Workplace Investigations

The regulations on whistleblowing in the private sector were originally outlined in article 6 of Italian Legislative Decree No. 231 of 2001 (as amended by Law No. 179 of 2017), which state that the models of organisation must provide for one or more channels that allow persons in positions of representation, administration and management of the entity (and persons subject to their direction or supervision) to report unlawful conduct according to Italian Legislative Decree No. 231 of 2001 and violations of the entity’s organisational and management rules.

Currently, Italy has implemented Directive (EU) No. 1937 of 2019, which provides for the adoption of new standards of protection for whistleblowers, through the Italian Legislative Decree No. 24 of 2023 (WB Decree)[1].

In line with the Directive, the WB Decree states, inter alia, that[2]:

• an internal whistleblowing reporting channel must be put in place by all private legal entities (and legal entities in the public sector) that have employed, during the previous year, an average of 50 employees or, even below this threshold, operate in certain industries[3] or have adopted an organizational model in accordance with Legislative Decree no. 231 of 2001;
• the WB Decree prescriptions apply to reports concerning breaches of certain national/EU[4] legal provisions (varying depending on features such as the private or public nature of the employer and its dimensions), and not to claims or requests linked to interests of a personal nature of the reporting individuals (pertaining to their individual employment contracts or to relations with their superiors)[5];
• whistleblowers’ reporting may take place through:
  • the company’s internal reporting channels and internal reporting procedures (with the possibility – for entities employing up to 249 employees, even if not part of the same group – to share whistleblowing reporting channels); or
  • external reporting channels and external reporting procedures established by the member states’ competent authorities (in Italy, ANAC, i.e. the National Anticorruption Authority); or
  • in certain circumstances, public disclosure;
• whistleblowing systems must provide:
  • a duty of confidentiality regarding the whistleblowers’ identity (which generally may not be disclosed to persons other than those competent to receive or investigate on the reports, except in specific case and with the whistleblower’s consent; see also answer to question 12 below); and
  • ways of protecting collected data according to the GDPR, as well as tight deadlines for communication with whistleblowers[6]; and
  • an integrated system of protection of whistleblowers against any retaliatory action directly or indirectly linked to their reports or declarations, with a reversal of the burden of proof (meaning the employer must give proof of the non-retaliatory nature of measures adopted vis-à-vis whistleblowers); and
  • the procedures to be taken in case of anonymous whistleblowing report.

The treatment of whistleblowers and their reports is laid down in various specific laws in Portugal.

Law 93/2021

Under Law 93/2021, a whistleblower of work-related offences must not be retaliated against. Furthermore, imposing disciplinary penalties on the whistleblower within two years after their disclosure is presumed to be abusive. The whistleblower is entitled to judicial protection and may benefit from the witness protection programme within criminal proceedings. Additionally, reports will be recorded for five years and, where applicable, personal data that is not relevant for the handling of a specific report will not be collected or, if accidentally collected, will be deleted immediately.

Corruption and Financial Crime Law (Law 19/2008)

Under Law 19/2008, a whistleblower must not be hampered. Furthermore, the imposition of disciplinary penalties on a whistleblower within one year following the communication of the infraction is presumed to be unfair.

Additionally, whistleblowers are entitled to:

• anonymity until the pressing of charges;
• be transferred following the pressing of charges; and
• benefit from the witness protection programme within criminal proceedings (remaining anonymous upon the verification of specific circumstances).

Money Laundering and Terrorism Financing Law (Law 83/2017)

Law 83/2017, which sets forth the legal framework to prevent, detect and effectively combat money laundering and terrorism financing, applies to financial entities and legal or natural persons acting in the exercise of their professional activities (eg, auditors and lawyers)(collectively, obliged entities).

According to article 20 of Law 83/2017, individuals who learn of any breach through their professional duties must report those breaches to the company's supervisory or management bodies. As a result, the obliged entities must refrain from threatening or taking hostile action against the whistleblower and, in particular, unfair treatment within the workplace. Specifically, the report cannot be used as grounds for disciplinary, civil or criminal action against the whistleblower (unless the communication is deliberately and clearly unjustified).

Legal Framework of Credit Institutions and Financial Companies (RGICSF)

Credit institutions must implement internal-reporting mechanisms that must guarantee the confidentiality of the information received and the protection of the personal data of the persons reporting the breaches and the persons charged. Under article 116-AA of RGICSF, persons who, while working in a credit institution, become aware of:

• any serious irregularities in the management, accounting procedures or internal control of the credit institution; or
• evidence of a breach of the duties set out in the RGICSF that may cause any financial imbalance, must communicate those circumstances to the company's supervisory body.

These communications cannot, per se, be used as grounds for disciplinary, criminal or civil liability actions brought by the credit institution against the whistleblower.

Moreover, article 116-AB of the RGICSF establishes that any person aware of compelling evidence of a breach of statutory duties may report it to the Bank of Portugal. Such communications cannot, per se, be used as grounds for disciplinary, criminal or civil liability actions brought by the credit institution against the whistleblower, unless the report is clearly unfounded.

The Bank of Portugal must ensure adequate protection of the person who has reported the breach and the person accused of breaching the applicable duties. It must also guarantee the confidentiality of the persons who have reported breaches at any given time.

Portuguese Securities Code (CVM)

Article 382 of the CVM states that financial intermediaries subject to the supervision of the Portuguese Securities Market Commission (CMVM), judicial authorities, police authorities, or respective employees must immediately inform the CMVM if they become aware of facts that qualify as crimes against the securities market or the market of other financial instruments, due to their performance, activity, or position.

Additionally, according to article 368-A of the CVM, any person aware of facts, evidence, or information regarding administrative offences under the CVM or its supplementary regulations may report them to the CMVM either anonymously or with the whistleblower's identity. The disclosure of the whistleblower's identity, as well as that of their employer, is optional. If the report identifies the whistleblower, their identity cannot be disclosed unless specifically authorised by the whistleblower, by an express provision of law or by the determination of a court.

Such communications may not be used as grounds for disciplinary, criminal, or civil liability action brought against the whistleblower, and they may not be used to demote the employee.

According to article 368-E of the CVM, the CMVM must cooperate with other authorities within the scope of administrative or judicial proceedings to protect employees against employer discrimination, retaliation or any other form of unfair treatment by the employer that may be linked to the communication to the CMVM. The whistleblower may be entitled to benefit from the witness-protection programme if an individual is charged in criminal or administrative proceedings because of their communication to the CMVM.

If an employee complains to his or her superiors about grievances or misconduct in the workplace and is subsequently dismissed, this may constitute an unlawful termination (article 336, Swiss Code of Obligations). However, the prerequisite for this is that the employee behaves in good faith, which is not the case if he or she is (partly) responsible for the grievance.