Clifford Chance

Italy enacted the "Law on Whistleblowing" to establish general laws applicable alongside sector legislation. This is however limited to entities that adopted systems and controls under the Italian Vicarious Liability Act [1]^.

Legislative Decree no. 231/2001, art. 6.The Law on Whistleblowing

The Law on Whistleblowing [2] amended the Italian Vicarious Liability Act by introducing general rules on whistleblower protection within the private sector.

These rules are not mandatory for all entities but apply only to those that have adopted systems and controls under the Italian Vicarious Liability Act to prevent criminal offences ("Manual 231"). Manual 231 must provide for:

• one or more channels that enable directors and employees, ensuring that their identity remains confidential, to present particularised reports of unlawful conduct relevant to the Italian Vicarious Liability Act, based upon precise and consistent factual evidence, or of breaches of Manual 231 itself, where they have become so aware by reason of the duties they have performed; and
• at least one other reporting channel, with information technology equally capable of ensuring confidentiality of the whistleblower's identity.

Manual 231 must provide for whistleblower protection against acts of retaliation or discrimination for reasons directly or indirectly linked to the reporting.

In a reversal of the usual burden of proof, in the event of any dispute relating to disciplinary measures, demotion or reductions in employment duties, dismissals, transfers, or other organisational measures that directly or indirectly adversely affect the whistleblower's employment conditions, it is for the employer to show that those measures were based on grounds that had nothing to do with the whistleblowing.

Moreover, the disciplinary system set forth in Manual 231 must provide for sanctions against: (i) any person who breaches the measures protecting the whistleblower; and (ii) any whistleblower who acts wilfully, or with gross negligence, in making a report that turns out to be unfounded.

Some sector-specific regulations

Financial Sector

Under the Consolidated Financial Intermediation Act [3], the entities subject to the discipline on intermediaries and on financial markets must adopt specific procedures for internal reports of actions or events which may constitute a breach of the laws governing the activities undertaken or Market Abuse Regulation [4].
 
These procedures must provide for specific, autonomous and independent channels for reporting and guarantee confidentiality on the personal data of the whistleblower and the person allegedly responsible of the breach, as well as guarantee adequate protection for the whistleblower against retaliatory, discriminatory and disloyal measures.

Reports of certain types of breaches can be addressed also to the Financial Sector Regulators (i.e. Consob and the Bank of Italy) which must protect the whistleblower on conditions comparable to those of the internal reporting channels.

Banking Sector

The Consolidated Banking Act [5] requires that banks and the related parent companies adopt procedures for internal reports of actions or events which may constitute a breach of the laws governing banking activity, with the same characteristics and guarantees as those provided for the Financial Sector by the Consolidated Financial Act.

Similarly, reports on certain types of breaches can be addressed to the Bank of Italy on conditions comparable to those of the internal reporting channels.

In addition, the Bank of Italy shall forward to the European Central Bank (the "ECB") the received reports regarding significant entities or breaches of regulations or decisions of the ECB. The Bank of Italy can receive reports regarding less significant entities from the ECB.

Insurance Sector

The Private Insurance Code [6] provides that insurance and reinsurance companies and intermediaries adopt procedures for internal reports of actions or events which may constitute a breach of the provisions of the Private Insurance Code, with the same characteristics and guarantees as those provided by the above-mentioned Consolidated Financial Intermediation Act and Consolidated Banking Act.

Similarly, reports on certain types of breaches can be addressed also to the Insurance Sector Regulator (i.e. IVASS), which has to establish conditions, limits and procedures for receiving the reports.

Money Laundering

The Anti-Money Laundering Act (the "AML Act") [7] sets out a specific provision on whistleblower protection that applies to the various entities subject to the provisions of the AML Act, as listed under Article 3 (i.e. banks, financial and e-money institutions, insurance companies).

Entities subject to the AML Act must adopt procedures for internal reports by employees (or persons in comparable roles) of potential or actual breaches of the provisions on anti-money laundering and counter terrorist financing.

Such procedures must guarantee (i) confidentiality on the identity of the whistleblower and of the person allegedly responsible of the breach; (ii) whistleblower protection against retaliation, discrimination or other disloyal measures; and (iii) development of a specific, anonymous and independent reporting channel, proportionate to the nature and dimensions of the entity.

Public Employment

The Consolidated Law on Employment in the Public Sector [8] provides for whistleblower protection applicable to public employees and to employees of private sector entities that are subject to public control, as well as those working within and assisting businesses that supplied goods or services in the execution of works for general government.

Conclusion

Currently Italian law is substantially aligned with the provisions of the Whistleblower Protection Directive as regards the whistleblower protection against retaliation.

Nevertheless, a number of points should be considered with a view of updating legislation:

• Extension of its scope of application to all legal persons in the private sector with more than fifty workers (not only entities that adopted Manual 231 and/or fall within the scope of sector-specific regulations);
• Identification of the persons responsible for receiving internal reports and the authorities designated to receive external reporting in connection with entities in unregulated sectors;
• Obligations to provide reporting persons with an acknowledgement of receipt and follow-up on the report within the appropriate timeframe, as well as to guarantee suitable support measures; and
• Wide provision to ensure that a whistleblower will not be liable for the disclosure of trade and professional secrets and confidential information.

¹ Legislative Decree no. 231/2001, art. 6.
² Law no. 179/2017.
³ Legislative Decree no. 58/1988, articles 4-undecies and 4-duodecies.
⁴ Regulation (EU) no. 596/2014.
⁵ Legislative Decree no. 385/1993, articles 52-bis and 52-ter.
⁶ Legislative Decree no. 209/2005, articles 10-quater and 10-quinquies.
⁷ Legislative Decree no. 231/2007, article 48.
⁸ Legislative Decree no. 165/2001, article 54-bis.