Whistleblowing channels under the scrutiny of the Data Protection Authority: ANAC updates and compliance checks for companies
With Resolution No. 797 of 30 December 2025, the Italian Data Protection Authority (the “Authority” or the “Garante”) established the inspection plan for the January–July 2026 semester, which, among the various activities, includes – in continuity with the previous semester – inspection activities focusing on whistleblowing.
For clarity, under Legislative Decree No. 24/2023 (the “Whistleblowing Decree” or “WB Decree”) – which transposed into Italian law EU Directive 2019/1937 on “the protection of persons who report breaches of Union law” (so-called Whistleblowing Directive) – the term “whistleblowing” refers to any report made by any individual concerning information about conduct, acts or omissions that harm the public interest or the integrity of a company and that the reporting person has become aware of in the context of their work-related or professional activities (hereinafter the “Report”).
Particularly relevant in this context are violations falling within the scope of Legislative Decree No. 231 of 8 June 2001 (“Decree 231”), namely criminally relevant conduct pursuant to Articles 24 et seq. of Decree 231, as well as breaches of the 231 Organizational Model, the Code of Ethics, and, more generally, the various components of the system of rules and procedures that companies may have adopted.
Whistleblowing legislation expressly requires the implementation of different types of reporting channels, giving preference to IT-based channels. Indeed, through dedicated software or applications, it is possible to adopt stringent security measures and ensure a higher level of protection of personal data, both during the collection of reports and their subsequent management. Moreover, when properly designed and configured, such platforms make it possible to encrypt data at rest and maintain confidential communication with the reporting person.
Data protection is therefore a central aspect in the management of reports, requiring the performance of assessments and the fulfilment of specific obligations in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), Legislative Decree No. 196/2003, as amended by Legislative Decree No. 101/2018 (the “Italian Privacy Code”).
Against this background, the inspection activities carried out by the Garante will specifically include the continuation of checks on the use of the most widely adopted applications for the collection and management of whistleblowing reports.
However, before examining how companies can prepare for potential inspections, it is necessary to analyse the recent developments introduced by the National Anti-Corruption Authority (“ANAC”).
ANAC’s Main Updates
The National Anti-Corruption Authority (ANAC) has recently issued two measures: Resolution No. 478 of 26 November 2025, containing the new guidelines on internal reporting channels (“LG Internal Channels”), and Resolution No. 479 of 26 November 2025, which updates and supplements the previous Guidelines No. 311/2023 in order to ensure their overall consistency (collectively, the “ANAC Updates”).
The objective of the ANAC Updates is to ensure greater uniformity and efficiency in the entire system for managing Reports, while guaranteeing and maintaining full protection of the confidentiality of the whistleblower’s identity, the content of the Report, and the personal data of all individuals involved.
The main developments are primarily set out in the Internal Channels Guidelines, where ANAC explicitly addresses, for the first time, the issue of sharing internal reporting channels within corporate groups.
More specifically, ANAC identifies two different solutions, depending on the number of employees.
Companies within a group employing “up to 249 workers” may alternatively:
- share the internal reporting channel; or
- entrust the management of the reporting channel to third parties (so-called outsourcing), which, in the context of corporate groups, may also coincide with the parent company.
Conversely, where the number of employees exceeds 249, the only available option is to entrust the management of the reporting channel to a third party (i.e., outsourcing).
What are the main requirements for the proper implementation of the ANAC updates?
Where reference is made to a corporate group, and the individual company employs fewer than 249 workers and intends to share the internal reporting channel, it must:
- appoint a report handler for each company within the group;
- adopt technical and organisational measures to ensure that each handler can access only the reports relating to its own company. In corporate groups, this may translate, for example, into the creation of a single group-wide platform structured with separate sub-channels, corresponding to each company in the group (the company receives the report through its dedicated sub-channel and processes and investigates the report through its own designated handler). After receiving the report, the company may, where appropriate, make use of the investigative capabilities of the parent company, subject to prior notice to the reporting person;
- enter into a contract defining the roles and responsibilities within this arrangement;
- ensure that each company documents the decision to share the internal reporting channel and the related management model in its organisational act or Organisational Model (MOG).
With regard to data protection roles, the Internal Channels Guidelines expressly provide that, even where an internal reporting channel is shared, this does not give rise to joint controllership under Article 26 of the GDPR. Instead, the relationship should be structured as a controller–processor relationship pursuant to Article 28 of the GDPR, with the parent company acting as data processor.
Conversely, all corporate groups, regardless of their size, may rely on outsourcing.
Where this scenario applies, companies must:
- Enter into an outsourcing agreement with the third party, governing in particular:
  - the methods for receiving reports;
  - the role and responsibilities of the persons handling the reports;
  - the methods and retention periods for data storage;
  - situations of conflict of interest;
  - the stages of the reporting management procedure and the relevant timelines.
  In these cases, the third party must be appointed as data processor pursuant to Article 28 of the GDPR.
- Appoint an internal contact person to ensure coordination with the external handler. Each company within the group must, in fact, be aware only of the reports falling within its own remit, so that the relevant governing body may adopt any measures deemed appropriate following the outcome of the investigation carried out by the handler.
The Italian Data Protection Authority’s opinion on the ANAC whistleblowing guidelines
For completeness, it should also be noted that the Italian Data Protection Authority issued a positive opinion on the ANAC Updates, limiting its intervention to a number of clarifications aimed at ensuring their full compliance with the General Data Protection Regulation and with Legislative Decree No. 24/2023.
In particular, the Authority reiterates the obligation for public and private entities to implement internal reporting channels characterised by high security standards, through appropriate technical and organisational measures designed to safeguard the identity of the reporting person, the reported individual, and any third parties involved.
Furthermore, particular emphasis is placed on the obligation to carry out a Data Protection Impact Assessment (DPIA), as well as on the possibility to outsource the management of the reporting channel, with the provider being designated as data processor pursuant to Article 28 GDPR. The opinion also confirms the possibility of sharing a reporting channel among several entities, provided that selective access mechanisms are ensured and that the system complies with the principles of security and confidentiality.
Key aspects to consider in the event of inspections by the Italian Data Protection Authority
Companies subject to the obligations set out under whistleblowing legislation should, as part of a preventive compliance approach and by way of example, adopt the following organisational and technical safeguards:
- access segregation and log traceability: authorisation profiles must be defined in line with the principle of least privilege, ensuring that individuals can access only the data and functionalities strictly necessary for performing their duties. In particular, a clear functional separation must be ensured between those responsible for receiving and investigating Reports and those carrying out IT system administration activities.
- protection of the whistleblower’s identity through appropriate technical security measures (e.g., encryption and pseudonymisation).
- data retention limitation and deletion: retention periods must be predetermined and consistent with the purposes of processing. Where possible, automatic deletion or data blocking mechanisms should be implemented, with any exceptions being properly justified and documented.
- vendor management and risks related to IT applications: relationships with service providers must be governed through data processing agreements (DPAs) and contractual clauses regulating, among other things, sub-processors, data localisation, and transfers to third countries. Finally, the declared security measures must be verifiable and documented through an appropriate DPIA, which must be effective, regularly updated, and aligned with the evolution of the system.
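To illustrate how the selective-access, logging and retention safeguards described above (the per-company sub-channel model, the separation between report handlers and IT administrators, and predetermined retention periods) can be enforced in code, the following Python example is added here; it is not code from the article, from ANAC, or from any whistleblowing product, and the `GroupPlatform` class, the company and user names and the 365-day retention figure are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import secrets

@dataclass
class Report:
    report_id: int
    company: str          # sub-channel on which the report was received
    received: date
    body: str
    reporter_token: str   # pseudonym; the identity lives in the vault, not here

@dataclass
class GroupPlatform:
    """Hypothetical group-wide platform with one sub-channel per company."""
    handlers: dict        # user -> the single company whose reports they handle
    admins: set           # IT administrators: operate the system, never read reports
    retention_days: int = 365
    reports: dict = field(default_factory=dict)
    identity_vault: dict = field(default_factory=dict)  # token -> reporter identity
    audit_log: list = field(default_factory=list)

    def submit(self, company, received, body, reporter_identity):
        """Receive a report on a company's sub-channel; store the identity pseudonymised."""
        token = secrets.token_hex(16)            # unguessable pseudonym
        self.identity_vault[token] = reporter_identity
        rid = max(self.reports, default=0) + 1   # ids are never reused after a purge
        self.reports[rid] = Report(rid, company, received, body, token)
        return rid

    def read(self, user, rid):
        """Least privilege: only the handler designated for the report's company may read it;
        administrators are denied even if also listed as handlers. Every attempt is logged."""
        rep = self.reports[rid]
        allowed = user not in self.admins and self.handlers.get(user) == rep.company
        self.audit_log.append((user, rid, "read", "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{user} may not read report {rid}")
        return rep.body

    def purge_expired(self, today):
        """Retention limitation: delete reports, and the linked identities, past the period."""
        expired = [r for r in self.reports.values()
                   if today - r.received > timedelta(days=self.retention_days)]
        for r in expired:
            self.identity_vault.pop(r.reporter_token, None)
            del self.reports[r.report_id]
            self.audit_log.append(("system", r.report_id, "purge", "allowed"))
        return len(expired)
```

The audit log records denied attempts as well as successful reads, which is what an inspector will ask to see when verifying that access profiles actually match the declared organisational model.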