The Italian Whistleblower Protection Law
Like all other members of the European union, Italy is required to transpose the EU Whistleblower Protection Directive into national law, which will become the Italian Whistleblower Protection Law. The EU Directive obliges businesses with 50 employees or more to have a reporting channel for a broad spectrum of potential whistleblowers, and forbids reprisals against whistleblowers. The deadline for this transposition was 17th December 2021, which Italy did not meet.
What is the current status of the Italian Whistleblower Protection Law?
While there is an Italian Whistleblower Protection law, it applies only to public sector employees as well as employees of private sector companies that have implemented the voluntary Organisational Model 231. Otherwise there is a patchwork of laws protecting whistleblowers, in particular from retaliation, in sectors such as the financial, banking and insurance sectors.
In terms of the transposition of the EU Directive into Italian law, the Italian government approved a ‘delegation law’ in April 2021 which mandated the government to begin the process. However there has been little information since then and as at February 2022, no draft proposal has been published for public consultation or analysis.
Italy has many whistleblowing protection national laws aimed at public or private sector companies that have implemented the Organisational Model 231. Though the country has begun the process of implementing the EU Whistleblower Protection Directive, no legal draft proposal has been published.
What to do while awaiting the Italian Whistleblower Protection Law
There are many elements of the EU directive that are similar to the existing Italian legislation, but there are also some significant differences where changes to the Italian Whistleblower Protection law will need to be made. However, companies in Italy who would prefer to start preparations for compliance can do so now. The EU Directive sets a number of minimum standards that will apply in all member states and to all organisations with 50 employees or more. We recommend that organisations familiarise themselves with these minimum requirements (see below) already now, and identify solutions that can help fulfil them.
- An internal secure channel for receiving whistleblower reports must be put in place.
- Acknowledgment of the receipt of the report must be provided to the whistleblower within seven days.
- An impartial person or department must be appointed to follow up on the reports.
- Records must be kept of every report received, in compliance with confidentiality requirements.
- There must be diligent follow-up of the report by the designated person or department.
- Feedback about the report follow-up must be given to the whistleblower within three months.
- All processing of personal data must be done in accordance with the GDPR.