All posts by Elisabetta Trecani

231 organizational models and code of conduct: do companies need both?

Many Italian companies have equipped themselves with an organizational model under legislative decree 231 of 2001, as well as with a code of conduct. Are both needed and what is their relationship?

The Italian Supreme Court shed light on this question in a recent decision published on August 1, 2023, in a dispute where a third party claimed to have actionable rights on the basis of the provisions of the code of conduct.

The Court, while defining the code of conduct as an instrument of “preventive control of the correctness of the conduct of persons operating within and on behalf of the entity”, rejected the plaintiff’s claims on the sole basis of the interpretation of the provisions of the code of conduct. It added that “in companies, the Code of Conduct constitutes the necessary completion of the organization, management and control model of the entity, as a corporate document aimed at identifying, with reference to the ethics and values that inspire the business, the rights, duties and responsibilities of all those who participate in the business (employees and, where appropriate, external parties that have business relations with the companies)”.

In light of the above, the following has been clearly confirmed:

  • the code of conduct complements the 231 organizational model;
  • the provisions of the code of conduct must be interpreted considering the 231 organizational model; and
  • the provisions of the code of ethics apply to all subjects falling within the scope of application of the 231 organizational model.

Therefore, the 231 organizational model and the code of ethics are strongly connected: both have to be adopted, and each has to be interpreted in light of the other.

New ANAC Guidelines On Whistleblowing Legislation

On July 12, 2023, the Italian Anti-Bribery Authority (“ANAC”) issued the much-awaited “Guidelines on the Protection of Persons Reporting Violations of Italian and European Law” (the “Guidelines”).

The Guidelines, inter alia, indicate who the recipients of whistleblowing reports may be. The reports may be handled, alternatively, by:

  1. an internal person within the administration/body; or
  2. an internal office within the administration/body with dedicated staff, even if not exclusively; or
  3. an external person.

With regard to private entities, ANAC requires that the person or office entrusted with managing the reporting channel has autonomy, which, in the opinion of ANAC, is to be interpreted as impartiality and independence.

Furthermore, ANAC leaves some room to identify such person or office depending on the circumstances. In fact, the Guidelines set forth that “for private entities, the choice of the entity to be entrusted with the role of the whistleblowing management is left to the organizational autonomy of each entity, in consideration of the requirements related to the size, the nature of the activity carried out and the actual organizational reality. [..] This role, purely by way of example, may be entrusted, inter alia, to the internal audit bodies, to the Supervisory Board provided for by the rules of Legislative Decree No. 231/2001, and to the ethics committees”, thus confirming that the Supervisory Body can act as recipient of the reports.

GARANTE VS. CHATGPT: LATEST DEVELOPMENTS

1. An Order to Stop ChatGPT

On March 30, 2023, the Italian Data Protection Authority (“Garante”) issued an order by which it temporarily banned the ChatGPT platform (“ChatGPT”) operated by OpenAI LLC (“OpenAI”). The Garante in fact regards ChatGPT as infringing Articles 5, 6, 8, 13 and 25 of the GDPR. In particular:

  • No Information. OpenAI does not provide any information to users whose data is collected by OpenAI and processed via ChatGPT;
  • No Legal Basis. There is no appropriate legal basis in relation to the collection of personal data and their processing for the purpose of training the algorithms underlying the operation of ChatGPT;
  • No Check of User’s Age. OpenAI does not foresee any verification of users’ age in relation to the ChatGPT service, nor any filters preventing use by users aged under 13.

On that basis, the Garante immediately banned the use of ChatGPT, and OpenAI blocked access to ChatGPT for Italian users.

2. Measures Offered by OpenAI

On April 11, 2023, in light of the willingness expressed by OpenAI to put in place measures to protect the rights and freedoms of the users of ChatGPT, the Garante issued a new order, which opened the possibility of re-assessing ChatGPT if OpenAI adopts the following measures:

  1. to draft and publish an information notice to data subjects, which should be linked so that it can be read before the registration;
  2. to make available, at least to data subjects who are connected from Italy, a tool to exercise their right to (i) object, (ii) obtain a rectification, insofar as such data have been obtained from third parties, or (iii) the erasure of their personal data;
  3. to change the legal basis of the processing of users’ personal data for the purpose of algorithmic training, by removing any reference to contract and instead relying on consent or legitimate interest;
  4. to include a request to all users connecting from Italy to go through an “age gate” and to submit a plan for the deployment of age verification tools; and
  5. to promote a non-marketing-oriented information campaign by May 15, 2023 on all the main Italian mass media, the content of which shall be agreed upon with the Italian Authority.

OpenAI has until April 30, 2023 to comply (until May 31, 2023 to prepare a plan for age verification tools). The objections by the Garante have been echoed by other European Union data protection authorities. The European Data Protection Board will attempt to resolve the dispute within two months and has launched a dedicated task force on ChatGPT “to exchange information on possible enforcement actions conducted by data protection authorities”.

New Rules On Whistleblowing

On December 9, 2022, a bill to implement Directive (EU) 2019/1937 on whistleblowing was submitted to the President of the Chamber of Deputies.

The draft envisages several obligations for entities in the public and private sectors, including an obligation to activate a whistleblowing channel (internal or external) that guarantees the confidentiality of the identity of the reporting person (unless the reporting person gives express consent), of the person involved and of any person otherwise mentioned in the report, as well as of the content of the report and any related documentation.

Such reports may be made either in written or oral form, through telephone lines or voice messaging systems; the reporting person may request that a face-to-face meeting be scheduled.

The Italian Anti-Corruption Authority, after having heard the Italian Data Protection Authority, must adopt, within 3 months of the adoption of the legislation, specific guidelines on procedures for handling external reports.

To comply with personal data protection legislation, it will be necessary to:

  • Prepare adequate privacy notices regarding the processing of data collected within the reporting process;
  • Adopt appropriate technical and organizational measures to ensure an adequate level of confidentiality of the information of the reporting person and the person involved, as well as the content of the report and related documentation, to be identified on the basis of a data protection impact assessment;
  • Give an express authorization to the parties who will receive reports to process personal data;
  • Formally appoint all parties that process data related to the reports (i.e., external providers) as data processors.

The draft also provides that data related to internal and external reports, as well as related documentation, may be retained for a maximum of 5 years from the date of the communication of the final outcome of the reporting procedure.

Retaliation against reporting persons is prohibited and sanctions can be applied as a result.

Once approved, the whistleblowing legislation will take effect 4 months after the date of its entry into force, except for private-sector entities that have employed, over the past year, an average of not less than 50 and not more than 249 employees, with unlimited term or fixed-term employment contracts, for whom the provisions of the legislation will take effect as of December 17, 2023.