Protection Board (EDPB) publishes a FAQ document on Court of Justice of the European Union (CJEU) judgement (Schrems)
• DID YOU KNOW THAT… the new Standard Contractual Clauses have been approved for the transfer of data to non-EU countries?

The Court of Venezia, in its ruling no. 494/2021, stated that a company that suffered a cyber-attack and was forced to pay a ransom to recover stolen data can fire an employee who has repeatedly surfed on unsafe sites for private purposes and put internal security at risk.

Facts of the case

The worker employed by a company operating as a shipping agency was dismissed for just cause, following a legitimate disciplinary procedure, for having improperly used a company personal computer.

The charges brought by the company against the employee were twofold:

1. having carried out activities outside of work during working hours, consulting personal e-mail, viewing photos and repeatedly and prolonged surfing on the internet on information websites, booking travel and shows and even on pornographic websites. This was in breach of Company Regulations, jeopardising the security of the computer system and taking time away from work (even on days when he had requested authorisation to work overtime);
2. having prepared and transmitted to third parties statements in the company’s name by misusing the company’s letterhead and stamp during working hours.

The employee challenged the company’s termination because it was retaliatory and discriminatory, with the sole aim of ousting him as a union representative (RSA) and therefore considered an “inconvenient employee.” The employee claimed that the misconduct was not attributable to him since the computer assigned to him did not have a password and any person could have accessed it.

The employer took legal action, rejecting the employee’s claims and emphasising the entirely causal nature of the discovery of the data since it emerged as a result of the necessary checks carried out following a hacking of its computer systems and the spread of the ransomware virus.

The Court’s decision

The Court of Venice – confirming the decision of the Judge in the summary stage of the proceedings – declared that there was just cause for termination and, consequently, the dismissal was lawful.

The Judge pointed out that the allegations against the employee had been acquired by the company under art. 4 of the Workers’ Statute. Under the above Article, the employer may legitimately acquire information from the company tools assigned to employees and use them for all purposes related to the employment relationship (including disciplinary purposes). This is on the condition that employees have been given adequate information on how to use such tools and control methods, under the Privacy Code. The company had adopted a Regulation on the use of the tools provided. Since its adoption, it had been posted on the notice board and published in a folder on the server accessible to all employees.

The Judge observed that even without considering the actual adoption of the regulation (which is the subject of censure by the employee), what mattered was the numerous and perpetual use for obvious (and not disputed) personal purposes of the computer, such that the disciplinary value of the facts existed.

Finally, the Judge rejected the employee’s complaint about the failure to place a personal password on the computer. According to the Judge, its improper use was undoubtedly attributable to the employee in question since he had: visited his account, booked trips in his name, used personal USB keys, visited social networks linked to him, etc.

In the Court’s opinion, the charges brought against the employee and legitimately acquired by the company became actual and were so severe as to justify his immediate dismissal.

Whistleblowing is being redefined . The Legislative Decree implementing the EU Directive 2019/1937 “on the protection of persons who report Union law violations” (the “Directive“) is almost ready. It will bring significant changes compared to the rules that came into force in 2012 (Law 6 November 2012, no. 190) in the public sector and at the end of 2017 (Law 30 November 2017, no. 179) in the private sector.

◊◊◊◊

Delegated Law

On 23 October 2019, the European Parliament and the Council adopted the Directive laying down “common minimum standards” to ensure adequate protection of whistleblowers in the Member States’ legal systems. The aim is to give consistency to heterogeneous or fragmented national regulations and enhance the value of this tool.

On 23 April 2021, Law no. 53/2021 (the European Delegation Law) was published in the Official Gazette. This Law consists of 29 articles containing delegated provisions for transposing European directives and adapting national legislation to certain EU regulations.

With this Law, the Parliament delegated the Government to adopt a legislative decree to implement the Directive. In art. 23 of the delegated law, it is stated that the Government, in the exercise of the delegation, must observe the following principles and directive criteria:

1. under the Directive, amend the existing legislation on the protection of those reporting violations of which they have become aware within a public or private working framework and those listed in Article 4, paragraph 4 of the same Directive;
2. ensure coordination with existing provisions, and a high level of protection and safeguard of those referred to in letter a), by carrying out the necessary repeals and adopting the appropriate transitional provisions;
3. exercise the option provided for in Art. 25 paragraph  1 of the Directive, which introduces or maintains provisions more favourable to the rights of those reporting and those listed in the Directive, to ensure the maximum level of protection and safeguard.

This rule will affect national regulations. The impact of the new European regulation seems to concern its extension more than its content. In the matters covered by the Directive, the protection of whistleblowers does not differentiate between the public and private sectors, as in Law no. 179/2017.

Having said this, let us go into detail on the main innovations introduced by the Directive.

Personal scope of application

The Directive better defines the reporting person, i.e. the individual who reports or discloses information on violations acquired in their working framework.

This includes (i) self-employed persons working for a public or private sector entity, (ii) shareholders and members of the administrative, management or supervisory body of a company, including non-executive members, volunteers and paid and unpaid trainees, and (iii) any person working under the supervision and direction of contractors, subcontractors and suppliers.

The protective measures may be applied to colleagues or relatives of whistleblowers where there is a risk of retaliation at work due to the report.

The personal scope of application is broader than under Italian Law and, therefore, the list of protected whistleblowers should be reviewed in the light of the new European rules.

Conditions for the protection of whistleblowers

Unlike the current Law 179/2017, for the application of the protections provided in favour of the reporting person, it will not be necessary for the reports to be based on unlawful conduct, relevant under Legislative Decree no. 231/2001 and based on precise and concordant facts.

It will be sufficient that the reporting person had, at the time of reporting, reasonable grounds to believe that the information reported was accurate and that the report or public disclosure was necessary to bring to light a violation of public interest falling within the scope of the Decree. The reasons underlying the whistleblower’s report are considered irrelevant to their protection.

Reporting channels

The Directive requires the establishment of internal reporting channels before reporting through external channels (i.e., reporting to the authorities designated by the Member States and relevant authorities at a European level), “where the breach can be effectively dealt with internally and the reporting person considers that there is no risk of retaliation.”

Companies with more than 50 employees, regardless of the nature of their activities, and legal entities in the public sector, including those owned or controlled by them, must have internal reporting channels. The exemption of small and medium-sized enterprises from this requirement does not apply to companies falling within the AML/CFT framework scope.

In addition, following an appropriate risk assessment, Member States may require companies with a smaller number of employees to establish internal reporting channels in some cases.

For public disclosures of wrongdoing, the Directive provides that the protection of the reporting person is triggered only if one of the following conditions is met:

• they have previously reported the offence internally or externally without adequate follow-up within the prescribed time limits; or
• at the time of the report, they have reasonable grounds to believe that:
• the breach may constitute an imminent or clear danger to the protected public interest or there is a risk of irreversible damage, including to the physical safety of one or more persons; or
• in the case of an internal or external report, there would have been a risk of retaliation, or the report would not have provided sufficient guarantees of effectiveness according to the case circumstances.

The above-mentioned public disclosure (under certain conditions) is not reflected in Italian Law.

Protection of whistleblowers

According to the Directive, Member States must ensure that the reporting person’s identity is not disclosed, without their explicit consent, to anyone other than the authorised personnel responsible for receiving or following up reports. This is without prejudice to specific exceptions. The same applies to any other information from which the reporting person’s identity can be deduced directly or indirectly.

Under the Directive, Member States must take the necessary measures to prohibit any form of retaliation against a whistleblower, including dismissal, change of job, reduction of salary or modification of working hours and imposition of disciplinary sanctions.

Personal data processing

Data collection and processing shall be carried out under Regulation (EU) 2016/679 on the protection of personal data.

Personal data that is manifestly not useful for the processing of a specific report, according to the Directive, must not be collected or, if accidentally collected, must be deleted without delay.

Sanctions

According to the Directive, high sanctions should be applied to those who obstruct reporting persons. Sanctions should be imposed on those who publicly report or disclose information about violations that is knowingly false.

◊◊◊◊

All that remains is to wait for the publication in the Official Gazette of the Legislative Decree transposing the Directive.

Other related insights:

• European Parliament approves whistleblowing directive
• Whistleblowing: Italian law and EU Directive compared
• Whistleblowing, secure channels in companies with over 50 employees

The Court of Cassation, IV Criminal Section, in its ruling no. 22256 of 3 March 2021 (filed on 8 June), ruled on the existence of the requisites of interest and advantage of the entity in cases of culpable offences for violation of accident prevention regulations under Legislative Decree no. 231/01 on administrative liability of entities.

Facts of the case

The case concerned a workplace accident involving a driver in a waste sorting plant, who got out of his vehicle while removing the cover of a container to unload the material coming from the sorted waste collection. The employee was hit by another worker’s forklift truck and suffered serious injuries.

The Court of First Instance and the Court of Appeal found the defendant employer guilty of the offence of culpable injury aggravated by breach of the rules on accident prevention.  This was because they were held to be consequential to the infringement of the combined provisions of Articles 63 and 64 paragraph 1 of Italian Legislative Decree no. 81/2008 (respectively under the headings “Health and safety requirements” and “Employer’s obligations“) for the employer’s failure to organise a safe road system by using signs and road markings, regulating traffic in the external yard of the waste sorting plant, separating the traffic lanes, indicating the storage areas and the lanes intended for forklifts and pedestrians, and areas for manoeuvring vehicles.

The judges declared that the company was liable for an administrative offence (under Articles 5, paragraph 1, letter a) and 25-septies, paragraph 3) of Legislative Decree no. 231/2001), while recognising an extenuating circumstance, the company was ordered to pay an administrative fine (of €12,900).

According to the Court, the company was guilty of failing to assess the risk of injury resulting from possible interference between the drivers of the forklift trucks and the workers unloading the material. This liability stemmed from the reduction in the costs of the consultant’s work for the revision of the DUVRI (single document on the assessment of risk from interference) and the increase in the speed of production due to the failure to take the necessary measures.

An appeal was lodged against the Court of Appeal’s ruling.

The Supreme Court of Cassation’s ruling

The Court of Cassation clarified that (i) the concepts of interest and advantage must necessarily refer to the conduct and not the event and, (ii) they are alternatively applicable. The interest requirement must be assessed at the time of the fact, while the advantage requirement must be evaluated later, based on the effects practically derived from the offence committed.

The Court of Cassation specified that:

• the interest requirement is met if the offender knowingly violates the precautionary rule to obtain a benefit for the organisation, while
• the advantage requirement exists when the party systematically violates the prevention rules, allowing a reduction in costs and a containment of expenditure with a consequent profit advantage.

According to the Court of Cassation, the appealed ruling did not clarify the evidence from which it deduced the advantage obtained by the organisation in terms of cost savings and acceleration of the production process. In its opinion, the cost savings were small, and the company had generally complied with the accident prevention regulations.

For these reasons, the Court of Cassation upheld the Court of Appeal’s ruling insofar as it had recognised the employer’s liability as an individual. It annulled the ruling where it had identified the entity administrative liability and referred the case back to the relevant Court of Appeal in a different composition.

Other related insights:

• Failure to take the measures provided for under the GDPR is comparable to the “fault on the organisation’s side” under Legislative Decree No. 231/2001

Decree-Law no.  82/2021 (the “Decree“) was published in the Official Gazette on 14 June, containing “urgent provisions on cyber-security – definition of the national cyber-security architecture and establishment of the National Cyber-security Agency” .

The term “Cyber-security” means “activities necessary to protect networks, information systems, computer services and electronic communications from cyber threats, ensuring their availability, confidentiality, integrity and resilience” (Art. 1, paragraph 1, letter a).

The Interministerial Committee on cyber-security

The Decree, which consists of 19 articles, institutionalises the “Interministerial Committee for cyber-security” (“CIC“). CIC performs advisory, proposal and supervisory functions in the field of cyber-security policies, including the protection of national security in cyberspace. In addition, CIC has the following tasks:

• advising the Prime Minister on general national cyber-security policies guidelines;
• supervising national cyber-security strategy;
• promoting the adoption of the necessary initiatives to (i) foster effective national and international cooperation, between institutional and private stakeholders in cyber-security, sharing information and (ii) adopting best practices and measures aimed at cyber-security and industrial, technological and scientific development in the cyber-security field;
• providing an opinion on the national cyber-security Agency’s budget and balance sheet.

National Cyber Security Agency

Among the Decree’s main features is the establishment of the “National Cyber-security Agency” (“NCA” or “Agency“). The Decree specifies its functions by clarifying its composition and organisation. A special regulation, to be approved within 120 days from the entry into force of the Decree, shall define the Agency’s functioning, which is composed of eight general management level offices and thirty non-general management level offices within the available resources (art. 12 paragraph 1).

The Agency is the main body in the cyber-security field, acting as a national authority and centralising the various expertise hitherto attributed to other bodies, including those of the Ministry of Economic Development. Its tasks include:

• protecting national interests and essential state functions from cyber threats;
• developing national prevention, monitoring, detection and mitigation capabilities to deal with cyber-security incidents and cyber-attacks;
• enhancing the security of Information and Communications Technology (“ICT”) systems of entities included in the national cyber security perimeter, public administrations, essential service operators and digital service providers;
• supporting the development of industrial, technological and scientific skills, promoting projects for innovation and development, while stimulating the growth of a solid national workforce in the cyber-security field aiming at national strategic autonomy;
• providing a single national stakeholder for public and private entities in the field of security measures and inspection activities in the national cyber-security perimeter, security of networks, information systems, and electronic communication networks.

Cyber-security Unit

The Agency is supported by the “Cyber-security unit“, which supports the Prime Minister, for aspects relating to the prevention and preparation for possible crises and the activation of warning procedures. The main tasks entrusted to this body include:

• formulating initiatives concerning the country’s cyber-security;
• promoting, programming and operational planning of the response to cyber crisis situations by administrations and private operators;
• conducting inter-ministerial exercises, i.e. national participation in international exercises involving the simulation of cyber events to increase the country’s resilience and involvement in cyber-security crises.

◊◊◊◊

By 30 April of each year, the Prime Minister must report to Parliament on the Agency’s activity in the previous year. As an Italian National Coordination Centre, the Agency will interface with the “European Cyber-security Industrial, Technology and Research Competence Centre“, contributing to increasing the European strategic autonomy in the sector.

Other related insights:

• Home working and Data Protection
• Data Breach: The European Data Protection Authority Guidelines for handling data breaches

The Court of Cassation, with order No. 18292 issued on 3 September 2020, has pointed out that failure to arrange the relevant technical and organisational measures safeguarding the protection of the personal data of the data subject is comparable to the organisational fault linked to the failure to adopt an organisational model pursuant to Legislative Decree No. 231/2001.

The facts of the case

In the case at issue, a local authority lodged an appeal before the Court of Cassation against an injunction order of the Italian Data Protection Authority with which a sanction had been inflicted thereto for having published the personal data of one of its civil servants beyond the 15 day term provided for under article 124 TUEL (“Local Authorities Consolidation Act”) in the online municipal notice board.

Indeed, it was ascertained that the City had kept some decisions visible for more than one year, from which the following were clear (i) name and surname of the data subject, (ii) existence of litigation between the data subject and the City, (iii) family certificate and (iv) the circumstances that the data subject lived by herself, had made a request for paying the amount due by instalments and that the request had not been accepted.

To back its own position, the City objected that the fault for the failure to cancel the data of the data subject from the online municipal city board needed to be attributed to an outside consultant who had been instructed to configure the Internet Website in compliance with the laws and regulations currently in force.

The decision of the Court of Cassation

In rejecting the appeal, the Court of Cassation clarified that the employee’s data did not concern any “aspect of the organisation”, they did not amount to “indicators concerning the operating trend and the use of resources”, nor did they even represent “results of the activity related to the measurement and assessment carried out by the competent bodies”. Therefore, the respective publication beyond the term fixed by law could not be deemed to be lawful.

Then, in so far as the liability of the outside consultant is concerned, the Court of Cassation has specified that the Data Controller, pursuant to article 4 of Regulation (EU) 2016/679 on the protection of personal data (hereinafter, the “GDPR”) is the legal entity and not the legal representative or the director, therefore, standalone liability precisely on the legal entity’s side takes shape. This liability, the judges carry on, must be understood as “fault on the organisation’s side”, that is “reprimand arising out of the breach by the authority of the obligation to take the necessary organisational and operating precautions to prevent the perpetration of the breaches of the law”, “just like under Legislative Decree No. 231/2001 on liability of entities arising out of crime”.

In light of the foregoing, the Court of Cassation reached the conclusion that the delay in removing the published data from the online municipal notice board is “may be fully traced back to the scope of authority of the Entity and of its own apparatus”.

Conclusions

With the order under examination, the Court of Cassation finds an important similarity between the subject matter of the protection of personal data and that of liability of entities arising out of crime, by precisely comparing and making the failure to adopt adequate technical and organisational measures (under article 32 GDPR) equal to the so-called “fault on the organisation’s side” foreseen by Legislative Decree No. 231/2001.

Others Insights related:

• Organisational Model: necessary risk analysis

• Authority: legal classification for the purposes of Supervisory Body privacy