Setting up a whistleblowing scheme is now mandatory in Italy for private and public entities, but what needs to be done?
Italy already has a very stringent corporate criminal liability regime, which I have discussed in the past for Internet service providers and gaming operators. The only available defense against potential corporate criminal liability is to adopt an internal model of organization and management of the company (or of the group, if more companies are involved) aimed at preventing the commission of crimes (the so-called “231 Corporate Model of Compliance“). That regime of corporate criminal liability now also requires setting up a whistleblowing scheme.
The extension of the regime to whistleblowing
The major change introduced by a law approved in Italy in 2017 is that both public and private companies are obliged to set up a whistleblowing scheme to handle reports and to ensure that no discriminatory action is taken against whistleblowers.
In particular, in the case of private companies, the internal model of organization and management of the company shall provide:
- one or more channels enabling top managers and their subordinates to report misconduct or breaches of the 231 Corporate Model of Compliance, providing the relevant details;
- at least one alternative reporting channel;
- a prohibition on discriminatory conduct against the whistleblower; and
- penalties against whoever breaches the measures adopted to protect whistleblowers, and against those who, with gross negligence or wilful misconduct, file reports that prove unfounded.
The latter safeguard is particularly relevant since it is meant to avoid abuses of the reporting system.
What are employment law consequences?
Any discriminatory measure against the whistleblower (i.e., dismissal or demotion, but also any other change that can be deemed discriminatory) is null and void. The peculiarity of this safeguard is that the burden of proof is reversed: the employer must prove that the challenged measure was adopted for reasons unrelated to the whistleblowing report.
This provision inevitably requires a higher level of internal compliance, since employees might report a lack of compliance as a defense against potential dismissals or other discriminatory actions.
What privacy-related safeguards shall be put in place?
Italian whistleblowing law requires that the reporting system protect the whistleblower’s identity both in criminal and in disciplinary proceedings, but says little more.
The matter was addressed in an opinion of the Article 29 Working Party (the body made up of all EU data protection authorities) back in 2006, in which the WP29 stressed that whistleblowing schemes must be implemented in compliance with EU data protection rules, since in the vast majority of cases they rely on the processing of personal data (i.e., on the collection, recording, storage, disclosure and destruction of data relating to an identified or identifiable person). The “Guidelines on the processing of personal information within a whistleblowing procedure” issued in 2016 by the European Data Protection Supervisor are also of interest, even though, given the role of the EDPS, they are addressed to EU institutions rather than to companies.
I also summarized the issues in the video below (in Italian) as part of my videoblog Diritto al Digitale, and in more detail in English in the outline that follows:
1. Legal ground of the scheme
The legal basis of the whistleblowing scheme would be the need to comply with the above-mentioned law. However, this is also tricky, as it requires staying within the boundaries of what Italian law expressly requires. If the scheme goes beyond those limits, it should be assessed whether legitimate interest can serve as the legal basis for the additional processing.
2. Compliance with the principle of proportionality
Is it possible to limit the number of persons who can report and who can be reported? Not in Italy, following the above-mentioned law. Likewise, can reports be anonymous? This is discouraged by the WP29, and it would lower the protection that Italian law provides to the whistleblower. Also, the information collected through the scheme must be relevant to the misconduct covered by the law; the scheme cannot become a reporting system for any kind of misconduct. Finally, maximum data retention periods must also be observed for such reports.
3. Need to provide adequate privacy information notice
A GDPR-compliant privacy information notice needs to be quite detailed and shall outline the processing of personal data performed through the scheme. In particular, the rights of the persons reported shall be carefully set out in the notice and protected as part of the scheme’s implementation. On this topic, you can read the article “Privacy information notice – more complicated with the GDPR.”
4. Obligation to ensure the security of the data processing
Given the sensitivity of the matter, the level of security applied throughout the handling of whistleblowing reports shall be considerably high. Also, when a company relies on a third-party provider, the provider will act as a data processor, and the company, as data controller, will remain liable. It should be assessed whether a data protection impact assessment needs to be run on the process of handling whistleblowing reports.
Is a whistleblowing scheme part of your adequate organizational and security measures under the GDPR?
In addition to the topics above, it should be assessed whether setting up a whistleblowing scheme might help a company demonstrate the implementation of adequate organizational and security measures under the GDPR. Indeed, the scheme might become, for instance, a channel for reporting data breaches, to which data controllers and data processors shall promptly react in accordance with their internal cybersecurity policies.
At the same time, given how invasive such a scheme is, it should also be assessed whether setting it up requires a data protection impact assessment.
What to do now?
Setting up or reviewing a whistleblowing scheme has both corporate criminal law and data protection law implications, which shall be thoroughly reviewed to avoid potential risks for the company.