The setting up of a whistleblowing scheme is now mandatory in Italy for both private and public entities, but what needs to be done?
Italy already provides a very stringent regime of corporate liability. The sole available defence against potential corporate criminal liability is to adopt an internal corporate model of organisation and management of the company (or of the group, if more companies are involved) aimed at preventing the commission of crimes (the so-called “231 Corporate Model of Compliance”). But this regime of corporate criminal liability now also requires the setting up of a whistleblowing scheme.
The extension of the regime to whistleblowing
The major change introduced by a new law recently approved in Italy is that both public and private companies are obliged to set up a whistleblowing scheme for the handling of reports and to ensure that no discriminatory actions are taken against whistleblowers.
In particular, in the case of private companies, the internal corporate model of organisation and management of the company shall provide:
- one or more channels enabling top managers and their subordinates to report misconduct or breaches of the 231 Corporate Model of Compliance, providing the relevant details;
- at least one alternative reporting channel;
- the prohibition of adopting discriminatory conducts against the whistleblower; and
- penalties against whoever breaches the measures adopted to protect whistleblowers, as well as against those who report unfounded misconduct with gross negligence or wilful misconduct.
The latter safeguard is particularly relevant since it is meant to prevent abuse of the reporting system.
What are the consequences under employment law?
Any discriminatory measure (i.e. dismissal or demotion, but also any other change that can be deemed discriminatory) against the whistleblower is considered null and void. The peculiarity of this safeguard is that the burden of proof falls on the employer, which shall prove that the challenged measure was adopted for reasons unrelated to the whistleblowing report.
The provision above inevitably requires ensuring a higher level of internal compliance, since employees might report a lack of compliance as a defence to challenge potential dismissals or discriminatory actions.
What privacy related safeguards shall be put in place?
Italian whistleblowing law requires that the reporting system ensures the protection of the identity of the whistleblower in both criminal and disciplinary proceedings, but says little more.
The matter had been the subject of an opinion of the Article 29 Working Party (the body made up of all the EU data protection authorities) back in 2006, in which the WP29 stressed that whistleblowing schemes must be implemented in compliance with EU data protection rules, since in the vast majority of cases they rely on the processing of personal data (i.e. on the collection, registration, storage, disclosure and destruction of data relating to an identified or identifiable person).
In particular, the following issues need to be taken into account:
1. Legal ground of the scheme
With the approval of the recent Italian law, the legal ground on which the whistleblowing scheme is set up would be the need to comply with a legal obligation. However, this is also tricky, as it requires staying within the boundaries of what is expressly required under Italian law; if the scheme goes beyond such limits, it should be assessed whether legitimate interest can serve as the legal basis for the additional processing.
2. Compliance with the principle of proportionality
Is it possible to limit the number of persons who can report and who can be reported on? Maybe not in Italy under the new law. Likewise, can the report be anonymous? This is discouraged by the WP29 and would lower the protections that Italian law provides for the whistleblower. Also, the information collected through the scheme needs to be relevant to the types of misconduct covered by the law, and the scheme cannot become a reporting system for any kind of misconduct. Finally, maximum data retention periods need to be observed for such reports as well.
3. Need to provide an adequate privacy information notice
A privacy information notice, which under the EU General Data Protection Regulation needs to be much more detailed, shall outline the processing of personal data performed by means of the scheme. In particular, the rights of the persons reported on shall be carefully outlined in the notice and protected as part of the implementation of the scheme.
4. Obligation to ensure security of the processing
Given the sensitivity of the matter, the level of security to be maintained throughout the whole process of handling whistleblowing reports shall be considerably high. Also, when a company relies on a third-party provider, the provider will act as data processor and the company will therefore remain liable. Finally, it should be assessed whether a data protection impact assessment needs to be carried out on the process of handling whistleblowing reports.
Is a whistleblowing scheme part of your adequate organizational and security measures under the GDPR?
In addition to the topics above, it should be assessed whether the setting up of a whistleblowing scheme might support a company in demonstrating the implementation of adequate organisational and security measures under the GDPR. Indeed, the scheme might become, for instance, a channel for the communication of data breaches, to which data controllers and data processors shall promptly react on the basis of their internal cyber security policies.
But, given the invasiveness of such a scheme, it should also be assessed whether its setting up requires the performance of a data protection impact assessment.