Annex to the Employment Law Newsletter of February 2, 2026

Whistleblowing: ANAC Guidelines on Internal Reporting Channels

On 26 November 2025, the National Anti-Corruption Authority (so-called ANAC) approved new guidelines on whistleblowing, completing the implementation of Italian regulations that implement EU Directive 2019/1937. The guidelines provide operational guidance on the adoption of internal and external reporting channels, with particular attention to corporate groups, reporting methods, roles and

Recommendations and guidance for corporate groups

▪ Single reporting channel: ANAC recommends the use of a single channel capable of receiving all reports to avoid confusion for whistleblowers.
▪ Outsourcing: it is also possible to share the internal reporting channel, in cases provided by law, or outsource its management, including to a group company, provided that the autonomy of the person in charge of managing reports (manager/supervisor), confidentiality, traceability and compliance with applicable provisions of the law are ensured. Where the manager is external, an agreement must be put in place between the entity obliged to implement the channel and the external manager - also in the case of intra-group outsourcing - specifying tasks, powers and responsibilities. In any case, it is advisable for the company establishing the channel to appoint an internal contact point to ensure operational reports within its scope and for the compliance of its reporting system, even if the channel is shared or outsourced. ANAC may, therefore, sanction each company individually, even within a group, for
▪ Supervisory limits: ANAC's supervisory authority is limited to the national territory, but responsibility remains with the Italian principal even if the channel is managed by a foreign entity.

The role of trade unions

The activation of the internal reporting channel - as well as any substantial amendments or updates to the organisational documentation - must involve trade unions in advance; without such involvement, the procedure is considered non-compliant and may lead to sanctions under applicable provisions of the law. This involvement is informative and non-binding, and the procedures and timing (provided they are reasonable and not late) are left to the discretion of the company. In the absence of internal trade union representation (i.e. RSA or RSU), the most representative national trade unions at territorial level must be informed.

The investigation process

ANAC reiterates that the manager is the only autonomous and independent subject authorised to receive reports and carry out all necessary activities, including conducting the investigation and deciding whether to close the case or forward the collected information to the competent bodies (e.g. judicial authorities). In case of a conflict of interest or absences longer than 7 days, a substitute must be appointed.

▪ Acknowledgement of receipt: a notice to the whistleblower confirming receipt, without any assessment of the content. If the report is mistakenly sent to a different internal subject, it must be forwarded to the manager within 7 days, informing the whistleblower.
▪ Preliminary review: verification of subjective and objective conditions to proceed.
▪ Retention: documentation must be deleted within 5 years of the final outcome. This excludes anonymisation as a way to retain data beyond the legal limit.

Privacy issues: DPIA, channels, metadata, retention

The guidelines require careful coordination with privacy law as sanctions from the Italian Data Protection Authority remain fully applicable. Violations of confidentiality may constitute breaches under both applicable provisions of the law and the GDPR, as clarified by the Italian Data Protection Authority

In this context, the Data Protection Officer (so-called DPO) plays a central role: they must be involved in designing internal channels and drafting the DPIA (so-called Data Protection Impact Assessment), providing recommendations to mitigate risks. The DPO remains independent, does not manage reports

Further instructions include: (i) the use of dedicated IT platforms allowing stronger technical measures; (ii) non-traceability of the connection and absence of identifying logs when accessing the reporting channel via the corporate network; (iii) access to the whistleblower's identity only when necessary and justified; (iv) the

The link between whistleblowing and 231 Model

The integration of whistleblowing into the regulatory framework governing the administrative liability of entities (so-called 231 Model) has been further strengthened. Currently, a 231 Model lacking a compliant whistleblowing system must be considered inadequate for the purposes of exempting the legal entity from channels are an integral part of the risk prevention system and must be integrated within 231 Model, in line with risk mapping, information flows to the Supervisory Body (so-called Organismo di Vigilanza or OdV) and the disciplinary system. In particular, in performing its ordinar