In Italiano: Whistleblowing, D.Lgs. 231/01 e Privacy
Law no. 179 of November 30th, 2017 (the “Law” or the “Law 179/2017”) – entitled “Provisions for the protection of whistleblowers who report offences or irregularities which have come to their attention in the context of a public or private employment relationship” [1] – set forth protective measures also for workers belonging to the private sector who report offences or irregularities which have come to their attention in the context of the employment relationship and provides some amendments to Legislative Decree 231/2001, which concerns the “Administrative liability rules for legal persons, companies and associations, including those without legal personality” (the “Decree 231”)[2].
The amendments concern the protection of employees or collaborators who report offences in the private sector: the Law extends to the private sector the protection of employees who report offences or who acknowledge violations relevant pursuant to the Decree 231 Crime List[3], of which they become aware for reasons of their office.
Pursuant to the Law, a 231 Compliance Program adopted by a private entity for being compliant with the whistleblowing scheme outlined by the Law shall now provide for:
(i) more than one channels that, while guaranteeing the confidentiality of the identity of the whistleblower, allow top manager and their subordinates to submit detailed reports of illegal conduct or violations of the 231 Compliance Program; one of these reporting channels must be via informatics tool;
(ii) the prohibition of discriminatory action against the whistleblower (i.e. anti-retaliation measures); and
(iii) adequate sanctions for those who violate the above-mentioned anti-retaliation measures and for those who – intentionally or negligently – carry out reports that prove to be unfounded.
All this being said, it is easy to understand that Law 179/2017 has many aspects of interest and, in particular, there are many implications between whistleblowing regulation and personal data protection.
Here below are some brief notes on such implications.
The topic has long been subject of interest. In fact, in 2009 the Italian Data Protection Authority requested the Italian Parliament and the Italian Government to adopt a legislative measure aimed at “providing an appropriate and systematic legal basis and at regulating the interference profiles of this phenomenon in compliance with the rules for the protection of personal data contained in the Legislative Decree 196/2003 ”[4].
Considering the amendments made to Legislative Decree 231/2001, the initial regulatory scenario has partly changed from what the Italian Data Protection Authority stated in 2009 in their report. Therefore, it is possible to argue that it seems legitimate to assume that the processing of personal and/or sensitive data in a whistleblowing scheme can be carried out, although without consent, in accordance with the provisions of Article 24, par. 1, lett. a), of Legislative Decree 196/2003[5].
The Law seems to fulfil, within the limits of the scope referred to in its articles, also the need to define “the scope of the rules with regard to the subjects involved as well as the aims to be pursued” [6]:
-
the Law applies only to entities that have adopted a 231 Compliance Program pursuant to Decree 231 and to their employees;
-
“those who may take on the quality of reported persons” [7], are the recipients of the 231 Compliance Program;
-
with reference to “the purposes that are intended to be pursued and the cases that may be reported by whistleblowers”, it is possible to point out the need to identify the “illegal conducts, which are relevant under this Decree and based on precise and consistent factual elements, or violation of the Model” [8].
On the other hand, the aspects connected with the definition of “the scope of the right of access by Article 7 of the Code by the person to whom the report refers (interested), with regard to the identification data of the report’s author (the whistleblower)” and to the processing of anonymous reports remain unregulated (unless the latter profile is not intended to be covered by the vague concept of “guarantee of the confidentiality of the identity of the whistleblower”).
With regard to the correct adoption and implementation of the whistleblowing schemes in compliance with current (at least, until May 25, 2018) European regulations on the protection and processing of personal data, it is useful to recall the indications of the Group for the Protection of Personal Data[9] (the “WP29”) contained in Opinion 1/2006. This Opinion examined in depth the application of the principles of data quality and proportionality of processing, the obligation to provide clear and complete information on the procedure, the rights of the denounced person, the security of the processing to be carried out by the procedure and the management of the procedures themselves[10].
Further reflections and suggestions on this topic have recently been provided by the European Data Protection Authority in his “Guidelines on processing personal information within a whistleblowing procedure” (the “Guidelines”) published in July 2016 and with which the European Data Protection Authority gave some indications for the creation of “whistleblowing schemes” by Institutions and Public Administrations as provided for by Regulation (EC) No. 45/2001[11].
The Guidelines contain a list of recommendations that must be followed so that the institutions could be compliant with the provisions of Regulation 45/2001 but its content could be useful also for the whistleblowing schemes in the private sector. More in details, it is required that the “scheme” provides for:
-
the implementation of defined channels for internal and external reporting and of specific rules where the purpose is clearly specified;
-
adequate guarantees on the respect of confidentiality of the information received and the protection of the whistleblowers’ identity and all other persons involved;
-
the application of the principle of data minimisation: only process personal information, which are adequate, relevant and necessary, for the particular case;
-
the identification of what “personal information” means in this context and which are the affected individuals in order to determine their right of information, access and rectification. Restrictions to these rights are allowed, as long as the EU institutions are able to provide documented reasons before taking such a decision;
-
the application of the two-step procedure to inform each category of individuals concerned about how their data will be processed;
-
the guarantee that, when responding to right of access requests, personal information of other parties is not revealed;
-
the definition of proportionate conservation periods for the personal information processed within the scope of the whistleblowing procedure depending on the outcome of each case; and
-
the implementation of both organizational and technical security measures based on a risk assessment analysis of the whistleblowing procedure in order to guarantee a lawful and secure processing of personal information.
The above comments become even more relevant in the context of the forthcoming entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council on “The Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data” (the “GDPR”) under which the whistleblowing scheme shall have to:
-
exhaustively define the roles assigned to the various actors involved in the procedure, also from the point of view of the so-called “organigram privacy”;
-
ensure adequate security measures for personal and/or sensitive data subject to the Treaty;
-
appoint – in the event of intervention by external parties – an external manager with written contracts in line with the new regulatory standards;
-
regulate – in case of multinationals – the modalities of possible data transfers between non-European States;
-
comply with data retention principles; and
-
regulate the right of access to documents of the person whose behavior is the subject of the whistleblowing.
[1] The Law has been published on the Official Journal of the Italian Republic of December 14th, 2017, n. 291 and has entered into force on December 29, 2017.
[2] The Legislative Decree of June 8, 2001, no. 231 has introduced a sort of criminal liability for companies and legal entities (so called, administrative liability) as a consequence of criminal offences committed in the interest or to the advantage of the company by directors, executives and their subordinates, agents and other individuals acting on behalf of the legal entity. The 231 Decree provides for an exemption from criminal liability if the company proves that: (i) it has adopted and implemented a compliance program aimed at preventing the misconduct sanctioned by the 231 Decree; (ii) the company management has appointed an ad hoc internal supervisory body (the “Vigilance Body”) to oversee the implementation and updating of the Compliance Program; (iii) the crime has been made (by an individual) who fraudulently has not complied with the Compliance Program; and (iv) the Vigilance Body’s overseeing duties have been carried out diligently.
[3] The Decree 231 Crime List is includes: crimes committed against the Public Administration (e.g. misappropriation of amounts to the detriment of the State, corruption, fraud, etc.); corporate crimes (e.g. false company communications, unlawful distribution of profits or reserves, private bribery, impeding the exercise of the duties of the public supervisory authorities, market manipulation, bribery among private individuals, instigation to bribery among private individuals, etc.); terrorism and subversion of the democratic order; crimes against individuals (e.g. enslavement, human trafficking); market abuse crimes (i.e. insider trading and market manipulation); manslaughter and accidental serious injuries occurring as a consequence of a violation of the rules regarding health and safety in the workplace; money laundering crimes and crimes relating to receiving and using stolen goods; information technology crimes (e.g. damage to information, data and computer programs, interception of computer or electronic communications); organized crimes (e.g. criminal association, mafia-style associations); crimes regarding the falsification of identifying signs/marks (e.g. falsification, alteration or use of distinguishing signs/marks of intellectual works or industrial products); crimes against industry and commerce (interference with the freedom of industry and commerce, commercial fraud, sale of industrial products with false signs/marks); crimes breaching copyright laws (e.g. entry into a system of electronic networks of intellectual works protected by copyright, re-use of database contents); incitement not to make declarations or to make false declarations to judicial authorities; environmental crimes.
[5] Art. 24, par. 1, lett. a), Legislative Decree 196/2003 - Cases in which processing can be carried out without consent: “Consent is not required when processing: a) is necessary for the fulfilment of an obligation set forth by law, by a regulation or by European laws”.
[9] The Group for the Protection of Personal Data has been established pursuant to Article 29 of the Directive 95/46/EC, as an Independent European body for advisory purposes dealing with data protection and confidentiality.
[11] Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, published on the Official Journal of the European Union no. L 008 on January 12, 2001.
