
The importance of Whistleblowing

The new regulation on Whistleblowing introduced by Legislative Decree no. 24 of 10 March 2023, which implements EU Directive 2019/1937, brings numerous new elements to the attention of public and private entities compared to the previous legislation dated 2017, including an innovative approach to managing the internal reporting channel.

In fact, art. 5 of the Legislative Decree prescribes that the management of the internal channel must be entrusted either to a dedicated, independent internal person or office with specifically trained personnel, or to an external autonomous subject with specifically trained personnel.

But what obligations exactly does the management of this channel involve?

First of all, whoever manages the channel is responsible for notifying the whistleblower of the receipt of the report within seven days from the date of receipt.

The manager of the reporting channel must also maintain communications with the whistleblower and, where necessary, request supplementary information.

The manager of the reporting channel is also responsible for following up on the reports received and providing feedback within a time frame specifically defined by the Legislative Decree, i.e., three months from the date of notification of receipt or, lacking such notice, within three months from the end of the seven-day term after the presentation of the report.

Lastly, clear information on the channel, procedures and conditions for making internal reports must be made available at the workplace and on the organisation's website.

Beyond what is indicated in art. 5, it should be noted that the specifically trained personnel responsible for managing the channel must also be ready to comply with the provisions regarding the processing of personal data. Therefore, personal data that are clearly not useful for processing the report should not be collected (or should be deleted immediately if they are collected accidentally). At the same time, the confidentiality of the reporting person must be guaranteed, also through encryption tools, and the documentation relating to the report must not be kept for more than five years from the communication of the final outcome of the specific procedure.

It should be noted that the legislation provides for the possibility of sharing the internal channel and its management, but only for municipalities other than provincial capitals and private subjects who employed an average number of subordinate workers under permanent or fixed-term contracts not exceeding two hundred and forty-nine in the last year.

Art. 5 of the Legislative Decree also provides for the possibility to outsource the management of the internal channel. The choice of the Legislator to provide for the specific and rigorous obligations mentioned above for the correct management of the channel leads, as a logical consequence, to an increase in the organizational and management costs for the recipients of the new legislation.

Therefore, the possibility to outsource the management of the internal channel could play an important role in relieving organizations from the operational phase of receiving reports as well as from the compliance with the additional obligations provided.

The external person in charge will therefore be able to guarantee a timely management of the reports by following the methods and times required by the Legislative Decree under analysis, accurately observe the provisions on the correct processing of personal data, as well as contribute to creating trust in the subjects involved, having the maximum operational autonomy as required by law.

This last aspect, which is essential to avoid the risk of conflict of interest with potential economic and reputational consequences for organisations, requires a clarification of what is meant by "autonomous subject" in relation to the possibility of outsourcing the internal channel.

In this sense, it must be understood as an independent subject with respect to the operational functions of the organization, therefore unrelated to any hierarchical dependence on the same.

Given the above, a peculiar aspect of the regulation is that it is focused on the protection of reports concerning crimes (meant as violations of rules) of public interest.

This element automatically makes it possible to distinguish this reporting system from other and different systems aimed at protecting people reporting offenses that are not of public interest.

Consider, for example, the reports concerning violations of the organization and management model (MOG) pursuant to Legislative Decree no. 231/2001: it is no coincidence that the Whistleblowing discipline does not allow external reports to be made for such offenses when they relate to companies with fewer than 50 employees.

Given the above analysis, it is important to underline that the entry into force of Legislative Decree no. 24/2023 will not repeal, and will therefore leave open, other reporting systems concerning specific sectors. In the specific case, this is the system for reporting offenses falling within anti-corruption and public contracts under Legislative Decree no. 50/2016 and subsequent amendments. In this regard, since 6 June 2022, the "Modulo Unico Informatizzato di Segnalazione" (single computerized reporting form) has been the exclusive reporting channel to ANAC.

The same applies to the reporting of suspicious transactions for anti-money laundering purposes. In this sense, the Whistleblowing legislation does not affect the reporting system provided under Legislative Decree no. 231/2007.