Italian Legislative Decree no. 24 of 10 March 2023 (the ‘Decree’), implementing Directive (EU) 2019/1937 ‘on the protection of persons who report breaches of Union law’ and containing provisions on the protection of persons who report breaches of national regulatory provisions (the so-called Whistleblowing Directive), was published in Italian Official Gazette no. 63 of 15 March 2023.

The provisions of the Decree apply, among others, to private-sector entities that in the last year:

  • have employed an average of at least 50 workers with permanent or fixed-term employment contracts;
  • despite having employed fewer than 50 workers, have adopted the organisation and management models envisaged by Italian Legislative Decree 231/2001 (Modelli di organizzazione e gestione, ‘MOG’).

Entities in the private sector, having heard the trade unions’ representatives or organisations, must set up and activate internal reporting channels that guarantee the confidentiality of the identity (i) of the reporting person, (ii) of the person concerned or of the person in any case referred to in the report as well as (iii) the content of the report and related documentation.

Management of the internal reporting channels may be entrusted (i) internally, to a person or to an autonomous internal office dedicated to the task and staffed by personnel specifically trained to handle reports, or (ii) externally, to an autonomous third party, likewise with specifically trained personnel. Employers must also promptly adopt and apply specific procedures for managing the internal channels, and information on the channel, the procedures and the conditions for making reports must be displayed and made easily visible to all potential reporting persons.

Any processing of personal data must comply with current data protection legislation, namely Regulation (EU) 2016/679 (the ‘GDPR’) and Italian Legislative Decree 196/2003, as amended by Italian Legislative Decree 101/2018 (the ‘Privacy Code’). Employers to whom the new legislation applies must therefore complete all the formalities that data protection law requires for the personal data processed through the channel.

Breaches of the Decree carry administrative fines of EUR 10,000 to 50,000:

  • where retaliation is committed against a whistleblower, or it is established that a report has been obstructed or that an attempt has been made to obstruct it, or that the confidentiality obligation has been breached;
  • if reporting channels have not been established, procedures for making and managing reports have not been adopted or the adoption of the procedures does not comply with the provisions of the Decree.

Fines of EUR 500 to 2,500 are also envisaged where the whistleblower’s criminal liability for defamation or slander is established.

The provisions of the Decree take effect from 15 July 2023 (17 December 2023 for the obligation of private-sector entities with an average of up to 249 employees to set up an internal reporting channel).


Monitoring the metadata of company e-mail accounts assigned to employees is unlawful where it does not guarantee adequate protection of confidentiality and is carried out in breach of the rules limiting remote monitoring of workers. This was established by the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali, the Italian ‘DPA’), which, in an Injunction Order of 1 December 2022, imposed a fine of EUR 100,000 on the Lazio Region.

The preliminary investigation

The case arose from a complaint submitted to the Italian DPA by an independent trade union organisation, which objected to the monitoring by the regional administration (the controller) of the e-mail of staff working in the Region’s legal office.

The monitoring, initiated as part of an internal investigation into a suspected disclosure of information covered by official secrecy, turned out to cover the so-called ‘metadata’ (times, recipients, subject lines and attachment sizes) of messages that some employees had sent to a specific trade union. According to the investigation’s findings, this information was available because, ‘as a matter of practice’, e-mail traffic data were retained ‘for generic IT security purposes for 180 days’ before being permanently deleted.

The Italian DPA’s Order

On the basis of the investigation’s findings, the Italian DPA clarified, among other things, that:

  • in breach of the principles of ‘lawfulness, fairness and transparency’, employees had not been provided with information on the processing of personal data in accordance with Articles 12 and 13 of the GDPR. And, as the Italian DPA noted, the fulfilment of the information obligations ‘constitutes a specific precondition for the lawful use of the data collected through technological tools, by the employer, including for all purposes related to the employment relationship (Article 4, paragraph 3, of Italian Law No 300/1970)’;
  • given that ‘the generalised collection and extensive retention of e-mail metadata […] are not instrumental to the “employee’s work performance”’, such processing may amount to an, albeit indirect, remote monitoring of the employees’ activities. The employer therefore breached not only data protection law but also the rules on remote monitoring of employees;
  • the processing and monitoring carried out enabled the employer to acquire information on the employees’ private lives or on matters that were not in any way relevant to the assessment of their professional suitability;
  • the processing of the metadata breached the principles of data protection law, namely storage limitation, data protection by design and by default, and accountability;
  • the processing of metadata was carried out in the absence of a prior data protection impact assessment.

On this basis, in addition to imposing the fine, the Italian DPA prohibited the employer (the controller) from any further processing of the (meta)data on employees’ e-mail use retained for more than seven days from collection, and ordered the deletion of data already collected and retained beyond that period. It also ordered the publication of the order on its institutional website.


On 25 March 2022, the European Commission and the United States announced that they had reached an agreement in principle on a new framework for cross-border transfers of personal data (the “Trans-Atlantic Data Privacy Framework”), intended to serve as the basis for a new adequacy decision by the Commission. The announcement came less than two years after the Court of Justice of the European Union invalidated the Privacy Shield (the Schrems II judgment of July 2020). The new framework is meant to ensure that the level of protection guaranteed by the GDPR is not undermined when European citizens’ data are transferred to, and processed in, the US.

Its crucial points are binding rules and safeguards limiting access to data by US authorities, an issue that was central to the Court of Justice’s decision. The authorities will be allowed to access and process personal data only to the extent necessary and proportionate to pursue defined national security objectives. According to the joint statement, this will be achieved by establishing an independent two-tier redress mechanism with authority to order remedial measures, and by strengthening the layered oversight of intelligence activities to ensure compliance with the limits placed on surveillance.

The Framework is intended to provide a durable basis for transatlantic data flows while protecting data subjects’ rights. The statement confirmed that the US Government and the European Commission will continue working to translate the agreement into legal texts to be adopted on both sides. Once that process is completed, European and US controllers and processors will have to comply with the Framework’s provisions.


In its ruling no. 494/2021, the Court of Venice held that a company that suffered a cyber-attack and was forced to pay a ransom to recover its data may dismiss an employee who had repeatedly browsed unsafe websites for private purposes, putting internal security at risk.

Facts of the case

The worker employed by a company operating as a shipping agency was dismissed for just cause, following a legitimate disciplinary procedure, for having improperly used a company personal computer.

The charges brought by the company against the employee were twofold:

  1. having carried out non-work activities during working hours: checking personal e-mail, viewing photos, and repeated and prolonged browsing of news websites, travel and show booking sites and even pornographic websites. This breached the Company Regulations, jeopardised the security of the computer system and took time away from work (even on days when he had requested authorisation to work overtime);
  2. having prepared and transmitted to third parties statements in the company’s name by misusing the company’s letterhead and stamp during working hours.

The employee challenged the dismissal as retaliatory and discriminatory, claiming that its sole aim was to oust him as a union representative (RSA), i.e. an “inconvenient employee”. He also claimed that the misconduct could not be attributed to him, since the computer assigned to him had no password and anyone could have used it.

The employer contested the claim, rejecting the employee’s arguments and stressing that the discovery of the evidence had been entirely fortuitous: it emerged from the checks that had become necessary after the compromise of its computer systems and the spread of ransomware.

The Court’s decision

The Court of Venice – confirming the decision of the Judge in the summary stage of the proceedings – declared that there was just cause for termination and, consequently, the dismissal was lawful.

The Judge pointed out that the evidence supporting the allegations had been acquired by the company in accordance with Article 4 of the Workers’ Statute. Under that Article, the employer may legitimately collect information from the work tools assigned to employees and use it for all purposes related to the employment relationship (including disciplinary purposes), provided that employees have been given adequate information on how the tools may be used and on how they are monitored, in accordance with the Privacy Code. The company had adopted a Regulation on the use of the tools provided, which, since its adoption, had been posted on the notice board and published in a folder on the server accessible to all employees.

The Judge observed that, even leaving aside the question of whether the Regulation had actually been adopted (which the employee disputed), what mattered was the repeated and continuous use of the computer for obvious (and undisputed) personal purposes, which was in itself disciplinarily relevant.

Finally, the Judge rejected the employee’s argument that no personal password had been set on the computer. In the Judge’s view, the absence of a password did not break attribution: the improper use was undoubtedly attributable to the employee, since he had accessed his own accounts, booked trips in his own name, used personal USB keys, visited social networks linked to him, and so on.

In the Court’s opinion, the charges brought against the employee, based on evidence the company had legitimately acquired, were established and were serious enough to justify his immediate dismissal.

Whistleblowing is being redefined. The Legislative Decree implementing EU Directive 2019/1937 “on the protection of persons who report breaches of Union law” (the “Directive”) is almost ready. It will bring significant changes compared to the rules that came into force in 2012 (Law 6 November 2012, no. 190) for the public sector and at the end of 2017 (Law 30 November 2017, no. 179) for the private sector.

◊◊◊◊

Delegated Law

On 23 October 2019, the European Parliament and the Council adopted the Directive laying down “common minimum standards” to ensure adequate protection of whistleblowers in the Member States’ legal systems. The aim is to give consistency to heterogeneous or fragmented national regulations and enhance the value of this tool.

On 23 April 2021, Law no. 53/2021 (the European Delegation Law) was published in the Official Gazette. This Law consists of 29 articles containing delegated provisions for transposing European directives and adapting national legislation to certain EU regulations.

With this Law, Parliament delegated the Government to adopt a legislative decree implementing the Directive. Article 23 of the Delegation Law requires the Government, in exercising the delegation, to observe the following principles and criteria:

  1. amend, in accordance with the Directive, the existing legislation on the protection of persons who report breaches of which they have become aware in a public or private work-related context, and of the persons listed in Article 4(4) of the Directive;
  2. ensure coordination with existing provisions, and a high level of protection and safeguard for the persons referred to in point 1, by making the necessary repeals and adopting appropriate transitional provisions;
  3. exercise the option provided for in Article 25(1) of the Directive, which allows Member States to introduce or maintain provisions more favourable to the rights of reporting persons and of the other persons listed in the Directive, so as to ensure the highest level of protection and safeguard.

These criteria will shape the national rules. The impact of the new European framework appears to concern their scope more than their content. In the matters it covers, the Directive, unlike Law no. 179/2017, does not differentiate whistleblower protection between the public and private sectors.

Having said this, let us go into detail on the main innovations introduced by the Directive.

Personal scope of application

The Directive better defines the reporting person, i.e. the individual who reports or discloses information on violations acquired in their working framework.

This includes (i) self-employed persons working for a public or private sector entity, (ii) shareholders and members of the administrative, management or supervisory body of a company, including non-executive members, volunteers and paid and unpaid trainees, and (iii) any person working under the supervision and direction of contractors, subcontractors and suppliers.

The protective measures may be applied to colleagues or relatives of whistleblowers where there is a risk of retaliation at work due to the report.

The personal scope of application is broader than under Italian Law and, therefore, the list of protected whistleblowers should be reviewed in the light of the new European rules.

Conditions for the protection of whistleblowers

Unlike under the current Law 179/2017, the protections granted to the reporting person will no longer depend on the report concerning unlawful conduct relevant under Legislative Decree no. 231/2001 and being based on precise and consistent facts.

It will be sufficient that the reporting person had, at the time of reporting, reasonable grounds to believe that the information reported was accurate and that the report or public disclosure was necessary to bring to light a violation of public interest falling within the scope of the Decree. The reasons underlying the whistleblower’s report are considered irrelevant to their protection.

Reporting channels

The Directive requires Member States to encourage reporting through internal channels before reporting through external channels (i.e. to the authorities designated by the Member States and to the competent EU bodies), “in cases where the breach can be addressed effectively internally and where the reporting person considers that there is no risk of retaliation.”

Private-sector entities with 50 or more workers, regardless of the nature of their activities, and all legal entities in the public sector, including entities owned or controlled by them, must have internal reporting channels. The exemption for smaller entities does not apply to those falling within the scope of the AML/CFT framework.

In addition, following an appropriate risk assessment, Member States may require companies with a smaller number of employees to establish internal reporting channels in some cases.

For public disclosures of wrongdoing, the Directive provides that the protection of the reporting person is triggered only if one of the following conditions is met:

  • they have previously reported the breach internally or externally without adequate follow-up within the prescribed time limits; or
  • at the time of the disclosure, they had reasonable grounds to believe that:
      • the breach may constitute an imminent or manifest danger to the public interest, or there is a risk of irreversible damage, including to the physical safety of one or more persons; or
      • in the case of an internal or external report, there would have been a risk of retaliation, or the report would have offered insufficient guarantees of being effectively addressed in the circumstances of the case.

Protected public disclosure (under the above conditions) has no equivalent in current Italian law.

Protection of whistleblowers

According to the Directive, Member States must ensure that the reporting person’s identity is not disclosed, without their explicit consent, to anyone other than the authorised personnel responsible for receiving or following up reports. This is without prejudice to specific exceptions. The same applies to any other information from which the reporting person’s identity can be deduced directly or indirectly.

Under the Directive, Member States must take the necessary measures to prohibit any form of retaliation against a whistleblower, including dismissal, change of job, reduction of salary or modification of working hours and imposition of disciplinary sanctions.

Personal data processing

Data collection and processing shall be carried out under Regulation (EU) 2016/679 on the protection of personal data.

Personal data that is manifestly not useful for the processing of a specific report, according to the Directive, must not be collected or, if accidentally collected, must be deleted without delay.

Sanctions

The Directive requires Member States to provide for effective, proportionate and dissuasive penalties against those who hinder or attempt to hinder reporting, retaliate against reporting persons or breach the duty of confidentiality. Penalties must also apply to persons who knowingly report or publicly disclose false information.

◊◊◊◊

All that remains is to wait for the publication in the Official Gazette of the Legislative Decree transposing the Directive.
