On December 9, 2022, a bill to implement Directive (EU) 2019/1937 on whistleblowing was submitted to the President of the Chamber of Deputies.
The draft envisages several obligations for entities of public and private sectors, including an obligation to activate a whistleblowing channel (internal or external) that guarantees the confidentiality of the identity of the reporting person, unless the reporting person gives express consent; of the person involved; of the person otherwise mentioned in the report; and of the content of the report and any related documentation.
Such reports may be made either in written or oral form, through telephone lines or voice messaging systems; the reporting person may request that a face-to-face meeting be scheduled.
The Italian Anti-Corruption Authority, after having heard the Italian Data Protection Authority, must adopt, within 3 months of the adoption of the legislation, specific guidelines on procedures for handling external reports.
To comply with personal data protection legislation, it will be necessary to:
- Prepare adequate privacy notices regarding the processing of data collected within the reporting process;
- Adopt appropriate technical and organizational measures to ensure an adequate level of confidentiality of the information of the reporting person and the person involved, as well as the content of the report and related documentation, to be identified on the basis of a data protection impact assessment;
- Give an express authorization to the parties who will receive reports to process personal data;
- Formally appoint all parties that process data related to the reports (i.e., external providers) as data processors.
The draft also provides that data related to internal and external reports, as well as related documentation, may be retained for up to a maximum of 5 years from the date of the communication of the final outcome of the reporting procedure.
Retaliation against reporting persons is prohibited and sanctions can be applied as a result.
Once approved, the whistleblowing legislation will take effect 4 months after the date of its entry into force, except for private-sector entities that have employed, over the past year, an average of not less than 50 and not more than 249 employees, with unlimited term or fixed-term employment contracts, for whom the provisions of the legislation will take effect as of December 17, 2023.