WHISTLEBLOWING PROCEDURE
Whistleblowing, or the reporting of corporate wrongdoing, has been mandatory since 17 December 2023 and is regulated by Legislative Decree 24/2023 implementing Directive (EU) 2019/1937.
Since 15 July 2023, there is expected to be an expansion of the subjects required to equip themselves with tools and procedures that can be adopted for this type of reporting, for example, employees, consultants, collaborators, former employees, customers and suppliers, interns and shareholders.
Implementing the Whistleblowing procedure is important. It provides companies with the opportunity to minimize the risks of wrongdoing while guaranteeing maximum transparency and integrity to their internal and external collaborators.
- have employed an average of at least 50 workers in the last year;
- operate in so-called sensitive sectors, such as the financial sector and the prevention of money laundering and terrorism;
- are subject to the obligation to adopt the organization and management models referred to in Legislative Decree 231/2001.
- the activation or adaptation of the internal reporting channel;
- the adoption of clear internal procedures and guidelines defining the operating methods of the established channel;
- the adaptation of Model 231, where adopted, for aspects relating to the regulation of reporting of offences and the related disciplinary system;
- the fulfilment of the privacy obligations provided for by the GDPR and the Privacy Code, including the adaptation of the information to be provided to employees and the carrying out of the impact assessment referred to in Art. 35 GDPR.
FDC Consulting Digital ESG, thanks to a multidisciplinary team of internal and external collaborators made up of experts, can assist you in correctly implementing your whistleblowing system.
In particular, with our partners, we deal with the following activities:
- support in verifying the applicability of the whistleblowing legislation and in evaluating the related corporate governance profiles;
- consultancy for the development of different whistleblowing channels;
- drafting of whistleblowing policies/procedures and regulations for the management of reports;
- impact assessment (DPIA) of the whistleblowing process on the processing of personal data and related review of the privacy documentation, complying with the obligations established by the legislation on the protection of personal data and in line with the principles of privacy by design and privacy by default referred to in Art. 25 GDPR;
- identification of a person, a responsible office, or an external company trained in this topic and equipped with the autonomy and competence requirements identified in Art. 4 of the decree;
- drafting of policies and informative communications on whistleblowing through the drafting of a reporting management procedure, clarifying the information available on procedures and prerequisites for making internal reports, as well as on procedures and prerequisites for making external reports (Art. 5 letter and Legislative Decree 24/2023). It is important to define which channels the organization intends to implement to allow reporting in written or oral form and dissemination;
- specific training on whistleblowing and reporting management: bringing your company into line by raising awareness among your staff regarding the correct use of the reporting channel, and implementing targeted and dedicated training courses for the staff who manage reports (and the proper management of personal data);
- it will be important that any external suppliers are appointed as “data controllers” or that if the reporting channels are shared with other bodies, a co-ownership agreement is drawn up under Art. 26 GDPR (Joint data controllers, EU Regulation 2016/679, art. 26).