
CMS Legal - SOX Whistleblowing and Privacy Laws in Europe - Italy


1. Which legal provisions of your national law conflict with the whistle blowing procedure of SOX?

Italy does not have any law or regulation that authorizes or requires companies to implement whistle blowing procedures. Whistle blowing procedures must therefore comply with general Italian law: in particular, the Italian Civil Code, the Italian Criminal Code, Italian labour law (notably Law n. 300 of May 20, 1970, the Workers' Statute, and the National Collective Labour Agreements) and the Italian Data Protection Code (Legislative Decree n. 196 of June 30, 2003) ('Italian DPC').
So far as the Italian DPC is concerned, the existing regulations and guidelines on whistle blowing, while designed to give specific protection to the person making use of the whistle blowing scheme, make no particular mention of the protection of the accused person (particularly with regard to the processing of his/her personal data).
The implementation of whistle blowing hotlines in Italy may thus conflict with the following provisions of the Italian DPC:
- the data subject has the right to access personal data concerning him/her (i.e. to be informed of the source of the personal data, of the purposes of the processing and of the methods used);
- personal data has to be processed fairly and lawfully;
- personal data must be kept for no longer than is necessary and must be accurate and up-to-date;
- personal data must be kept secure at all times and, where processed by a third party, be managed securely;
- personal data should not be transferred outside the EU to any country that does not provide adequate protection for the rights of the individual.
In the light of the above, the implementation of whistle blowing schemes may be deemed compliant with Italian law only when the protection of personal data is ensured throughout the whole process of whistle blowing, not only in respect of the whistleblower, but also of the accused person.

1.1 Does your national privacy legislation apply to company data as well as to personal data?

The Italian DPC refers to the processing of personal data, which includes information related to natural or legal persons, bodies or associations, which allows them to be identified, or their data to be matched, directly or indirectly, with any other information (including a personal identification number).

1.2 Under which conditions is the processing of the personal data lawful?

A data controller may process the personal data of a data subject without the data subject's consent only in a limited number of cases, set out in Article 24 of the Italian DPC. Only two of the conditions in that Article appear to be relevant here: the processing must be necessary either (i) to comply with an obligation imposed by a law, regulation or Community legislation, or (ii) to pursue a legitimate interest of the data controller.
Whether a foreign law may be deemed as a legal obligation under the Italian DPC is subject to debate.
Whistle blowing schemes may be deemed lawful in Italy on the grounds that they are necessary for the purpose of a legitimate interest pursued by companies, namely the facilitation of good corporate governance within those companies.
However, the Italian DPC requires a balance to be struck between the legitimate interest pursued by a company processing personal data and the data subject's rights and fundamental freedoms, dignity and legitimate interests.

1.3 Most countries have an obligation to notify the data processing to the data protection authority. Can this authority accept or refuse the data processing?

The Italian Data Protection Authority (the Garante per la protezione dei dati personali, 'Italian DPA') is not entitled to approve or reject the notification, but it may initiate proceedings if it believes that a particular processing is unlawful.
However, the details that must be entered in the notification register do not always allow the Italian DPA, or persons consulting that register, to assess whether a data controller's processing is proper or in accordance with the law.

1.4 Must the data subjects always be informed that data are being processed and, if so, when?

Existing regulations and guidance on whistle blowing focus on the need to protect whistleblowers and make no particular reference to the protection of the accused person. Even when accused, an individual retains the rights granted to him/her under the Italian DPC.
It is important to note that the accused person has a right to be informed, as soon as practicable after the data is recorded, that personal data about him/her has been collected from a third party and of the alleged facts, unless doing so creates a substantial risk of jeopardising the company's ability to investigate the allegation or gather evidence.

1.5 SOX implies the transfer of the personal data to other countries, namely the US. What are the equivalent rules under Italian law?

Apart from the cases referred to below, it is prohibited to transfer personal data that is the subject of processing from Italy to countries outside the EU, whether temporarily or permanently and in any form and by any means whatsoever, if the laws of the country of destination or of transit do not ensure an adequate level of protection of individuals.
The US is not considered by the European Commission as providing on the whole an adequate level of protection.
Nevertheless, the data controller can transfer personal data to non-EU countries when the data subject's consent has been expressly obtained or the transfer is necessary to meet contractual obligations resulting from a contract to which the data subject is a party.
Concerning the US in particular, the transfer can be carried out with no prior formalities if the recipient has adhered to the Safe Harbor Agreement (a US company's compliance with the Safe Harbor principles creates a presumption of adequate privacy protection).

1.6 Is anonymous whistle blowing allowed?

There is no legal provision which would in particular prohibit anonymous whistle blowing procedures.

2. What is the incidence of labour laws and of other legislations?

According to Italian law, except for a very few criminal offences that everybody is obliged to report, an employee cannot be compelled to report a colleague or a colleague's conduct unless that obligation is an integral part of the employment contract and of the duties arising under it (i.e. duties of surveillance, supervision or control). This means that if an employee fails to report a breach, and the omission is not clearly in bad faith or in breach of a legal obligation, he/she cannot be subjected to a disciplinary measure.

3. Has there been any reaction by the national Data Protection Authority or of the courts?

To date no official decision or circular concerning SOX has been issued.

Fabrizio Spagnolo
CMS Adonnino Ascoli & Cavasola Scamoni
Via Agostino Depretis, 86
00184 Rome, Italy
E fabrizio.spagnolo@cms-aacs.com
T +39 06 4781 51
F +39 06 483 755