There is no end to new initiatives on the subject of whistleblowing. While the provisions of Italian Legislative Decree no. 24 of 10 March 2023 are already in force for companies with 250 employees or more, for companies employing 50 to 249 employees this has only been the case since 17 December 2023, requiring them to equip themselves with whistleblowing systems. How does all this impact the work of specialised law firms?
We asked some of the firms that are supporting companies in complying with the law on the protection of persons who report breaches of national or EU regulatory provisions. Six months after its entry into force, De Luca & Partners’ dedicated task force has analysed companies’ actual application of the rule, and it emerges that they are still far from compliant with the provisions. “We notice a general tendency to underestimate the complexity of the activities to be carried out to comply with the provisions of the Whistleblowing Decree”, says Vittorio De Luca, managing partner of De Luca & Partners.
“Companies are lagging behind in carefully assessing which system, including IT systems, should be used to make reports, in full compliance with applicable privacy legislation. Not only that, but companies also need to ensure that the disciplinary code adopted is adequate to avoid frustrating disciplinary measures. And this is in a regulatory framework that establishes two particularly significant risks: a fine of up to EUR 50,000, and above all, failure to comply with the exemptions provided for by Italian Legislative Decree no. 231/01”.
The full version of the interview was published on ItaliaOggi7 of 19 February 2024.
Italian Legislative Decree no. 24/2023, which implements Directive (EU) 1937/2019 and introduces the new legal framework on whistleblowing has come into effect. Laws on whistleblowing have already been in force for some years in companies required to implement the 231 Models and detailed and specific provisions on procedure and sanctions now apply to all companies.
The term “whistleblowing’ refers to the activity of reporting breaches of national or EU regulatory provisions of which workers have become aware in the context of work. For companies with more than 250 employees, the obligation to adopt adequate reporting systems has been in force since 15 July 2023, while for small and medium-sized enterprises the obligation came into force on 17 December.
Conduct, acts or omissions that harm the public interest or the integrity of the public administration or private entity and that consist of breaches attributable to the specific cases listed in the decree must be reported.
A person who believes that the conditions for a report are met may use the following channels: (i) internal reporting; (ii) external reporting, if there is no mandatory activation of the internal reporting channel, or if this has already been done without follow-up, if the whistleblower has reasonable grounds to believe that the internal report would not be followed up or there would be a risk of retaliation or if the whistleblower has reasonable grounds to believe that the breach constitutes a danger to the public interest; (iii) public disclosure, if the whistleblower has already made an internal and/or external report without feedback, if there is reasonable ground to believe that the breach may constitute a danger to the public interest, or if there is reasonable ground to believe that the external report may involve the risk of retaliation or may be ineffective; (iv) complaint to the judicial authority, at any stage.
Internal channels must ensure the confidentiality of the reporting person, the content of the report, the facilitator and the person concerned. When establishing internal reporting channels, it is necessary to use suitable tools to receive reports both orally and in writing, as the whistleblower is guaranteed both methods.
In this regard, the Italian National Anti-Corruption Authority (Autorità Nazionale Anticorruzione, ‘ANAC’) with resolution 311 of 12 July 2023 considered that ordinary e-mail and certified e-mail (PEC) did not guarantee confidentiality, and thus required the use of online platforms. As far as the paper report is concerned, the ANAC has requested that it be placed in two sealed envelopes (one with the identification data and the second with the actual report), then both envelopes should be inserted in a third sealed envelope with the external wording “confidential” for the manager of the report.
To implement the new regulatory obligation, companies must identify the channel in an organisation specific document; inform trade union representatives; make clear information available to the reporting person about the channel, procedures and conditions for making internal or external reports (e.g. via the website or platform page); guarantee the training of those who are entrusted with the management of the reporting channel and of all internal staff; adapt the 231 organisational model (if adopted) and put in place all the measures required under the regulations on the protection of personal data and the processing carried out to comply with it. Finally, companies will have to adopt a sanctioning system in the event of breach of the decree provisions.
In conclusion, under the regulatory framework that arises from Italian Legislative Decree no. 24/2023, companies and operators must pay great attention to the preparation of policies and organisational and management tools necessary for the implementation of legal obligations to ensure the protection and enhancement of each organisation’s ethical principles.
Six months after the entry into force of the Italian legislative decree on Whistleblowing the dedicated task forceof De Luca & Partners’, a leading law firm in consultancy and assistance in employment law, analyses its actual implementation by Italian companies.
The decree requires employers to implement a system of protection and safeguards for those who report crimes and irregularities within the context of a public or private work relationship.
According to analysis by the De Luca & Partners task force, Italian companies are still far from compliant with the provisions which, from 17 December 2023, also affect smaller organisations with between 50 and 249 employees.
The task force noted that it is primarily in the field of dedicated company procedures – such as the identification of breaches that can become the subject of a report or the recipients of the reports themselves – that companies show general non-compliance.
“Looking at companies’ behaviour to date, we notice a general tendency to underestimate the complexity of the activities to be carried out to comply with the provisions of the Whistleblowing Decree”, underlines Vittorio De Luca, Managing Partner of De Luca & Partners. “Just to mention the main areas, all aspects of the process must be detailed in specific company procedures. Companies are delaying the careful consideration necessary to assess through which system, including computerised systems, they should make reports, in full compliance with current privacy legislation. Not only that, but it is also necessary to ensure that the disciplinary code adopted is adequate to avoid invalidating any disciplinary measures taken. And this is all in the context of regulatory framework that contains two significant risks for the failure to adopt an appropriate report management process: a fine of up to EUR 50,000, and the loss of the exemptions provided for in Italian Legislative Decree no. 231/01”, adds Vittorio De Luca.
The task force launched by De Luca & Partners includes the Firm’s Compliance team and offers all aspects of legal support required by companies to adopt the procedures necessary to guarantee compliance with all aspects of the legislation.
Continue reading the full version on Norme & Tributi Plus Diritto of Il Sole 24 Ore.
Since the beginning of 2023, a task force at law firm De Luca & Partners has been entirely dedicated to the new decree on Whistleblowing which requires employers to implement a system of safeguards and protection for those who report crimes and irregularities in the workplace. The task force offers legal support to companies in adopting the necessary procedures to ensure compliance with all aspects of the legislation.
According to a task force survey on the current state of play of actual implementation of the regulations by Italian companies, it appears that they are still far from compliant with the provisions that, by 17 December 2023, must be adopted by even the smallest organisations, with between 50 and 249 employees. Specifically, it is in the area of company procedures, such as the identification of breaches that can become reportable or the recipients of reports, that companies show a general lack of compliance. “We note a general tendency to underestimate the complexity of the activities to be carried out to comply with the provisions of the Whistleblowing Decree”, notes Vittorio De Luca, managing partner of De Luca & Partners. “Just to mention the main areas, all aspects of the process must be detailed in specific company procedures. Companies are delaying the careful consideration necessary to assess through which system, including computerised systems, they should make reports, in full compliance with current privacy legislation. Not only that, but it is also necessary to ensure that the disciplinary code adopted is adequate to avoid invalidating any disciplinary measures taken. And this is all in the context of regulatory framework that contains two significant risks for the failure to adopt an appropriate report management process: a fine of up to EUR 50,000, and the loss of the exemptions provided for in Italian Legislative Decree no. 231/01”, concludes Mr De Luca.
Continue reading the full version on L’Economia of Il Corriere della Sera.
Vittorio De Luca took part in the conference promoted by RSM Studio tributario e societario entitled: “The new whistleblowing law: small step forward or breakthrough?”.
In the course of his speech, Vittorio addressed the employment law aspects of the whistleblowing regulations: in particular, he examined the measures put in place to protect those who report unlawful acts that have come to their knowledge in the work context (so-called whistleblowers) by Italian Legislative Decree no. 24/2023, as well as the burdens and obligations imposed on companies to comply with the regulations in force and to be able to handle any reports received in the best possible way.
In particular, the following topics were addressed:
After a long wait and several postponements, on 25 March 2023 Italian Legislative Decree no. 24 of 10 March 2023 (the “Decree”) was published in the Italian Official Gazette no. 63 of 15 March 2023. With the Decree the Italian legislator implemented Directive (EU) 2019/1937 “on the protection of persons who report breaches of Union law and laying down provisions concerning the protection of persons who report breaches of national legal provisions” (also known as the “Whistleblowing Directive”. Hereinafter, for the sake of brevity, “Directive”).
What is meant by the term “reporting person” or “whistleblower”?
The term “reporting person” or “whistleblower” refers to the person who, in the general interest, reports unlawful conduct of which he or she has become aware in a work-related context.
It is worth making it clear from the outset that complaints of a personal nature that relate exclusively to individual employment relationships, the protection of forensic and medical professional secrecy and of the decisions of judicial bodies are not the subject of reporting, and therefore remain excluded from the scope of the legislation.
The protection measures for whistleblowers apply not only to employees and collaborators but also to apprentices, the self-employed, freelancers and consultants, volunteers and paid or unpaid trainees, shareholders, those who exercise functions of administration, management, control, supervision or representation (including if exercised on a de facto basis) and to anyone working under the supervision and direction of contractors, sub-contractors and suppliers.
Protection must also be guaranteed even when the employment relationship has not yet been established – if the information was acquired during the selection process or in any case in the pre-contractual phase – during the trial period or after the termination of the relationship, where information on possible breaches has been acquired during the relationship.
Measures of protection also extend to the so-called “facilitators”, i.e. those who assist the worker in the reporting process, to persons who work in the same work-related context as the whistleblowers and who are linked to them by a stable emotional or family bond within the fourth degree, to the whistleblower’s work colleagues who work in the same work-related context and have a recurrent and ongoing relationship, or to entities that the reporting persons own, work for or are otherwise connected with in a work-related context.
Which private sector parties have to apply the new provisions and when will they take effect?
The new provisions:
How can reports be made?
Reports can be made through:
Protection also extends to shareholders, apprentices, the self-employed, and consultants.
Wide-ranging whistleblowing protection. In addition to their current employees and collaborators, private sector companies must also provide protection to employed workers, apprentices, self-employed workers, freelancers and consultants, volunteers and trainees (including unpaid ones), shareholders, those exercising administrative, management, control, supervisory or representative functions (including if those functions are exercised on a de facto basis) and all persons working under the supervision and direction of contractors, subcontractors and suppliers. This is provided for by Italian Legislative Decree No 24/2023 in which the Italian legislator implemented Directive (EU) 2019/1937 (the so-called Whistleblowing Directive). The provisions will be effective from 15 July 2023 or from 17 December thereafter for companies with an average number of employees of up to 249, as well as for companies that have adopted the organisational model required by Italian Legislative Decree No 231. The purpose of the provision is to oblige companies and other organisations covered by the regulation to activate computer tools to enable the reporting of breaches of regulatory provisions. The legislator, including the EU legislator, intended to protect potential whistleblowers. Protection must also be guaranteed even when the employment relationship has not yet been established, if the information was acquired during the selection process or in any case during the pre-contractual phase, during the probationary period or after termination of the relationship if the information on possible breaches was acquired during the course of the relationship. The protection measures for whistleblowers are also aimed at ‘facilitators’ (i.e. those who assist the worker in the reporting process), persons who work in the same work context as the whistleblowers and who are related to them by a stable emotional or familial relationship up to the fourth degree, work colleagues of the whistleblower who work in the same work context and who have a long-standing and ongoing relationship, or entities owned by and entities that work in the same context as these persons. Between now and the entry into force of the decree, recipient companies will have to i) identify and approve appropriate procedures to regulate the reporting process, ii) activate the aforementioned computerised reporting channels, iii) implement what is necessary to ensure protection and confidentiality for the reporting parties, and iv) provide for and regulate remedial initiatives in the event of reported breaches. This is without neglecting seemingly insignificant details, such as the finalisation and posting of the disciplinary code, which is often missing, incomplete or inadequately completed.
De Luca & Partners launches a new task force supporting companies grappling with the Whistleblowing legislative decree, which requires employers to implement a system of protection and safeguards for those who report crimes and irregularities within a public or private professional relationship.
The soon-to-be-adopted decree implementing the EU Directive 2019/1937 protecting those who report regulatory breaches, introduces important measures for the prevention and combating of corruption, under standards of absolute confidentiality of the whistleblower, parties involved and the report content. This involves the public and private sectors and includes the obligation to activate a channel for reporting offences for companies with more than 50 employees.
The task force set up by De Luca & Partners is a dedicated and operational practice, even if the decree is not yet officialised. This sees the Firm’s expert compliance professionals working with HR Capital consultants – a Firm partner, and a leader in services for the management and administration of staff outsourcing.
The focus team created from this synergy can provide the necessary legal support to companies adopting the procedures to ensure corporate regulatory compliance, by providing an intuitive SAAS computer system with the features for implementing an abuse and harassment at work reporting system that protects whistleblowers and keeps their confidentiality. The task force provides constant monitoring to enable companies to correctly address and handle reports.
De Luca & Partners Managing Partner Vittorio De Luca said: “We are proud to launch this Whistleblowing task force before the decree’s entry into force. This is a tangible sign of the Firm’s presence alongside its clients and our commitment to grasping and anticipating their needs and requirements. The focus team combines the De Luca & Partners and HR Capital’s knowledge and is already operational. It provides support in the future application of the decree and helps companies applying for UNI PDR 125/2022 certification, which requires an abuse and harassment at work anonymous reporting system.”