23/11/2023

Whistleblowing mandate approaches: how to comply with respect to the GDPR

The new regulation outlined in Legislative Decree 24/23 aims to enhance the protection of individuals (so-called whistleblowers) who report behaviors, acts, or omissions that harm public interest or the integrity of public administration or private entities.

The Company (as data controller), in developing its internal organizational model for the proper management of reports, must adopt all organizational, IT, and physical measures needed to ensure that the personal data processed is not exposed to risks of unauthorized access, loss, or unlawful processing, in line with the provisions of the GDPR.


OBLIGATED PARTIES AND TIMELINES FOR ADAPTATION

The regulation establishes two different "timeframes" to fulfill new obligations:

a) By July 15, 2023, for private sector entities that have employed, in the last year, an average of more than 249 subordinate workers with indefinite or fixed-term contracts.

b) By December 17, 2023, for entities that have employed an average of at least 50 individuals in the last year or fall within activities defined as "relevant" (1) or have adopted organizational, management, and control models under Legislative Decree 231/2001 regarding the criminal liability of companies and entities.


COMPLIANCE REQUIREMENTS

1. Information according to Articles 13 and 14 GDPR: adequate information must be provided to reporting individuals and involved parties.

2. Reception/Management Model: a reception and management model for internal reports must be defined, identifying technical and organizational measures to ensure an appropriate level of security. For example, "dedicated reporting channels must be activated, ensuring, also through the use of encryption tools, the confidentiality of the identity of the reporting person, the involved person, and any person mentioned in the report."

3. Staff Training: specific training must be provided as an organizational measure. "The management of the reporting channel is entrusted to an internal person or office, autonomously dedicated and with personnel specifically trained for the management of the reporting channel, or is entrusted to an external subject, also autonomous and with specifically trained personnel."

4. Impact Assessment: the processing must undergo a prior impact assessment according to Article 35 GDPR. "Entities defined in Article 4 establish their model for receiving and managing internal reports, identifying technical and organizational measures suitable for ensuring a level of security adequate to the specific risks arising from the treatments performed, based on an impact assessment on data protection."

5. Appointment of External Controllers under Article 28 GDPR: the relationship with external suppliers (e.g., platform providers) must be defined in accordance with GDPR or Police Directive (2).

6. Retention Period: internal and external reports and the related documentation are retained for the time necessary to process the report and, in any case, for no longer than five years from the date on which the final outcome of the reporting procedure is communicated, in compliance with the storage limitation principle (Article 5, paragraph 1, letter e) of the GDPR and Article 3, paragraph 1, letter e) of Legislative Decree no. 51 of 2018, which implements the Police Directive).

7. Update of the Processing Activities Register: whistleblowing must be included as a specific processing activity in the register of processing activities in accordance with Article 30, paragraph 1 of the GDPR.


(1) Services, Products, Financial Markets, and Prevention of Money Laundering or Terrorist Financing, Transportation Security, and Environmental Protection.

(2) Directive 2016/680 of the European Parliament and of the Council of Europe on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection, and prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.


Contact Information

Nicolò Ghibellini
n.ghibellini@bmvinternational.com