Italy - Whistleblowing Laws in Europe: An international guide

By:

1) Local Laws

a) Has the country implemented any laws / regulations on whistleblowing (Local Law)?

Whistleblowing in Italy is regulated by Law No. 179 of November 30, 2017 (Law 179/2017) that sets out protective measures for workers in both the private and public sector.

In particular, Article 1 of Law 179/2017 amended the whistleblowing system set out by Article 54-bis of Legislative Decree no. 165 of March 30, 2001 that regulates public employment, while Article 2 introduced whistleblowing protection in the private sector by amending Article 6 of Legislative Decree no. 231 of June 8, 2001 (Decree 231) concerning the administrative liability of legal entities.

In the private sector, protective measures provided for under Law 179/2017 are applicable only when the private company (i.e. the employer) has adopted a Model 231 (i.e. the company’s compliance program). In particular, Law 179/2017 requires companies that have implemented or intend to implement such Model 231 to set up a reporting system and ensure the protection of whistleblowers.

Additional provisions regulate whistleblowing procedures in specific sectors. In particular:

  • Article 52-bis of Legislative Decree no. 385/1993 (TUB, the Consolidated Law on Banking which regulates the allocation of powers, sets out basic rules and standards, and defines the competences of credit authorities) requires banks to define specific procedures for internal reporting by employees of acts or facts that may constitute a violation of the rules governing banking. Such procedures shall ensure “a specific, independent and autonomous channel” for reporting.
  • Article 4-undecies of Legislative Decree no. 58/1998 (TUF, the Consolidated Law on Finance which is the fundamental law governing financial markets that applies to authorized operators such as banks, asset management companies and brokerage firms) requires authorized operators subject to TUF provisions to adopt specific procedures for internal reporting by employees of acts or facts that may constitute a violation of the rules of Regulation 596/2014 (Market Abuse Regulation). Such procedures shall ensure “a specific, independent and autonomous channel for reporting”.
  • Article 48 of Legislative Decree No. 231/2007 (Anti-Money Laundering Law) requires the recipients of the legislation to define procedures for internal reporting by employees or persons in comparable positions of potential or actual violations of the provisions on the prevention of money laundering and terrorist financing. It requires “the development of a specific reporting channel, anonymous and independent, proportionate to the nature and size of the obligated party”.
  • Article 10-quarter of Legislative Decree no. 209/2005 (Code of Private Insurances) requires insurance/reinsurance companies and intermediaries to adopt specific procedures for the internal reporting by employees of any acts or facts that may constitute a breach of the rules governing their business, as referred to in the Code, suitable to ensure “a specific, independent and autonomous channel”. In addition, in 2019 the Italian Institute for the Supervision of Insurance (IVASS) published a draft regulation on whistleblowing.

Several authorities have also published guidelines and best practice in this area, such as Confindustria, the Bank of Italy, Transparency International Italy (TI) and the Italian Anti-Corruption Authority (ANAC) with regard to public entities.

2) Scope of application

a) What types of wrongdoings are covered by the Local Law? Does it cover breaches of EU law?

Under Law 179/2017, public employees can report any “unlawful conduct that they become aware of by reason of their employment”. ANAC clarified that this includes not only crimes against the public administration but also situations where in the course of administrative activity, it is found the abuse by a subject of the power entrusted to them in order to obtain private advantages; and cases, regardless of the criminal relevance, where a malfunctioning of the administration is revealed due to the use for private purposes of functions assigned. For example, cases of waste, nepotism, repeated failure to comply with procedural deadlines, non-transparent recruitment, accounting irregularities, false declarations, and violation of environmental and safety at work regulations.

In the private sector, protective measures only apply if whistleblowers report illegal conduct relevant under Decree 231, i.e. any conduct that may entail the company’s liability for any of the crimes relevant under Decree 231 itself, such as corruption-related crimes, counterfeiting, money laundering, crimes against industry and trade, fraud against the state, IT crimes; and/or violations of the company’s Model 231 of which whistleblowers have become aware as a result of their employment. Reports must be grounded on “accurate and consistent elements of fact” (Article 6, paragraph 2-bis, lett. a, Decree 231).

b) Personal scope

  1. Does the Local Law apply to reporting persons working in both the private and public sectors?

  2. Yes. Under Law 179/2017, in the public sector, whistleblowers’ protection covers public employees/managers as well as employees of state-owned companies and workers/collaborators of private companies providing goods or services and carrying out activities for the public administration.

    In the private sector, Article 6, paragraph 2 bis, of Decree 231 (introduced by Law 179/2017) expressly refers to senior managers and their subordinates, as defined by Article 5, paragraph 1, letters a) and b) of Decree 231. However, according to TI’s guidelines, whistleblowing procedures should also be addressed to third parties including collaborators, consultants with any type of contract or assignment, persons acting on behalf of the organization as intermediaries and agents, and suppliers of products or services.

  3. Does the Local Law apply only to breaches that the reporting person became aware of in a work-related context?

  4. Yes, Local Law applies only to breaches the reporting person becomes aware of in a work-related context.

  5. Does the Local Law also protect: facilitators; people connected to the whistleblower and who could suffer retaliation in a work-related context; and legal entities the whistleblower owns, works for, or is otherwise connected with?

  6. No, the Local Law does not extend to such facilitators.

c) Does the Local Law require specific conditions to protect reporting persons?

In the public sector, the protection provided for by Law 179/2017 is applicable when the conduct of the reporting person does not involve a crime of slander or defamation, or is in good faith, to be understood as a lack on their part of the will to make what is defined as a malicious report. The protection does not apply in cases where the report contains false information made with intent or negligence.

Similar requirements apply in the private sector, where Law 179/2017 requires disciplinary systems to provide for sanctions against “those who make with intent or gross negligence reports that prove to be unfounded”.

3) Reporting channels

a) Does the Local Law allow anonymous reports? How are companies/agencies meant to handle them?

Law 179/2019 does not provide any indications on whether anonymous reports are allowed.

In the public sector, ANAC explains in its guidelines on whistleblowing that anonymous reports – that in particular cases may be considered by ANAC – do not fall, by express will of the legislator, directly within the scope of Article 54-bis of Legislative Decree no. 165/2001. Therefore, the protection provided by such provision can only concern civil servants who identify themselves (otherwise, protection cannot be assured) and, in any case, according to the wording of the provision, the protection granted is limited only to retaliation that may take place in the context of the employment relationship.

In the private sector, the issue remains open. The increased protection in favour of whistleblowers introduced by Law 179/2017 does not seem to exclude that Model 231 can allow anonymous reports, provided they are “circumstantiated” and “based on precise and concordant factual elements”. However, Law 179/2017 requires that the disciplinary systems adopted by the companies also provide for sanctions against “those who filed with intent or gross negligence reports that prove to be ungrounded” and in the case of anonymous reports it may be difficult if not impossible to trace the identity of the reporting person, rendering the disciplinary system ineffective.

According to TI guidelines, whistleblowing procedures should always allow anonymous reports and, at the same time, they should inform all recipients that: anonymous reports could be more difficult to ascertain, since it may be more complicated for the company to maintain contact with anonymous reporting persons and ask, where necessary, for their co-operation as well as providing feedback; and it is not possible for companies to prepare the appropriate protection instruments provided for by the law if they have no knowledge of the identity of the reporting person.

b) Is there a duty of confidentiality and any derogation from this duty?

In both the private and the public sector, entities need to guarantee the confidentiality of a whistleblower’s identity.

For the public sector, Law 179/2017 expressly provides that the identity of the reporting person cannot be revealed. In particular:

  • In the context of criminal proceedings, the identity of the whistleblower shall be kept secret in the manner and within the limits laid down in Article 329 of the Code of Criminal Procedure, which regulates judicial confidentiality in the preliminary investigation phase.
  • As part of the proceedings before the Court of Auditors, the identity of the whistleblower may not be revealed until the investigation phase has been completed.
  • In the context of disciplinary proceedings, the identity of the whistleblower cannot be revealed if the allegation of a disciplinary charge is based on separate and additional findings as compared to the report, even if they are a consequence to the report itself. However, if the allegation is based in whole or part on the report, and knowledge of the whistleblower’s identity is essential for the defense of the accused, the report can be used in disciplinary proceedings only if the whistleblower consents to the disclosure of their identity.

The guidelines issued by the ANAC include information on how to ensure the confidentiality of a whistleblower’s identity.

In the private sector, a compliance program must provide for more than one reporting channel that is able to protect a whistleblower’s identity, with at least one allowing the electronic filing of reports.

c) Public disclosures: does the Local Law provide for this possibility?

No, there are no specific provisions on public disclosure.

4) Reporting channels: internal

a) Is there an obligation for private and/or public legal entities to establish channels and procedures for internal reporting and follow-ups?

Under Law 179/2017, implementing channels for internal reporting in the public sector is mandatory for all public entities, including private entities owned by public entities.

In the private sector, only companies that voluntarily decide to adopt and implement a Model 231 must comply with rules on whistleblower protection. However, specific obligations are imposed on private entities operating in particular sectors (e.g. banks pursuant to the provisions set forth by the Consolidated Law on Banking).

b) Do internal reporting channels need to allow reporting in writing, orally or both?

Law 179/2017 does not set forth any specific requirements in this respect.

In relation to the private sector only, Law 179/2017 requires private entities to implement at least one channel allowing the electronic filing of reports. According to Confindustria guidelines, these methods can also be implemented using computer platforms managed by the company or by independent and specialized third parties, and by using dedicated mailboxes.

TI guidelines also maintain that companies should identify and indicate specific channels that are managed only by the subjects identified by the organization as in charge of receiving the reports, such as dedicated email addresses, internal software, fax numbers, or addresses for written communications.

In the public sector, ANAC has clarified that to protect the confidentiality of reporting persons’ identities, the management of reports using computer procedures is largely preferable to the acquisition and management of reports involving the physical presence of a whistleblower.

c) Procedures for internal reporting and follow-up: does the Local Law require legal entities to adopt internal reporting systems with the following elements?

  1. Channels able to ensure the confidentiality of the identity of the reporting person and the protection of third parties mentioned in the report:

  2. The confidentiality of the reporting person’s identity must always be ensured. According to ANAC guidelines, the same confidentiality should apply to reported persons and other third parties mentioned in the report.

    TI guidelines also suggest that private companies ensure the confidentiality of both whistleblower and reported person, pending verification of possible liability. In particular, the names of both the reporting and the reported persons must not be disclosed without their consent (unless the law requires it expressly) to protect them from possible speculation and retaliation by colleagues or superiors. The person in charge of receiving, examining and evaluating reports has the obligation to ensure the confidentiality of the information received.

  3. Acknowledgement of receipt of the report to the whistleblower within seven days of receipt:

  4. Law 179/2017 does not make any reference to acknowledgement of receipt.

    In the public sector, according to ANAC guidelines, reporting channels should allow whistleblowers to check the progress of their reports.

    In the private sector, according to TI guidelines, procedures should at least provide that the reporting person be informed: when the report is analyzed or if additional details are required; and when the audit on the report is completed. Procedures should allow the reporting person to request updates or responses to their report, and also to provide further information if the reported incident has been continued, disrupted or aggravated.

  5. The designation of an impartial function/team to manage follow-ups on reports and maintain communication with the whistleblower:

  6. In the private sector, Law 179/2017 does not specify how whistleblower reports should be escalated or who within a company must review them.

    However, best practice suggest Models 231 to clearly identify the person or body to whom reports should be addressed. For example, reports should be escalated to the Supervisory Body (Organismo di Vigilanza) that must be appointed by companies under Decree 231.

    Alternatively, companies may appoint an internal function or a committee comprising independent internal functions to receive and evaluate reports (such as the compliance function) or a qualified external entity who will receive and manage the first phase of the process in co-ordination with the company.

    In the public sector, internal reports should be addressed to the official responsible for the prevention of corruption and transparency (Responsabile della prevenzione della corruzione e della trasparenza, RPCT).

  7. Any other follow-up requirements including those for anonymous complaints:

  8. Please see the previous answer.

  9. A reasonable timeframe to provide feedback, not exceeding three months from acknowledgment of receipt or if no acknowledgement was sent, three months from the expiry of the seven-day period after a report is made:

  10. No time frame for feedback is provided.

  11. Providing clear and easily accessible information on internal reporting procedures and external reporting procedures to competent authorities and/or EU institutions/bodies:

  12. Law 179/2017 does not make reference to this. However, best practice suggests:

    • Carrying out specific training on whistleblowing procedures.
    • Organizing meetings with staff to stress the importance of whistleblowing.
    • Posting messages on bulletin boards.
    • Using the company intranet and creating a special newsletter and FAQ aimed at explaining reporting procedures.
  13. Should legal entities take any additional measures in order to comply with the above requirements?

  14. Following implementation of the EU Directive, private companies with more than 50 employees and regardless of whether they have adopted a Model 231 will have to implement at least one reporting channel and/or adapt existing channels to the requirements in the Directive.

    In particular, when drafting or amending whistleblowing procedures, companies will need to consider the following additional requirements:

    1. Reporting persons will include not only employees but also self-employed workers, volunteers, trainees, shareholders, etc.
    2. Reports will concern not only illegal conducts relevant under Decree 231 and/or violations of the company’s Model 231 but all breaches as defined by the EU Directive.
    3. Whistleblowers must be protected from retaliation, both directly and indirectly. This includes colleagues and relatives. In this respect, the Directive provides for a wider list of prohibited behaviours that constitute retaliation compared to those considered by Law 179/2017, such as providing negative performance ratings, discrimination and transfer of duties.

    Regarding the structure of such channels, companies will need to allow whistleblowers to report orally by free telephone line or other voice messaging system, or both. At the request of the reporting person, it must also be possible to make reports through face-to-face meetings.

    Regardless of whether the company decides to appoint an internal function to receive reports or rely on third parties, it will need to designate an impartial person or service to follow up on the report within the time frame set out by the EU Directive as well as maintaining contact with the reporting person. The company will have to keep track and archive all reports and related follow-ups.

    Moreover, companies will have to inform all concerned subjects regarding the implemented procedures as well as procedures for external reporting to competent authorities.

5) Reporting channels: external

a) Has the country designated a competent authority to receive and investigate whistleblower disclosure and retaliation complaints?

Law 179/2017 identifies competent external authorities only with regards to the public sector. In particular, public employees can externally report violations to ANAC or to judicial or accounting authorities.

b) Is an independent and autonomous external reporting channel already established in the country?

According to specific regulations, ANAC, the Bank of Italy and CONSOB have implemented reporting channels that can be activated to report violations indicated in the respective procedures.

6) Processing of personal data

a) Is personal data concerning the reports processed in compliance with local and EU legislation such as EU Regulation 2018/1725 and local privacy laws?

Although Law 179/2017 does not provide any guidance in this area, entities are required to treat data in compliance with applicable data protection laws.

7) Record keeping of reports

a) Is there any obligation regarding record keeping of reports as provided for by the EU Directive?

No. However, best practice suggests keeping track of all reports, investigations and follow-ups.

8) Protection

a) Is there any difference between whistleblower protections in the private and public sectors?

Under Law 179/2017, reporting persons in the public sector cannot be sanctioned, demoted, dismissed, transferred, or subjected to any other organizational measure having negative effects, direct or indirect, on working conditions. It is up to the entity that the reporting person works for to prove that the discriminatory or retaliatory measures taken against the reporting person were motivated by reasons unrelated to the report. Any discriminatory or retaliatory action taken by the administration or body is null and void and whistleblowers dismissed on the basis of the report shall be reinstated in their jobs.

In the private sector, Law 179/2017 prohibits any act of retaliation or discrimination, direct or indirect, against the reporting person for reasons directly or indirectly related to the report.

Any alleged infringement of this protection may be reported to the National Labour Inspectorate by the whistleblower or by their union representative (relating to employment law).

Companies’ disciplinary systems should provide for sanctions against the person infringing the protective measures that exist in favour of the whistleblower.

Retaliatory or discriminatory dismissal of whistleblowers is null and void. In the event of disputes relating to the imposition of disciplinary sanctions or to dismissals, transfers or the submission of the reporting person to another organizational measure with direct or indirect negative effects on working conditions after a report has been submitted, it is up to the employer to demonstrate that such measures are based on reasons unrelated to the report.

b) Are whistleblowers protected against all forms of retaliation including threats and attempts of retaliation? Which forms of retaliation are expressly indicated?

Please see the answer directly above.

c) Does the Local Law provide for any other measures of support such as those indicated in the EU Directive?

There are no additional measures of support.

d) Does the Local Law provide for the necessary measures to prohibit any form of retaliation against whistleblowers?

In the public sector, Law 179/2017 sets forth the following sanctions:

  • A fine of between EUR5,000 and EUR30,000 to the person who adopted a discriminatory measure if, as a result of its investigation of the report, ANAC finds that discriminatory measures have been taken against the reporting person.
  • A fine of between EUR10,000 and EUR50,000 if the absence of procedures for the forwarding and management of reports is ascertained, or the adoption of procedures that do not comply with the requirements set forth by the law.
  • A fine between EUR10,000 and EUR50,000 if it is ascertained that the person responsible has failed to carry out verification and analysis of reports received.

ANAC determines the amount of the sanction, taking into account the size of the administration or the body to which the report refers.

Private companies need to introduce in their disciplinary systems sanctions against those who violate measures for the protection of whistleblowers.

e) Does the Local Law provide for any remedial measures, including interim relief measures?

No, the Local Law does not provide for such remedial measures.

f) Does the Local Law provide for exemptions from liability for whistleblowers?

Under Law 179/2917, the integrity of public administrations or private companies and therefore the fight against corruption constitutes a just objective cause to derogate from the obligations of secrecy provided for in the Italian legal system:

  • Official secrecy pursuant to Article 326 of the Italian Criminal Code.
  • Professional secrecy pursuant to Article 622 of the Italian Criminal Code.
  • Scientific or industrial secrets pursuant to Article 623 of the Italian Criminal Code or information relating to the organization and production methods of the company pursuant to Article 2105 of the Italian Civil Code.

Such provision does not apply when the obligation of professional secrecy concerns the person that became aware of the violation because of a consulting or assistance relationship with the interested body, firm or person.

When information and documents reported by the whistleblower are subject to corporate, professional or official secrecy, it is a breach of the relevant obligation to secrecy the act of disclosing them in a manner that goes beyond the purposes of eliminating the wrongdoing and, in particular, the act of disclosing them outside the communication channel specifically arranged for that purpose.

g) Does the Local Law provide for sanctions against natural and legal persons that violate whistleblowers’ protection or the duty of maintaining the confidentiality of their identity?

Please see previous answer 8) d).

h) Does the Local Law provide for sanctions in case of false reports?

Whistleblowers working in the public sector are excluded from the protective measures set forth by Law 179/2017 in case of conviction – also by a court of first instance – for the crimes of slander or defamation, or when their civil liability is established in the case of intent or gross negligence.

In the private sector, companies need to introduce sanctions in their disciplinary systems against whistleblowers that file intentional or grossly negligent reports that prove to be groundless.

9) Other issues

a) Under the Local Law, is adopting a whistleblowing system relevant to assess the adequacy of a compliance program? Does this have any value to mitigate or eliminate criminal liability for legal entities?

In assessing the suitability of a Model 231 for the purpose of exemption from criminal liability, judges will also need to consider if the company has foreseen and implemented reporting channels compliant with the requirements set forth by Law 179/2017. Whistleblowing systems are fundamental and necessary elements of Models 231.

b) Does the Local Law or another law in your country provide for whistleblower reward programs?

No reward programs are envisaged.

c) Can companies benefit from any incentives in the case of voluntary self-disclosure of violations they became aware of following an internal report?

No such incentives or benefits are available.

d) Will implementing the EU Directive create any issues with obligations provided for under other laws / regulations?

A potential problem concerns co-ordination between reporting systems and the mandatory flows of information towards the Supervisory Body, pursuant to Decree 231.

Under Decree 231, for the purpose of exemption from criminal liability, companies need to appoint a Supervisory Body to oversee the functionality and effectiveness of the company’s Model 231 and compliance, in addition to being responsible for revision of the Model 231 itself. For such a body to carry out its tasks, companies need to ensure mandatory flows of information towards the Supervisory Body so it is informed of all facts/circumstances that may trigger the company’s criminal liability.

When implementing adequate internal whistleblowing channels as provided for by the Directive, companies will have to consider that they still need to ensure the appropriate flows of information to the Supervisory Body. This may be particularly challenging in transnational groups that have or intend to implement centralized whistleblowing channels.

Companies will, therefore, need to ensure appropriate co-ordination between that channel and the one to be implemented according to the requirements of the EU Directive.


Return to Overview page

For a pdf of the full guide please click on the button below.

Issue contents