Italy – New whistleblowing rules finally in force: Key data protection issues

In July, Legislative Decree No 24/2023 (the “Whistleblowing Decree”) finally came into force. It implements EU Directive 2019/1937 - although misses the December 2021 transposition date by a considerable margin.

This article focuses on how the Whistleblowing Decree navigates the longstanding tensions between whistleblowing programmes and data protection laws, rather than the wider employment law considerations.

Protection for “concerned persons”

One important change is to provide explicit protection for the “concerned person”, that is to say the person against whom the allegation has been made and any other persons mentioned in the report. As the guidelines issued by the National Anti-Corruption Authority (known as “ANAC”) clarify, this is to safeguard the “concerned persons’” reputation before the breach has been proved.

The Whistleblowing Decree also similarly contains strong protection for the whistleblower, whose identity can only be revealed in limited situations (see below).

Data protection obligations

Further to these confidentiality obligations, the data controller has to implement a reporting channel that complies with general data protection obligations by:

• adopting technical and organisational measures to guarantee a level of security adequate to the risks deriving from the processing (Article 32 GDPR);
• completing a data protection impact assessment (DPIA) in compliance with the privacy by design and privacy by default principles (Article 25 GDPR);
• training the personnel that will handle a whistleblowing report, including the formal appointment of them as persons authorised to process personal data as per Article 29 GDPR and Article 2-quaterdecies of the Italian legislative Decree No 196/2003;
• implementing an appropriate data processing agreement where the implementation of the reporting channel is outsourced;
• updating any record of processing as per Article 30 GDPR;
• preventing any tracking of the reporting channel in a way that might reveal the identity of the whistleblower (as per the ANAC guidelines); and
• providing a privacy notice to the whistleblower as per Article 13 GDPR.

In addition to the general obligations above, the Whistleblowing Decree specifically mentions the need to comply with the privacy by design and privacy by default principles. This is particularly important since it implies that the data controller shall implement reporting channels regarding only personal data useful and necessary for the report itself, by allowing the whistleblower to include only relevant data related to the concerned person and not also unnecessary data such as, by way of example, data related to sexual or religious orientation.

The Whistleblowing Decree also states that data controllers can keep relevant personal data for a period of no more than five years from the closure of the whistleblower file, as specified by the ANAC guidelines. This provision is interesting since, rather than relying on the general storage limitation principle, it is the legislator itself that has expressly decided on the retention period.

Additional protection for the whistleblower

Recognising the need to protect the identity of the whistleblower, the Whistleblowing Decree specifically:

• protects the whistleblower’s identity in proceedings -- in particular, in proceedings before the Court of Auditors (in this case, the identity cannot be disclosed until the investigation phase is closed) and in disciplinary proceedings (should it be necessary to reveal the identity for the purposes of the defence of the accused individual, then not only its consent to disclosure is required but it also receives a written communication explaining the grounds on which it would be beneficial to the other persons’ defence); and
• protects the whistleblower’s identity from subject access requests and other exercise of the rights in Articles 15-22 GDPR by the concerned person. The ANAC guidelines state that the concerned person cannot exercise such rights, or lodge a complaint before the
  Garante if this results in a risk of disclosing the whistleblower’s identity.

Conclusions

The GDPR has had a huge impact on whistleblowing, as with many other fields of activity. This is hardly surprising given the sensitive nature of the personal data being processed and the need to balance the data protection rights of the whistleblower, the concerned person(s) and the legitimate benefits of allowing such reports.

Here, the legislator obviously intends to encourage whistleblowers by demonstrating their identity will be well protected. Similar protection is not provided to the concerned person(s) given the practical consequences of any whistleblowing report which might, for instance, result in judicial proceedings. In any event, care is needed as the Garante is likely to be watching this area and may well take speedy enforcement action against non-compliant whistleblowing systems.