{"id":32531,"date":"2026-06-11T15:24:21","date_gmt":"2026-06-11T13:24:21","guid":{"rendered":"https:\/\/it.andersen.com\/?p=32531"},"modified":"2026-06-11T15:28:15","modified_gmt":"2026-06-11T13:28:15","slug":"whistleblowing-the-risks-for-businesses-and-whistleblowers","status":"publish","type":"post","link":"https:\/\/it.andersen.com\/en\/whistleblowing-the-risks-for-businesses-and-whistleblowers\/","title":{"rendered":"Whistleblowing: the risks for businesses and whistleblowers"},"content":{"rendered":"<p>In this edition of the <strong>Compliance &amp; Risk Management<\/strong> Newsletter, professionals from Andersen\u2019s <strong>231\/Privacy<\/strong> Service Line have examined <strong>the risks for businesses and whistleblowers<\/strong> in order to highlight the ever-increasing importance of adopting specific technical and organisational measures capable of mitigating the risks arising from the application of <strong>whistleblowing<\/strong> legislation, thereby improving their <strong>governance<\/strong> and <strong>resilience<\/strong>.<\/p>\n<h2>Non-compliance with whistleblowing legislation: breaches and liability<\/h2>\n<p>Almost three years after Legislative Decree 24\/2023 came into force, many organisations continue to underestimate the obligations introduced by whistleblowing legislation.<\/p>\n<p>Organisations required to comply with the legislation must ensure the existence of internal channels that guarantee the <strong>confidentiality<\/strong> of the whistleblower\u2019s identity, the identities of those involved and the content of the report, as well as define a <strong>process<\/strong> for handling reports that is <strong>clear<\/strong>, <strong>traceable<\/strong> and <strong>compliant<\/strong> with data protection regulations.<\/p>\n<p>Failure to comply may expose the organisation to significant consequences. 
Legislative Decree 24\/2023 grants ANAC the power to impose <strong>administrative fines<\/strong> on organisations that <strong>fail<\/strong> to activate the mandatory reporting channels or that adopt procedures that do not comply with legal requirements. Alongside the risk of sanctions, the <strong>reputational and organisational impacts<\/strong> must not be overlooked. The absence of an effective reporting system can, in fact, compromise the organisation\u2019s ability to promptly detect unlawful conduct, operational irregularities or regulatory breaches, with potential economic and reputational repercussions.<\/p>\n<h2>Whistleblowing management and personal data processing: the risk of data breach is increasing.<\/h2>\n<p>The management of reports (<strong>whistleblowing<\/strong>) presents new and complex challenges for corporate security, placing the protection of personal data at the top of the agenda. In this scenario, the risk of a data breach is no longer a remote possibility, but a real threat. Reports may, in fact, contain not only common personal data (identifying details of the whistleblower and the subject of the report) but also <strong>special categories of personal data<\/strong> (so-called \u201c<em>sensitive data<\/em>\u201d).<\/p>\n<p>If this data is stolen due to <strong>unauthorised access, cyber-attacks or simply human error<\/strong>, the consequences for the organisation are significant. A data breach can result not only in heavy <strong>financial penalties<\/strong> from the Data Protection Authority, but also in <strong>reputational damage<\/strong> that undermines the trust of employees and stakeholders. It goes without saying that no employee will use reporting channels if they fear their identity might be exposed. To mitigate this risk, companies must adopt an approach based on \u201c<em>privacy by design and by default<\/em>\u201d. 
It is essential to implement <strong>encrypted communication channels<\/strong>, restrict access to formally authorised individuals only, and provide ongoing training for staff responsible for handling reports.<\/p>\n<h2>The risks of an unsubstantiated whistleblowing report<\/h2>\n<p>The protection afforded to whistleblowers is not unlimited: the safeguards provided by law do not apply to those who make an unfounded report with <strong>malice or gross negligence<\/strong>. Internally, the company may initiate <strong>disciplinary proceedings<\/strong> for the misuse of the reporting channel, up to and including the application of sanctions provided for by the company\u2019s disciplinary system.<\/p>\n<p>In civil law, the person reported may take action to obtain <strong>compensation for damages<\/strong> caused by the unfounded report. Furthermore, unfounded reports may constitute criminal offences of <strong>defamation<\/strong> or <strong>slander<\/strong>.<\/p>\n<p>The reporting channel does not require certainty of wrongdoing, but presupposes that the whistleblower acts in <strong>good faith<\/strong>, on the basis of reliable and verifiable information. Using the <em>whistleblowing<\/em> channel for retaliatory, personal or self-serving purposes exposes one to <strong>risks<\/strong> that may be far more serious than the benefits that the law grants to those who report correctly.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this edition of the Compliance &amp; Risk Management Newsletter, professionals from Andersen\u2019s 231\/Privacy Service Line have examined the risks for businesses and whistleblowers in order to highlight the ever-increasing importance of adopting specific technical and organisational measures capable of mitigating the risks arising from the application of whistleblowing legislation, thereby improving their governance and 
[&hellip;]<\/p>\n","protected":false},"author":146,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[50],"tags":[],"acf":[],"_links":{"self":[{"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/posts\/32531"}],"collection":[{"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/users\/146"}],"replies":[{"embeddable":true,"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/comments?post=32531"}],"version-history":[{"count":2,"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/posts\/32531\/revisions"}],"predecessor-version":[{"id":32535,"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/posts\/32531\/revisions\/32535"}],"wp:attachment":[{"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/media?parent=32531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/categories?post=32531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/tags?post=32531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}