Remember:
- to carefully keep the unique identification code of the report and the password issued by the Platform, since, in case of loss, it cannot be recovered or duplicated in any way and access to the platform will no longer be possible;
- that a single channel must be used to submit the report/communication and any subsequent additions;
- that the use of the platform is the preferred channel;
- that duplicate submissions of the same report must be avoided.
New developments introduced by Legislative Decree no. 24/2023
What changes with the new legislation
In implementation of Directive (EU) 2019/1937, Legislative Decree no. 24 of 10 March 2023 was issued concerning “the protection of persons who report breaches of Union law and containing provisions regarding the protection of persons who report violations of national provisions”.
The decree entered into force on 30 March 2023 and the provisions contained therein have been effective since 15 July 2023.
The decree applies to entities in the public and private sectors; with specific reference to the latter, the legislation extends protection to reporting persons who, in the last year, have employed an average of at least fifty employees, or, even below this threshold, entities operating in so-called sensitive sectors (services, financial products and markets and prevention of money laundering or terrorist financing, transport safety and environmental protection) and those adopting organisation and management models pursuant to Legislative Decree 231/2001.
Only for private entities that employed, in the last year, an average of employees with permanent or fixed-term contracts of up to two hundred and forty-nine, the obligation to set up an internal reporting channel starts from 17.12.2023.
Until that date, such private entities that have adopted or intend to adopt Model 231 will continue to manage the internal reporting channels in accordance with Legislative Decree 231/2001.
Entities required to comply with the rules
Private sector
Protection of reporting persons operating in the private sector, as provided by Legislative Decree no. 24/2023, imposes the obligation to set up reporting channels on those entities in the same sector that meet at least one of the following conditions:
- they have employed, in the last year, an average of at least fifty employees with permanent or fixed-term contracts;
- they operate in specific sectors (services, financial products and markets and prevention of money laundering or terrorist financing, transport safety and environmental protection), even if in the last year they have not reached an average of at least fifty employees with permanent or fixed-term contracts;
- they adopt organisation and management models under Legislative Decree 231/2001, even if in the last year they have not reached an average of at least fifty employees with permanent or fixed-term contracts.
Public sector
The obligation to set up internal reporting channels also applies to the following public sector entities:
- public administrations under Article 1, paragraph 2, of Legislative Decree 30 March 2001, no. 165;
- independent administrative authorities of guarantee, supervision or regulation;
- public economic entities, bodies governed by public law under Article 3, paragraph 1, letter d) of Legislative Decree 18 April 2016, no. 50;
- public service concessionaires, publicly controlled companies and in-house companies, as defined respectively by Article 2, paragraph 1, letters m) and o) of Legislative Decree 19 August 2016, no. 175, including listed companies.
What can be reported
Behaviours, acts or omissions that harm the public interest or the integrity of the public administration or the private entity and which consist of:
- administrative, accounting, civil or criminal offences;
- unlawful conduct relevant under Legislative Decree 231/2001, or violations of the organisation and management models provided for therein;
- offences falling within the scope of European Union or national acts relating to the following sectors: public procurement; financial services, products and markets and prevention of money laundering and terrorist financing; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety and animal health and welfare; public health; consumer protection; protection of privacy and personal data and security of network and information systems;
- acts or omissions that harm the financial interests of the European Union;
- acts or omissions concerning the internal market;
- acts or behaviour that nullify the object or purpose of the provisions of Union acts.
Choice of reporting channels
- internal (within the work context);
- external (ANAC – National Anti-Corruption Authority);
- public disclosure (through the press, electronic media or means of dissemination capable of reaching a large number of people);
- report to the judicial or accounting authority.
Internal reporting channel
The internal report addressed to the Company’s Whistleblowing Manager may be submitted in the following ways:
- Paper submission of the report (ordinary mail or registered letter with return receipt addressed to the person in charge of managing the report), bearing on the envelope the wording “To the attention of the Whistleblowing Reports Manager – strictly confidential” sent via postal service to the registered office;
- Delivery by hand (i.e. in a sealed envelope addressed to the Reports Manager, with the wording “strictly confidential”) at the registered office;
- Submission via the IT platform for the transmission/collection and management of whistleblowing reports.
For the transmission and management of reports, San Giorgio Servizi S.r.l. has chosen to use the Whistlelink IT platform available at the web address: sangiorgioservizi.whistlelink.com, by filling in the specific form.
In addition to the dedicated section on the website, the platform can be accessed from any other mobile device by entering the link sangiorgioservizi.whistlelink.com
The platform allows you to fill in, send and receive the “Report Form” electronically.
After the report is submitted, the whistleblower is shown a unique identification code and a password required for subsequent access.
The notification of the submission of a report is automatically sent to the mailbox of the person responsible for managing the report.
The whistleblower can monitor the progress of the investigation exclusively by accessing the IT platform and using the identification code and password received.
As an alternative to internal reports submitted in written form via the IT platform, reports may be made:
- orally via dedicated telephone line 0103733102;
- at the reasoned request of the reporting person, through a direct meeting scheduled within a reasonable time, according to the following modalities:
the meeting with the reporting person will take place in a company room that guarantees the confidentiality of his/her identity, of the persons involved or, in any case, mentioned in the report, of the contents of the report and of the related documentation. This room is identified as the Meeting Room located at the Manager’s office. In case this room is unavailable, it will be the responsibility of the Reports Manager to identify another room that guarantees an equivalent level of confidentiality;
subject to the reporter’s consent, the report will be documented by the Reports Manager by means of minutes. At the end of the drafting, the reporting person may verify, correct and confirm the contents by signing it.
The tool used to store the report will be kept, along with all the documentation received, in a locked cabinet located at San Giorgio Servizi S.r.l., ensuring that the identification data of the reporting person are kept separate from the rest of the documentation, which will remain accessible only to the Reports Manager for the purposes of conducting the investigation.
The reporting transmission and management tools guarantee the confidentiality of:
- the reporting person;
- the facilitator;
- the person involved or, in any case, of the subjects mentioned in the report;
- the content of the report and the related documentation.
The management of the reporting channels is entrusted to an internal person specifically trained to manage the reporting channel, identified as Marcello Gambardella, General Manager, who has been assigned the following authorisation profiles in the IT platform: Owner, Administrator, Manager, Viewer.
External reporting channel
Reporting persons may use the external channel (ANAC) when:
- the activation of an internal reporting channel within the work context is not required, or such a channel, even if mandatory, is not active or, if active, does not comply with legal requirements;
- the reporting person has already made an internal report and it has not been followed up;
- the reporting person has reasonable grounds to believe that, if an internal report were made, it would not be effectively followed up or that the report could give rise to a risk of retaliation;
- the reporting person has reasonable grounds to believe that the violation may constitute an imminent or obvious danger to the public interest.
Public disclosure
Reporting persons may make a direct public disclosure when:
- the reporting person has previously made an internal and external report or has made an external report directly, and no feedback has been received within the prescribed time limits on the measures planned or taken to follow up the report;
- the reporting person has reasonable grounds to believe that the violation may constitute an imminent or obvious danger to the public interest;
- the reporting person has reasonable grounds to believe that an external report may entail the risk of retaliation or may not be effectively followed up due to specific circumstances of the case, such as where evidence may be concealed or destroyed or where there is a well-founded fear that the person receiving the report may be in collusion with the perpetrator of the violation or involved in the violation itself.
Conditions for reporting
Reasonableness
At the time of making a report or complaint to the judicial or accounting authority or of public disclosure, the reporting or complaining person must have reasonable grounds to believe that the information on the reported, publicly disclosed or complained violations is true and falls within the scope of the legislation.
Methods
The report or public disclosure must be made using the channels provided (internal, external and public disclosure) in accordance with the criteria indicated above under “Choice of reporting channels”.
Assessment of the public interest and the personal interest of the reporting person
Reports must be made:
- in the public interest;
- in the interest of the integrity of the public administration or the private entity.
The reasons that prompted the person to report, complain or publicly disclose are irrelevant for the purposes of their protection.
What happens after the report?
Report management methods
San Giorgio Servizi S.r.l. shall:
- notify the reporting person of receipt of the report within 7 days from the date of receipt, unless the reporting person explicitly requests otherwise or San Giorgio Servizi S.r.l. believes that such notification would undermine the protection of the confidentiality of the reporting person’s identity;
- maintain communication with the reporting person and, if necessary, request additional information;
- diligently follow up reports received;
- conduct the investigation necessary to follow up the report, including hearings and the collection of documents;
- provide feedback to the reporting person within three months from the date of the acknowledgement of receipt or, in the absence of such an acknowledgement, within three months from the expiry of the seven-day period from the submission of the report;
- inform the reporting person of the final outcome of the report.
Protection of the confidentiality of reporting persons
- The identity of the reporting person cannot be disclosed to persons other than those authorised to receive or follow up reports;
- Protection covers not only the name of the reporting person but also all elements of the report from which the reporting person’s identity may be deduced, directly or indirectly;
- The report is exempt from access to administrative documents and from the right of generalised civic access;
- Confidentiality protection is extended to the identity of the persons involved and of the persons mentioned in the report until the conclusion of the proceedings initiated as a result of the report, subject to the same safeguards as those provided for the reporting person.
Compliance with personal data protection rules
The processing of personal data relating to the receipt and management of reports is carried out by San Giorgio Servizi S.r.l. as data controller, in compliance with European and national principles on the protection of personal data, providing appropriate information to reporting persons and persons involved in reports and adopting appropriate measures to protect the rights and freedoms of data subjects.
Furthermore, the rights referred to in Articles 15 to 22 of Regulation (EU) 2016/679 may be exercised within the limits set out in Article 2-undecies of Legislative Decree 30 June 2003, no. 196.
Internal and external reports and related documentation are kept for the time necessary to process the report and, in any event, no longer than 5 years from the date of communication of the final outcome of the reporting procedure, in compliance with the confidentiality obligations laid down by European and national legislation on the protection of personal data.
Retaliation
“Retaliation” means any act or omission, even attempted or threatened, carried out as a result of a report, a complaint to the judicial or accounting authority or a public disclosure, which causes or may cause the reporting person or the person who made the complaint, directly or indirectly, unjust harm.
Examples of retaliatory conduct:
- dismissal, suspension or equivalent measures;
- demotion or failure to promote;
- change of duties, change of place of work, reduction of salary, modification of working hours;
- suspension of training or any restriction of access to it;
- negative performance appraisals or negative references;
- disciplinary measures or other sanctions, including financial ones;
- coercion, intimidation, harassment or ostracism;
- discrimination or otherwise unfair treatment;
- failure to convert a fixed-term employment contract into a permanent employment contract where the worker had a legitimate expectation of such conversion;
- failure to renew or early termination of a fixed-term employment contract;
- damage, including to the person’s reputation, in particular on social media, or economic or financial prejudice, including loss of economic opportunities and loss of income;
- inclusion in improper lists, based on a formal or informal sector or industry agreement, which may result in the person being unable to find employment in the sector or industry in the future;
- early termination or cancellation of a contract for the supply of goods or services;
- cancellation of a licence or permit;
- the request to undergo psychiatric or medical examinations.
Competence to ascertain retaliation
- The management of communications relating to retaliation in the public and private sectors falls within the remit of ANAC, which may avail itself, for matters falling within their respective competences, of the collaboration of the Inspectorate for Public Service and the National Labour Inspectorate;
- The declaration of nullity of retaliatory acts is the responsibility of the judicial authority.
Burden of proof of retaliation
ANAC must ascertain that the conduct (act or omission) deemed retaliatory was a consequence of the report, complaint or disclosure.
Once the reporting person proves that they made a report in accordance with the law and suffered conduct which they consider retaliatory, it is for the employer to prove that such conduct is in no way connected to the report.
Since this is a presumption of liability, it is necessary that evidence to the contrary emerges in the proceedings before ANAC. For this purpose, it is essential that the alleged person responsible provide all elements to demonstrate the absence of the retaliatory nature of the measure adopted against the reporting person.
Extension of protection from retaliation to other persons
Protection from retaliation is extended to persons other than the reporting person, namely:
- the facilitator (a natural person who assists the reporting person in the reporting process and works within the same work context);
- persons in the same work context as the reporting person, the person who made a complaint or the person who made a public disclosure and who are linked to them by a stable emotional or family bond up to the fourth degree;
- colleagues of the reporting person or the person who made a complaint or public disclosure, who work in the same work context and have a regular and current working relationship with that person;
- entities owned by the reporting person or for which the same person works, as well as entities operating in the same work context as the above persons.
Protection of reporting persons
Non-punishability of reporting persons
The reporting person is not punishable for disclosing or disseminating information on violations:
- covered by a duty of secrecy other than legal professional privilege or medical confidentiality;
- relating to the protection of copyright;
- relating to the protection of personal data.
This applies where, at the time of the report, complaint or public disclosure, the reporting person had reasonable grounds to believe that the disclosure or dissemination of the information was necessary for the report and the report was made in accordance with the procedures required by law.
Loss of protection
Protection is not guaranteed where it is established, even at first instance, that the reporting person is criminally liable for the offences of defamation or slander or, in any event, for the same offences committed through a complaint to the judicial or accounting authority, or civilly liable, on the same grounds, in cases of intent or gross negligence; in such cases, disciplinary sanctions may be imposed on the reporting or complaining person.
Support measures for reporting persons
Support measures are provided consisting of information, assistance and advice free of charge on how to report and on protection from retaliation offered by national and European Union provisions, on the rights of the person involved and on the methods and conditions for access to legal aid at the State’s expense.
A list of Third Sector entities that provide support measures to reporting persons is kept by ANAC. The list, published on its website, contains the Third Sector entities that, in accordance with their statutes, carry out the activities referred to in Legislative Decree 3 July 2017, no. 117, and that have signed agreements with ANAC.
Contact – Reports Manager:
Marcello Gambardella – General Manager
Telephone: 0103733102
Email: info@sangiorgioservizi.eu