Italian Legislative Decree no. 24 of 10 March 2023 (the ‘Decree’), implementing Directive (EU) 2019/1937 and ‘on the protection of persons who report breaches of Union law and containing provisions concerning the protection of persons who report breaches of national regulatory provisions’ (so-called Whistleblowing Directive),has been published in the Italian Official Gazette no. 63 of 15 March 2023.

The provisions referred to in the Decree apply, among others, to entities in the private sector that in the last year:

• have employed an average of at least 50 workers with permanent or fixed-term employment contracts;
• despite having employed fewer than 50 workers, adopt organization and management models envisaged by Italian Legislative Decree 231/2001 (Modelli di organizzazione e gestione – “MOG“).

Entities in the private sector, having heard the trade unions’ representatives or organisations, must set up and activate internal reporting channels that guarantee the confidentiality of the identity (i) of the reporting person, (ii) of the person concerned or of the person in any case referred to in the report as well as (iii) the content of the report and related documentation.

The management of the internal reporting channels can be entrusted (i) internally, to a person or to an autonomous internal office dedicated to this and made up of personnel specifically trained for the management of the reporting channel or (ii) externally to a third party, also autonomous and with specifically trained personnel. Furthermore, specific procedures for managing the internal reporting channels are envisaged which must be promptly implemented and applied by the employers and the information relating to the channel, the procedures and the conditions for making reports shall be displayed and made easily visible to all recipients.

Any processing of personal data must be carried out in compliance with current legislation on the protection of personal data, today represented by Regulation (EU) 2016/679 (the ‘GDPR’) and by Italian Legislative Decree 196/2003, as amended by Italian Legislative Decree 101/2018 (the ‘Privacy Code’). Employers addressees of the new legislation must therefore adopt all the necessary formalities required by the legislation on the subject of protection and safeguard of personal data processed.

For the violation of the provisions of the Decree, the imposition of administrative sanctions ranging from EUR 10,000 to 50,000 is envisaged:

• when retaliation is committed against the whistle-blowers, it is ascertained that the report has been obstructed, an attempt has been made to hinder it or the confidentiality obligation has been breaches;
• if reporting channels have not been established, procedures for making and managing reports have not been adopted or the adoption of the procedures does not comply with the provisions of the Decree.

Penalties ranging from EUR 500 to 2,500 are also envisaged in the cases in which the criminal liability of the whistle-blower for the crimes of defamation or slander is ascertained.

The provisions of the Decree take effect from 15 July 2023 (17 December 2023 for companies with over 249 employees).

Other related insights:

De Luca & Partners and HR Capital launch a new whistleblowing task force (Legalcommunity, 6 February 2023) – De Luca & Partners (delucapartners.it)

DID YOU KNOW THAT… The transposition of the (EU) Whistleblowing Directive will lead to new employer obligations?

On 8 November, the national legislature approved two separate legislative decrees introducing new predicate offences to the list of administrative liability of entities under Legislative Decree no. 231/2001. These are:

• Legislative Decree no. 184, which transposed European Directive no. 2019/713 “on combating fraud and counterfeiting of non-cash means of payment” and
• Legislative Decree no. 195, which transposed European Directive no. 2018/1673 “on combating money laundering by means of criminal law”,

published in the Official Gazette, respectively, last 29 and 30 November 2021 and entered into force, respectively, on 14 and 15 December.

Going into detail, Legislative Decree no. 184/2021 introduced into the Legislative Decree no. 231/2001 in art. 25 octies.1 “Offences relating to non-cash means of payment.”  This sanctions the entity in whose interest the following offences are committed:

• improper use and falsification of non-cash payments;
• possession and dissemination of IT equipment, devices or programs aimed at committing offences concerning non-cash payment means;
• computer fraud in cases aggravated by the transfer of money, monetary value or virtual currency.

Legislative Decree no. 195/2021, extends art. 25-octies Legislative Decree no. 231/2001, by including the offences of receiving, laundering, self-laundering and using money, goods or benefits of unlawful origin, violators face imprisonment from six months to a maximum of a year. This applies to culpable offences for money laundering and self-laundering.

Other related insights:

• DO YOU KNOW THAT… The offence of trading in influence is now included in the list of predicate offences in model “231”?
• Failure to take the measures provided for under the GDPR is comparable to the “fault on the organisation’s side” under Legislative Decree No. 231/2001

The Court of Cassation, IV Criminal Section, in its ruling no. 22256 of 3 March 2021 (filed on 8 June), ruled on the existence of the requisites of interest and advantage of the entity in cases of culpable offences for violation of accident prevention regulations under Legislative Decree no. 231/01 on administrative liability of entities.

Facts of the case

The case concerned a workplace accident involving a driver in a waste sorting plant, who got out of his vehicle while removing the cover of a container to unload the material coming from the sorted waste collection. The employee was hit by another worker’s forklift truck and suffered serious injuries.

The Court of First Instance and the Court of Appeal found the defendant employer guilty of the offence of culpable injury aggravated by breach of the rules on accident prevention.  This was because they were held to be consequential to the infringement of the combined provisions of Articles 63 and 64 paragraph 1 of Italian Legislative Decree no. 81/2008 (respectively under the headings “Health and safety requirements” and “Employer’s obligations“) for the employer’s failure to organise a safe road system by using signs and road markings, regulating traffic in the external yard of the waste sorting plant, separating the traffic lanes, indicating the storage areas and the lanes intended for forklifts and pedestrians, and areas for manoeuvring vehicles.

The judges declared that the company was liable for an administrative offence (under Articles 5, paragraph 1, letter a) and 25-septies, paragraph 3) of Legislative Decree no. 231/2001), while recognising an extenuating circumstance, the company was ordered to pay an administrative fine (of €12,900).

According to the Court, the company was guilty of failing to assess the risk of injury resulting from possible interference between the drivers of the forklift trucks and the workers unloading the material. This liability stemmed from the reduction in the costs of the consultant’s work for the revision of the DUVRI (single document on the assessment of risk from interference) and the increase in the speed of production due to the failure to take the necessary measures.

An appeal was lodged against the Court of Appeal’s ruling.

The Supreme Court of Cassation’s ruling

The Court of Cassation clarified that (i) the concepts of interest and advantage must necessarily refer to the conduct and not the event and, (ii) they are alternatively applicable. The interest requirement must be assessed at the time of the fact, while the advantage requirement must be evaluated later, based on the effects practically derived from the offence committed.

The Court of Cassation specified that:

• the interest requirement is met if the offender knowingly violates the precautionary rule to obtain a benefit for the organisation, while
• the advantage requirement exists when the party systematically violates the prevention rules, allowing a reduction in costs and a containment of expenditure with a consequent profit advantage.

According to the Court of Cassation, the appealed ruling did not clarify the evidence from which it deduced the advantage obtained by the organisation in terms of cost savings and acceleration of the production process. In its opinion, the cost savings were small, and the company had generally complied with the accident prevention regulations.

For these reasons, the Court of Cassation upheld the Court of Appeal’s ruling insofar as it had recognised the employer’s liability as an individual. It annulled the ruling where it had identified the entity administrative liability and referred the case back to the relevant Court of Appeal in a different composition.

Other related insights:

• Failure to take the measures provided for under the GDPR is comparable to the “fault on the organisation’s side” under Legislative Decree No. 231/2001