Legislative Decree 231/2001 | Law, Health & Technology

A recent decision of the Milan Court exempted an Italian company from criminal charges under law 231, even while it found its employees guilty of a 231 financial crime.

The Court held that the company’s managers abused of their override powers to systematically ignore internal control systems. Nonetheless, the court found that the company had effectively implemented its compliance 231 model, although such model was fraudulently circumvented by the managers.

The Court confirmed, as already established in the Impregilo case, that the occurrence of a crime does not automatically prove the non-completeness and non-effectiveness of a company’s compliance program. A separate analysis of the compliance program must instead be carried out, even if a crime has occurred and individuals are found guilty.

Under Italian law 231, companies are liable for employees’ crimes when the crime is committed in the interest or to the advantage of the company. Such 231 liability can be lifted if the company has effectively implemented a compliance program aimed at preventing such crime. Despite the incentive built in in 231 law for companies to set up and effectively implement a compliance program, past case law has not been generous in granting such exemption from liability. The recent Milan court case may open a new path.

Whistleblowing, or reporting of breaches of the law, is often regulated in a fragmented and non-comprehensive fashion. This is about to change thanks to Directive 2019/1937 of October 23, 2019 “on the protection of persons who report breaches of Union law” (the “Directive”), aimed at harmonizing and broadening the protection of whistleblowers and of reported entities.

In Italy whistleblowing is currently governed by Legislative Decree no. 165/2001 (for public employees) and by Legislative Decree no. 231/2001 (for private employees). With regard to the private sector, whistleblowing provisions are only applicable to companies who have adopted a “231 Organizational Model”.

The Directive should have been implemented by December 17, 2021. The Italian government has been delegated by the Parliament to adopt the necessary implementing measures but, as many other EU countries, the legislative process has already exceeded the December 17 deadline.

While the details of the national law that will implement the Directive are still unknown, certain basic principles can already be envisaged:

In principle, the Directive applies to public entities and to private entities with at least 50 employees or with an annual turnover of more than Euro 10 million, with two caveats: (i) the Directive is applicable, regardless of the number of employees, if your company operates within the scope of EU legislation preventing money laundering and terrorist financing (e.g., financial services); and (ii) Member States may decide to apply new whistleblowing provisions also to companies below the 50-employees threshold;

The Directive broadens the concept of reporting person: among others, also self-employed workers, shareholders, members of the key company’s bodies, (sub)contractors and suppliers will be covered by the protection afforded by whistleblowing legislation (such as the protection of their identity), even if their work relationship has ended or has yet to begin;

The Directive also broadens the subject matter of the report: to be covered by the Directive, reports have to relate to breaches of EU law in specific sectors. However, the Directive provides for the possibility to broaden the subject matter as to include violation of domestic legislation;

The Directive provides for three reporting channels:
- Internal channel: if you have adopted a 231 Model, you are surely already equipped with an internal whistleblowing channel, which however will require to be upgraded as to cover the new definition of reporting person and the strict reporting and follow-up requirements established by the Directive;
- External channel, which will be set up by the government and will likely allow to blow the whistle to public authorities, such as the Italian Anticorruption Authority. (If you have an IT provider which helps you run a whistleblowing channel, that’s an internal one);
- Public disclosure: reporting persons may “go public” only if other channels have not been successful.

In relationto groups of companies, the European Commission has clarified the matter with two opinions, dated June 2, 2021 and June 29, 2021: each legal entity with 50 or more workers is required to set up its own channels and procedures for internal reporting. Entities with 50 to 249 employees, may “share resources” with their parent companies (but also with non-linked companies) and may also, but not exclusively, rely on their channels;

Data collection and processing activities under whistleblowing provisions must be carried out in compliance with the GDPR: as an example, personal data which are manifestly not useful for the purposes of a specific report must not be collected or, if collected accidentally, deleted.

While we wait for the Italian law implementing the Directive, the above basics already give you an idea of what is to come.

Law, Health & Technology

A blog by the life sciences group of GITTI and PARTNERS Studio Legale Associato (www.grplex.com). Our views on healthcare, new technologies, and their interactions with the law.

Tag Archives: Legislative Decree 231/2001

Effectively Implemented “231” Model Exempts Italian Company from Criminal Corporate Liability