Whistleblowing and personal data protection: employer responsibilities

The term “Whistleblowing” refers to the practice of reporting illicit acts or irregularities within an organization. The new legislation applies to all entities, both public and private, with at least 50 employees, regardless of whether they have implemented the compliance model outlined in Legislative Decree No. 231/2001.

The main distinction among the various entities subject to the new provisions concerns the effective date: for private organizations with at least 249 employees in the previous year and for entities operating in the public sector, the legislation became effective on July 15, 2023. For all other entities, the deadline was set for December 17, 2023.

To establish an effective reporting procedure, organizations must adopt a series of measures, both internal and external, for managing reports. This process includes establishing an organizational structure dedicated to report management, following consultation with union representatives as stipulated in Article 51 of Legislative Decree No. 81/2015. The reporting system must ensure the confidentiality of the whistleblower through the implementation of specific measures and demonstrate the fairness of the process. The legislation recognizes the whistleblower’s right to address the Italian National Anticorruption Authority (ANAC) if the initial report does not receive the appropriate attention from the organization, in addition to other options outlined in Article 6 of Legislative Decree No. 23/24.

This means that computer systems designed for reporting must meet two fundamental criteria: protecting user privacy and recording the entire reporting process.

Privacy Compliance

The new whistleblowing regulations entail several privacy considerations. The confidential nature of reports aligns with the principles and measures established by the European Regulation on the Protection of Personal Data. The dynamic integration of these two regulations allows organizations to more effectively manage the obligations set out in Legislative Decree No. 23/2024.

Initially, it is essential to establish reporting channels that respect user privacy through the adoption of specific security measures. Article 4 of the decree specifies that, following consultation with union representatives as required by Article 51 of Legislative Decree No. 81/2015, organizations must activate reporting channels that ensure the whistleblower's confidentiality, even using encryption systems. Encryption is a cybersecurity technique that renders messages or information incomprehensible to anyone without the decryption key, thereby ensuring privacy. Encryption can be used both during message transmission and storage, protecting sensitive information and reports from potential data breaches. It is not surprising that the General Data Protection Regulation (GDPR) explicitly requires encryption as a measure to protect personal data processed by data controllers, as indicated in Article 32.

Regarding security measures, Article 4 emphasizes the importance of an organizational process. The organization must appoint a person or office responsible for managing the reporting channels. In this context, the importance of data governance becomes evident—a process in which the data controller appropriately assigns responsibilities and tasks to individuals processing the data. This is particularly relevant in the context of reporting, where it is crucial to adequately train those handling reports, emphasizing privacy and security measures to be adopted in various situations. Articles 29 and 32 of the GDPR, along with Article 2 quaterdecies of the Italian Privacy Code, require the designation of authorized data processors and their training in specific measures and precautions related to data processing. Through proper data governance, the data controller can track information flows and ensure accountability, a fundamental principle of the GDPR that requires detailed reporting of processing operations and protection measures implemented by the employer. This becomes even more crucial considering the involvement of third-party service providers responsible for managing the systems and IT equipment used to receive reports. According to Article 28 of the GDPR, the data controller must regulate the relationship with external data processors through contracts or other legal acts and ensure the adoption of adequate measures for protecting personal data processed within the scope of the assignment. The data controller must verify the effectiveness of the measures adopted by the external data processor before entering into an agreement or contract.

Reports cannot be retained for longer than necessary and must be kept for a maximum of five years from the date of communication of the outcome of the reporting procedure. The retention period must be recorded in the register of processing activities as required by Article 30 of the GDPR, which must be regularly updated. The register is a fundamental tool for demonstrating the data controller’s awareness in data management and must contain all the elements required by the regulations. Additionally, the register can be enriched with further information related to specific processing, such as the names of individuals authorized for processing or technical measures implemented to protect the whistleblower’s privacy.

Lastly, Article 13 of Legislative Decree No. 24/23 imposes an obligation on entities covered by Article 4 to conduct an impact assessment in accordance with Article 35 of the GDPR, considering external entities involved in data processing.

Violations of whistleblowing procedures are evaluated by the Italian National Anticorruption Authority (ANAC), which can impose administrative fines, ranging from a minimum of 500 euros to a maximum of 50,000 euros. Other forms of liability resulting from the failure to implement measures specified in European Regulation 679/2016 and the application of Legislative Decree No. 231/2001, as well as those arising from inspections following a report, remain in effect.