Download the press review.

The post DE BERTI JACCHIA ADVISES ANDION ON THE ACQUISITION OF A MAJORITY STAKE IN THE ENERLAND BIOGAS PLANT appeared first on Studio Legale De Berti Jacchia Franchini Forlani.

By way of the Decree No. 24/2023 (“Decree”), Italy has transposed into law the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of union law into various jurisdictions.

The Decree has been enacted on 30 March 2023. The purpose of the Decree is to safeguard individuals who report breaches of certain national or European Union laws (which came to their knowledge in the work context) that may jeopardize the public interest, the integrity of public administration or of a private entity^[1].

The Decree took effect on 15 July 2023 for employers with an average of at least 250 employees in the year 2022^[2].

For companies that had an average of up to 249 employees in 2022 the main obligation provided by the Decree to set up internal reporting channels will have to be implemented by 17 December 2023^[3].

We have described in another article the compliance aspects related to the Decree^[4]. In this contribution we will focus instead on the quite important data protection actions that the companies should put in place.

1. PRINCIPLES OF THE GDPR TO KEEP IN MIND WHEN READING THIS ARTICLE

Art. 5 of the GDPR sets some principles related to processing of personal data, which should be observed while carrying out (or designing) activities that imply such processing.

More specifically, these principles delimit the boundaries within a data processing activity can be considered lawful. Failure to comply with these principles, and the gravity of the related violation, will determine the imposition of possible fines and/or penalties. The data controller shall be responsible for (and be able to demonstrate) compliance with those principles. “Accountability” is the one term which better summarizes the GDPR, and this dictum, of course, also applies to data processing activities related to the management of a whistleblowing channel.

The principles that any data controller must be able to demonstrate, are:

1. 1. “… lawfulness, fairness and transparency …”, which means that the processing must be based on one of the legal basis provided for in art. 6 of GDPR, and must also be inspired by good faith (e., for companies obligated to adopt a whistleblowing system, the provisions of the Decree will constitute a legal basis for the processing of personal data pursuant to art. 6.1.(c) GDPR). Moreover, those principles provide the data controller with a general disclosure duty to data subjects of the main features and information about the processing;
   2. “… purpose limitation …”, which means that data collected for specified, explicit and legitimate purposes, shall not further processed in a manner that is incompatible with those purposes (e., the data related to a whistleblowing report, shall be used only to handle the report, give feedback to the whistleblower, etc.);
   3. “… data minimisation …”, which means that data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (e., data that are not useful or irrelevant for the handling of a whistleblowing report, shall not be collected or, if collected, shall be promptly deleted);
   4. “… accuracy …”, which means that data must be accurate and, where necessary, kept updated (e., if a whistleblower wishes to amend its report because it contains erroneous data, every reasonable step must be taken to ensure that such data are rectified without delay);
   5. “… storage limitation …”, which means that data must be kept in a form which permits identification of data subjects for no longer the time necessary for the purposes for which the personal data are processed (e., once the whistleblowing report is successfully handled, or once the legal term for data retention provided for in the Decree is expired, such data must be deleted or anonymized);
   6. “… integrity and confidentiality …”, which means that data must be processed in a manner that ensures appropriate security against unauthorised or unlawful processing and against accidental loss, destruction or damage (e., the whistleblowing system shall be properly secured with encryption, or shall be used only by authorized employees, etc.).

Last (but not least), art. 25 of the GDPR provides the so-called principle of “… data protection by design and by default …”, which means that the data controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures. It shall then take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the varying risks to the the rights and freedoms of natural persons, in order to meet the requirements of the GDPR and protect the rights of data subjects.

2. SPECIFIC DATA PROTECTION ISSUES INVOLVED IN THE DECREE

We will now discuss of the specific issues arising from Decree.

As mentioned, the Decree main obligation is to set up internal communication channels to allow to the whistleblower to report certain facts to the company.

The receipt and handling of whistleblowing reports result in the processing of personal data referrable to the individuals involved in the reported facts.

This implies that the companies obliged to implement a whistleblowing channel have to adopt (in their quality of data controller) a series of measures to ensure the lawfulness, confidentiality and security of the processing carried out (directly, or by means of their employees and/or collaborators involved in the management of the reports).

Indeed, the principles set forth by the GDPR at the basis of all kind of data processing activities cannot be ignored. On the one hand, attention must be given to the privacy roles played by those involved in the management of reports. On the other, security and organizational measures designed to ensure the confidentiality of the information received cannot be neglected either. We will then analyse the main features that the companies must comply with (and take into consideration) when implementing a whistleblowing channel.

3. THE OBLIGATION TO DEFINE THE PRIVACY ROLES TAKING INTO CONSIDERATION THE DIFFERENT SCENARIOS

The company obliged to implement a whistleblowing channel, could alternatively entrust its management to:

1. 1. a person/office (with dedicated staff properly trained) within its own organization;
   2. an external entity.

The result of the choice could be two-fold as we explain below.

3.1. The scenario in which the company sets internally its own reporting channel

As mentioned above, the company that establishes the reporting channel is considered a data controller. A data controller is the subject that will delineate the means and purposes of the data processing, and, therefore, will always have to guarantee that the data processing complies with the principles and regulations placed at the basis of any data processing activities.

Art. 4.4 of the Decree also states that private sector companies that have employed, in the last year, an average number of employees (permanent or fixed term) not exceeding 249, can share the internal reporting channel and the related management. In such event, the companies that share the internal reporting channel will be considered as joint data controllers. This means that such companies have to jointly determine the purposes and means of the processing of personal data, and they are required to establish, in a transparent manner, through an internal agreement^[5], their respective responsibilities for compliance with the obligations arising from the legislation on personal data protection. The essential contents of such agreement must be made available to the data subjects and all the parties eventually concerned.

Data controllers and joint data controllers shall then identify, within their own organizational structure, the individuals (employees) expressly designated with specific tasks and functions related to the processing of personal data^[6]. These individuals will operate (for data protection purposes) under the authority of the data controllers and joint data controllers, and should receive appropriate and specific instructions from them, as well as adequate and professional training.

Such role, as clarified by ANAC Guidelines, may be entrusted, among others, to individuals within the internal audit bodies, or the Supervisory Board provided for in the regulations of Legislative Decree No. 231/2001, or to ethics committees.

In any case, it is expressly provided that the individuals/office entrusted with the management of the whistleblowing channel, must be:

1. 1. 1. Impartial, in order to ensure that reports are handled fairly and free from internal or external influences;
      2. Independent, in order to ensure objective and impartial analysis of the report.

It may occur, however, that data controllers decide to outsource the management of the whistleblowing channel (and the relevant reports) to third parties, external to their organization, instead of appointing their own employees as authorized subjects. In the event that a third party is entrusted with the management of the whistleblowing channel (or, otherwise, is involved in a part of the reports’ management procedure such as the provider of the IT platform on which the reporting channel is based), the latter must be appointed, by contract or other legal act, as data processor^[7]; the data processor is indeed the subject that carries out the data processing on behalf of the data controller. Therefore, the data processor must comply with the specific instructions that the data controller has provided. Finally, it is mandatory that the data processor presents sufficient guarantees, in particular in terms of specialized knowledge, reliability and resources, to put in place technical and organizational measures that ensure respect for confidentiality, data protection and secrecy.

4. THE NECESSITY TO CARRY OUT A DATA PROTECTION IMPACT ASSESSMENT AND RELEVANT SECURITY MEASURES

After having examined and defined the roles that those involved in the management of the whistleblowing channel may have, there are other relevant consequences of adopting a whistleblowing channel.

First of all, it is fundamental that the employer (as data controller) guarantees, from the design of the reporting channel (privacy by design), and by default (privacy by default), that only the personal data strictly necessary in relation to the specific reporting purpose are processed. In order to do so, the data controllers must carry out, while designing the features of the reporting channel, and thus before the start of processing of the reports, a data protection impact assessment^[8] (“DPIA”), in order to identify possible risks related to the processing and apply the necessary measures to avoid or mitigate these risks.

The DPIA will need to take into consideration that since the processing of whistleblowing reports entails high risks to the rights and freedoms of data subjects, data controllers must adopt several measures to protect the confidentiality of reports and relative information. Such measures^[9] could result in the use of encryption tools within the reporting channel, as well as ensuring the segregation of duties of the subjects involved in the processing.

With specific reference to the case where the access to the reporting channel is made through the data network of the data controller, it must be ensured that there is no traceability of the whistleblower, both on the IT platform and in the network possibly involved. Otherwise, the recording and storage (e.g., in the logs of firewall equipment), of information about connections to the reporting channel could allow the traceability of the individuals who used the platform, including the whistleblowers, and therefore frustrate the other measures eventually adopted by data controller in order to protect the identity of the whistleblower. On the other hand, where possible, the tracking of the activities of the authorized personnel shall be ensured, in order to prevent the misuse of data related to the reporting, except for those data from which the identity or activities of the whistleblower could be disclosed^[10].

5. INFORMATION DUTIES TO BE GIVEN TO THE DATA SUBJECTS

Data controllers must provide possible data subjects with appropriate information about the processing of personal data^[11].

This means, inter alia, that the following should be brought to the attention of the data subjects:

• • the data controller and its contact details;
  • the contacts of the data processor (if the service has been outsourced externally);
  • the purpose of the processing;
  • the legal basis of the processing;
  • the methods of processing;
  • the scope of processing and the subjects to whom the data are disclosed;
  • the storage period of personal data;
  • the contact details of the DPO, whether existent;
  • the data subjects’ rights and guidance on how they can exercise them.

By way of example, such information may be provided as an annex to the whistleblowing procedure, (e.g., on the website of the data controller), or in a special section of the IT application used for the filing of the reports, as well as being made available in the workplaces.

With reference to the obligation to make the disclosure, however, it must be noted that, in the phase of acquisition of a report and/or in any subsequent investigation, no specific information or disclosure should be provided to parties other than the whistleblower. The aim is to avoid the frustration of the confidentiality protections provided by the Decree.

6. OBLIGATION TO ADJOURN THE REGISTER OF PROCESSING

Moreover, the record of processing^[12] must be adjourned with the relevant details of the data processing related to the management of the reports. The record should contain the name and contact details of the data controller and, where present, the joint data controller, a description of the categories of data subjects and categories of personal data that are processed, the competent authorities to which the such data have been or will be disclosed, etc..

7. DATA RETENTION

In the Decree, it is expressly provided that personal data shall be kept in a form that allows the identification of the data subjects for a period of time not longer than the achievement of the purposes for which they are processed, and that reports and related documentation be retained for as long as necessary for the processing of the report and, in any case, no longer than five years from the communication of the final outcome of the procedure.^[13]

8. EXERCISE OF DATA SUBJECTS’ RIGHTS

The rights referred to in Articles 15 to 22 of the Reg. (EU) 2016/679 may not be exercised by request to the data controller nor by a complaint under Article 77 of the Reg. (EU) 2016/679, if they may result in prejudice of the confidentiality of the whistleblower’s identity, within the limits in which this constitutes a measure necessary and proportionate, taking into account the fundamental rights and freedoms of the data subjects.

9. CONCLUSIONS

As discussed in our previous article on the subject matter, the Decree imposes significant compliance burdens on companies regarding the establishment of whistleblowing procedures, with a particular emphasis on criminal law and organizational aspects.

Understandably, stakeholders have focused on meeting these requirements in their rush to comply.

However, as emphasized in this contribution, important privacy measures also need implementation within the same deadline specified in the Decree.

It is crucial not to overlook these measures, and steps should be taken to ensure compliance with them as well.

Download Article

The post THE IMPORTANT DATA PROTECTION ASPECTS RELATED TO THE NEW WHISTLEBLOWING LEGISLATION IN ITALY appeared first on Studio Legale De Berti Jacchia Franchini Forlani.

By way of the Decree No. 24/2023 (“Decree”), Italy has transposed into law the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of union law into various jurisdictions.

The purpose of the Decree is to safeguard individuals who report breaches of certain national or European Union laws (which came to their knowledge in the work context) that may jeopardize the public interest, the integrity of public administration or of a private entity^[1].

Already in July 2023, the National Anti-Corruption Authority (“ANAC”) had published guidelines focused on the submission of the external reports in accordance with the Decree (“ANAC Guidelines”).

While it now approaches the last deadline for the compliance to the Decree (i.e., 17 December 2023, see below point 2), the main association representing manufacturing and service companies in Italy (“Confindustria”) has now published on 30 October 2023 guidelines for the implementation of the Decree in the private sector^[2] (“Confindustria Guidelines“).

The indications therein contained are very useful in clarifying aspects, including those of an operational nature, on which the Decree was silent.

In this article, we will provide an overview of the Decree, as now better clarified by the Confindustria Guidelines, focusing especially on the obligations laying on the private entities^[3].

1. PERSONAL SCOPE OF THE DECREE

In the Decree it is provided that the following private entities are required to comply with the new whistleblowing rules^[4]:

• • private entities which have employed an average of 50 or more workers with permanent or fixed-term employment contract;
  • regardless of the number of workers employed, private entities dealing in sectors such as “… financial services, products and markets, and prevention of money laundering and terrorist financing …”, “… transport safety” and “protection of the environment …” (listed in a specific annex of the Decree);
  • regardless of the number of workers employed, private entities which have adopted an organizational model pursuant to Legislative Decree 231/2001 (“Model 231”)^[5].

2. TIMING FOR THE IMPLEMENTATION OF THE DECREE

The Decree took effect on 15 July 2023 for employers with an average of at least 250 employees in the year 2022^[6]

For companies that had an average of up to 249 employees in 2022 the main obligation provided by the Decree to set up internal reporting channels (see below point 5.1) will have to be implemented by 17 December 2023^[7].

3. THE MATERIAL SCOPE OF THE DECREE

In the first place, below we will assess who are the protected individuals and what is the protected reporting under the Decree.

• • The protected individuals

It is noted that the Decree notably expands the scope of protected individuals when there is a reporting.
In particular, the Decree grants legal protection to^[8]:

• • • the whistleblower (the category of individuals entitled to make a whistleblowing report is extensive and encompasses candidates for employment, current employees, former employees, trainees, shareholders, members of corporate bodies, consultants and professionals, as well as employees or consultants of contractors);
    • persons supporting and helping the whistleblower in its reporting (so called “facilitators”);
    • work colleagues or relatives of the whistleblower;
    • entities owned by the whistleblower or operating in the same work environment as the whistleblower;
    • entities owned by the whistleblower or entities for which the whistleblower works^[9].

• • The protected reporting^[10]

The reporting of information is covered by the Decree when it pertains to violations that harm public interests or the integrity of companies. In the Decree it is prescribed that^[11]:

• • • whistleblowers can report breaches pertaining to a very broad perimeter of matters (administrative, accounting, civil or criminal offenses, as well as to certain specified laws such as financial services, money laundering, environment, public health, etc.);
    • in companies that have adopted Model 231 whistleblowers can report breaches of Model 231 and related laws (e., offenses or attempted offenses). In this regard, it is noted that Legislative Decree 231/2001 makes specific reference to a broad category of crimes for which a company may be liable expanding thus the object of the reporting quite significantly.

4. DUTIES: IMPOSED BY THE DECREE

Hereinbelow, we will now look at the duties imposed to the companies based on the Decree.

• • The duty to establish an internal channel of reporting^[12]

The employers are mandated to establish internal reporting channels (following consultations with the internal representatives of the workers or with the trade unions)^[13]. The management of the reporting channel shall be entrusted: (i) either to an individual or to an autonomous internal office dedicated to it, with personnel specifically trained for the management of the reporting channel; or (ii) to an external entity, also autonomous and with personnel specifically trained.

The internal reporting channel must allow individuals to:

• • • submit reports in writing, which can include using online platforms. In this respect, the company shall abide with: (i)provisions promoting, inter alia, the utilization of encryption tools to safeguard the confidentiality of the communications^[14]; and (ii) the obligation to process personal data in compliance with the GDPR^[15];
    • make oral reports, utilizing methods such as telephone lines or voice messaging systems;
    • request a face-to-face meeting for reporting if the whistleblower prefers this option.

In any case, it is imperative that: (i) the internal channels ensure the confidentiality of the identity of the whistleblower, the person involved, and the person mentioned in the report, as well as the content of the report and its related documentation; (ii)the company provides clear information on the operation of the channel to all the stakeholders^[16] setting thus up whistleblowing procedures.

• • Management of the reports at the Group level

We note that the Decree limits to prescribe that employers with less than 250 employees can share the same internal reporting channels^[17].

On the other hand, the Decree does not provide any guidance regarding the possibility to share channels within corporate groups^[18].

The recently published Confindustria Guidelines^[19], which also take into consideration the ANAC Guidelines, provide useful indications/instructions in this regard taking note that the Groups may have an interest in sharing the same channel of reporting.

In this regard, the following two possibilities seem to be endorsed:

1. 1. 1. a first solution could be to adopt a unique IT platform, with a decentralized management at the level of the individual subsidiary company. In such cases, group companies would allow the whistleblowers, once logged in the IT platform, to select the company where they work and to which they intend to report. In this way, the appropriate office in the selected company could initiate the process and handle the report;
      2. a second solution could be to entrust the parent company, as a third party with respect to the subsidiaries, with the activities related to the handling of the reports. In this case, in addition to the use of a unique IT platform (possibly, with dedicated and segregated channels for each company) set up by the parent company, each subsidiary may entrust, with specific service contracts, the management of the reporting channel to the parent company itself.

However, we note that there are still some interpretative doubts on such topics. It shall thus be carried out a case-by-case analysis.

• • The duty to follow-up

The Decree introduces a specific obligation to effectively handle and follow-up on reports. The subject designated to receive and manage reports through the internal reporting channel is entrusted, inter alia, with the following obligations^[20]:

• • • promptly acknowledge the receipt of the report to the reporting person within seven days of receiving it;
    • maintain ongoing communication with the reporting person and, if necessary, request additional information;
    • thoroughly investigate the report to assess the veracity of the reported facts and take any necessary corrective actions;
    • provide feedback to the reporting person within three months from the date of acknowledgment of receipt. If no acknowledgment was sent to the reporting person, the feedback should be provided within three months from the end of the seven-day period following the submission of the report^[21].

5. THE FORMS OF PROTECTION GUARANTEED BY THE DECREE^[22]

The whistleblowers and the other connected individuals mentioned in paragraph 4.1 above are entitled to certain protections under the Decree^[23].

In particular:

• • any action taken by the employer against them (such as dismissal or changing of work location) is automatically considered retaliation and is null and void unless the employer can prove in court that the action was entirely unrelated to the whistleblowing. This represents a complete shift of the burden of proof to the employer;
  • there is an exclusion of liability for defamation, copyright infringement, breach of confidentiality obligations, violation of data protection laws, disclosure of trade secrets for the whistleblower to the extent he/she has reasonable grounds to believe that the disclosure of information (giving rise to the above breaches) is necessary to report a violation and he/she acts in compliance with the Decree^[24];
  • the identity of whistleblowers should generally remain confidential, even in disciplinary proceedings against accused individuals based on the whistleblowing report^[25]. On the other hand, if the knowledge of the identity of the reporting person is essential for the defense of the accused individual, the report shall only be usable for disciplinary proceedings with the express consent of the reporting person for the disclosure of his/her own identity^[26].

The protective measures provided above are not granted when a criminal or civil court has determined that the reporting person, either intentionally or with gross negligence, made a false or unfounded report^[27].

6. THE SANCTIONS^[28]

The Decree provides that the ANAC may apply administrative sanctions in case of:

• • adoption of retaliatory measures or acts aimed at breaching the confidentiality of the identity of the reporting person or aimed at hindering the reporting (with a fine ranging from Euro 10,000 to Euro 50,000); or
  • failure to implement the internal reporting channels in compliance with the Decree and/or failure to adopt the relevant procedures (with a fine ranging from Euro 10,000 to Euro 50,000).

7. SUGGESTED ACTIONS TO IMPLEMENT THE DECREE

Based on all the above, the steps which shall be complied with to ensure compliance with the Decree by 17 December 2023 are the following:

1. 1. Assessment of existing reporting channels
      In the first place, it will be necessary to assess the current reporting channels and procedures (if any) to ensure to which extent they may be considered in line with the Decree’s requirements.
   2. Introduction of Internal Reporting Channels compliant to the Decree and the GDPR
      Subject to the assessment made under point A. above, it will be necessary to introduce internal reporting channels compliant with the Decree and the GDPR and set the relevant procedures.
      
      
   3. Consultation with the internal representatives of the workers or with the trade unions
      In the frame of the actions sub A) and B) it will be necessary to inform the internal representatives of the workers or the trade unions about the need to create new reporting channels or enhance existing ones in compliance with the Decree.
      
      
   4. Update of the Organization, management and control model adopted pursuant to Italian Legislative Decree no. 231 of 2001 (if any)
      In cases where companies have adopted Organization, management and control models in accordance with Legislative Decree no. 231 of 2001, it will be necessary to update, also in light of the previous steps, the requirements/prescriptions contained in the models, especially in order to include the rules related to the internal reporting channels (and related safeguards).

Download Article

The post THE GUIDELINES ENACTED BY CONFINDUSTRIA ON 30 OCTOBER 2023 BETTER CLARIFY THE WHISTLEBLOWING LEGISLATION IN ITALY appeared first on Studio Legale De Berti Jacchia Franchini Forlani.

Pubblicato su Cyber Security 360

Download Article

The post TRUFFA ONLINE: ECCO QUANDO LA BANCA RIMBORSA IN CASO DI PHISHING appeared first on Studio Legale De Berti Jacchia Franchini Forlani.