news and insights


18 APR 2019    WHISTLEBLOWER – NEW EU RULES TO PROTECT THE REPORTING SUBJECTS

The EU Parliament has enacted a new Directive, not yet published in the EU Official Journal, to protect whistleblowers who reveal breaches of EU law in a wide range of areas, including public procurement, financial services, money laundering, product and transport safety, nuclear safety, public health, and consumer and data protection.

Safe Reporting Channels
To protect whistleblowers and ensure that the information disclosed remains confidential, the new rules allow whistleblowers to disclose information through different reporting channels: internally, to the legal entity concerned (i.e. the company), or directly to the competent national authorities, as well as to the relevant EU institutions, bodies and agencies. Companies and national authorities must therefore set up such reporting channels. Where no such channel exists, the whistleblower will still be protected if he/she elects to disclose the information publicly. This obligation shall not apply to small companies and small municipalities.

Safeguard against retaliation

The EU Directive prohibits reprisals and introduces new safeguards to prevent the whistleblower from being suspended, demoted or intimidated, or from facing other forms of retaliation. The same protection is provided to those assisting whistleblowers (such as colleagues or relatives).
Member States must ensure that whistleblowers have free access to information on the available procedures and remedies, as well as to legal assistance during the proceedings. The reporting subject may also receive financial and psychological support during legal proceedings.

Next Steps
The Directive must now be approved by the EU Ministers and, following its publication in the EU Official Journal, Member States will have 2 years to implement it.

11 APR 2019    ITALIAN DATA PROTECTION AUTHORITY – DATA BREACH - ROUSSEAU PLATFORM

Decision of the Italian Data Protection Authority 4th April 2019 no. 9101974

By a recent decision (4th April 2019) the Italian Data Protection Authority, acting also on reports by private citizens, has ruled on a data breach case involving the Rousseau platform and other websites linked to Movimento 5 Stelle.
Article 33 of EU Regulation 2016/679 on data protection requires data breaches to be notified to the Authority within 72 hours of the event and/or of the moment in which knowledge of it is acquired (i.e. episodes of unlawful access to a computer system and breach of security measures in order to illicitly acquire data held on a server, or cases of file encryption by malware with a simultaneous demand for a ransom payment in bitcoin).
The case under reference began in 2017 when, following an investigation, the Authority issued a first decision (no. 7400401 of 21st December 2017) indicating specific actions to improve the above platforms, having identified numerous critical areas from an IT point of view which compromised their security, also with respect to unauthorized access to the platforms, in evident breach of data protection law (the then applicable Data Protection Code, Italian Legislative Decree no. 163/1996, and numerous decisions of the Data Protection Authority). Amongst the preliminary measures ordered in 2017, the Authority required the following:
- an increase of the minimum length of the passwords used to access the system;
- adoption of the HTTPS network protocol to ensure higher security;
- adoption of sound cryptographic algorithms to adequately protect users’ passwords;
- auditing measures to verify the lawfulness of data processing with reference to the e-voting system run through the platforms under reference, by keeping a record (log) of the IT system administrators’ accesses to, and of the operations performed on, the database of the Rousseau Platform (in compliance with a General Decision of the Data Protection Authority of 2008 concerning IT system administrators); as well as
- improvement of the information given to data subjects according to the then applicable article 13 of Italian Legislative Decree 196/2013.
Furthermore, the above decision declared unlawful the processing of users’ data by the owners of the websites connected to Movimento 5 Stelle, since the data had been communicated to third parties (Wind Tre S.p.A. and ITNET S.r.l.) without an adequate legal basis.
Following the above preliminary prescriptions, the Data Protection Authority investigated further in order to ascertain whether and how the measures provided for in 2017 had been implemented.

At the end of the above investigation, and after two postponements granted at the request of Association Movimento 5 Stelle and the Rousseau Platform, the Authority performed technical checks aimed at concretely verifying the soundness of the security measures adopted with respect to the critical aspects identified in 2017. Remaining infringements emerged, which led the Authority to impose a fine of € 50,000 on Association Rousseau, in its capacity as Data Processor of Movimento 5 Stelle, under article 58 of EU Regulation 2016/679 (GDPR), for breach of article 32 of the GDPR (security of processing).

Amongst the main infringements of data protection law that emerged from the Authority’s investigations, we highlight the following:

- obsolescence of some software components of the websites (the vendor of the CMS software in question has not issued updates for it since 2013);

- notwithstanding the adoption of a system for tracing the activity performed, the system used in the Platforms does not adequately trace accesses (reading and/or amendment) to the database by the System Administrators of the Rousseau Association, who can operate, for example, on users’ data without their activity being adequately traced, so that the IT auditing required by the Authority cannot be carried out; this exposes the personal data held in the Platforms to a high risk of breach;

- the measures adopted have not eliminated the possibility of altering, deleting or extracting offline copies of the results of e-voting operations on the platform: in other words, the integrity, authenticity and confidentiality of the vote are not guaranteed against those who act as Database Administrators;

- finally, the same authentication credentials were shared among the authorised persons granted high privileges for the management of the platforms supporting the websites www.movimento5stelle.it and rousseau.movimento5stelle.it; this prevents actions performed in the computerised system from being attributed to a specific authorised person, to the detriment of the controller, which is thus unable to control the activity of these technically important figures.

Together with the administrative fine, the Authority has set precise deadlines for the adaptation and improvement of the platforms under reference, ordering Association Movimento 5 Stelle, in its capacity as controller, and Association Rousseau, as processor, to carry out a data protection impact assessment with specific reference to the e-voting functionality of the platform.

Avv. Grazia Quacquarelli, LL. M.

16 MAR 2019    CODE OF BUSINESS CRISIS AND INSOLVENCY - CHANGES TO THE CIVIL CODE

On 16th March 2019 some provisions of Legislative Decree no. 14 dated 12th January 2019 (the so-called “Code of companies’ crises and insolvencies”, hereinafter “Code of Crisis”, published in Official Journal no. 38 of 14th February 2019) came into full force and effect. The Code of Crisis is composed of 391 articles, most of which will come into force in August 2020.
Amongst the provisions which came into force as of 16th March, we illustrate some of the most significant, which have amended the Italian Civil Code.
A. Article 375 of the Code of Crisis
This article amends article 2086 of the Italian Civil Code, introducing a second paragraph which requires the entrepreneur who operates through a company to adopt and implement an “organizational, administrative and accounting structure” consistent with the nature and size of the company, also in order to promptly detect any sign of the company’s crisis and loss of business continuity. The entrepreneur is also obliged to take any adequate step to adopt and implement any action provided for by law to overcome the crisis and, consequently, recover business continuity. The legislator therefore intended to further involve and empower the entrepreneur, obliging it to adopt an adequate internal structure able to promptly detect the crisis and, consequently, act to recover business continuity.
B. Article 377 of the Code of Crisis
This article amends articles 2257, 2380-bis, 2409-novies and 2475 of the Italian Civil Code, imposing the adoption of adequate corporate organizational structures and reiterating that the management of the company is the exclusive responsibility of the Directors, who perform the operations necessary to achieve the corporate purpose.
C. Article 379 of the Code of Crisis
It amends article 2477 of the Italian Civil Code, providing, for limited liability companies, the obligation to appoint a supervisory body (Auditor or Board of Auditors) if:
I. the company is obliged to draft consolidated financial statements;
II. the company controls another company which is obliged to have a statutory audit;
III. the company has exceeded, for two consecutive financial years, at least one of the following limits: 1) total assets of the balance sheet: Euro two million; 2) income from sales and turnover: Euro 2 million; 3) average number of employees during the financial year: 10.
According to article 2477, fifth subparagraph, of the Italian Civil Code, the obligation to appoint a supervisory body or an auditor shall be complied with by the shareholders’ meeting within 30 days from approval of the financial statements in relation to which those limits have been exceeded; failing this, the appointment is made by the competent Court, upon request from any interested party or “upon reporting from the Registrar of the Companies’ Register” (as introduced by the Code of Crisis).
Finally, limited liability companies and cooperative companies, if the requirements of article 2477, first subparagraph, of the Italian Civil Code are met, shall appoint the supervisory body or the auditor and, if necessary, adapt and amend the Deed of Incorporation and the Articles of Association to the above new regulations within 9 months from 16th March 2019 (i.e. by 16th December 2019).

06 MAR 2019    FRAUDULENT WORK SUPPLY - LABOUR INSPECTORATE CIRCULAR N. 3/2019

Legislative Decree no. 87/2008, converted into Law no. 96/2018, has re-introduced into the Italian legal system the crime of fraudulent manpower supply (article 38 bis of Italian Legislative Decree no. 81/2015), which occurs when “the work supply is implemented with the specific goal of avoiding the application of compulsory rules of law or of collective agreements applicable to the worker”. The sanction provided for is equal to € 20 per worker for each day of the supply.
The Labour Inspectorate, by circular no. 3/2019, has provided some clarification concerning the different hypotheses in which the above crime occurs, as follows:
- through an illicit building contract, aimed at avoiding the applicability of compulsory rules of law or of collective agreements and thereby allowing the employer to save on labour costs; or
- through the involvement of work agencies, when the employer dismisses an employee with a view to re-hiring him/her through a work agency, thus breaching the rules of law or collective agreements; and
- through fake transnational secondments by the Italian employer, insofar as the secondment serves to avoid internal rules or collective agreements.
Besides applying monetary sanctions, the Labour Inspectorate shall apply prescriptive measures aimed, by way of example, at obliging the effective employer to hire the workers for the entire duration of the contract.
Finally, the Labour Inspectorate has indicated, amongst the elements supporting the existence of a fraudulent intention (besides the avoidance of compulsory regulations), the occurrence of situations of financial distress of the firm and the consequent impossibility of sustaining the cost of personnel in the light of the annual turnover.

17 JAN 2019    ANTICORRUPTION LAW

On 16th January 2019, Law no. 3 dated 9th January 2019 (“Measures to prevent crimes against Public Administration, as well as concerning the statute of limitation of crimes and transparency of political parties and movements”, the so-called “Anti-Corruption Law”) was published in the Official Journal (Official Journal no. 13 of 16th January 2019). The Law will come into full force and effect on 31st January 2019.
The provision contains important new regulations concerning the prevention of and fight against corruption in Public Administration and, more generally, in the field of criminal law.
More precisely, the punishments for the crimes of corruption and embezzlement are changed (for the first, the words "from one to six years" are amended to "from three to eight years"; for the second, the words "with imprisonment of up to three years and with a fine of up to € 1,032" are replaced by "with imprisonment from two to five years and with a fine from € 1,000 to € 3,000"). Moreover, for the crime of improper corruption, the penalty is increased from one year to three years of imprisonment (in the minimum) and from six to eight years (in the maximum).
Finally, those convicted of offences against Public Administration (amongst which embezzlement, corruption and bribery) will no longer be allowed to benefit from penalties alternative to imprisonment, such as premium permits and assignment to external work.
Any sentence for the above offences, whether committed to the detriment or to the benefit of a business activity, or in connection with it, entails, as an ancillary punishment, a ban from public office and the inability to enter into any agreement with Public Administration. The ban and inability can be perpetual (with the exception of obtaining a public service) or temporary, if the punishment inflicted is below a given period of time or specific mitigating circumstances occur.
The Anti-Corruption Law also amends Legislative Decree 8th June 2001 no. 231, by both (i) raising the maximum duration of the measures against entities as a consequence of corruption crimes and (ii) introducing trading in illicit influence (article 346 bis of the Italian Criminal Code) amongst the predicate offences of the mentioned Decree.

11 JAN 2019    UNAUTHORISED ACCESS INTO A COMPUTER SYSTEM

Having found out the above, the bank decided to report the employee, taking into account that the second employee, the addressee of the e-mails and the one who had solicited them, had no password or authorisation to access these data. The Court of Appeal of Milan (by decision of 10th July 2017) also confirmed the liability (ascertained by the Court of First Instance) of the e-mails’ addressee, finding him guilty of the crime provided for under article 615 ter of the Italian Penal Code (“unlawful access into a computer system”). More specifically, the defendant’s contribution consisted in having incited the colleague to commit the crime, asking him to forward the above-mentioned data even though he was not authorised to access them.
The employee appealed the Court of Appeal’s decision before the Supreme Court, alleging, amongst other things, breach of law and defective reasoning on the alleged occurrence of the crime under article 615 ter of the Italian Penal Code, on the basis that “merely sending an e-mail from a colleague to another, through one’s own e-mail account, cannot integrate the objective requirement of the crime under reference”.
However, the Supreme Court considered the appeal unfounded, reiterating the principle of the Supreme Court’s (Joined Chambers) decision no. 41210 of 18th May 2017, according to which “any employee’s behaviour in breach of the above duties (loyalty) is illicit and unauthorized, as it evidences the intrinsic incompatibility of the access into the computer system with a use thereof inconsistent with the spirit of the relevant power’s granting”.
As a consequence, remaining in a computer system for longer than allowed and/or in order to commit a forbidden activity (i.e. “transmittal of the list to a subject not authorised to have knowledge thereof”) also integrates the conduct provided for and punished by article 615 ter of the Italian Penal Code; furthermore, as per the above, the employee who asks a colleague to forward him data which he is not authorised to access can be involved in the crime under reference.

21 DEC 2018   SISTRI'S ABOLITION

Decree Law no. 290 of 14th December 2018, "Urgent provisions on support and simplification for businesses and for public administration" (hereinafter the "Simplification Decree"), was published in the Official Gazette, General Series no. 135, and entered into force on 15th December 2018. Among the innovations contained in the Simplification Decree, we point out that, under art. 6 of the aforementioned provision, with effect from 1st January 2019 the waste tracking control system (SISTRI), provided for by article 188-ter of Legislative Decree 3rd April 2006, no. 152 (T.U. ambiente), has been abolished. Consequently, from the beginning of next year and until a new waste traceability system is defined (which, according to paragraph 3 of art. 6 of the Simplification Decree, will be organized and managed directly by the Ministry of the Environment and the Protection of the Territory and the Sea), the subjects required to track waste will continue to fulfil their obligations through paper forms, by filling in the loading and unloading registers and the waste identification form.