Rivista-2024-N2-art.1.FranzaE

RECONNAISSANCE ON THE DISCIPLINE OF WHISTLEBLOWING. THE ITALIAN DISCIPLINE

Author: Dr. Enea Franza, economist

1. European and international legislation

The transposition of whistleblowing regulations into the Italian national legal system has been significantly influenced by the international context and by the measures implemented at global level over time; in particular, by the United Nations Convention against Corruption (UNCAC) of 30 October 2003, where, among other things, it is envisaged that adequate protection measures can be introduced into the legal system of each State report to the competent authorities events concerning the crimes contemplated within the Convention itself, with the specific recommendation (pursuant to Article 33) to States to protect persons who report acts of corruption and the provision of appropriate measures for the protection of witnesses and whistleblowers, ensuring that they do not suffer retaliation or discrimination[1].

In addition, the OECD (The OECD Guidelines for Economic Co-operation and Development) for Multinational Enterprises is part of the OECD Declaration on International Investment and Multinational Enterprises, adopted by the forty-two governments participating in the Declaration on International Investment and Multinational Enterprises of 25 May 2011 at the 2011 OECD Ministerial Meeting. In particular, the Guidelines recommend that companies establish internal reporting mechanisms and protect employees who report misconduct.

At EU level, however, the Council of Europe's Civil Convention on Corruption of 4 November 1999 should be noted. Signed in 1999, the Civil Convention on Corruption entered into force on 01/11/2003 and has been signed by 42 states (all members of the Council of Europe, with the exception of one, Belarus), of which 35 have ratified at a later date[2]. The aim of the Convention is to strengthen international cooperation in the fight against corruption, which is recognised as a major threat to economic development and the proper functioning of markets. It establishes the need to provide protection against "any unjustified sanction against employees who, in good faith and on the basis of reasonable suspicion, report acts of corruption to the persons or authorities responsible".

In summary, the Convention sets out key objectives aimed at combating corruption through various measures and principles. Firstly, it is proposed to establish common rules to strengthen legal protection against corruption. In addition, it aims to facilitate international cooperation on the prevention, investigation and prosecution of corruption. Finally, it promotes integrity and transparency in public and private affairs. The Convention covers a wide range of acts of corruption in both the public and private sectors. It includes specific provisions on civil liability for damages resulting from acts of corruption, ensuring that victims can obtain redress. While not solely focused on protecting whistleblowers, the Convention recognises the importance of protecting whistleblowers. It encourages Member States to take national measures to protect whistleblowers from retaliation and discrimination, ensuring a safe environment for reporting.

The Convention also promotes various preventive measures to combat corruption. These include adopting codes of conduct for public officials and business executives, promoting corruption training and awareness programs, and encouraging transparency in financial and business operations. A crucial aspect of the Convention is the facilitation of mutual assistance between Member States in the prosecution of corruption cases. It includes specific provisions for information sharing and cooperation in cross-border investigations, strengthening collective capacity to tackle corruption globally. The Convention provides a comprehensive and integrated legal framework to tackle corruption. It establishes common standards, encourages preventive measures, protects whistleblowers and promotes effective international cooperation, creating a robust system for the prevention and prosecution of corruption.

Directive 2019/1937, also known as the "Whistleblowing Directive", concerning "the protection of persons who report breaches of Union law",[3] which strengthens and standardises protection measures, establishing the obligation to create internal reporting channels for private legal entities with more than 50 employees, all public sector entities (including entities owned or under the control of such entities) or municipalities with more than 10,000 inhabitants. EU Directive 2019/1937 was adopted to establish common minimum standards aimed at protecting those who report breaches of EU law. This piece of legislation is a key step to ensure that whistleblowers can act without fear of retaliation and with the assurance that their reports will be treated with the utmost confidentiality. The scope of the directive is also very broad and covers a wide range of areas. These include the financial sector, where regulation and financial operations are closely monitored to ensure compliance and market integrity. Environmental protection is another key area, with regulations promoting sustainability and protecting ecosystems. Public health is also among the areas covered by the Directive, ensuring that health security is protected for the well-being of citizens. In addition, the Directive applies to product safety, ensuring that products comply with strict standards for consumer protection.

With regard to the protection of whistleblowers, the Directive provides for several measures to ensure that whistleblowers do not suffer retaliation. Whistleblowers are protected from any form of retaliation, including dismissal, downgrading, or other forms of discrimination. In addition, the Directive ensures the confidentiality of the identity of the whistleblower, while also allowing for the possibility of anonymous reporting to further reduce the risk of retaliation.

Obviously, the international references have provided a reference framework within which each State has subsequently declined its own national discipline, thus creating a fairly fragmented and heterogeneous framework among the various countries.

2. National legislation

2.1. The public sector: Law No. 190/2012 and Legislative Decree No. 165/2001

The development of a real legislation relating to whistleblowing began in the public sector, in the context of which Law 190/2012 (the so-called "Anti-Corruption" Law) amended Legislative Decree 165/2001 by introducing art. 54-bis, entitled "Protection of public employees who report wrongdoing". Indeed, it should be noted that if at the stage of the first elaboration of the rule the subjective scope of application concerned the "public employee" tout court, following the amendments made by Law 179/2017, the discipline ended up including not only personnel belonging to Public Administrations (referred to in Article 1, paragraph 2 of the rule), but also to entities that employ staff under public law (Article 3), as well as to private entities and companies under public control pursuant to art. 2359 c.c.[4] Another important innovation introduced by Law 179/2017 concerns the extension of whistleblowing legislation and related protection to workers and collaborators of companies supplying goods and services that carry out works in favor of the Public Administration.

The question concerns the applicability of the new Article 54-bis of the Italian legislation to private-law entities with non-controlling public participation and to publicly controlled listed companies. The decision to exclude these entities from the discipline raises doubts and criticisms, especially considering the expansion of the scope of application of the discipline itself. Private law entities with non-controlling public participation are not included in the new Article 54-bis. This article, which has been amended to extend its scope, thus leaves out a significant category of entities which, although publicly owned, are not directly controlled by the State or other public administrations.

As far as publicly controlled listed companies are concerned, even if there is no explicit provision, it can be inferred that they are excluded from being subject to the rule. This deduction would be based on their exclusion from the application of the legislation on transparency (Legislative Decree 33/2013) established by Legislative Decree 175/2016. In other words, regulatory symmetry suggests that, since these companies are excluded from the transparency legislation, they should be similarly excluded from the new Article 54-bis. In summary, despite the broadening of the scope of application of the rules, the choices made leave out private law entities with non-controlling public participation and listed companies under public control, raising questions about the consistency and fairness of these exclusions.

Furthermore, regarding the recipients of the reports pursuant to Article 54-bis of Legislative Decree 165/2001, it is also provided that they must be addressed to the Head for the Prevention of Corruption and Transparency (RPCT), or to the National Anti-Corruption Authority (ANAC) in the event that the reported fact directly concerns the latter. Consequently, contrary to what happened based on the previous version of the article, the new wording of the rule explicitly excludes the transmission of the report to the hierarchical superior or other parties other than the RPCT, to avoid any situations of subjection or fear that could jeopardize the whistleblower's willingness to initiate the whistleblowing procedure.

2.2. Public sector bodies

Article 54-bis of Legislative Decree 165/2001, known as the Consolidated Law on Public Employment (TUPI), as amended by Article 1, paragraph 1, of Law 179/2017, establishes that the public employee who, in the interest of the integrity of the public administration, reports to the person responsible for the prevention of corruption and transparency, or to the National Anti-Corruption Authority, or reports to the ordinary judicial or accounting authority, unlawful conduct of which he/she has become aware by reason of the employment relationship, may not be sanctioned, demoted, dismissed, transferred or subjected to other organizational measures that have negative effects, direct or indirect, on the working conditions, determined by the report. This rule identifies the subjective scope of application of the rules on the protection of employees who report unlawful conduct, expanding the number of recipients compared to the previous Article 54-bis, which referred generically to "public employees". This choice seems to be in line with the expansion of the subjects who, in various ways, are required to apply Law 190/2012 and Legislative Decree 33/2013.

In order to outline the scope of public bodies subject to the application of whistleblowing legislation, it is appropriate to start by defining the notion of public employee. According to the second paragraph of Article 54-bis, "public employee" means the employee of any State administration, including institutes and schools of all types and levels, educational institutions, companies and administrations of the State with an autonomous system, Regions, Provinces, Municipalities, Mountain Communities and their consortia and associations, university institutions, autonomous social housing institutes, chambers of commerce, industry, crafts and agriculture and their associations, all national, regional and local non-economic public bodies, administrations, companies and bodies of the National Health Service, the Agency for the negotiation representation of public administrations (ARAN) and the agencies referred to in Legislative Decree 300/1999[5]. In addition, the definition of a public servant also includes a person who works for a private law entity subject to public control pursuant to Article 2359 of the Civil Code. This includes companies in which another company holds a majority of the votes exercisable at the ordinary meeting, companies in which another company holds sufficient votes to exercise a dominant influence at the ordinary meeting, and companies that are under the dominant influence of another company by virtue of particular contractual ties with it.

With reference to these types of entities, it should be noted that ANAC has clarified the following:

regarding publicly controlled companies, these entities coincide with those referred to in art. 2, paragraph 1, letter m) of Legislative Decree 175/2016, as amended by Legislative Decree 100/2017. These entities have already been included in the scope of application of the rules on transparency and anti-corruption pursuant to art. 2-bis, paragraph 2, letter b), Legislative Decree 33/2013; in-house companies subject to similar control, whether separate or joint, are also included in the subjective scope of application of the legislation on employee protection, while, as far as listed companies are concerned, in the silence of the rule, it is considered that they are not included in the scope of application of Law 179/2017, in line with the provisions of Legislative Decree 33/2013;
other private law entities under public control referred to in Article 2-bis, paragraph 2, letter c), of Legislative Decree 33/2013, such as associations, foundations and private law entities however named, even without legal personality, which simultaneously meet certain requirements, are to be considered subject to the discipline established by Law 179/2017.

That said, ANAC also ruled on the other categories of public bodies provided for by the Decree. For example, it has been clarified that, as far as public administrations are concerned, the reference made by paragraph 2 of art. 54-bis to art. 1, par. 2, of Legislative Decree 165/2001 allows us to consider that the discipline on whistleblowing applies to all public administrations required to apply the legislation on the prevention of corruption and transparency pursuant to art. 1, par. 2-bis, Law 190/2012. In this sense, these subjects, in addition to the public administrations expressly indicated in art. 1, paragraph 2, of Legislative Decree 165/2001, also the Port System Authorities and Professional Associations.

Furthermore, even in the absence of a clear inclusion of the independent administrative authorities in the list referred to in paragraph 2 of Article 54-bis, the National Anti-Corruption Authority (ANAC) considered that they fell within the subjective scope of application of the rule. In fact, art. 54-bis, par. 2, expressly includes employees of public administrations whose employment relationship is subject to the public regime, pursuant to Article 3 of Legislative Decree 165/2001: this category also includes, among others, employees of entities that carry out their activities in the matters contemplated by Law 281/1985 (staff of the National Commission for Companies and the Stock Exchange, CONSOB) and Law 287/1990 (staff of the Italian Competition Authority, AGCM), both independent authorities. Finally, it should be noted that the scope of application of the whistleblowing regulation also extends to workers and collaborators of companies that supply goods or services and carry out works in favor of the public administration, as mentioned above.

As far as the subject of the report is concerned, the legislation requires that it concern "unlawful conduct of which the public employee has become aware" (Article 54-bis, paragraph 2, Legislative Decree 165/2001). However, an exhaustive list of reportable facts or offences is not provided. However, it is considered that the reported unlawful conduct must cause public harm, as whistleblowing does not include complaints of a personal nature or claims. In this sense, the scope of the reports includes offences associated with maladministration, such as abuse of powers to obtain private advantages, malfunctioning or pollution of administrative action by external parties, favouritism, and behaviour that contrasts with the pursuit of the public interest and undermines citizens' trust in the impartiality of the administration.

The report must be detailed to allow the Corruption Prevention and Transparency Officer (RPCT) to conduct the appropriate checks and investigations, as well as assess the validity of the reported facts. As specified by ANAC, the minimum contents of the report include: (i) the identification data of the whistleblower; (ii) the place of work/structure and the period, even approximate, in which the event occurred; (iii) a clear description of the reported fact. The report should also include any other available information or documents that can confirm the veracity of the facts reported. It is not necessary for the whistleblower to be certain of the actual occurrence of the facts reported or of the identity of the perpetrator; It is sufficient that there is a high probability that the event occurred. However, reports based on mere suspicions or rumours cannot benefit from protection, as the information must be acquired during the work activity.

After managing the investigation in compliance with confidentiality and impartiality, the Corruption Prevention and Transparency Officer (RPCT) evaluates the reported facts, may request clarifications, and audit the whistleblower and other parties if necessary; Subsequently, it uses the content of the reports to identify critical areas of the administration and improve the corruption prevention system.

In the case of manifestly unfounded reports, the RPCT may decide to close the report or take organisational action to strengthen corruption prevention measures. In addition, it may transmit the content of the report to internal or external third parties competent for the adoption of any measures (Article 54-bis, paragraph 4, Legislative Decree 165/2001). The endogenous denunciations included in the alert constitute an effective tool of widespread control that guarantees a mechanism of protection within the public apparatus, acting as an organic immune system. However, for such complaints to be encouraged, it is essential that the whistleblower is "protected" from possible retaliation or harassment, even if only in terms of the working climate in which he or she carries out his or her work.

The Italian legal system has provided for specific measures to protect the public employee who reports irregularities. It is established that the whistleblower may not be subject to sanctions, demotion, dismissal, transfer or other organisational measures that may have negative effects (direct or indirect) on his working conditions due to his reporting. Any discriminatory or retaliatory act adopted by the employer must be declared to the National Anti-Corruption Authority by the whistleblower himself or by the most representative trade unions in the administration concerned. In any case, it is the responsibility of the public administration or entity to demonstrate that the discriminatory or retaliatory measures taken against the whistleblower are motivated by reasons unrelated to the report itself (Article 54-bis, paragraph 2, Legislative Decree 165/2001).

Further protections for the civil servant are guaranteed by two factors. First of all, reporting is exempt from the administrative access provided for by Law 241/1990. Secondly, with regard to the privacy of the whistleblower: in the context of criminal proceedings, the identity of the whistleblower is kept secret and covered by secrecy. In proceedings before the Court of Auditors, the identity of the whistleblower cannot be revealed until the conclusion of the investigation phase. In disciplinary proceedings, the identity of the whistleblower cannot be revealed if the challenge to the disciplinary charges is based on separate and additional investigations with respect to the report, even if derived from the same. However, if the report is wholly or partially well-founded and the identity of the whistleblower is essential to the defence of the accused, the report may only be used in disciplinary proceedings with the whistleblower's consent to the disclosure of his/her identity. In addition, the legislator has established that the whistleblower cannot enjoy these protections if he is held responsible, with a first instance judgment, for the crimes of slander or defamation, or for crimes committed through the complaint itself. This exclusion also applies if you are found to be liable for the same reasons, in the event of intent or gross negligence. (art. 54-bis, paragraph 7, Legislative Decree 165/2001).

2.3. Companies and entities under public control and in which they have a stake

The subjective scope of application of the legislation on whistleblowing in the public sector is defined by Article 1 of Law 179/2017, which amends Article 54-bis of Legislative Decree 165/2001, relating to the "General rules on the organization of employment in public administrations". According to Article 1 of Law 179/2017, the "public employee" is the reporting party. This law extends the concept of "civil servant" to other categories for the purposes of applying whistleblowing regulations.

These categories include employees of public economic entities, in accordance with Legislative Decree 97/2016, which included public economic entities among the subjects to the legislation on the prevention of corruption and transparency, employees of private law entities subject to public control pursuant to Article 2359 of the Civil Code, and workers and collaborators of companies supplying goods or services and carrying out works in favor of the public administration. With reference to private law entities subject to public control, the National Anti-Corruption Authority specified in Resolution no. 1134/2017 which entities are within the scope of application of the rules on transparency referred to in Legislative Decree 33/2013.

"Bodies governed by private law subject to public control" means associations, foundations and other bodies governed by private law, whether having legal personality, which meet the following requirements:

a budget of more than five hundred thousand euros,
an activity financed by public administrations for at least two consecutive financial years in the last three years, and
all the holders or members of the administrative or steering body appointed by public administrations.

Therefore, publicly owned companies and other private law entities not under public control are subject to the whistleblowing rules only if they are "companies that supply goods or services and carry out works in favor of the public administration" and, of course, are subject to the discipline of Law 179/2017 in the private sector (Article 2). Article 2 of Law 179/2017, impacting on Legislative Decree 231/2001 through the insertion of some paragraphs in Article 6 of this rule, effectively extends the subjective scope to all the subjects indicated in Article 1, without making distinctions.

Finally, it should be noted that, in the absence of a specific regulatory provision, listed companies do not fall within the scope of Article 1 of Law 179/2017. This is based on the analogy with the provisions of Legislative Decree 33/2013, which explicitly excludes, in Article 2-bis, paragraph 2, letter b), from the regulations on transparency and anti-corruption listed companies, as defined by Article 2, paragraph 1, letter m) of Legislative Decree 175/2016, together with the companies controlled or participated by them, unless the latter are, through listed companies, subsidiaries or subsidiaries of public administrations.

Provisions to protect whistleblowers have specific features for companies and entities under public control. This stems from the fact that these entities are distinguished from both public administrations and privately held companies and entities by the main sectors involved in the reports. These sectors may concern offences related to the provisions on the prevention of corruption and illegality in the public administration, as well as those governed by the administrative liability of legal persons, companies and associations, including those without legal personality, as established by Legislative Decree 231/2001. Therefore, through the implementation of specific measures included in the Three-Year Plan for the Prevention of Corruption and Transparency (PTPCT) and in the Organization, Management and Control Model pursuant to Legislative Decree 231/2001, companies and entities under public control will have to establish reporting procedures in compliance with Law 179/2017, which regulate reporting both in the anti-corruption field and in the sphere of administrative liability.

This peculiarity does not concern Public Administrations, which are not subject to the application of the legislation on the administrative liability of companies and entities (as defined by Legislative Decree 231/2001). PA employees will therefore only be able to report cases of corruption. For PAs, the internal body designated to receive reports will only be the RPCT. In the case of companies and entities under public control, on the other hand, two internal figures designated to receive reports will coexist: the RPCT for corruption reports and the Supervisory Body for those relating to liability pursuant to Legislative Decree 231/2001. In both contexts, the reports must be detailed, relate to facts known and verified directly by the whistleblower and, if possible, clearly identify the perpetrator of the unlawful conduct. The content of the reports must aim to preserve the integrity of the public administration, reinforcing the principles of legality and proper functioning of administrative action that characterize Public Administrations and companies and entities under public control.

The reporting procedures, aimed at ensuring the confidentiality of the whistleblower in both areas, can be regulated according to the provisions of Law 179/2017. This law, which amends Article 54-bis of Legislative Decree 165/2001, establishes the general rules on the organization of employment in public administrations. In addition, reporting procedures must also comply with the provisions relating to transparency and the prevention of corruption, as set out in Legislative Decree 33/2013. After the preliminary investigation, the RPCT and/or the SB must report their conclusions to the Administrative Body of the company or entity under public control, as required by current legislation on whistleblowing and the administrative liability of companies, such as Legislative Decree 231/2001.

3. The role of ANAC

Law 179/2017 introduced important changes, eliminating the requirement to report to the hierarchical superior and establishing the National Anti-Corruption Authority (ANAC) as the competent external authority to receive such reports. This change was made to ensure greater independence and effectiveness in the process of reporting and preventing corruption. In addition, the law has introduced more robust protection measures for employees who make reports, to prevent possible retaliation from the employer. It is important to note that the Department of Public Administration has expanded the options for civil servants, allowing them to report not only to the Corruption Prevention and Transparency Officer (RPCT), but also directly to ANAC. Legislative Decree 165/2001 was then updated to reflect these changes, establishing that civil servants have the right to report alleged illegal practices to both the RPCT and ANAC. In addition, it has been established that any punitive measure against the whistleblower must be communicated to ANAC, thus ensuring more effective control over compliance with protection measures. Article 54-bis of the Consolidated Law on the Prevention of Corruption (TUPI) provides further details on the actions that ANAC must take once it receives a report of alleged illegal practices in the Public Administration. In particular, it establishes that the Authority is required to inform the Department of Public Administration of the Presidency of the Council of Ministers or other bodies competent for guarantee or discipline activities regarding any necessary measures.

After investigating, considering the size of the administration or entity involved in the report, ANAC may apply various sanctions:

If the adoption of discriminatory measures by a Public Administration or an entity is ascertained, an administrative fine of between 5,000 and 30,000 euros may be imposed.
If it is found that there are no procedures for forwarding and handling reports, or that procedures do not comply with those prescribed, an administrative fine of between €10,000 and €50,000 may be imposed.
If it is ascertained that the person in charge has failed to carry out the verification and analysis of the reports received, an administrative fine of between 10,000 and 50,000 euros may be imposed.

These sanctions aim to ensure the proper functioning of corruption reporting and prevention mechanisms within the Public Administration, promoting transparency and accountability. The TUPI establishes that ANAC, after consulting the Guarantor for the protection of personal data, must adopt guidelines relating to the procedures for submitting and managing reports^{^[6]}, encouraging the use of IT methods and promoting the use of cryptographic tools to ensure the confidentiality of the identity of the whistleblower and the contents of the reports and related documentation.

In 2015, ANAC has already issued guidelines with the aim of establishing a system for the management of reports. This system is divided into two levels. First-level whistleblowing concerns reports from ANAC employees relating to unlawful conduct within the Authority itself. The second level: involves reports from employees of other public administrations concerning illegal conduct in the public sphere. Both systems are designed to allow employees to report misconduct through easy-to-use tools, while ensuring the confidentiality of the information transmitted and allowing a small group of individuals to receive and analyze reports.

Regarding first-level reports, ANAC has set up a specific process that allows the whistleblower to be accredited on an IT platform accessible exclusively to internal users. The data of the report are automatically forwarded to the person designated by the Authority for the start of the investigation, i.e. the RPCT (Head of Corruption Prevention and Transparency), allowing the whistleblower to monitor the progress of the investigation through an identification code.

Once the report is taken care of, the RPCT is responsible for assessing its content. If the report is found to be obvious and manifestly unfounded, the RPCT may decide to close it. However, if the report is well-founded, the RPCT assesses which entities from a predetermined list can receive the report, based on the profiles of illegality found. It is important to underline that the processing of data and documents relating to reports is carried out in compliance with the law and that access to documents is regulated by ANAC's IT security policies, as well as by the more restrictive security policies established in the Operational Manual for the use of the whistleblowing management system. This ensures the protection of the confidentiality of information and the proper handling of sensitive data. About second-level reports, ANAC has activated a specific whistleblowing channel on its website. This channel allows employees to make reports, even anonymously, although in this case there is an "extra 54-bis" treatment.

The whistleblower form is structured in a series of multiple-choice questions, which include information such as the whistleblower's occupation, the administration or entity involved in the misconduct, etc. There is also the possibility to indicate the names of the informed subjects and to attach supporting documentation. At the end of the process, the system generates an identification code that keeps track of the report and its outcome after the investigation. Reports are managed by the Anti-Corruption Supervisory Office, whose manager, assisted by a stable working group designated by act of the Secretary General, is responsible for handling the reports. This office, as part of its institutional activities of supervision and control over the application of the legislation on the prevention of corruption, manages reports with the necessary precautions to preserve the confidentiality of the whistleblower. During the investigation, the Supervisory Office may request information from the RPCT of the administration involved in the report, or, in specific situations, from other third parties. This approach ensures that reports are dealt with appropriately, protecting the confidentiality of the whistleblower and ensuring the objectivity of the analysis of the reported conduct.

Once the head of the Supervisory Office has submitted to the ANAC Board his assessment of the non-obvious groundlessness of the report, the Board will deliberate on the possible transmission of the report to the Judicial Authority and the Court of Auditors for the adoption of the consequent measures. However, it is important to note that within the ANAC Guidelines a serious deficiency in the current legislation is highlighted, since there are no specific provisions on how to protect the confidentiality of the whistleblower's identity in the phase of forwarding the report from ANAC to the Judicial Authority and/or the Court of Auditors.

Consequently, when the report is transmitted, the name of the whistleblower is also indicated. However, care should be taken to highlight that this is a "report received from a person to whom the legal system recognizes a strengthened protection of confidentiality pursuant to art. 54-bis of Legislative Decree 165/2001". This serves to signal that the whistleblower enjoys special confidentiality protection under the law, even though the whistleblower's name is communicated to the competent authorities.

The new ANAC Guidelines, published for consultation on 24 July 2019, go beyond the previous Guidelines and provide an updated and detailed framework on the protection of perpetrators of crimes or irregularities discovered in the context of an employment relationship, based on Article 54-bis of Legislative Decree 165/2001, commonly known as "whistleblowing". The first part of the new Guidelines illustrates the main changes concerning both the subjects (public administrations and other entities) required to implement the legislation, and the subjects (the so-called "whistleblowers") who benefit from the enhanced protection regime and provides indications on the characteristics and objects of the report, on the methods and times of protection, as well as the conditions that may prevent you from benefiting from it. In the second part, the general principles for the management of the report are outlined, in line with the provisions of the legislation. The importance of the role of the RPCT is underlined and operational guidance is provided to administrations on the procedures to be followed to deal with reports, from sending and receiving to evaluating them.

Finally, in the third part, the Guidelines describe the procedures managed by ANAC about both reports of unlawful conduct and retaliatory measures against the whistleblower. This comprehensive and up-to-date framework is crucial to ensure an effective whistleblowing system that promotes transparency, legality and whistleblower protection.

The favourable opinion of the Data Protection Authority on the draft Guidelines is subject to the introduction of a series of changes aimed at ensuring compliance with privacy legislation and avoiding interference in the correct management of reports: (i) It is necessary to better specify the rights guaranteed by the privacy legislation also to the perpetrator of the alleged offence; (ii) The RPCT must be limited to the ability to associate the report with the identity of the whistleblower; (iii) It is important to further detail the role played by data controllers who may access the information contained in the reports. ANAC must strengthen measures to protect the identity of the whistleblower, for example by using secure protocols for data transmission, providing selective access to report data, and avoiding an excessive number of notifications on the status of the file. Finally, regarding the possibility of extending the scope of the offences provided for by the whistleblowing legislation to other offences not expressly mentioned, such as harassment, mobbing or violations of privacy legislation, the “Garante” expressed concerns about the processing of personal data that does not fully fall within the scope of the sector's regulations.

This raises important questions regarding the protection of personal data and the need to clearly define the limits of the institution of whistleblowing.

4. The private sector: Law 179/2017 and Legislative Decree 231/2001

Law 179/2017 introduced important changes to the legislation on whistleblowing, extending it also to the private sector through the amendment of Article 6 of Legislative Decree 231/2001, adding paragraphs 2-bis, 2-ter and 2-quarter to Article 2. This law differs from public sector legislation because it does not clearly identify the recipients but defines them by referring to the subjects indicated in Article 5, paragraph 1, letters a) and b) of Legislative Decree 231/2001, i.e. people in top positions and employees. Another innovation compared to the previous legislation is that it does not include third parties such as suppliers and business partners among the recipients. In this way, the law limits the application of the rule only to the internal staff of the entity that has adopted an organization and management model according to Legislative Decree 231/2001. This limitation contrasts with the best practices generally followed for Legislative Decree 231/2001, which usually provide for the acceptance of the code of ethics and specific procedures also by third parties.

Law 179/2017 introduced important changes to the legislation on whistleblowing, extending its discipline to the private sector through the amendment of Article 6 of Legislative Decree 231/2001 and the addition of paragraphs 2-bis, 2-ter and 2-quarter to Article 2. This extension concerns only those within the entity, i.e. those who hold top positions and subordinate employees, as defined by Article 5, paragraph 1, letters a) and b) of Legislative Decree 231/2001. The legislation does not include suppliers, business partners or other third parties among the recipients of the law, thus limiting its scope of application to internal staff only. This is a difference from established best practices, which generally require third parties to comply with the organisational model and ethical principles of the entity. Third-party reporting could be very effective because it is less influenced by internal hierarchy concerns.

Another significant innovation concerns the recipient of the reports. Law 179/2017 does not clearly specify who should receive the reports, leaving it to the entity to identify the person or body in charge of receiving and processing them. This must be done within the framework of a system of adequate controls and information flows, allowing institutions to adapt procedures to their organisational needs. However, this requires careful structuring of systems to ensure their effectiveness. In addition, Law 179/2017 introduces a coordination discipline between whistleblowing and the regulations relating to professional, scientific, industrial, and business secrecy. Article 3 of the law provides that reports made in accordance with Article 54-bis of Legislative Decree 165/2001 and Article 6 of Decree 231 are protected by a "just cause" of disclosure. This means that the whistleblower is not subject to criminal or civil liability if he/she discloses information covered by secrecy to report wrongdoing, as established by Articles 326, 622 and 623 of the Criminal Code and Article 2105 of the Civil Code.

The rule therefore protects the whistleblower in the interest of the integrity of public and private administrations and in the prevention of embezzlement. In summary, Law 179/2017 has brought significant innovations for the private sector in terms of whistleblowing, strengthening the protection of whistleblowers and promoting the integrity of administrations, but limiting the application of the rule only to internal employees of entities.

4.1. The adaptation of organizational models pursuant to Legislative Decree 231/2001

As outlined in the previous paragraphs, Law no. 179 of 30 November 2017 also introduced in the private sector the discipline relating to the so-called whistleblowing, i.e. the provisions for the protection of those who report crimes or irregularities of which they have become aware in the context of an employment relationship. Confindustria pointed out that: "... The implementation of mechanisms to protect the complainant from possible retaliation is a strong incentive for the emergence of illegal practices carried out within the institution, which would otherwise remain submerged. The whistleblower must therefore be identified as the subject who contributes to restoring legality in the entity to which he belongs" (Confindustria, Guidelines for the construction of organization, management, and control models pursuant to Legislative Decree no. n. 231/2001, 2018, p. 26).^{^[7]}

Regarding legality, Law No. 179 of 30 November 2017, as previously mentioned, introduced Legislative Decree No. 231 of 8 June 2001 (hereinafter also "231" or "Decree 231"), art. 6 paragraph 2-bis, providing as follows:

Reporting Channels: The organisational, management and control models referred to in art. 6, paragraph 1, letter a) of Legislative Decree 231/2001 must provide: a) one or more channels that allow the subjects indicated in art. 5, paragraph 1, letters a) and b) of Legislative Decree 231/2001 to submit, in order to protect the integrity of the entity, detailed reports of unlawful conduct, relevant pursuant to this decree and based on precise and consistent factual elements, or violations of the organization and management model of the entity, of which they have become aware due to the functions performed; these channels guarantee the confidentiality of the identity of the whistleblower in the management of the report;
Alternative Channel: Pursuant to art. 6, paragraph 2-bis, letter b) of Legislative Decree 231/2001, at least one alternative reporting channel must be provided suitable for ensuring, by electronic means, the confidentiality of the identity of the whistleblower.
Prohibition of Retaliation: Art. Article 6, paragraph 2-bis, letter c) of Legislative Decree 231/2001 establishes the prohibition of retaliatory or discriminatory acts, direct or indirect, against the whistleblower for reasons related, directly or indirectly, to the report.
Disciplinary Sanctions: Pursuant to art. 6, paragraph 2-bis, letter d) of Legislative Decree 231/2001, in the disciplinary system adopted pursuant to paragraph 2, letter e), sanctions must be provided for those who violate the measures to protect the whistleblower, as well as those who make reports with intent or gross negligence that prove to be unfounded.

These regulatory provisions aim to create a safe and secure environment for whistleblowers, incentivising the reporting of misconduct and contributing to the maintenance of legality within organisations. The whistleblowing regulation has therefore had a threefold impact on Legislative Decree 231/2001: i) the need to amend/update the 231 Organisational Models; ii) a consequent involvement of the Supervisory Body (SB), according to different degrees of intervention depending on the choices and structure of the companies or entities in which they operate; iii) the need for the preparation of an operational procedure on whistleblowing.

With reference to point sub i), the "General Part" of the Organizational Models ex 231, it is to be integrated with the provision of a descriptive section of Law 179/2017, the indication of the reporting channel suitable for guaranteeing the confidentiality of the identity of the whistleblower as well as the alternative channel established for this purpose (for example by indicating a special email box set up for this purpose), the express introduction of the prohibition of retaliatory or discriminatory acts, direct or indirect, against the whistleblower for reasons related, directly or indirectly, to the report. Disciplinary sanctions related to the violation of the prohibition referred to in the previous point must also be provided for against those who violate the measures to protect the whistleblower or those who make reports with intent or gross negligence that prove to be unfounded. It goes without saying that there will also need to be a section dedicated to alignment with other types of reports. In fact, these additions are necessary to ensure the compliance of the Organizational Models with the regulatory provisions introduced by Law 179/2017 and to ensure effective protection of whistleblowers, contributing to the improvement of governance and the promotion of legality within organizations.

The integration of the disciplinary and sanctioning system is important because, on the one hand, it aims to target violations relating to the new whistleblower protection regulations and, on the other, to ensure the truthfulness of the reports themselves. With regard to point ii), the amendments made by Law no. 179 of 30 November 2017 have expanded the sphere of activity of the Supervisory Bodies (SBs). In particular, the SBs shall: a) supervise the modification and updating of the 231 Organizational Model pursuant to art. 6, paragraph 1, letter a) of Legislative Decree 231/2001; b) support the Entity in the preparation of a specific whistleblowing procedure that regulates the reporting methods, as provided for by art. 6, paragraph 2-bis, letter a) of Legislative Decree 231/2001; c) verify the adequacy of the information channels set up to ensure the correct reporting of crimes or irregularities and ensure the confidentiality of whistleblowers, as provided for by art. 6, paragraph 2-bis, letter a) of Legislative Decree 231/2001; d) verify the effectiveness of the IT channel referred to in art. 6, paragraph 2-bis, letter b) of Legislative Decree 231/2001; e) manage, as far as it is competent, the process of analysis and evaluation of reports; f) supervise compliance with the prohibition of retaliatory or discriminatory acts, direct or indirect, against the whistleblower for reasons related, directly or indirectly, to the report, as established by art. 6, paragraph 2-bis, letter c) of Legislative Decree 231/2001; g) supervise, as far as it is competent, the correct use of information channels by whistleblowers; h) supervise the training of employees and collaborators on the subject of whistleblowing, ensuring that they are adequately informed about the reporting methods and the safeguards provided for by the legislation.

These provisions, deriving from Law 179/2017, aim to strengthen the internal control system of organizations and promote a corporate culture oriented towards legality and transparency, while ensuring effective protection for whistleblowers. Finally, about the need for the preparation of an operating procedure on whistleblowing, referred to in point iii), an illustrative index, although not exhaustive, of the operating procedure on whistleblowing is provided below. Table of contents: purpose and purpose of the procedure; reference legislation; addressees of the procedure; the subject and content of the report; recipients of the report; communication channels/reporting of the report; how to manage and verify the validity of the reports; data protection and document archiving/retention; forms of protection and responsibility of the whistleblower.

4.2. Whistleblower protection: regulatory requirements

As previously mentioned, about protection in the private sector, Law no. 179 of 30 November 2017 supplemented the provisions on the administrative liability of entities referred to in Legislative Decree 231/2001 through art. 2, para. 1. In particular, art. 6 The following paragraphs have been added. Paragraph 2-bis establishes that the models referred to in letter a) of paragraph 1 must include: a) one or more channels that allow the subjects indicated in Article 5, paragraph 1, letters a) and b), to submit, in order to protect the integrity of the entity, detailed reports of unlawful conduct or violations of the entity's organization and management model, of which they have become aware by reason of their duties; these channels must ensure the confidentiality of the whistleblower's identity throughout the reporting management process; (b) at least one alternative reporting channel suitable for ensuring, by electronic means, the confidentiality of the whistleblower's identity; (c) the prohibition of retaliatory or discriminatory acts, direct or indirect, against the whistleblower for reasons related to the report; d) in the disciplinary system adopted pursuant to paragraph 2, letter e), sanctions against those who violate the measures to protect the whistleblower or those who make reports with intent or gross negligence that prove to be unfounded. Letters a) and b) of paragraph 2-bis specify that the confidentiality of the whistleblower must be guaranteed through the provision of adequate reporting channels, at least one of which must be of an electronic nature.

Given the general nature of the rules in question, the limit to confidentiality regarding the identity of the whistleblower identified by Article 54-bis, paragraph 3 of Legislative Decree 165/2001, with reference to criminal proceedings, is also considered applicable to the private sector. It should also be noted that the concept of anonymity is distinct from that of confidentiality, as the latter presupposes the detection of the identity by the whistleblower who, once recognizable, can enjoy adequate protection. Paragraph 2-ter establishes that the adoption of discriminatory measures against the persons who make the reports referred to in paragraph 2-bis may be reported to the National Labour Inspectorate, for the measures within its competence, not only by the whistleblower, but also by the trade union organization indicated by the same. Paragraph 2-quarter specifies that the retaliatory or discriminatory dismissal of the reporting party is null and void. Any change of duties pursuant to Article 2103 of the Civil Code, as well as any other retaliatory or discriminatory measure adopted against the whistleblower, are also null and void. It is the employer's responsibility, in the event of disputes related to the imposition of disciplinary sanctions, or to demotion, dismissal, transfer, or subjection of the whistleblower to other organizational measures having negative effects, direct or indirect, on working conditions, after the submission of the report, to demonstrate that such measures are based on reasons unrelated to the report itself. The second sentence of the paragraph in question has raised doubts regarding the burden of proof on the employer. A strict interpretation of the provision in question is therefore required, in the sense that, to consider the sanction imposed legitimate, proof of the existence – in addition to the conduct complained of – of a causal link between the sanction itself and the conduct complained of must be considered sufficient, without further investigation as to the reasons for the measure adopted.

From the analysis carried out so far and from the comparison between the different regulatory provisions, it emerges that there is a significant difference in the protection offered to civil servants compared to those operating in the private sector. This difference is also evident considering that the adoption of an Organizational Model according to Legislative Decree 231/2001 is not an obligation but an option for private companies.

It is important to note that Law no. 179 of 30 November 2017, art. Article 3, paragraph 1, has established specific forms of protection for those who report situations of wrongdoing, both in the public and private sectors, to avoid potential civil or criminal liability related to the violation of office, professional, scientific or industrial secrets, or to loyalty obligations. In this context, priority is given to maintaining the integrity of administrations, both public and private, and to preventing and suppressing illegal behaviour. However, these safeguards are applicable only if the report is made within the limits and in the forms established by art. 54-bis of Legislative Decree 165/2001 or art. 6 of Legislative Decree 231/2001. It is important to underline that this exemption regime does not apply in the following cases: if the alert is made in a manner that is excessive to those necessary to resolve the illegality, in particular if the disclosure takes place outside the channels specifically designated for that purpose; if the whistleblower is subject to a duty of professional secrecy due to a consultancy or assistance relationship with the entity, company or person involved.

Having illustrated the protections placed on the reporting party, it seems appropriate to identify those present (albeit to a lesser extent) for the "reported" subject.

Initially, it should be noted that reports in the public and private sectors must concern, respectively: (i) any unlawful conduct of which the subject has become aware by reason of his or her employment relationship and the report must operate to protect the integrity of the Public Administration; (ii) unlawful conduct, relevant pursuant to Legislative Decree 231/2001, and must be based on precise and agreed facts, or must concern violations of the Organizational Model of which they have become aware by reason of the functions performed. These peculiarities and limitations are aimed at excluding any protection if the reports are not detailed, but based on mere "rumors", i.e. made for the personal purposes of the whistleblower (e.g. revenge), or even in bad faith, and represent, in fact, the protection for the "reported" subject. As far as the public sector is concerned, the protection of the reported person is limited in cases where the latter is ascertained pursuant to Article 54-bis, paragraph 9, Legislative Decree 165/2001: "criminal liability for crimes of slander or defamation (even with a sentence in the first instance) or in any case for crimes committed with the complaint referred to in paragraph 1; or "civil liability, for the same reason, in cases of wilful misconduct or gross negligence". The reference to wilful misconduct presupposes the knowledge, on the part of the agent, of the groundlessness of the report; Gross negligence, on the other hand, is only relevant for the purposes of disciplinary proceedings or compensation for damages in civil proceedings. In fact, art. Article 54-bis, paragraph 1 states: The public employee who, in the interest of the integrity of the public administration, reports to the person responsible for the prevention of corruption and transparency referred to in Article 1, paragraph 7, of Law no. 190 of 6 November 2012, or to the National Anti-Corruption Authority (ANAC), or reports to the ordinary judicial or accounting authority, unlawful conduct of which he has become aware by reason of his relationship of Work may not be sanctioned, demoted, dismissed, transferred, or subjected to any other organizational measure having direct or indirect negative effects on the working conditions determined by the report. The adoption of retaliatory measures, referred to in the first sentence, against the whistleblower shall in any case be communicated to ANAC by the person concerned or by the most representative trade unions in the administration in which they were implemented. ANAC informs the Department of Public Administration of the Presidency of the Council of Ministers or the other guarantee or disciplinary bodies for the activities and any measures within its competence"Start of module

In the private sector, Article 6, paragraph 2-bis, letter d) of Legislative Decree 231/2001 prescribes the adoption of sanctions in the disciplinary system for those who, with intent or gross negligence, make unfounded reports. This provision, introduced by Article 2 of Law 179/2017, aims to create a balance in the system, discouraging spurious complaints and protecting the interests of the entity. However, there is a difference in treatment between the public and private sectors: while in the public sector there is a loss of protection for the employee who reports, in the private sector there are sanctions within the company system. In addition, paragraph 3 of Article 54-bis establishes that if the dispute is based on the report and the identity of the whistleblower is essential for the defence of the accused, the report can only be used with the consent of the whistleblower. This provision, introduced by Law 179/2017, modifies the previous legislation that required the communication of the whistleblower's data if deemed necessary for the defence of the accused. Regarding the right of defence, Confindustria underlines the importance of protecting both the reporting party and the reported party, avoiding excessive imbalances. To ensure a balance of application, the protection of the confidentiality of the identity of the whistleblower should be balanced with the right of defence of the reported person, especially in the case of abusive reports. However, the full exercise of the whistleblower's right of defence depends on the identification of the identity of the whistleblower and the verification of the possible abusive nature of the report, which could temporarily compromise the position of the reported person, especially at the reputational level.

Furthermore, according to ANAC, when dealing with reports, it is important to take the necessary precautions to protect the confidentiality of the reported person, in order to avoid prejudicial consequences, including reputational consequences, within the work environment. Therefore, in accordance with the principles established by EU Regulation 2016/679, the administration or entity involved must ensure a balance in the protection of confidentiality between the whistleblower and the reported person from the receipt of the report, protecting both from the specific risks to which they are exposed, with particular attention when forwarding the report to third parties.

4.3 The rôle of supervisory bodies

The institution of whistleblowing today is fully part of corporate compliance, which presents itself differently in the public and private sectors. This issue is an integral part of the company's adequate organizational structures, supervised not only by the administrative body, but also by the internal control bodies. Its practical implementation concerns both the correct execution and the identification of the recipients of the reports. In the public sector, the Corruption Prevention and Transparency Officer is one of the main subjects involved, as defined by Law 190/2012 and ANAC. In the context of Law 231, on the other hand, a key role is entrusted to the Supervisory Body. Even before the introduction of a specific regulation on whistleblowing, the doctrine agreed in considering the SB as the recipient of reports relating to violations of Model 231. This is because Article 6, paragraph 2, letter d) of Legislative Decree 231/2001 requires information obligations towards the body responsible for monitoring and compliance with the Models. As a result, the whistleblowing tool is included in the information flow addressed to the SB, which must also include the anomalies and typicalities found in the context of the information available from the company functions.

A conscious and systematic reading of the new legislation confirms that the Supervisory Body (SB) can be identified as the recipient of reports of violations of Model 231. The SB is already in charge of receiving the information flows relating to periodic checks on the effective implementation of Model 231. Whistleblowing is therefore naturally integrated into the broader context of corporate information flows. The SB, by its nature, is responsible for the proper functioning of the procedures, the examination and evaluation of the reports received. If the information reported is relevant, the SB reports it directly to the Board of Directors. In addition, it is responsible for drawing up an annual report on the functioning of the internal reporting system.

Confindustria has supported the identification of the Supervisory Body (SB) as a possible recipient of reports in the "231" whistleblowing system[8]. This solution, according to Confindustria, seems to be effective in pursuing the purposes of the new discipline, i.e. the safeguarding of the integrity of the entity and the protection of the whistleblower. It would be difficult to achieve these objectives if reports were instead sent to entities with a position of functional or hierarchical dependence on the whistleblower, the alleged perpetrator of the breach, or to entities with a potential interest related to the report.

It has been suggested, however, that the recipient of the reports could also be identified with other subjects, while still involving the SB. From an operational point of view, two scenarios have been hypothesized: a. The relevant reports pursuant to Decree 231, limited to the 231-control system and considered as traditional information flows, would be mainly addressed to the SB; b. Relevant reports pursuant to Decree 231 could be included in a broader whistleblowing scheme that transversally regulates the provisions of various regulations. In this second scenario, other control bodies may be involved. To avoid conflicts of interest, it was pointed out that it would be necessary to provide for an escalation system if the report directly concerns one of the members of the SB, directing the report to another recipient. In this case, the management of the report would be entrusted to another party, such as the Board of Statutory Auditors, the sole auditor of the company, the Head of Internal Audit or the compliance function, or an external professional. The addressee of the report, in compliance with the confidentiality obligations on the identity of the whistleblower, would be required to report the critical issues detected to the administrative body and/or other control bodies, to conduct a verification of the nature of the potential offence and the necessary measures to be taken, depending on the area concerned.

4.4. Operational aspects and information flows

Article 6 of Decree 231 requires that the Organizational Models include information obligations to the body in charge of monitoring and compliance with the models. This arrangement leaves ample room for corporate autonomy in the practical implementation of information flows. The main trade associations have always stressed the importance of information flows in the context of the 231 system. Recently, several associations have highlighted that Decree 231 provides for the obligation to establish information flows to the SB, concerning the execution of sensitive activities, anomalous situations, or possible violations of the Model. These information flows must be defined according to the specific needs of each entity and must allow the SB to be constantly informed of facts that could lead to the entity's liability.

Information flows are a crucial tool for monitoring the Organizational Model and for evaluating the effectiveness of prevention measures. A well-structured system of information flows adapted to the company's reality is an important compliance tool that ensures the effectiveness of the supervisory activity entrusted to the SB. The information exchanged with the SB constitutes the "231 documentary set", which also has a defensive function in the event of a dispute by the judicial authority. While Article 6 of the Decree does not specify the methods for structuring information flows, thus leaving a wide margin of autonomy to the entity, paragraph 2-bis relating to whistleblowing expressly requires that the Organizational Models provide for reporting channels suitable for guaranteeing the confidentiality of the whistleblower's identity. This whistleblowing discipline makes it possible to identify hypotheses of crime not considered in the drafting phase of the Organizational Model.

From an operational point of view, companies must either implement existing information channels, especially regarding the requirement to guarantee the confidentiality of the whistleblower or set up new ones. These new channels may include but are not limited to: (i) Dedicated email account with password and access data provided to the members of the Supervisory Body, as the recipient of the reports. The use of an email inbox prevents the receipt of anonymous reports, forcing the whistleblower to take responsibility from the start.

(ii) Specific Digital Software. (iii) Web Platforms. (iv) Platform integrated into the company's IT system (company intranet). (v) Toll-free number and related third-party call center.

It is also important to consider the issue of anonymous reporting.

Art. 54-bis of Legislative Decree 165/2001 seems to exclude anonymous reports from its scope of application. However, ANAC admits that such reports can be considered, provided that they are processed through channels separate and distinct from those of whistleblowing. In addition, the entity must regulate in the Anti-Corruption Plan or in another organizational act the methods of managing anonymous reports. These considerations can also be extended to the "private/231" context, allowing anonymous reporting but establishing minimum requirements in terms of accuracy, sufficiency and severity of the content transmitted. However, the anonymity of the report will result in the inapplicability of the protections provided for by Law 179/2017. The Supervisory Body, if designated as the recipient of the reports, plays a crucial role in the process of evaluating and managing the reports received. This requires a procedure that ensures uniformity and consistency and that is applicable to different types of reports and their degrees of complexity and severity.

In the event of the application of both Decree 231 and Law 190/2012, collaboration between the Supervisory Body (and/or the other recipients of the reports) and the Head of Prevention and Transparency is required, maintaining the utmost confidentiality on the report and the identity of the whistleblower. The regulation of information flows to and from the Supervisory Body, including whistleblowing regulations, must be dealt with specifically in the Supervisory Body's regulations.

4.5. Training and information requirements

Training, communication, and information activities are essential to ensure the effective implementation of the Organizational Model. The application of the principles contained in Model 231 strongly depends on the involvement of the entire organizational structure. Therefore, information and training are crucial because they demonstrate the real commitment of the institution to the prevention of crimes and encourage people's cooperation in promoting a culture of legality. The objectives of adequate information include promoting cooperation, leveraging the principle of interaction, ensuring continuity of cooperation, and creating opportunities for information and discussion. Associations such as CNDCEC, ABI, CNF and CONFINDUSTRIA have underlined the importance of training in the correct and adequate implementation of Model 231, which must be widely disseminated through various channels, such as the delivery of the paper to the recipients with a declaration of acknowledgement, publication on the intranet and website of the institution, and mandatory training courses, including online. The procedures and protocols of the Model must be communicated to the recipients through personalized information and training meetings, differentiated according to the role within the organization. About the public sector and the issue of whistleblowing, the ANAC Guidelines recommend planning awareness-raising and staff training initiatives to disseminate the aims of the whistleblowing institution and illustrate the procedure for its use, through specific communications, training events, newsletters, and intranet portals.

In conclusion, the training activity promoted by the Supervisory Body should cover topics such as the relevant legislation, the sensitive areas identified in the risk mapping, the protocols of conduct, the information flows, the methods of reporting violations and the sanctioning system.

4.6. A Few Considerations

The integrated approach to compliance represents a significant change in the company's organization. While in the past compliance could be seen as an unnecessary burden, today it is considered a central element, in line with the growing importance of controls in the modern enterprise. The scandals that have affected numerous companies have raised attention to issues related to governance, ethics, and financial crimes, highlighting the need for better corporate management. Control has become crucial to protect the interests of all stakeholders, both private and public. From a traditional concept of retrospective checking, we have moved to a preventive and continuously developing approach. Investing in improving risk management processes, control systems and financial reporting is no longer seen as a cost, but as an opportunity to increase business efficiency, reduce losses and optimize the use of resources. "Integrated control systems" allow companies to manage risks synergistically across the entire company structure.

ISO certifications highlight the advantages of these systems, such as avoiding duplication, preventing regulatory conflicts, and creating synergies between the different management phases. Compliance, understood as regulatory compliance, is an integral part of this approach. "Organizational models" and "compliance programs" have become fundamental tools for the prevention of corporate risks and for the promotion of corporate social responsibility. Their adoption is seen not only to achieve business goals, but also as an opportunity to improve and grow. In summary, the integrated approach to compliance represents a significant change in the business organization, which brings benefits both in terms of regulatory compliance and business efficiency.

In Italy, different forms of compliance programs have been introduced to address regulatory and organizational challenges. These include the Organization, Management and Control Models provided for by Legislative Decree 231/2001, the tools for the preventive detection of the state of crisis according to Law 155/2019, the reorganization of public administrations governed by Law 124/2015, the Corruption Prevention Plan and the Three-Year Program for Transparency and Integrity pursuant to Law 190/2012, and the specific procedures on occupational safety and health, environment, quality governed by Legislative Decree 81/2008. However, for these initiatives not to result in a mere formal fulfilment or even in a harmful burden from an economic and bureaucratic point of view, a real effort is needed to harmonise and structure the responses to national and EU legislation that have a direct impact on the company.

The legislator is adopting an approach based on the idea of "organisation by prevention". This means that a good organization not only aims to achieve optimal results, but also involves the promotion of virtuous behaviour and the adoption of preventive measures against illegal behaviour. In other words, it is moving towards a logic that is not limited to retrospective punishment, but also aims to incentivize correct behaviour through the threat of sanctions if it is not.

Work is being done to strike a balance between the need to sanction unlawful behaviour and the need to ensure compliance with the principles of proportionality and reasonableness. Whistleblowing has become an integral part of this prevention system, acting as a meeting point between procedures and controls, encouraging the reporting of violations. When dealing with organisational procedures for whistleblowing, it is important to integrate them with any procedures that already exist within the company to avoid duplication or overlap and to maintain a manageable number of procedures. Business procedures are critical to managing risks, but an overly procedural structure could create confusion for operators, leading them to not apply them correctly or avoid them to speed up activities.

Whistleblowing certainly involves costs, both economic and organizational, such as the creation of IT reporting systems, the management of reports, subsequent checks and possible litigation. However, as in the case of compliance, these costs can be seen as an investment to improve the corporate structure and prevent not only misconduct, but also internal dysfunction or fraud. The introduction of the international standard ISO 37001:2016 on management systems for the prevention of corruption represents an interesting operational starting point for the definition of whistleblowing policies. Although voluntary in nature, this standard provides detailed guidance for establishing, implementing, maintaining, updating and improving a management system for the prevention of corruption, both active and passive.

The scope of this rule is substantially overlapping with the provisions in Italy of Legislative Decree 231/2001 for the private sector and Law 190/2012 for the public sector on corruption. It is certifiable, like the standards relating to quality, environmental and safety management systems, and is applicable to any type of organisation, including public, private, or private law bodies with public control. Paragraph 8.9 of ISO 37001:2016 specifically provides for "reporting of suspicions", i.e. the implementation of procedures that allow for the reporting in good faith and based on reasonable belief of acts of corruption, committed, attempted or alleged, as well as violations or deficiencies of the management system for the prevention of corruption. The law also establishes the possibility of anonymous reporting and provides detailed guidance on the investigation and management of corruption. Although the ISO 37001:2016 standard was introduced before Law 179/2017, it already defined procedures for reporting. Subsequently, the Application Guideline on the ISO 37001:2016 standard provided indications on how to integrate the obligations provided for by Law 179/2017 in the procedures adopted to comply with the requirement for UNI ISO 37001 certification, for example about the methods of transmission of reports and the guarantee of their anonymity.

5. The new rules

In the context of the meeting of 9 December 2022, the Council of Ministers definitively approved the legislative decree for the implementation of the EU Directive 2019/1937 on Whistleblowing. This legislative decree, issued on 10 March 2023 as Legislative Decree no. No. 24, concerns the protection of persons who report violations of European Union law and national regulations. On 4 August 2022, the Italian executive received the delegation for the implementation of EU Directive 2019/1937 with Law No. 127, published in the Official Gazette S.G. No. 199 of 26 August 2022. Legislative Decree No. 24 entered into force on March 30, 2023, and its provisions are effective from July 15, 2023. This decree applies to both public and private sector entities. For the private sector, the protections extend to whistleblowers who have employed, in the last year, an average of at least fifty employees. Even if under the limit of fifty workers, the legislation applies to entities operating in sensitive sectors (e.g., services, financial products and markets, prevention of money laundering, transport safety, environmental protection) and to those that adopt organization and management models pursuant to Legislative Decree no. 231/2001. Private entities that, in the last year, have employed an average of employees (with permanent or fixed-term contracts) up to two hundred and forty-nine, are obliged to set up an internal reporting channel starting from 17 December 2023. Until that date, private entities that have adopted or intend to adopt the 231 model will continue to manage the internal reporting channels in accordance with the provisions of Legislative Decree no. 231/2001.

The EU Directive 2019/1937 for the protection of whistleblowers applies to complaints relating to violations of EU legislation in the areas indicated, including public procurement, privacy, and security of IT systems. The protections provided by the Directive do not differentiate between employees in the public and private sectors, ensuring uniform protection for all whistleblowers. The Directive is certainly a step forward towards resolving the issues that remain unresolved in the regulatory framework, marking a further step towards the creation of an environment in which whistleblowers can safely and confidentially report the illegal activities of which they become aware. The stated objective of EU Directive 2019/1937, in fact, is to provide a high level of protection to whistleblowers who report breaches of EU law in specific sectors, including public procurement, services, financial products and markets, prevention of money laundering and terrorist financing, transport security and environmental protection, and personal data protection (privacy).

The directive, as anticipated, applies to employees in the public and private sectors, to self-employed workers, consultants, suppliers, and to those who are part of administrative, management or supervisory bodies of a company, as well as persons working under the supervision and direction of contractors, subcontractors, and suppliers. This represents a significant extension from the previous discipline, which often limited protection to only direct employees of organizations. In addition, Member States must establish safe and effective reporting channels for the reception and management of reports, both internal (within the organisation) and external (designated competent authorities).

These channels must ensure the confidentiality of whistleblowers' identities, protecting them from any form of retaliation such as dismissal, suspension, demotion, or other discriminatory measures, and must respond to reports within a reasonable timeframe, providing feedback within three months of receipt of the report. In addition, reporting channels must be easily accessible to all potential whistleblowers. Compared to previous legislation, which often lacked formal reporting structures or did not adequately guarantee confidentiality and protection against retaliation, the Directive introduces clear and stringent requirements.

The Directive provides for several safeguards for whistleblowers, including protection against retaliation, the right to receive information and advice on their rights and reporting procedures, and the possibility of financial assistance and psychological support. This is an improvement over previous regulations, which generally did not provide for such support and protection measures. Organisations with more than 50 employees or an annual turnover of more than €10 million are obliged to set up internal reporting channels. In addition, for entities operating in sensitive sectors, the Directive imposes more stringent obligations even if they do not reach the above thresholds. Employers must establish secure and confidential internal channels for reporting violations and train employees on reporting rights and procedures, ensuring they are aware of the protections available. Compared to the previous framework, this provision significantly expands the obligation to set up reporting channels to a larger number of organisations and sectors.

The Directive states that whistleblowers can use both internal and external channels. If whistleblowers do not receive a response through internal channels, or if they believe that the use of such channels may pose risks of retaliation, they may contact the competent authorities directly or, as a last resort, make their report public. This flexibility is an improvement over previous legislation, which often limited the options available to whistleblowers.

Competent authorities must follow a strict follow-up process on the reports received, ensuring that investigations are conducted in an impartial manner and that corrective action is taken if the reports are found to be well-founded, while maintaining the confidentiality of the whistleblower's identity throughout the process. This represents a significant improvement over previous legislation, which often lacked effective and impartial follow-up procedures.

In conclusion, the EU Directive 2019/1937 represents a sufficiently comprehensive and detailed regulatory framework for the protection of whistleblowers, aiming to create a safe and supportive environment for reporting violations. Its implementation, however, requires significant efforts from Member States and organisations to ensure that whistleblowers are adequately protected and that breaches are effectively addressed, and compared to the previous framework, the Directive is characterised by broader protections, more stringent obligations for organisations, and more structured and secure reporting and follow-up mechanisms.

Legislative Decree No. 24 of 2023, which entered into force on 30 March 2023 with provisions effective from 15 July 2023, represents a significant evolution compared to the previous Italian legislation on the protection of whistleblowers. This new decree, as anticipated, implements the above-mentioned Directive (EU) 2019/1937 of the European Parliament and of the Council, introducing important innovations and extensions.

One of the main innovations compared to the pre-existing and commented regulatory framework concerns the scope of application. The previous legislation, in fact, focused mainly on the public sector and on some specific categories of workers in the private sector. With the new decree, however, the scope has been extended to include all private sector companies with at least 50 employees, as well as those operating in sensitive sectors regardless of the number of employees. This shift reflects a more inclusive and generalised approach, recognising the need for whistleblower protection in a wide range of work settings.

In addition, whistleblower protection has been significantly expanded. While previous legislation focused primarily on employees, the new decree extends protection to a variety of individuals, including self-employed, contractors, trainees, volunteers, and even job applicants. This expansion recognizes the vulnerability of a wider range of people who may become aware of breaches and encourages a safer environment for reporting.

Another important innovation concerns the establishment of secure and confidential internal reporting channels. Organizations are now obliged to create and maintain such channels, ensuring that the identity of the whistleblower and the individuals involved remains confidential. This represents a change from the previous legislation, which did not have such stringent requirements for the confidentiality and security of reporting channels. In addition, internal reporting is encouraged as a first step, but the whistleblower still has the option to go directly to external authorities if they believe that internal reporting will not be effective or fear retaliation.

Protection measures against retaliation have been strengthened. While previous legislation offered protection against certain forms of retaliation, the new decree expands this protection to include any form of direct or indirect retaliation, such as dismissal, demotion, suspension, threats, and other forms of discrimination. This change aims to provide more comprehensive protection for whistleblowers, ensuring that they can report breaches without fear of negative consequences.

The decree also introduces specific reporting and timing obligations. Organisations must provide feedback to the whistleblower within three months of receiving the report, with the possibility of extending this period to six months in particularly complex cases. This obligation to respond represents a change from the previous legislation, which did not specify such clear and rigorous deadlines for responding to reports. In addition, organisations must inform the whistleblower about the measures taken because of the report.

Penalties for non-compliance are another important element of the new decree. There are significant administrative penalties for organisations that fail to comply with their obligations to set up reporting channels, protect whistleblowers or take retaliatory measures. This introduction of sanctions aims to ensure stricter compliance with the legislation and to dissuade behaviour that may jeopardise the protection of whistleblowers.

Finally, the new decree provides for the possibility of anonymous reports, with the obligation for the competent authorities to also take these reports into consideration, while respecting specific evaluation criteria. The previous legislation clearly did not provide for the management of anonymous reports, making this a significant novelty that further expands the possibilities of protection for whistleblowers.

In summary, Legislative Decree No. 24 of 2023 introduces a series of innovations compared to the past regulations, expanding the scope of application, extending protection to a wider range of subjects, strengthening confidentiality and security measures, introducing significant verification obligations and sanctions, and providing for the possibility of anonymous reporting. These changes aim to promote greater transparency and integrity in both the public and private sectors, providing more robust and inclusive protection for whistleblowers.

6. Integration of the Whistleblowing with other legal and regulatory disciplines

As can be seen from the above considerations, the regulatory instruments governing the institution of whistleblowing have significantly increased over the last few years, extending to numerous cases, and intersecting with other legal and regulatory disciplines concerning different sectors. By way of example and not exhaustively, we can cite some interventions of the legislator on disciplines relating to various areas. In the banking sector, Legislative Decree 72/2015 introduced, within Legislative Decree 385/1993 (Consolidated Banking Act, TUB), articles 52-bis and 52-ter, relating to the obligation to report violations. These articles stipulate that bank employees must report violations of banking regulations, thus contributing to transparency and the prevention of illegal practices in the industry[9]. In the anti-money laundering legislation, Legislative Decree 90/2017 amended Article 48 of Legislative Decree 231/2007, defining a specific discipline on whistleblowing in the field of anti-money laundering. This decree aims to strengthen the reporting mechanisms for suspicious money laundering transactions, ensuring greater protection for whistleblowers.

Regarding financial activity and market abuse, Legislative Decree 129/2017 introduced into Legislative Decree 58/1998 (Consolidated Law on Finance, TUF) Articles 4-undecies and 4-duodecies, which govern whistleblowing in relation to violations of financial market rules and market abuse. These provisions are aimed at preventing and suppressing misconduct in the financial market, ensuring that reports can be made safely and effectively. In the insurance sector, Legislative Decree 68/2018 introduced articles 10-quarter and 10-quinquies in Legislative Decree 209/2005 (Private Insurance Code), regulating whistleblowing in the insurance sector. These articles provide for the obligation for operators in the sector to report violations of insurance regulations, thus contributing to the protection of policyholders and the fairness of the insurance market.

These examples show how the legislator has intervened in a targeted manner on different sectoral regulations to complement and strengthen the provisions on whistleblowing, ensuring greater protection for whistleblowers and promoting transparency and integrity in the various economic and financial sectors.

6.1. Banking, Financial and Insurance Regulations

Legislative Decree no. 72 of 12 May 2015, which implements Directive 2013/36/EU, known as CRD IV, made significant changes to the Consolidated Banking Act (TUB) and the Consolidated Law on Finance (TUF), introducing, among other things, Articles 52-bis and 4-undecies7. These changes anticipated regulatory interventions subsequently sanctioned by Law 179/2017, marking a fundamental step in the regulation of whistleblowing in the Italian banking and financial sector. Article 52-bis, paragraph 1, of Legislative Decree 385/1993 (TUB) establishes that banks and their parent companies shall adopt specific procedures for the internal reporting by staff of acts or facts that may constitute a violation of the rules governing banking activities. This regulatory provision imposes an obligation on banks to set up specific internal procedures to allow staff to report acts or facts that are potentially illegal or do not comply with banking regulations. The aim is to ensure that such behaviours are identified and managed in a timely manner, promoting transparency and integrity within financial institutions.

In compliance with the delegation conferred by the primary law, the Bank of Italy has adopted specific regulatory provisions to implement the provisions of Article 52-bis. It updated Circular No. 285 of 17 December 2013, entitled "Supervisory provisions for banks", introducing detailed guidelines on whistleblowing. These guidelines outline how banks should structure and manage their internal reporting procedures, ensuring that employees can securely and confidentially report any breaches, without fear of retaliation.

Subsequently, Law 179/2017 further strengthened the regulatory framework on whistleblowing, extending the protections for whistleblowers beyond the banking and financial sector. This law established that whistleblowers must be protected from any form of retaliation, creating a safer environment for reporting wrongdoing and consolidating the provisions introduced by Legislative Decree 72/2015.

In summary, Legislative Decree 72/2015 represented a significant step in the regulation of whistleblowing in the Italian banking and financial sector. By introducing Article 52-bis into the Consolidated Law on Finance, it imposed on banks the obligation to adopt specific procedures for the internal reporting of violations, subsequently detailed and implemented by the Bank of Italy through Circular No. 285 of 2013. Law 179/2017 further strengthened these provisions, extending protections for whistleblowers and promoting an environment of greater transparency and accountability within financial institutions. From a subjective point of view, whistleblowers can be both employees and individuals who operate within the company organization on the basis of relationships that place them in the work context, although in different ways than the traditional employment relationship. It is important to underline that the regulatory provision is limited to providing the minimum requirements for the definition of reporting systems, leaving it to credit institutions to choose the most appropriate technical and operational solutions. The decision on the approval of these mechanisms is entrusted to the body with the task of strategic supervision. In addition to this, it is essential to identify an entity responsible for the internal reporting systems, to ensure that these procedures work effectively.

In other words, the legislation sets out the basic principles that must be adhered to for reporting systems but leaves room for the autonomy of financial institutions in defining operational details. The aim is to enable banks to adopt personalised approaches that consider their specificities and needs, while ensuring an adequate level of transparency and protection for whistleblowers and promoting the proper management of reports of wrongdoing or non-compliant behaviour.

According to the Bank of Italy's provisions, the internal means of reporting regulatory violations must guarantee several crucial aspects. First, they must ensure the confidentiality and protection of the personal data of the whistleblower and the reported person. This implies that the information disclosed during the reporting process must be treated confidentially and protected from unauthorized access. Secondly, reports must be handled through dedicated channels, which are autonomous and independent of normal internal reporting procedures. This helps to ensure that reports are dealt with appropriately and that they are preserved from interference or influence from stakeholders.

Another important point is that the persons in charge of receiving, examining, and evaluating reports should not be involved in decisions relating to reported cases. This ensures a degree of separation and neutrality in decision-making, avoiding conflicts of interest and ensuring that decisions are made in an impartial and evidence-based manner. In addition, it is essential that the individuals involved in handling the reports protect the whistleblower from any negative consequences, such as retaliation or discrimination, that may result from their reporting of regulatory violations.

Finally, banks must appoint a specific person responsible for internal reporting systems, who is responsible for ensuring that the process is properly managed, and that relevant information is transmitted directly to the relevant corporate bodies when necessary. This helps to ensure that reports are dealt with in a timely manner and that corrective actions are taken when appropriate, while also maintaining appropriate oversight and control over the bank's internal processes.

As far as the whistleblowing procedure is concerned, it is essential to define several key aspects in a clear and detailed manner. First, it is important to establish who is authorized to make reports and what situations can be reported. This ensures that reports are made by competent persons and relate to behaviours or situations that are relevant from a regulatory or ethical point of view.

The operational procedures for reporting must be well defined, ensuring that whistleblowers can do so in a secure and confidential manner. This may include the use of dedicated channels, such as telephone lines or secure online platforms, to ensure the confidentiality of the information transmitted. The investigation process must clearly indicate the steps to be followed in assessing and investigating the reports received. This may include the designation of a team or committee to conduct the investigation, as well as the expected timeframe for each step of the process. It is also important to establish how the whistleblower and the reported person must be kept informed of the progress of the proceedings. This ensures transparency and fairness in the handling of reports, allowing both parties to be properly involved in the process. The obligation for the whistleblower to declare any private interests related to the report is crucial to ensure the impartiality and reliability of the reports. This helps to avoid conflicts of interest and ensure that reports are made in good faith and for the good of the organization. Finally, if the whistleblower is involved in the reported violations, it is important to establish preferential treatment for the latter over the others involved. This may include safeguards for the whistleblower and the ability to work with relevant authorities to resolve breaches in an effective and timely manner.

After the amendments made by Legislative Decree 72/2015, the Consolidated Banking Act (TUB) was further amended by Article 1, paragraph 13, of Legislative Decree 223/2016. This amendment introduced paragraph 4-bis of Article 52-ter, which establishes the need for adequate information flows between the Bank of Italy and the European Central Bank.

The Italian Banking Association (ABI) has also taken a position on the issue, examining various aspects related to the implementation of breach reporting systems. These aspects include the regulatory perimeter, the parties authorised to make reports, the reporting methods and the roles and responsibilities of the various parties involved in receiving, analysing, and communicating reports to the relevant bodies. According to the ABI document, the implementation of a whistleblowing system is an important element to ensure proper corporate management and constant compliance with the principles of transparency and integrity.

From an operational point of view, the process is divided into three phases:

Receipt of the report by the competent body.
Analysis of the report, which includes the examination of the formal admissibility and the assessment of the merits of the report by the competent entity.
Immediate communication to the corporate bodies of the relevant information reported, to take the necessary measures, including those of a disciplinary nature. It is important to note that this phase, if triggered, is not necessarily sequential to the other two phases and can be started even before the analysis is complete.

Phase 3 is clearly the responsibility of the "Internal Whistleblowing System Manager". The other two phases, on the other hand, can be managed in different ways depending on the organizational complexity of the company and the level of formalization desired for the whistleblowing system. In addition, the first two phases could be managed separately by separate managers, or they could be entrusted to a single individual who has the necessary skills and authority to manage both phases. This decision depends on the structure and specific needs of your organization. Phase 1 could involve receiving reports, pre-assessing and determining their validity, while phase 2 could involve initiating a more detailed investigation into the report confirmed as valid.

If your company is small or has a simple organizational structure, it may be practical to entrust both of these steps to a single manager. However, in larger or more complex companies, it may be preferable to distribute these responsibilities among multiple individuals or departments to ensure effective management and proper segregation of duties. In any case, it is important for the company to develop and implement a clear and robust regulatory framework to manage whistleblowing, including clear procedures for each step of the process, ensuring transparency, impartiality and confidentiality for those who report any violations or improper behaviour. In a similar way to what is provided in relation to the specific banking sector, art. Article 4-undecies of the TUF provides for the adoption of mechanisms for reporting violations by intermediaries and issuers, also contemplating the need to structure specific internal communication channels, but also an external channel, with Consob as its recipient (depending on the supervisory allocation). Also in this case, the Legislator has also expressly established the need to guarantee the confidentiality of the personal data of the whistleblower and the alleged perpetrator of the violation, protecting him from any retaliatory, discriminatory, or otherwise unfair conduct resulting from the report. Paragraph 3 of the rule in question also makes it explicit that, beyond the hypotheses of liability by way of slander or defamation, the submission of a report as part of the whistleblowing procedure does not constitute a violation of the obligations arising from the employment relationship.

As far as the insurance sector is concerned, the institution in question was regulated by Legislative Decree 68/2018, which introduced Articles 10-quarter and 10-quinquies into Legislative Decree 209/2005. These rules provide, respectively, for the presence of an internal and an external channel for the reporting, by the staff of insurance companies, of facts that may constitute violations of the rules governing the activity carried out and contemplated in the Private Insurance Code. Regulatory intervention regarding the establishment of internal and external communication channels for reporting breaches in the insurance industry is a significant step towards promoting transparency and regulatory compliance. It is essential that insurance companies have adequate communication channels in place to ensure the protection of the whistleblower's identity and the confidentiality of personal data, including the reported data.

If an external channel is used for reporting, as indicated, the report must be forwarded to the Insurance Supervisory Institute (IVASS), which assumes the role of competent authority. It is IVASS's responsibility to establish the conditions, limits, and procedures for the receipt of external reports, to ensure fair and confidential treatment of the same. It is interesting to note that IVASS has issued a regulation that underlines the importance of including in the corporate governance system of insurance companies’ methods that allow staff to bring particularly serious situations directly to the attention of the higher hierarchical levels. This further reinforces the importance of a company culture that promotes the reporting of issues and encourages open and transparent communication within the organization.

In summary, the establishment of whistleblowing channels in the insurance sector, together with the supervision of IVASS and the promotion of corporate governance that favors the reporting and management of critical issues, is essential to ensure a more transparent, compliant and risk-oriented sector.

6.2. Anti-Money Laundering Regulations

Whistleblowing has also been established in the regulatory framework related to the fight against money laundering and terrorist financing. With the implementation of the fourth European directive (EU Directive 2015/849) through Legislative Decree 90/2017, the national legislator has integrated into Legislative Decree 231/2007 a special section, called "reporting violations", which includes article 48 dedicated to "reporting violations". This article requires entities under anti-money laundering legislation to establish and implement procedures to enable employees or equivalent entities to report any "potential or actual" violations of the rules aimed at preventing money laundering and terrorist financing. In summary, this provision provides a legal framework to promote and protect those who report possible violations of the law in these sensitive areas.

The regulatory provision states that these procedures must ensure the following:

a) The protection of the confidentiality of the identity of the whistleblower and of the alleged perpetrator of the violations, without prejudice to compliance with the rules governing the investigations and proceedings conducted by the judicial authority concerning the facts reported.

b) The protection of the whistleblower from punitive, discriminatory, or unfair actions resulting from the report.

(c) The establishment of a specific reporting channel, which is anonymous and independent, appropriate to the nature and size of the entity subject to the obligations.

It should also be noted that reports made in accordance with these procedures do not in themselves constitute breaches of the obligations arising from the contractual relationship between the whistleblower and the obliged entity.

With reference to the identity of the whistleblower, art. Article 48 expressly provides that the same may be disclosed only with his consent or when knowledge is indispensable for the defence of the reported person. Art. 15, paragraph 1, of Regulation (EU) 2016/679 – GDPR, which provides for the right of the data subject to obtain from the data controller confirmation as to whether personal data concerning him or her is being processed and, if so, to obtain access to the personal data and to a series of information duly listed by the law.

The obligation to adopt procedures for internal reporting is also reiterated by the Bank of Italy in the provision on internal controls implementing Legislative Decree 231/2007, which requires recipients to ensure control over the verification of compliance by the staff of supervised entities with internal procedures and all regulatory obligations, including those of "communication and reporting and the protection of confidentiality in the matter of reporting". With the introduction of whistleblowing in the field of anti-money laundering, it is necessary to adopt an internal system for reporting violations, both potential and actual, of the provisions aimed at preventing money laundering and terrorist financing. However, it is important to note that the whistleblower protection and procedural aspects are not defined in detail. As a result, the whistleblowing system in the anti-money laundering context has shortcomings, especially when compared with the provisions contained in Article 6, paragraphs 2-bis, 2-ter and 2-quarter of Legislative Decree 231/2001 (which will be discussed in the next paragraph).

Undoubtedly, despite the obvious demand for legislative intervention aimed at further clarifying procedures and protections, it is essential for those involved to adopt the procedures indicated in Article 48, providing themselves with adequate tools to manage whistleblowing reports. These tools must be able to manage anonymous and confidential information flows effectively and appropriately.

6.3. Legislation on the protection of personal data

The management and protection of personal data in the context of whistleblowing is an area of significant importance considering EU Regulation 2016/679 (General Data Protection Regulation – GDPR), which replaced the previous Directive 95/46/EC. The current regulation imposes stringent obligations and specific protection for the processing of personal data, requiring organizations to take appropriate measures to ensure compliance. In particular, it is necessary to consider the rights of the parties involved, including the whistleblower and the whistleblower. The GDPR ensures that the whistleblower has the right to access, rectify and delete their personal data, although these rights must be balanced with the need to maintain the integrity of the investigation and protect the confidentiality of the whistleblower. It is also imperative to provide clear and transparent information on the processing of personal data to all parties involved, specifying who manages the data, the purposes of the processing, the legal basis, the rights of the data subjects and the ways to exercise them. Personal data collected through whistleblowing schemes must only be kept for as long as necessary to achieve the intended purposes and must be securely deleted once it is no longer needed. Technical and organizational measures for data security include the adoption of protection tools such as encryption and anonymization, as well as the implementation of internal procedures that ensure GDPR-compliant processing, through staff training, the definition of roles and responsibilities, and the conduct of regular audits. It is crucial to strike a balance between protecting the whistleblower's identity and the whistleblower's right to know the allegations, assessing on a case-by-case basis, and taking steps to minimise the risk of retaliation. Conducting a Data Protection Impact Assessment (DPIA) is advisable to identify and mitigate risks to the rights and freedoms of data subjects. Organizations must be prepared to cooperate with data protection authorities and respond to any inquiries or investigations. In summary, the management of personal data in the context of whistleblowing requires strict attention to the rights of data subjects and the adoption of appropriate measures to ensure compliance with the GDPR, balancing transparency and confidentiality, protecting both the whistleblower and the whistleblower, and ensuring that data is treated securely and responsibly.

Based on the elements indicated by the Data Protection Authority, the platforms intended for the management of whistleblowing reports must be designed with specific technical and organizational characteristics to ensure the security and confidentiality of the data processed. User authentication procedures should be based on "strong authentication" techniques, such as the combined use of passwords and OTPs (One Time Passwords). With regard to the safe and secure access to the application for all users, it is necessary that the IT procedure uses only secure data transport protocols, such as the https protocol, in order to ensure secure communication that protects the confidentiality, integrity of the data relating to the identity of the whistleblower and the content of the report, as well as the authenticity of the web pages used for the acquisition and management of reports. User profiling mechanisms must be configured to ensure visibility limited to the role played only, allowing selective access to report data. It is envisaged that the Head of Corruption Prevention and Transparency (RPCT) may assign specific reports to individual investigators in a support function. In addition, it is essential to ensure the traceability of the operations carried out by the RPCT and the investigating bodies, except for consultations carried out by the whistleblower to monitor the evolution of their report. These measures are essential to ensure the protection of personal data and compliance with applicable privacy and information security regulations. Although not explicitly provided for by the Data Protection Authority, in relation to data protection in whistleblowing procedures, it may still be appropriate to carry out the data protection impact assessment provided for by art. 35 of the GDPR. That article provides that, where a given procedure presents a high risk to the rights and freedoms of natural persons, by providing for the use of new technologies (having regard to the nature, object, context, and purposes of the processing), the controller shall, before proceeding with the processing, carry out an assessment of the impact of the planned processing on the protection of personal data. A single assessment may look at a set of similar treatments that present similar high risks. The DPIA (Data Protection Impact Assessment) is therefore an essential tool for identifying and mitigating the risks associated with the processing of personal data in whistleblowing procedures. This assessment allows you to analyse in detail how your data is processed, identify potential vulnerabilities, and implement appropriate measures to ensure compliance with GDPR provisions. Considering the sensitive nature of the information processed and the use of advanced technologies, a DPIA can offer a clear picture of potential privacy threats and suggest solutions to minimise risks, thus helping to strengthen data protection and promote trust in the whistleblowing system.

These factors, together with the provisions of the GDPR and the Privacy Code as amended by Legislative Decree 101/2018, have been analysed in a recent provision, in which, while expressing itself favourably with respect to the ANAC Guidelines, the Guarantor for the Protection of Personal Data is responsible for specifying some cases[10]. The reported person, presumed to be the perpetrator of the offence, is not precluded in absolute terms from exercising the rights provided for by art. 15 to 22 of the GDPR; Art. Article 2-undecies of the Privacy Code, in fact, establishes in paragraph 3, in relation to the specific limitations to the rights of the data subject provided for in paragraph 1 with reference to the institution of whistleblowing, that in this case the rights in question can be exercised through the Guarantor in the manner referred to in art. 160 of the Code. It will be the Garante itself that will carry out a balance between the right invoked by the reported and the need for confidentiality of the whistleblower's identification data. The whistleblowing procedure must comply with the principle of minimization contained in art. 5 of the GDPR and, for example, to avoid the proliferation of communications to the whistleblower to inform them of the progress of the investigation. As part of the whistleblowing procedure, organisational and/or technical safeguards must be put in place that allow the RPCT alone to associate the report with the identity of the whistleblower.

The Garante also pays particular attention to the operation of IT platforms intended to manage reports owned by external suppliers, which in this case act as data processors pursuant to art. 28 of the GDPR, which in the first paragraph requires in any case the presence of "sufficient guarantees to put in place adequate technical and organizational measures in such a way that the processing meets the requirements of this regulation and guarantees the protection of the rights of the data subject". Therefore, third-party providers must ensure that their platforms comply with GDPR regulations by implementing security measures that protect the personal data processed. Such measures must include secure protocols for transporting data, robust authentication mechanisms, and access controls that limit data visibility to authorized parties only. In addition, providers must be able to ensure the traceability of transactions carried out on the platform and support organizations in complying with their legal obligations regarding data protection, including compliance with the principle of minimization and the protection of the confidentiality of reports. The Garante stresses the importance of establishing detailed and clear contracts between the data controller and the data processors, specifying the responsibilities of each party and the security measures to be adopted, as required by art. 28 of the GDPR. These contracts must also include procedures for managing data breaches and assisting in responding to data subject requests, ensuring that the rights of whistleblowers and whistleblowers are adequately protected.

In the light of the regulatory framework in question, the entity responsible for the management of the data must be considered as the entity that implements a whistleblowing system. Violation of the duty of confidentiality is a source of disciplinary liability, without prejudice to any other form of liability provided for by law. Generally, therefore, although the identity of the whistleblower cannot be revealed without his express consent and all those involved in the management of the report are required to protect its confidentiality, it is possible to identify exceptions in cases where the report is made with the aim of damaging or prejudicing the reported (so-called "bad faith" reporting) and there is a liability by way of slander or defamation pursuant to law; anonymity is not enforceable by law (e.g. in the case of criminal investigations, inspections by supervisory bodies, etc.); the report reveals facts and/or circumstances that, although unrelated to the company's sphere, make it appropriate and/or necessary to report to the Judicial Authority (e.g. for crimes of terrorism, espionage, attacks, etc.).

6.4. Listed Companies and Corporate Governance Code of Borsa Italiana

In the securities market sector, the reporting rules were integrated with the transposition of the European legislation on market abuse (Regulation no. 596/2014) and MIFID II, which took place with Legislative Decree 179/2017, and are currently contained in articles 4-undecies and 4-duodecies of the TUF. The rules in question are dealt with in relation to the specific area of listed companies within the Corporate Governance Code drawn up by the Corporate Governance Committee of Borsa Italiana, integrated in 2018[11]. Art. 7, explicit reference is made to the issue of whistleblowing, in relation to the internal control and risk management system consisting of the set of rules, procedures and organisational structures aimed at allowing the identification, measurement, management and monitoring of the main risks, with reference to information flow exchange systems. This regulatory integration requires listed companies to adopt adequate internal procedures for the management of reports, ensuring both the protection of the whistleblower and the confidentiality of the information collected. Arts. Articles 4-undecies and 4-duodecies of the TUF establish specific obligations for financial intermediaries about the reporting of violations of regulatory rules and other offences, in accordance with the provisions of Regulation no. 596/2014 on market abuse and MIFID II.

The Corporate Governance Code, through art. 7, promotes the adoption of effective internal control systems, stressing the importance of whistleblowing as a tool to prevent and detect irregularities and abuses. Listed companies are therefore required to develop a whistleblowing management system that allows information to be collected and processed securely, respecting the principles of integrity, confidentiality, and protection of personal data, as established by the GDPR and Italian privacy regulations. These measures include the implementation of secure authentication procedures, the minimization of the data collected, and the adoption of secure protocols for the transmission of information. In addition, it is essential that companies ensure the traceability of transactions and the ability of the Corruption Prevention and Transparency Officer (RPCT) to monitor and manage reports, preserving the identity of the whistleblower, except in exceptional cases provided for by law.

The indications of the Corporate Governance Committee of Borsa Italiana establish that, at least in the issuing companies belonging to the FTSE-MIB index, an adequate internal control and risk management system must be equipped with an internal system for reporting by employees of any irregularities or violations of applicable regulations and internal procedures (so-called whistleblowing system), in line with existing national and international best practices, which guarantees a specific and confidential information channel, as well as the anonymity of the whistleblower. This whistleblowing system must be structured in such a way as to allow employees to report violations in an environment that ensures the confidentiality of the information and protects the identity of the whistleblower. Best practices suggest the implementation of secure procedures for handling reports, including technical and organizational measures to prevent unauthorized access to data and to ensure that only those people who are strictly necessary can access the reported information.

FTSE-MIB companies are required to establish a dedicated and secure communication channel, such as a secure online platform or a dedicated telephone line, which allows employees to report irregularities in a secure and anonymous manner. In addition, clear internal policies should be in place that outline procedures for handling reports, including response times, how to investigate, and safeguards for whistleblowers. Not only does this approach facilitate the early detection of misconduct, but it also helps to create a transparent and accountable work environment where employees feel confident that they can report irregularities without fear of retaliation. In addition, complying with best practices and current regulations on whistleblowing helps companies avoid legal penalties and maintain the trust of investors and other stakeholders.

The issue was also addressed by Consob with a Manual of Procedures dedicated to the "Procedure for dealing with exposures", which is part of the set of information that can be exploited, from a risk-based perspective, both from a programmatic point of view, through the definition of the activities of the supervisory units in their respective annual operational plans, and in terms of prioritization of the interventions that can be activated. Complaints can contribute, in compliance with sector regulations and together with other information inputs collected and analyzed internally, to a more complete protection of the public interests protected by CONSOB. In fact, they make it possible to acquire - in an unconventional way - information about possible critical situations, even if only potential, present in the financial system, contributing to the protection of investors. The general category of complaints also includes reports pursuant to Article 4-duodecies of the TUF, which refer to violations of the sector rules governing the activities carried out by supervised entities as well as Regulation (EU) no. 596/2014.

The Commission distinguishes the complaints into:

which can be transmitted by any subject (natural person or entity), even anonymously or subscribed with pseudonyms. This typology concerns matters falling within the competence of CONSOB, contains complaints about the economic/financial damage suffered, reports of conduct, situations or facts deemed illegitimate, irregular or in any case anomalous involving supervised entities or sectors in which the Commission's supervisory powers insist. The facts reported must be concrete, sufficiently detailed and, where appropriate, documented.
which relate to potential or actual breaches of Regulation (EU) No 596/2014.

The management of the complaint is mandatory by the CONSOB operating unit, regardless of the method of dealing with it or whether the actual investigation has been opened. According to CONSOB's indications, the following are considered "inadmissible":

of generic or irrelevant content, i.e. statements from which it is not possible to deduce the supervised entities, the facts complained of and, in general, elements useful for the purposes of CONSOB's supervisory activity.
from which there are no cases of violation of specific rules.
concerning subjects or matters that do not fall within the competence of CONSOB itself. Complaints that cannot be prosecuted are archived and the relevant file is closed.

In the event that the complaint is dealt with, the competent authority assesses the possible need to increase the level of confidentiality of the investigation and updates the information relating to the handling of the complaint on the appropriate IT application, taking into account the nature of the source of the report, the content and the context of reference, assigning to the report a degree of relevance depending on the impact (foreseeable or actual at depending on whether it is assessed before or after the investigation has been carried out) on the investigation activity.

The complaints contribute to the set of information that can be used by CONSOB for the purposes of supervision of the financial market and the fairness of operators. The concept of complaint also includes "reports of violations" pursuant to Article 4-duodecies of the Consolidated Financial Act (TUF) that may be received by CONSOB from the staff of supervised entities and that refer to violations of the sector rules governing the activity carried out by them as well as of Regulation (EU) no. 596/2014 (so-called "Consolidated Financial Act") Legislative Decree no. 107 of 10 August 2018, containing the provisions of the aforementioned regulation, inserted a new paragraph 1-bis to Article 4-duodecies of the TUF, pursuant to which the procedures are adopted by CONSOB in accordance with the provisions of Implementing Directive (EU) 2015/2392, concerning the reporting to competent authorities of actual or potential breaches of the above-mentioned Market Abuse Regulation.

Since 3 January 2018, CONSOB has adopted a specific procedure for receiving and processing reports relating to potential or actual alleged violations or unlawful violations of the rules of the TUF, as well as directly applicable European Union acts in matters falling within its area of competence (so-called whistleblowing). In this regard, Law no. 179 of 30 November 2017 provides for a series of protections for those who report crimes or irregularities of which they have become aware in the context of an employment relationship, which also contemplate the illegitimacy of any disciplinary measures with retaliatory or discriminatory purposes of the reporting party. The procedure, illustrated below for the sake of completeness, is published on the CONSOB website, and accompanied by explanatory notes. Reports may be received by CONSOB from the personnel of the subjects who fall within the scope of supervision, i.e. employees and those who in any case operate based on relationships that determine the inclusion in the company organization of the same subjects, even in a form other than the employment relationship. Pursuant to Implementing Directive (EU) 2015/2392, anyone, even anonymously, can report to CONSOB potential or actual violations of the rules on market abuse, contained in Regulation (EU) No. 596/2014 or in the TUF.

The reports shall contain concrete facts, sufficiently detailed and, where appropriate, documented. The whistleblower who has knowledge of these facts can therefore benefit from special guarantees of confidentiality and protection. To receive reports pursuant to art. 4-duodecies of the TUF and EU Directive 2015/2392, CONSOB has activated two dedicated channels, telephone and telematic, for the immediate receipt of reports. The exponent can indicate the need and the mode of direct contact chosen from those provided. CONSOB responds to the whistleblower to inform him/her, within the limits permitted by the rules on investigative secrecy and confidentiality rules regarding information to the market, about the use of the complaint, or, if necessary, to communicate, if necessary, that CONSOB has no competence in the matters covered by the complaint and to report the transmission of the same complaint to the competent Authority, if this has not already occurred on the initiative of the exponent; to inform of the request for clarification sent to the supervised entity and of the feedback provided by the latter in cases where the complaint concerns alleged non-compliance of qualified intermediaries with regard to the failure to respond to a complaint or to specific requests by the client relating to information, documents or the transfer of a securities dossier; to inform you that the complaint will be the subject of in-depth investigations as part of the supervisory activity and that the acts and measures of CONSOB concerning supervised entities, aimed at protecting general interests, are published, as a rule, on the Institute's website.

CONSOB confirms receipt of the report, with the following exceptions: - the complaint is anonymous or signed under a fictitious name; - the exponent has explicitly requested not to receive the confirmation; - if the confirmation of receipt of the report may jeopardise the protection of the identity of the whistleblower.

No response is due in cases of complaints addressed by savers to supervised entities and transmitted to CONSOB for more information. Once the report has been received, CONSOB through personnel in charge of processing the reports and in accordance with procedures aimed at ensuring the confidentiality of the same that do not allow access to unauthorized personnel: verifies, where possible, the existence of the conditions for the qualification of the report as "whistleblowing"" or exposed "qualified"; If the subjective requirements or objects required are not met, the report is reclassified as "ordinary".

The "relevance" of the report, i.e. its usefulness for supervisory purposes, is ascertained through the assessment of the following elements: exponent: the nature of the source of the report; content: the relevance and precision of the facts described; damage: the relevance and extent of the irregularities reported; Reference context: the level of internal (e.g. other investigations) and external (e.g. by judicial authorities and/or media) attention to the facts described and/or the irregularities reported.

Based on this classification, the reports are used within any investigations already underway or for the purpose of adopting new supervisory measures within the limits of CONSOB's competences. In any case, CONSOB may ask the reporting person to clarify the information provided or to provide additional information of which he or she is aware, in the manner indicated by the same.

As required by Implementing Directive (EU) 2015/2392, providing information to CONSOB pursuant to Regulation (EU) No. 596/2014 does not constitute a violation of any limitations on the disclosure of information imposed by contract or by legislative, regulatory, or administrative means, nor does it imply, for the reporting person, any liability in relation to such reporting. The protections indicated below apply to the whistleblower (where he/she is not anonymous) and to the reported person in the case of "whistleblowing".

The forms of protection by CONSOB of Whistleblowers, even if they operate within the framework of an employment contract, are limited to what is described below.

(a) Attestation

If a reporting party requests it, once it has been verified that the complaint is classified as qualified, a certificate can be produced attesting to the collaboration activity carried out with CONSOB.

b) Communications to other Authorities

Reports can be forwarded to the Judicial Authority.

If necessary, any contact with other Authorities regarding the investigation subject to the report or the forwarding of information is managed within the limits provided for by art. 4 of the TUF.

The identity of the whistleblower, the reported person or any other reference to circumstances that allow the identification of the reporting person, or the reported person will be communicated to authorities other than the judicial authority, where necessary, specifying that the "receiving" authority is required to guarantee the same forms of confidentiality protection granted by CONSOB in the context of this procedure.

Similarly, the information exchanged relating to commercial or operational aspects and other matters of an economic or personal nature shall be communicated to authorities other than the judiciary, specifying that the information is subject to the obligation of professional secrecy under national law.

c) Access Requests

If, during the supervisory investigation, CONSOB receives a request for access to the documents with reference to the report, the identity of the whistleblower, as well as that of the reported person, is exempt from the right of access provided for by art. 22 et seq. of Law 241/1990. Access to documentation may be viewed or a copy extracted only in a manner that safeguards the confidentiality of the whistleblower and the reported person.

d) Privacy

Art. 15 of Regulation 2016/679/EU (GDPR) about the identity of the whistleblower. Data processing is carried out in accordance with the GDPR. Personal data is stored for a maximum period of five years.

(e) Professional secrecy

Professional secrecy applies to all persons who work or have worked for CONSOB. Information covered by professional secrecy may not be disclosed to any other person or authority except in accordance with the provisions of Union or national law.

(f) Communications to third countries

If necessary, the possible transfer of personal data of the whistleblower or reported person to third countries may take place on condition that the requirements of the GDPR are met, only on a single basis and by requesting in advance a declaration certifying that the data will not be transferred to another third country unless CONSOB gives explicit written authorization, and any conditions are met.

CONSOB may communicate the personal data of the whistleblower, or the reported person received from other competent authorities of another Member State to a supervisory authority of a third country only upon explicit agreement with the Authority that transmitted the data and, where applicable, shall communicate such data exclusively for the purposes for which that authority has given its agreement. Similarly, if, after transferring the personal data of the whistleblower or reported person to another competent authority of another Member State, the latter requests to communicate such data to a supervisory authority of a third country, the consent must be expressed explicitly and indicating the purposes for which CONSOB has expressed its agreement.

Cooperation agreements between CONSOB and other Authorities that provide for the exchange of personal data are stipulated ensuring compliance with the GDPR.

6.5. Occupational health and safety

Whistleblowing is an important tool for protecting workers, especially in sensitive areas such as health and safety in the workplace. The whistleblowing regulations allow workers to report unlawful conduct or dangerous situations without fear of retaliation, in relation to the employer's obligations under art. 18 of Legislative Decree 81/2008.

The employer is required to provide workers with the necessary and suitable personal protective equipment, after consulting the head of the prevention and protection service and the competent doctor, if any. If a worker finds that these devices are not adequate or are not provided, they can use whistleblowing to report the violation, thus ensuring timely intervention for their own safety and that of their colleagues. The employer must take measures to control hazardous situations in the event of an emergency and provide instructions so that workers can leave the workplace or danger zone in the event of serious, immediate, and unavoidable danger. Whistleblowing allows workers to report the absence or inadequacy of such measures or instructions, contributing to the prevention of serious incidents.

Obligations to provide information, education and training on risks and safety measures are essential for the prevention of accidents at work. Workers can use whistleblowing to report the lack or inadequacy of these training activities, improving the overall preparation of the work environment. The employer must allow workers to verify, through the workers' safety representative, the application of safety and health protection measures. Whistleblowing reports can highlight non-compliance with this obligation, ensuring that checks are carried out correctly. The employer is required to take appropriate measures to prevent the technical measures adopted from causing risks to the health of the population or deteriorating the external environment, periodically verifying the continued absence of risk. Whistleblowing makes it possible to report situations in which the measures taken are inadequate or are not respected, thus ensuring the protection of the community and the environment. Finally, the employer must update the prevention measures in relation to organizational and production changes that have relevance for the purposes of health and safety at work, or in relation to the degree of evolution of prevention and protection techniques. Whistleblowing can be used to report the failure to implement necessary updates, promoting continuous improvement of working conditions.

In this way, whistleblowing represents an effective tool for the protection of workers' health and safety, making it possible to promptly identify and correct violations of the obligations provided for by Legislative Decree 81/2008. This not only fosters a safer working environment, but also a corporate culture based on transparency and accountability.

The current legislation imposes specific obligations on workers, with a view to actively involving the workforce and sharing responsibilities with the employer and supervisors. This sharing is aimed at ensuring a safe and healthy working environment. Art. Article 20(2)(e) of Legislative Decree 81/2008 states that workers are required to immediately report to their employer, manager, or supervisor any deficiencies in safety means and devices, as well as any dangerous conditions of which they become aware. This report must be timely and punctual, so that the necessary measures can be taken to prevent accidents or damage to health. In addition, workers are obliged to take direct action, in the event of an emergency, within the scope of their powers and possibilities, to eliminate or reduce situations of serious and imminent danger. This duty must be fulfilled without prejudice to the obligations referred to in point (f) of that subparagraph, and workers must inform the workers' safety representative of the actions taken. This obligation to intervene immediately in the event of danger not only highlights the individual responsibility of each worker, but also underlines the importance of collaboration and communication within the work environment.

The importance of such reporting and intervention actions is particularly evident considering the health emergency caused by the Covid-19 epidemic. In this context, the Shared Protocol for the regulation of anti-contagion measures in the workplace, supplemented on 24 April 2020, clearly establishes that the continuation of production activities can only take place in the presence of conditions that guarantee workers adequate levels of protection. If these conditions are not met, activities will be suspended. Failure to comply with the provisions of the protocol and the legislation on health and safety at work may constitute an offence of various kinds. In this context, the role of the whistleblower is crucial. The whistleblower, in fact, has the function of reporting illegal behavior or risky situations that could compromise the safety of workers. It is crucial that the whistleblower is protected from any form of censorship or retaliation. Whistleblower protection is essential to ensure that reports are made without fear of negative consequences, thus promoting a transparent and safe working environment.

In conclusion, the legislation on health and safety at work assigns specific reporting and intervention obligations to workers which, if properly complied with, contribute significantly to the prevention of accidents and the protection of health in the workplace. Whistleblowing is an effective tool for the protection of workers' rights and for the continuous improvement of working conditions, ensuring greater accountability and transparency on the part of all actors involved.

6.6. Competition and antitrust

As far as the protection of competition is concerned, in the absence of a specific regulatory provision at national level, one of the main references is the Communication of the European Commission of 16 March 2017. In this Communication, the Commission expresses its intention to create a new tool to facilitate the submission of reports on possible cartels and other antitrust breaches, while ensuring the anonymity of whistleblowers.

The Communication of the European Commission underlines the importance of encouraging the denunciation of anti-competitive practices, such as the formation of cartels, which represent a serious threat to the internal market and to the proper functioning of the economic system. Cartels involve unlawful coordination between competing undertakings with the aim of fixing prices, restricting production, or sharing markets, thereby causing significant harm to consumers and other undertakings. The Commission recognises that one of the main obstacles to reporting such practices is the fear of retaliation by the employers or companies involved. To overcome this obstacle, the Commission proposes the adoption of an anonymous reporting system that protects the identity of whistleblowers. This system allows employees, competitors, or other stakeholders to provide information about anti-competitive practices without exposing themselves to personal risk. The anonymous reporting mechanism proposed by the European Commission includes the use of secure technological tools that enable communication between whistleblowers and competition authorities without revealing the identity of the whistleblower. This system also provides protection measures for those who decide to reveal their identity, guaranteeing them the greatest possible protection against possible retaliation.

The introduction of such tools is seen as a crucial step to strengthen antitrust enforcement and to ensure that markets function in a fair and competitive manner. Whistleblower reports can provide competition authorities with valuable information that would otherwise be difficult to obtain, thus facilitating the detection and prosecution of anti-competitive practices.

In summary, the Communication of the European Commission of 16 March 2017 represents a fundamental point of reference in the field of competition protection, highlighting the importance of whistleblowing as a tool to combat cartels and other antitrust violations. Protecting the anonymity of whistleblowers is essential to encourage whistleblowing and to ensure a more transparent and competitive market. The European Commission intends, through the Communication of 16 March 2017, to ensure that individuals can actively contribute to the fight against cartels and other unfair and anti-competitive practices. These practices include price agreements, manipulation of comparative procedures, foreclosure of products from the market, and unfair foreclosure of competitors.

In the past, one of the main tools used to detect cartels was the so-called leniency programme[12]. This program, which falls under the umbrella of corporate whistleblowing, allows a company to report its involvement in an anti-competitive practice in exchange for a reduction in the fine or full immunity, provided that the report takes place before the sanctioning proceedings are initiated. The leniency programme has played a crucial role in detecting and sanctioning cartels, as it incentivises companies to cooperate with competition authorities by providing crucial evidence and information on illegal practices. However, this tool is limited to the business context and does not cover reports from individuals outside the organisation involved in anti-competitive practices.

The Commission's 2017 Communication aims to close this gap by introducing a new system that facilitates anonymous reporting by individuals. This new tool is designed to protect the identity of whistleblowers and encourage reporting of anti-competitive practices by employees, competitors or other stakeholders. The Commission thus intends to broaden the range of information available to competition authorities by improving their ability to detect and prosecute antitrust breaches.

The anonymous whistleblowing system involves the use of secure technologies that allow whistleblowers to communicate with the authorities without revealing their identity. This protection is critical to overcome the fear of retaliation and to ensure that critical information is provided without personal risk to whistleblowers. In conclusion, the European Commission's strategy, outlined in the Communication of 16 March 2017, aims to strengthen the fight against cartels and anti-competitive practices through the implementation of a new anonymous reporting system. This tool complements the existing leniency programme, expanding the possibilities for detecting and prosecuting illegal practices and helping to create a fairer and more competitive market.

The novelty introduced by the Communication of the European Commission of 16 March 2017 also allows individuals, who are aware of the existence of cartels or other violations of antitrust rules, to actively contribute to combating such practices. This new system increases the likelihood of identifying and prosecuting misconduct, as well as acting as a deterrent to other businesses that may be tempted to join or remain within a cartel, or to continue to engage in other illegal and anti-competitive behaviour. In this way, the new instrument reinforces and complements the effectiveness of the leniency programme. According to the Commission's intentions, the new instrument should make it possible to achieve a number of specific objectives. Firstly, it allows individuals to provide information securely, granting them the option to request a response from the Commission to their messages. This facilitates an active and constructive dialogue between whistleblowers and competition authorities. Secondly, the system allows the Commission to request clarifications and additional details regarding the alert received. This is essential to ensure that the information is sufficiently detailed and useful for investigations. Thirdly, the new tool protects the anonymity of the whistleblower using encrypted communications and the use of external providers. Protecting the identity of the whistleblower is crucial to encourage reporting without fear of retaliation. Finally, the system aims to increase the likelihood that the information received will be sufficiently reliable and accurate to allow the Commission to pursue its investigation effectively. This objective aims to improve the quality of the information collected by increasing the effectiveness of actions to combat anti-competitive practices. The combination of these objectives makes the new system an effective complement to the leniency programme, expanding opportunities to detect and sanction anti-competitive practices. Not only does the new tool facilitate the collection of crucial information, but it also creates an environment where potential whistleblowers feel safe and secure.

In summary, the European Commission's strategy, expressed in the Communication of 16 March 2017, aims to strengthen the fight against cartels and anti-competitive practices through the introduction of an anonymous reporting system. This system, through the protection of the identity of whistleblowers and the possibility of interacting with the Commission, represents a significant step towards the creation of a fairer and more competitive market.

As far as national law is concerned, the importance of building adequate whistleblowing procedures as part of compliance programmes relating to competition protection legislation has recently been explicitly recognised. In this context, one of the most relevant references is represented by the "Guidelines on Antitrust Compliance" issued by the Italian Competition Authority (AGCM) on 25 September 2018[13].

The Guidelines have been drawn up with the aim of providing companies with a clear picture of the conduct that could lead to a reduction in the penalties imposed based on Article 15, paragraph 1, of Law 287/1990. This article provides that the AGCM may impose financial penalties on companies that infringe competition rules, but also provides for the possibility of a reduction in penalties for companies that adopt effective compliance programs. In particular, in Article 2 of the document, the Italian Competition Authority (AGCM) provides that, as part of the solutions defined in the compliance program, "a first tool is generally internal reporting models that allow staff to quickly report antitrust issues, obtain clarifications on specific issues, and even allow reporting, even anonymously, possible violations. In the event of the adoption of a whistleblowing system, it is desirable that the latter guarantees anonymity and protection of whistleblowers from any retaliatory conduct against them". This provision highlights the importance of having effective internal reporting models, which allow staff to identify and report antitrust issues within the company in a timely manner. These templates must include mechanisms to obtain clarification on specific issues, as well as the possibility to report, even anonymously, any antitrust violations. The AGCM's forecast underlines the need for whistleblowing systems to guarantee the anonymity of whistleblowers. This assurance is critical to encouraging reporting without fear of retaliation.

In addition, the AGCM recommends that such systems ensure the protection of whistleblowers from any retaliatory conduct, to create a safe and conducive environment for reporting anti-competitive practices. The adoption of these tools is an integral part of compliance programs, as it allows companies to monitor and manage antitrust issues internally, thus reducing the risk of violations and demonstrating a concrete commitment to compliance with competition regulations.

In summary, Article 2 of the AGCM's "Antitrust Compliance Guidelines" establishes that internal reporting models and whistleblowing systems are key elements of compliance programs. These tools must be designed to facilitate the reporting of antitrust issues, ensure the anonymity of whistleblowers, and protect them from possible retaliation, thus helping to create a business environment geared towards compliance with competition rules and the prevention of anti-competitive practices. These procedures must be designed to ensure that reports are handled confidentially and that whistleblowers are protected from retaliation. The creation of such procedures is considered an essential component of compliance programs, as it allows companies to detect misconduct at an early stage and take the necessary corrective measures. In addition, the implementation of an effective whistleblowing system demonstrates the company's commitment to compliance with antitrust rules and can positively influence the AGCM's assessment of its conduct. In particular, the Guidelines indicate that companies that adopt antitrust compliance programs, including whistleblowing procedures, may benefit from a reduction in penalties if they demonstrate that such programs have been effective in preventing, detecting, and correcting violations. This incentive aims to promote a corporate culture geared towards compliance with competition rules and the prevention of anti-competitive practices.

In conclusion, the "Antitrust Compliance Guidelines" of the Italian Antitrust Authority represent a fundamental point of reference for Italian companies, clearly indicating the importance of adopting whistleblowing procedures as part of antitrust compliance programs. Not only do these guidelines help companies comply with competition law, but they also offer the possibility of achieving a reduction in penalties through the adoption of effective preventive and corrective measures .

End of Module

[1] Law no. 116 of 3 August 2009 for the ratification and implementation of the United Nations Convention against Corruption, adopted by the UN General Assembly on 31 October 2003 with resolution no. 58/4, signed by the Italian State on 9 December 2003, as well as internal adaptation rules and amendments to the Criminal Code and the Code of Criminal Procedure. (09G0123) (OJ n.188 of 14-8-2009).

[2] Law No. 112 of 28/06/2012 provides for the ratification of the Civil Convention on Corruption, drawn up in Strasbourg on 04/11/1999. By this law, Italy shall give full effect to the provisions of the Convention approximately 13 years after its signature.

[3] On 9 March 2023, the Council of Ministers approved, at the end of a long regulatory process Legislative Decree no. 241 of 10 March 2023, the decree implementing EU Directive 1937/2019, concerning the protection of persons who report breaches of EU law and national regulations (so-called whistleblowing).

[4] 2359 c.c. Subsidiaries and associates. The following are considered subsidiaries: 1) companies in which another company has a majority of the votes exercisable at the ordinary shareholders' meeting; (2) companies in which another company has sufficient votes to exercise a dominant influence at the ordinary general meeting; (3) companies which are under the dominant influence of another company by virtue of contractual links with that company. For the purposes of the application of numbers 1) and 2) of the first paragraph, the votes due to subsidiaries, trust companies and intermediary persons shall also be considered; Votes due on behalf of third parties are not counted. Related companies are companies over which another company has significant influence. Influence is presumed when at least one-fifth of the votes can be exercised at the ordinary shareholders' meeting, or one-tenth if the company has shares listed on the stock exchange.

[5] See "Art. 8 (The legal system). 1. Agencies are structures which, in accordance with the provisions of this Legislative Decree, carry out activities of a technical and operational nature of national interest, currently carried out by ministries and public bodies. They operate at the service of public administrations, including regional and local ones."

[6] ANAC, Resolution no. 6 of 28 April 2015, "Guidelines on the protection of public employees who report offences (so-called "Guidelines on the protection of public employees who report wrongdoings"). whistleblower)".

[7] CONFINDUSTRIA, "Whistleblowing regulations", Explanatory note of January 2018.

[8] ORGANIZATIONAL MODEL PURSUANT TO LEGISLATIVE DECREE NO. No. 231/2001 DISCIPLINE AND DUTIES OF THE SUPERVISORY BODY Rome, 19 December 2023

[9] 6 Article 52-ter was subsequently amended by Legislative Decree 223/2016, which introduced a new paragraph 4-bis.

[10] Opinion on the draft "Guidelines on the protection of those who report crimes or irregularities of which they have become aware by reason of an employment relationship, pursuant to art. 54-bis of Legislative Decree 165/2001 (so-called whistleblowing)" - Register of measures no. 215 of 4 December 2019.

[11] The Corporate Governance Committee is made up of business associations (ABI, ANIA, Assonime, Confindustria) and professional investors (Assogestioni) and Borsa Italiana. The institutional purpose of the Committee is to promote the good corporate governance of listed Italian companies, through the Corporate Governance Code, the first version of which was adopted in 1999, and to monitor its application. On 9 December 2019, the Committee defined the contents of the new Corporate Governance Code, which was then definitively approved and published on the Committee's website on 31 January 2020.

[12] Also known as "leniency programmes", Leniency programmes provide for the total or partial exemption of penalties for a company participating in a cartel, if it cooperates with the antitrust authorities by helping them to prove the existence of the cartel. In 2006, the Italian legislator adapted the domestic legal system to the provisions of Regulation (EC) No. 1/2003, thus bringing the position of companies involved in antitrust proceedings before the Italian Authority closer to that of companies called upon to defend themselves before the European Commission. As a result of this reform, the Italian antitrust rules have been supplemented to give the Authority the power to adopt precautionary measures (Article 14 bis, Law no. 287/90); the possibility of accepting commitments from companies subject to preliminary investigations (Article 14 ter of Law No 287/90) and the power to adopt a leniency programme (Article 15, paragraph 2 bis of Law No 287/90).

[13] GUIDELINES ON ANTITRUST COMPLIANCE Order no. 27356/2018

IN EVIDENZA

Ricerca