Workplace Investigations

In practice, the following factors to be considered will be: (1) verification of the informant's identity; (2) whether the informant has any conflict of interest with the reported employee or whether it will affect the objectivity of their reporting; (3) how to persuade the informant to provide more information or evidence, or to cooperate in court as a witness; (4) how to increase the admissibility of evidence when the informant refuses to cooperate in court as a witness or fails to provide original evidence; (5) how to improve the evidence chain and protect the informant from being attacked or retaliated by the informant, etc.

The regulations on whistleblowing in the private sector were originally outlined in article 6 of Italian Legislative Decree No. 231 of 2001 (as amended by Law No. 179 of 2017), which state that the models of organisation must provide for one or more channels that allow persons in positions of representation, administration and management of the entity (and persons subject to their direction or supervision) to report unlawful conduct according to Italian Legislative Decree No. 231 of 2001 and violations of the entity’s organisational and management rules.

Currently, Italy has implemented Directive (EU) No. 1937 of 2019, which provides for the adoption of new standards of protection for whistleblowers, through the Italian Legislative Decree No. 24 of 2023 (WB Decree)[1].

In line with the Directive, the WB Decree states, inter alia, that[2]:

• an internal whistleblowing reporting channel must be put in place by all private legal entities (and legal entities in the public sector) that have employed, during the previous year, an average of 50 employees or, even below this threshold, operate in certain industries[3] or have adopted an organizational model in accordance with Legislative Decree no. 231 of 2001;
• the WB Decree prescriptions apply to reports concerning breaches of certain national/EU[4] legal provisions (varying depending on features such as the private or public nature of the employer and its dimensions), and not to claims or requests linked to interests of a personal nature of the reporting individuals (pertaining to their individual employment contracts or to relations with their superiors)[5];
• whistleblowers’ reporting may take place through:
  • the company’s internal reporting channels and internal reporting procedures (with the possibility – for entities employing up to 249 employees, even if not part of the same group – to share whistleblowing reporting channels); or
  • external reporting channels and external reporting procedures established by the member states’ competent authorities (in Italy, ANAC, i.e. the National Anticorruption Authority); or
  • in certain circumstances, public disclosure;
• whistleblowing systems must provide:
  • a duty of confidentiality regarding the whistleblowers’ identity (which generally may not be disclosed to persons other than those competent to receive or investigate on the reports, except in specific case and with the whistleblower’s consent; see also answer to question 12 below); and
  • ways of protecting collected data according to the GDPR, as well as tight deadlines for communication with whistleblowers[6]; and
  • an integrated system of protection of whistleblowers against any retaliatory action directly or indirectly linked to their reports or declarations, with a reversal of the burden of proof (meaning the employer must give proof of the non-retaliatory nature of measures adopted vis-à-vis whistleblowers); and
  • the procedures to be taken in case of anonymous whistleblowing report.

If an employee complains to his or her superiors about grievances or misconduct in the workplace and is subsequently dismissed, this may constitute an unlawful termination (article 336, Swiss Code of Obligations). However, the prerequisite for this is that the employee behaves in good faith, which is not the case if he or she is (partly) responsible for the grievance.

The relevant laws and regulations in the PRC have not clarified the retention period of the investigation findings. According to Article 19 of the Personal Information Protection Law of the PRC, unless otherwise required by laws or administrative regulations, the retention period of personal information shall be the shortest period necessary to achieve the purpose of handling the information. Since the employee's personal information is very likely to be involved in the investigation findings, such report should be retained for the shortest period necessary to achieve the purpose of handling the information. In general, once the investigation is completed, the purpose of the internal investigation has been achieved or it is no longer necessary to achieve the purpose, and the employer may, in accordance with Article 22 of the Administrative Regulations of the PRC on Network Data Security (Draft for Comments), delete or anonymize the personal information within fifteen (15) working days. If it is technically difficult to delete the personal information, or it is difficult to do so within fifteen (15) working days due to business complexity or other reasons, the employer shall not conduct any processing other than storing the personal information and adopting necessary security measures, and shall give reasonable explanations to the employee.

The employer would normally keep the outcomes of the investigation for the entire duration of the employment relationship with the involved employee.

After the termination of the employment relationship, it appears reasonable to conclude that the employer would be entitled to retain this information for the time necessary to exercise its defence rights in litigation (taking into account that 10 years is the statute of limitations for contractual liability). Further requirements or restrictions under general privacy laws (and particularly the GDPR) should also be checked.

According to Art. 14 WB Decree, internal and external whistleblowing reports (including related documents) must be kept for as long as necessary for report processing, but no more than five years from the date of transmission of the procedure's final outcome.

From an employment law point of view, there is no statute of limitations on the employee's violations. Based on the specific circumstances (eg, damage incurred, type of violation, basis of trust or the position of the employee), a decision must be made as to the extent to which the outcome should remain on the record.

From a data protection point of view, only data that is in the interest of the employee (eg, to issue a reference letter) may be retained during the employment relationship. In principle, stored data must be deleted after the termination of the employment relationship. Longer retention may be justified if rights are still to be safeguarded or obligations are to be fulfilled in the future (eg, data needed regarding foreseeable legal proceedings, data required to issue a reference letter or data in relation to a non-competition clause).[1]