Whistleblowing hotlines enhance transparency within a company; the creation of a whistleblowing internal procedure for a company implies a number of issues from a data protection and criminal law perspective. Here below you can find a set of FAQs on some relevant aspects related to the creation of such a procedure. 

1. What is a whistleblowing hotline? 

A whistleblowing hotline is a specific channel designed for employees to report misconduct internally. As clarified by Article 29 of the Data Protection Working Party's (WP29) "internal whistleblowing schemes are generally established in pursuance of a concern to implement proper corporate governance principals in the daily functioning of companies." For this reason, under a data protection law perspective, whistleblowing schemes enhance transparency, and they are considered a best practice. Under criminal law perspective, Law no. 179/2017 provides indications on reporting crimes and irregularities within the private and public employment context. More specifically, with regard to the private context, this law provides for an amendment to the Legislative Decree no. 231/2001 (231 Law). The 231 Law is aimed at encouraging companies to adopt compliance programs (Models) in order to prevent the commission of certain crimes (listed by the 231 Law) by the directors, managers or their subordinates, or other third parties in the interest or to the advantage of the company. The adoption of the Models is optional and not compulsory. Therefore, only the companies that adopted the Models have to adopt a detailed procedure for the whistleblowers' reports.

2. What needs to be taken into account when a company decides to create a whistleblowing hotline? 

When creating a whistleblowing hotline a company should:

  • dedicate specific channels to this procedure (at least one channel has to be based on information technology), suitable to ensure the confidentiality of the whistleblowers;
  • guarantee confidentiality of the whistleblowing hotline's content as well as safeguard the privacy and anonymity of people managing/being involved in the procedure;
  • prohibit discriminatory acts or any form of retaliation against anyone for making a report;
  • provide the application of disciplinary measures for those who violate the confidentiality of the whistleblowers;
  • provide an information notice, since each individual should be made aware of how data are processed within the context of the procedure;
  • ensure that the accused person is alerted as soon as possible, as long as it does not imply negative effects on the investigation;
  • ensure that data subjects' rights are granted.

3. Is there any restriction on the type of topics that reporters can denounce through hotlines (e.g. anticorruption, environmental damages, antitrust, discrimination)?

There are no specific restrictions on the type of topics that may be reported through whistleblowing hotlines. Notwithstanding this, under a data protection law perspective, whistleblowing schemes are considered to be legitimate either when they result from a legal obligation or when they are intended to satisfy a legitimate interest of the controller / third party receiving data.

Under a criminal law perspective, the whistleblower report usually regards the violation of the Models or the commission of an offence listed in the 231 Law, such as the crimes committed against the public administrations (e.g. bribery), bribery among private individuals, corporate crimes, market abuse crimes, manslaughter and serious injuries due to violation of health and safety in the work place, money laundering crimes, IT crimes, criminal conspiracy crimes, crimes regarding the falsification of identifying signs and marks, crimes against industry and commerce, crimes breaching copyright laws, environmental crimes, racism and xenophobia.

4. How can a company ensure that not too many people are involved within a whistleblowing's hotline? 

It is considered appropriate to limit the number of persons involved in such procedure.

5. Could the reports/notifications be anonymous? 

Under a data protection law perspective, WP29 generally considers anonymous reporting through whistleblowing hotlines to be acceptable, even though anonymous reporting should not be encouraged by companies as the standard way of reporting but rather as an exception.

Under a criminal law perspective, companies could accept the anonymous reports. Confindustria (the organization representing the manufacturing, construction, energy, transportation, ITC, tourism and services industries in Italy) also confirmed this. In any case, the anonymous reports have to provide detailed and accurate information about the violation of the Models or the commission of the offences listed under 231 Law.

6. How long should a company retain the documentation related to a whistleblowing?

Personal data processed through a whistleblowing scheme should be promptly deleted, usually within two months after completing the investigations of the facts alleged in the report. Notwithstanding this, in cases of proceedings or disciplinary measures initiated against the incriminated person, data should be kept until the conclusion of these proceedings and the period allowed for any appeal.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.