Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

In Italy, corporate risk and compliance management plays an increasingly key role. Italy was one of the first countries to enact laws on legal entities’ criminal responsibility for offences committed by their directors, representatives, executives, managers, agents and employees. Legislative Decree 231/2001 has placed such responsibility on legal entities for more than 15 years, and embraces a large variety of crimes that go far beyond anti-bribery and corruption. At the same time, enforcement of privacy rules has become increasingly effective. Naturally, sensitive sectors, such as banks, insurance companies and listed companies, are very specifically regulated and deeply scrutinised (under the Banking Act 385/1993, the Insurance Act 209/2005 and the Financial Act 58/1998).

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

Article 2381 of the Italian Civil Code vests in the chief executive officer (under the continuing supervision of the board of directors) the task of ensuring the adequacy of the organisational, administrative and accounting set-up of the corporation. The above provision, which is interpreted as a general principle and is therefore applied to limited liability companies too, establishes the duty of the directors to organise the business in a way that reduces the risk of non-compliance.

As far as listed companies are concerned, the Italian legal and regulatory framework provides for certain additional corporate bodies and procedures aimed at addressing corporate risk and compliance management. In particular:

  • pursuant to article 154-bis of the Financial Act 58/1998, listed companies shall appoint a manager in charge of preparing the company’s financial reports and ensuring that appropriate administrative and accounting procedures are put in place in connection therewith;
  • pursuant to article 123-bis of the Financial Act 58/1998, the board of directors of listed companies shall publish, on a yearly basis, a report on corporate governance providing information on, inter alia, the risk management and internal audit systems adopted by the company in relation to the financial reporting process; and
  • article 7 of the Code of Conduct for Listed Companies - which sets forth best practice standards for listed companies’ corporate governance on a ‘comply or explain’ approach - recommends adoption of an internal control and risk management system that shall consist of policies, procedures and organisational structures aimed at identifying, measuring, managing and monitoring the main risks concerning listed companies.

Moreover, pursuant to the above-mentioned provisions, it is recommended that listed companies set up a control and risk committee. The committee shall be charged, among other things, with supporting the evaluations and decisions made by the board of directors in relation to the company’s internal control and risk management system. For further information concerning the laws and regulations on corporate risk and compliance management of listed companies, see questions 6 and 7 below.

With respect to banks, the Bank of Italy’s Regulation 285/2013 establishes a comprehensive regulatory framework for banks’ risk and compliance management. The general aim of the relevant provisions is to set up an integrated and effective internal control system in order to:

  • regularly monitor business operations and ongoing compliance with the applicable laws and regulations, and check the adequacy of the banks’ organisation and accounting arrangements;
  • adequately monitor all business risks; and
  • ensure information flows that allow management to make informed decisions.

Also, with regard to insurance companies and in line with the new Solvency II regulatory framework, Legislative Decree 209/2005 and Institute for the Supervision of Private Insurance and Collective Interest (ISVAP) Regulation 20/2008 provide for the implementation of an appropriate internal control system, ensuring:

  • the efficiency and effectiveness of corporate processes;
  • adequate control of present and prospective risks;
  • the reliability and integrity of accounting and management information;
  • protection of assets from a medium and long-term perspective; and
  • compliance of the insurance companies’ activities with current legislation.

Large undertakings that qualify as public-interest entities under Legislative Decree 39/2010 (on the statutory audit of accounts) and exceed certain size thresholds are also, effective from 1 January 2017, under the obligation to publish a non-financial statement containing information on the impact of the undertaking’s activity on environmental, social and employee matters, respect for human rights, and anti-corruption and bribery matters.

Compliance violations may trigger a broad range of consequences. First of all, pursuant to article 2049 of the Italian Civil Code and article 185 of the Italian Criminal Code, legal entities are responsible for civil damages resulting from violations committed by their representatives and employees in the exercise of their functions or roles.

Moreover, pursuant to article 197 of the Italian Criminal Code and article 6 of Law 689/1981, legal entities are jointly liable for the fines levied against their representatives and employees for offences committed in the exercise of their functions or roles.

Since 2001, pursuant to Legislative Decree 231, a legal entity is also criminally liable for certain offences committed by its directors, representatives, executives, managers, agents and employees when the crime has been committed in the interest or to the benefit of the legal entity. Legal entities may exculpate themselves from such criminal responsibility only if very strict conditions are satisfied. The long list of crimes that trigger the criminal responsibility includes bribery; corporate crimes; forgery; money laundering; health and safety and environmental crimes; cybercrimes; organised crime offences; insider trading and market abuse; copyright crimes; and many others. Legislative Decree 231 applies to legal entities incorporated in Italy, Italian branches of foreign legal entities, partnerships and associations with or without legal personality.

Specific additional rules apply to state-owned companies (Law 190/2012) that must adopt specific anti-corruption measures.

From 25 May 2018, the General Data Protection Regulation 679/2016 has direct application in Italy.

Types of undertaking

Which are the primary types of undertakings targeted by the rules related to risk and compliance management?

The primary focus is on banks and financial institutions, insurance companies and listed companies. As mentioned above, a specific set of anti-corruption rules applies to state-owned companies. However, compliance rules are increasingly designed to apply to all types of companies and even to unincorporated associations.

Regulatory and enforcement bodies

Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?

Banks are supervised by the Bank of Italy and the European Central Bank (ECB). Following the implementation of the Single Supervisory Mechanism in accordance with Regulation (EU) No. 1024/2013, the ECB retains supervisory powers over all ‘significant’ Italian banks and specific tasks relating to the prudential supervision of all banks, in cooperation with the Bank of Italy (eg, the decision on the acquisition of qualifying holdings in banks). The other, ‘less significant’, Italian banks are supervised by the Bank of Italy. In this respect, in addition to on-site and off-site controls aimed at verifying compliance with banking and financial regulatory provisions (including anti-money laundering provisions), the Bank of Italy’s supervisory action extends to the adoption of administrative measures mainly relating to prudential supervision (eg, the authorisation of banks’ use of non-standard risk assessment methods). The ECB and the Bank of Italy also retain sanctioning powers. Generally speaking, with regard to ‘significant’ banks, the ECB can impose pecuniary and administrative sanctions for violations of directly applicable European rules. For ‘less significant’ banks, the said sanctioning powers are generally attributed to the Bank of Italy. Finally, following the implementation of Directive 2014/59/EU (BRRD), the ECB and the Bank of Italy also exercise extensive powers in relation to banks’ crisis management.

With regard to insurance companies, the Italian Insurance Supervisory Authority (IVASS) is the competent supervisory authority charged with ensuring the stability of the Italian insurance market and the protection of policyholders. In this context, IVASS retains inspection and investigation powers over the technical, financial and capital management of insurance companies, verifying compliance with laws and regulations. IVASS also adopts regulatory provisions relating to different areas: internal control systems, capital adequacy, valuation of technical provisions, accounting, etc. In line with the banking regulatory framework described above, IVASS also has the power to impose administrative and pecuniary sanctions on insurance companies.

The Italian Securities and Exchange Commission (Consob) and Borsa Italiana are in charge of the supervision of listed companies. Consob is an independent authority that is responsible for supervising the Italian regulated financial markets and financial intermediaries. In particular, Consob has the power to enact regulations implementing provisions of law on matters regarding regulated financial markets and financial intermediaries, and to impose administrative sanctions on the supervised entities. Borsa Italiana, a commercial company, is responsible for the organisation and management of the Italian stock exchange; its main responsibilities include supervising the transactions carried out on the markets and defining the rules and procedures for the admission to listing of companies’ financial instruments.

While the enforcement of Legislative Decree 231/2001 on legal entities’ criminal responsibility is in the hands of the criminal courts, the national anti-corruption authority is charged with overseeing compliance with the anti-corruption legislation by state-owned companies.

Finally, the Italian Data Protection Authority is the independent authority responsible for supervising the lawfulness of data processing; receiving claims, reports and complaints; blocking unlawful processing; and carrying out inspections.

Definitions

Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?

With reference to banks and insurance companies, ‘risk management’ is not defined in the applicable regulatory provisions. However, the term is widely used with general reference to the risk monitoring and verification activities to be carried out by a specific internal function established within banks and insurance companies. Nor is ‘compliance management’ defined in the applicable regulatory provisions. ‘Compliance’ is used mainly in reference to the internal function, established within banks and insurance companies, that verifies on a continuous basis compliance with laws and regulations.

Processes

Are risk and compliance management processes set out in laws and regulations?

The Italian Civil Code only provides that the organisational, administrative and accounting set-up of a corporation be ‘adequate’ to the corporation’s size and business. Some more indications are provided for listed companies. Indeed, the Financial Act 58/1998 contemplates specific additional corporate bodies (such as the manager in charge of the accounting documentation) and generally refers to the guidelines of the Code of Conduct for Listed Companies, a set of soft-law rules for which the Financial Act establishes the ‘comply or explain’ principle. Listed companies and, from 2016, state-owned companies also have the obligation to publish a yearly corporate governance report.

With reference to banks and insurance companies, risk and compliance management processes are regulated in detail under the applicable laws and regulations (see question 2). Said regulatory provisions provide for a detailed framework relating, among other things, to the organisational structures involved in those processes; the ongoing control of aggregate exposure to relevant risks; the assessment of compliance status with the applicable laws and regulations; and review and reporting activities (conducted internally and towards the supervisory authorities).

Risks linked to data processing are to be addressed in compliance with the General Data Protection Regulation (GDPR) 679/2016.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

Listed companies can voluntarily adopt the Code of Conduct for Listed Companies issued by the Committee for Corporate Governance. The Code of Conduct describes, inter alia, the main features of an effective internal control and risk management system; in particular, it requires companies to:

  • adopt a control system consisting of rules, procedures and an organisational structure aimed at identifying, monitoring and managing compliance risks; and
  • promote cooperation and communication between the executives and control bodies (ie, the statutory auditors, internal audit, control and risk committee, etc).

It is important to note that if a listed company decides not to adopt the Code of Conduct (wholly or partially), it is bound to the ‘comply or explain’ principle and the directors will be required to explain the reason for non-application.

The association of entrepreneurs has issued guidelines that provide a methodological approach for identifying and addressing compliance risks and drafting compliance programmes (‘231 compliance shields’) in order to benefit from the exemption from criminal responsibility pursuant to Legislative Decree 231/2001. Indeed, legal entities can be exempt from criminal responsibility for offences committed by their directors, managers, agents or employees in the interest or to the advantage of the legal entity only if they adopt and effectively implement internal policies, rules and procedures and appoint a special supervisory body (together, a 231 compliance shield). The association of entrepreneurs’ guidelines require, inter alia:

  • assessing risks of crime, mapping the company’s risk areas and identifying potential gaps;
  • adopting and implementing a code of ethics and a disciplinary code;
  • establishing a whistle-blowing procedure;
  • training employees and executives;
  • carrying out monitoring and inspections; and
  • regularly updating and upgrading the compliance rules and the functioning of the system.

In that respect, it is worth remembering that Italian Law 179/2017 has recently introduced general rules on whistle-blowing on top of the specific provisions already contained in the Financial Act, the Banking Act and the Anti-Money Laundering Act.

As mentioned, banks and insurance companies are required to establish risk management and compliance functions that carry out risk and compliance management pursuant to mandatory laws and regulatory provisions. In relation to banks, on 26 September 2017, the European Banking Authority published its guidelines on internal governance (including internal control systems) under Directive 2013/36/EU (EBA/GL/2017/11). In particular, these guidelines provide that a bank’s risk management function should be established and should:

  • be actively involved in elaborating the institution’s risk strategy and in ensuring that the bank has effective risk management processes in place;
  • be involved, before decisions on material changes or exceptional transactions are taken, in evaluating the impact of such changes or transactions on the bank’s overall risk; and
  • ensure that all risks are identified, assessed, measured, monitored, managed and reported on by the relevant units in the institution.

In addition, these guidelines recommend that institutions establish a permanent and effective compliance function to manage compliance risk.

The compliance function should:

  • advise the management body on measures to be taken to ensure compliance with applicable laws, rules, regulations and standards;
  • verify that new products and new procedures comply with the current legal framework; and
  • ensure that the compliance policy is observed.

Obligations

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Italian subsidiaries or branches of foreign legal entities are fully subject to Legislative Decree 231/2001 on the criminal responsibility of legal entities for offences committed by their directors, managers, agents or employees. To be exonerated from that criminal responsibility, Italian subsidiaries and branches of foreign entities must comply with the same requirements as all other undertakings incorporated or operating in Italy. Those requirements include the adoption and implementation of an effective set of internal rules and procedures and the appointment of an independent supervisory body, adequately budgeted and reporting directly to the board of directors.

Italian branches of EU banks and of Canadian, Japanese, Swiss and US banks are not required to apply the Italian regulatory provisions on internal control systems (including the risk and compliance process). However, the legal representative of such a branch must attest the branch’s compliance with the applicable Italian laws and regulations.

EU banks operating on a cross-border basis are not required to comply with said provisions, since they already have to comply with the regulations of their EU home member state (which are equivalent to the Italian provisions).

Italian branches of non-EU banks (other than those referred to above) must comply with the same regulatory provisions on internal control systems (including the risk and compliance process) applicable to Italian banks. Non-EU banks operating on a cross-border basis are not required to comply with said provisions; however, they must obtain an authorisation from the Bank of Italy, which assesses the equivalence of the provisions applicable to them under their home-country law.

EU insurance companies operating in Italy through a branch or on a cross-border basis must comply with the Solvency II provisions on risk and compliance management (which are equivalent to the Italian regulations).

Italian branches of non-EU insurance companies must comply with the Italian regulatory provisions on internal control systems (including risk management and compliance). Non-EU insurance companies cannot carry out insurance activities in Italy on a cross-border basis.

The GDPR 679/2016 applies to any processing of data within the context of the activities of the EU establishment of a data controller or data processor, even if the processing is carried out outside of the EU. In many important instances the GDPR also applies to data controllers or processors not established in the EU.

What are the key risk and compliance management obligations of undertakings?

Violation of compliance rules may expose undertakings to actions for civil damages, administrative fines and, in a number of cases, criminal responsibility. With respect to Legislative Decree 231/2001, in addition to monetary sanctions, courts may order the publication of the judgment in the press, disqualify the undertaking from contracting with public administrations, prohibit the undertaking’s business (or specific lines of business) and even appoint trustees or commissioners who replace the undertaking’s managing bodies. The conditions for exemption from criminal responsibility are explained in question 7.

Banks should adopt adequate measures and procedures in order to ensure the proper and sound management of their business. In particular, banks should establish:

  • second-level control functions, namely:
      • a comprehensive risk management function, with sufficient authority, stature and resources (taking into account the proportionality criteria) to implement risk policies and the risk management framework within the bank. The risk management function should, inter alia, be actively involved at an early stage in elaborating the bank’s risk strategy and in ensuring that the bank has effective risk management processes in place; and
      • a permanent and effective compliance function to manage the bank’s compliance risk, which should be able to report directly, where appropriate, to the management body in its supervisory function. The compliance function should be independent of the business lines and internal units it controls and have sufficient authority, stature and resources to carry out its tasks; and
  • a third-level control function, namely:
      • an independent and effective internal audit function, in charge of reviewing the control activities carried out by the business lines and by the risk management and compliance functions. The internal audit function should be independent and should ensure that the monitoring tools and risk analysis methods are adequate to the bank’s size, locations and the nature, scale and complexity of the risks associated with the bank’s business model and activities, its risk culture and its risk appetite.

It is worth mentioning that the internal governance arrangements and processes mentioned above apply, mutatis mutandis, to insurance companies. In this regard, insurance companies should establish, in addition to the above, an actuarial function, which shall, inter alia:

  • coordinate the calculation of technical provisions;
  • ensure the appropriateness of the methodologies and underlying models used as well as the assumptions underlying the calculation of technical provisions; and
  • assess the sufficiency and quality of the data used in the calculation of technical provisions.

The GDPR 679/2016 dictates a number of assessments, actions and controls aimed at the protection of personal data. Violations can generate very high fines and may also trigger orders limiting or prohibiting the processing.

Liability

Liability of undertakings

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

In principle, CEOs and executive directors have the duty to establish and maintain an adequate set-up of the company’s structure, including as regards compliance. Moreover, in many instances, CEOs may be indicted for crimes committed by officers down the management chain because of the CEO’s position as top executive officer with a duty to be informed about, and to supervise, the management of the company. Only in specific cases can CEOs demonstrate that they have effectively delegated a function to a lower officer and be exempt from responsibility. In no case will CEOs be exempted for negligence or reckless disregard in supervising. Non-executive directors may similarly suffer severe consequences if they do not supervise the CEOs or do not intervene to eliminate or at least reduce compliance violations.

Although legal entities do not have a strict regulatory obligation to prepare and implement a 231 compliance shield (see question 7), pursuant to case law, directors have a fiduciary duty to minimise risks of crime commission and so, effectively, they are bound to adopt and implement a 231 compliance shield as part of their fiduciary duties.

Do undertakings face civil liability for risk and compliance management deficiencies?

Companies are bound to compensate damages suffered by third parties as a direct result of illegal or illicit actions or omissions attributable to the company (or its directors, managers or employees), whether caused by wilful misconduct or mere negligence. In certain cases (eg, data protection law) a stricter liability regime applies. In any case, the damages must have been suffered as a direct and immediate result of the compliance violation (that is, there must be an ordinary causal nexus between the violation and the prejudice whose redress is requested), and the plaintiff has the burden of proof as to the existence and amount of the damage.

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

Legal entities are jointly liable for the payment of fines levied against their representatives or employees for conduct or omissions related to their office or work.

On top of that, Legislative Decree 231 provides for the following administrative sanctions that can be levied directly against a legal entity:

  • pecuniary penalties;
  • disqualifications, such as disqualification from the exercise of the whole business, suspension or revocation of authorisations, licences or concessions, prohibition from contracting with public administrations, exclusion from grants, loans or subsidies, and prohibition from advertising goods or services;
  • confiscations; and
  • publication of the court’s decision in one or more newspapers at the entity’s expense.

In broad terms, banks found liable for breaches of the rules regarding internal control systems and governance (including those established by the Bank of Italy) are punished with an administrative pecuniary sanction ranging from €30,000 to 10 per cent of their turnover.

Insurance companies found liable for breaches of the rules regarding internal control systems and governance (including those established by IVASS) are punished with an administrative pecuniary sanction ranging from €5,000 to €50,000.

Do undertakings face criminal liability for risk and compliance management deficiencies?

Even if the adoption of a 231 compliance shield is not considered compulsory by law (see question 10), failure to adopt one, or the adoption of an ineffective one, prevents the legal entity from relying on the compliance defence. In that case the legal entity cannot be exonerated from criminal responsibility, although it can still apply for a reduction of the sanction if it implements a solid 231 compliance shield before the opening of the trial hearing.

Liability of governing bodies and senior management

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

Directors and general managers may be liable for breach of their duties towards their company, the company creditors, single shareholders or single third parties.

Responsibility towards creditors arises if compliance rules safeguarding the integrity of the company’s net assets have been breached and the net assets are consequently insufficient to satisfy the creditors (in practice, when the company has become insolvent). That can take place, for example, when directors illicitly distribute reserves or act in conflict of interest with their company.

Responsibility towards single shareholders and single third parties can arise only when they have been directly and specifically damaged (ie, a damage that is personal to them and is not the mere consequence of a damage that affects the earnings of all the shareholders or the rights of all stakeholders).

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

Legal entities that, in their capacity as joint obligors, have paid fines levied against their directors and employees generally have a right of recourse against them.

Directors and senior management can receive fines for a broad variety of compliance violations, including corporate law breaches, breaches of data protection rules, insider trading and market abuse, and environmental and health and safety violations.

In broad terms, members of the administrative, management and control bodies of banks, as well as their personnel, are punished with an administrative pecuniary sanction ranging from €5,000 to €5,000,000 for breaches of the rules regarding internal control systems and governance (including those established by the Bank of Italy), to the extent that their conduct has contributed to the relevant infringement.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

The Italian Civil Code and the legislation on the insolvency and quasi-insolvency of companies provide for a wide range of corporate crimes, including false financial statements, unlawful obstruction of mandatory audits and controls, unlawful distribution of equity, unlawful transactions in treasury shares, extraordinary transactions to the prejudice of creditors, conflict of interest, corruption, insider trading and market abuse, and procuring or facilitating insolvency.

Corporate compliance

Corporate compliance defence

Is there a corporate compliance defence? What are the requirements?

With respect to crimes committed by directors and senior management, in order to avoid (or at least reduce) the 231 sanctions, the legal entity must prove that:

  • it has adopted and continuously implemented an effective 231 compliance shield (see question 7);
  • a special compliance supervisory office (independent, autonomous, adequately budgeted and professional) has been set up;
  • the executive has committed the crime by ‘fraudulently evading or escaping’ the company’s compliance programmes and controls; and
  • there has been no omission or negligence imputable to the above said supervisor.

The above involves a first phase of shaping the 231 compliance shield through a risk assessment or gap analysis exercise, a second phase of drafting or collecting specific compliance rules and procedures (not mere paperwork), the appointment of a supervisory body, and the approval and implementation of a disciplinary code.

For crimes committed by employees, the legal entity will be held liable if the commission of the crime was made possible by a breach by senior managers of their supervisory duties over employees.

As to the relationships with third parties under the influence of the company (small suppliers, agents, etc), it is advisable to include specific contractual clauses to entitle the company to terminate the agreement, and to apply penalties in case of commission of a crime or investigations over the third party or service provider.

Recent cases

Discuss the most recent leading cases regarding corporate risk and compliance management failures.

One of the most critical points concerning compliance risks and failures is the parent company’s responsibility for breaches imputable to a subsidiary. On that point, the Criminal Supreme Court restated in 2016 (Decision 52316) that the parent and the group companies can be criminally liable pursuant to Legislative Decree 231/2001 if the crime was committed with their help or with the involvement of an individual acting on their behalf. The Court also reiterated that the mere adoption of a 231 compliance shield is insufficient for the company to avail itself of the compliance defence, the appointment of a specific supervisory body vested with independent and effective powers being crucial.

In a 2017 judgment (Decision 49056), the Criminal Supreme Court also stated that the responsibility of a company for a bribe paid to public officials can be assessed (and sanctions may be levied) even if the corrupt public officials have not been identified (provided that the bribe has been proven) and even if the officials are not indicted in the same judicial proceedings as the one pending against the company (in the specific case, those officials had settled their liability in a separate judgment). The Court also reaffirmed that sole-shareholder companies are subject to Legislative Decree 231/2001 and remain liable regardless of whether they are solvent or insolvent.

Government obligations

Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?

The anti-corruption legislation requires public authorities to adopt an anti-corruption strategy and an action plan that provides an assessment of the level of exposure to corruption risks within the public offices, together with the organisational measures to prevent such risks. In particular, the anti-corruption plan should, inter alia:

  • identify the areas that present material corruption risk;
  • provide training activities and control measures to prevent corruption risks; and
  • provide for communication flows towards the anti-corruption supervisor, who is required to monitor and control the functioning and effectiveness of the anti-corruption plan.

Digital transformation

Framework covering digital transformation

What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?

Legislative Decree 231/2001 and the anti-corruption legislation have different scopes of application, although both are aimed at preventing the commission of crimes and exempt the legal entity from liability if the measures adopted are effective. As to the crimes to be prevented, Legislative Decree 231 regards crimes committed in the interest or to the advantage of the legal entity, whereas the anti-corruption legislation also addresses crimes committed against the legal entity. Furthermore, the latter refers to a broader concept of corruption, including not only all crimes against public authorities but also all cases of ‘bad administration’.

Update and trends

Updates and trends

With respect to data protection, on 25 May 2018 the GDPR will become directly applicable in Italy. The Italian government plans to enact a legislative decree in May 2018 to coordinate Italian data protection legislation with the GDPR. The Italian Privacy Code will be repealed, while certain resolutions, general orders and instructions issued by the Italian Data Protection Authority will survive.

As regards Legislative Decree 231, EU Directive 2017/1371 of 5 July 2017 is to be transposed into Italian law by July 2019, which will entail that certain tax crimes (VAT fraud) will begin to trigger the company’s responsibility (on top of the criminal responsibility of the individual offender) when such tax crimes are committed by directors, managers, employees and agents in the interest or to the benefit of the company.