In Italy, the occurrence of an event involving conduct contrary to the law and/or company rules of conduct, or merely the reporting of such event through whistle-blowing channels or otherwise, would give rise to the launch of an HR internal investigation. In some cases, such conduct may be detected even if carried out off company premises (ie, unlawful or criminal conduct committed outside the workplace but impacting the contractual relationship). Many such cases are extensively documented in Italian case law, such as a bank or supermarket cashier arrested for theft or fraud against third parties, an employee caught using drugs outside working hours, and instances of sexual assault, underscoring the need to assess each case with specific attention, as it differs from any other.

In the Italian legal system, there are various ways to conduct internal investigations in the context of personnel management, not all of which are regulated by law. Their implementation depends on the specific case and the type of conduct to be verified, and on the particular judicial protection needs that may concern the employer.

• The first level of investigation is not regulated by any specific legal provisions and is carried out internally within the company, either through document review or by collecting information from colleagues or third parties. In such cases, the most appropriate way to collect and manage information is guided by evidentiary requirements for potential future litigation. It is therefore advisable to gather information in compliance with privacy regulations and to keep a documented record of any statements made by third parties, ensuring that such statements are signed by their authors whenever possible.
• The second level is much more specific, and pertains to so-called defensive investigations. These are formal tools for gathering information relevant to criminal proceedings and are generally employed when the conduct to be verified has potential criminal implications. Defensive investigations are carried out by a defence lawyer with a special mandate to search for and identify (also as a preventative measure) evidence in favour of their client – in the context of or with a view to criminal proceedings – and are regulated by Articles 327bis and 391bis of the Italian Code of Criminal Procedure.
• There are also investigations conducted under whistle-blowing frameworks, which are governed by a dedicated and specific regulatory framework concerning the conduct addressed in Legislative Decree No 24/2023 of 10 March 2023 (the “Whistle-Blowing Decree”).
• Finally, a company may ascertain facts through a formal audit, carried out by either an internal function or a dedicated external company, in compliance with the specific provisions governing such formal mechanisms of investigation. These audits are designed to produce accurate and impartial third-party documentation.

These channels can also interact with one another – meaning that, during an investigation, the method of verification can be adjusted based on the specific case. Throughout any of these processes, a company may choose to engage external professionals with specific investigative expertise (eg, private investigators or forensic and technological consulting firms), provided they are employed in compliance with privacy regulations. Investigative agencies must also possess the proper authorisations issued by the Ministry of the Interior.

It is particularly important to note that, in Italy, the regularity of the investigative process can directly affect the legitimacy of any resulting dismissal measures. This, in turn, can have significant financial consequences for the company or employer.

In general, then, the regulations are derived indirectly through the limits placed by labour law – ie, Law No 300/1970 (the “Italian Workers’ Statute”), special laws (especially on safety matters) and collective agreements), in particular – and by privacy law, criminal law and criminal procedural law.

In Italy, there is no obligation for employees to report through a specific channel. Employees are free to make reports in any manner, and the company can decide whether to initiate subsequent investigations.

There is a specific exception concerning the rules on so-called whistle-blowing, which were introduced in 2017 and later reformed in 2023. Specifically, this obligation was provided for by Article 4 of the Whistle-Blowing Decree. It requires companies to activate their own “reporting channels”, which guarantee that the identity of the reporting person and any other information from which this identity could be inferred – directly or indirectly – may not be disclosed without the express consent of the reporting person themselves. Also, this channel must guarantee the confidentiality of the person involved and any person mentioned in the report, as well as the content of the report and its documentation.

Furthermore, the law stipulates that the activation of these internal channels must take place with the involvement of trade union organisations (this is purely informative involvement, for the sole purpose of the company potentially obtaining opinions from these organisations). Within this channel, reports can be made in two ways at the employer’s choice:

• in writing (preferred); or
• orally (through telephone lines, voice-messaging systems or face-to-face meetings).

The Whistle-Blowing Decree provides that the management of the report must be entrusted to a person, internal or external to the administration, or to a dedicated office – both of which must have autonomy. In this case, “autonomy” entails:

• impartiality ‒ the person in charge must operate in a neutral and equidistant manner with regard to the parties involved, carrying out an activity free from any conditioning or favouritism; and
• independence – the person in charge must be capable of freely carrying out the activities to which they are bound for the purpose of managing the report, without interference.

In other words, the person in charge must possess operational and evaluative autonomy.

However, if the investigation results not from a report but from direct knowledge of facts committed by one’s own employee, Italian legislation does not expressly stipulate which figures may or may not “play a role” in the management of an internal investigation. It is the employer (the “company”) that is formally the “counterparty” in any internal investigation; in such operations, the company (through its highest representatives) may operate with the help of whomever it deems most appropriate, which is usually HR offices and managers. In this scenario, external activities are only permitted in private investigations, which are subject to stringent legal regulations and jurisprudential guidelines. In some cases, however, the assessment may require external expertise, including technical or scientific expertise, for which an independent consultant is selected (for both options).

There is no obligation to carry out an HR internal investigation in any circumstances. At most, as argued in doctrine, there is a legal obligation to consider the option of carrying out an internal investigation (after gaining knowledge of news/events relevant thereto). This could be considered an obligation only if the company receives information through the mandatory reporting channels, given that Article 5 of the Whistle-Blowing Decree provides that the company must “diligently follow up” on reports received.

In any case, and regardless of the referenced regulation, it is important to also consider the Italian rules on corporate criminal liability ‒ ie, whenever a company becomes aware of potentially criminal conduct, it is advisable to conduct internal investigations or full audits to ascertain the facts, identify risk areas and responsible parties, and adopt the most effective legal, HR and organisational measures. This approach aims to mitigate the company’s liability and economic risks (and even personal risks for executives and the board).

There is no specific regulation prohibiting the carrying out of an investigation under certain circumstances, except for the special provision in Article 8 of the Italian Workers’ Statute that prohibits any kind of investigation – including by third parties ‒ into workers’ political, religious or trade union opinions, or into any other matters that are not relevant in assessing the worker’s professional aptitude. It should be also noted that, if the competent authorities are investigating the same facts, the company must not take any action that could interfere with that investigation and must comply with the prescriptions that it will eventually receive.

In the specific case of the possible involvement of the judiciary in criminal offences, the investigation of criminally relevant facts falls under the jurisdiction of the competent public prosecutor’s office (Procura della Repubblica) (see 8.4 Criminal Cases). The company must take action (the so-called self-cleaning measures) to prevent the continuation of the offence and ascertain the facts that are immediately discernible to it, while remaining autonomous in taking disciplinary action against the employee involved.

An employer’s decision on whether or not to go ahead with an HR internal investigation in cases where an investigation is neither obligatory nor prohibited usually depends on matters of business expediency, and is determined on a case-by-case basis. More specifically, in all cases where an investigation is not formally mandatory, the employer could be indirectly obliged to conduct one in order to avoid violating the provisions set forth in Article 2087 of the Italian Civil Code (which require the employer to adopt all necessary measures to safeguard the physical integrity and psychological well-being of employees) and Legislative Decree 81/2008 (the “Decree on Workplace Safety”), which regulates health and safety in the workplace. This applies even in cases where companies have adopted the so-called 231 Model. In any case, it is a matter of prudence to prevent a known but unverified fact from becoming internally accepted, as this could result in an inability to sanction the employee responsible and even in executives being held liable for negligence due to their failure to act.

Article 5 of the Whistle-Blowing Decree requires an acknowledgement of receipt of the report to be issued to the reporting person within seven days from the date of receipt, which all happens completely anonymously. If the information is received outside the objective and subjective boundaries of the whistle-blowing regulation, the reporter has no right to receive feedback regarding the report.

The legislation does not recognise a general and unconditional right of the reported person to be informed of the report concerning them; such right is ensured only where the internal investigation is brought to an end and, as a consequence thereof, the reported person is formally notified of the alleged misconduct by means of a disciplinary charge letter, which they may challenge and defend against in accordance with the applicable law and collective bargaining agreement. However, in support of the reported person and their right of defence, Article 12(9) of the Whistle-Blowing Decree further provides that such person may be informed or, upon request, be heard through a paper-based procedure, by means of the submission of written observations and documents.

The Italian legal system lacks a rule regulating possible co-operation with the authorities and the channels of communication with them, nor is there a regulation regarding incentives for carrying out internal investigations or uncovering offences. Therefore, employers are generally not obliged to report criminal acts to the authorities unless they are considered public officials or people in charge of a public service. However, certain criminal acts (eg, corruption, bribery, money laundering or fraud against the state) may require mandatory reporting under specific circumstances, particularly in regulated industries or where public resources are involved; see 8.4 Criminal Cases for more detail.

In Italy, the legal system is primarily concerned with ensuring the confidentiality of the whistle-blower and protecting them. However, there are no limitations on confidentiality through non-disclosure agreements (NDAs). The issue, in this regard, mainly concerns the production of statements in court and their use during the investigation process. The parties may legally undertake to provide such statements but, regardless of the existence of such a confidentiality agreement, may then be required to abstain from such undertakings by the competent authorities in cases provided for by law.

In any case, parties are not typically asked to sign confidentiality agreements and/or NDAs covering an HR internal investigation. If there is no agreement to this effect, the employer may still demand the secrecy of internally shared information by virtue of the employees’ duties of diligence, obedience and loyalty (pursuant to Articles 2104 and 2105 of the Italian Civil Code). However, it must be borne in mind that waivers and settlements – in whole or in part ‒ that have as their object the rights and protections provided for in the decree are not valid unless they are made in the form and manner provided for in Article 2113(4) of the Italian Civil Code (in the protected venues, in trade unions or before the judicial authorities).

Where confidentiality has been the subject of an express legal undertaking, such conduct could be the subject of a possible legal challenge between the parties, but would certainly constitute conduct that could be challenged from a labour law point of view. In the event that confidentiality was not the subject of an express agreement, such conduct can only be challenged from a labour law point of view (under the above-mentioned duties).

In Italy, it is possible to conduct a preliminary investigation to determine whether a full HR internal investigation is warranted. However, it is important to be very cautious, as there is a real risk of information leaks or “contaminating” the evidence.

Nonetheless, there is no legal prohibition or formal procedure by law. It is an internal evaluation and a matter of common sense based on the principle of evidence; where there is a risk or perception of an issue, the legal need for an investigation and its type can be assessed. In any case, owing to the lack of regulation, the employer may operate as it sees fit. It is worth considering that, under Italian law (again, given that internal investigations and their requirements are not regulated), potential preliminary internal investigations would hardly be distinguishable from actual and complete internal investigations, from a logical point of view.

Typically, whistle-blowers and employees (or external collaborators) who are potentially aware of the facts are interviewed in the course of an HR internal investigation in Italy. Where the activities concern behaviour by an employee that does not have any corporate or criminal implications (ie, a simple HR investigation), and where it is deemed necessary to hear witnesses, at least two are usually preferred (if their versions coincide).

In Italy, whether or not there is anything an employer can do if an interviewee refuses to participate in the investigation, or only participates in certain aspects of it, will depend on the specific situation. If an investigation proves an employee’s knowledge of the facts, such reticence to participate could potentially be the subject of an independent disciplinary charge against the employee, considering the potential violation of the duties of diligence, loyalty and obedience mentioned in 2.3 Confidentiality Agreements and NDAs. Obviously, it is not possible to suggest a standardised solution in any one particular situation, as any solution should be carefully and cautiously weighed against the facts of the case.

As there is no normative reference in Italy, there are no restrictions on the ways in which interviews can be carried out in HR internal investigations, so they can be conducted remotely (eg, via Teams or Zoom). In defensive investigations, it is also possible to record the interview with a video camera; the employee must provide a specific statement to the external lawyer who records it, declaring that what has been stated and recorded matches exactly what they have said and that they are criminally liable. This means that if it emerges that they lied, they would be committing the crime of making false statements to the lawyer, who in that context is considered a public official.

In Italy, practice dictates that interviews are conducted by HR offices and managers, without any restrictions on the number of interviewers. There are no constraints regarding issues of gender, objectivity or seniority.

There are no instances in which a neutral third party is required to be present during interviews as a witness in HR internal investigations in Italy.

Interviewees do not have the automatic right to be accompanied by a support person or a lawyer during an interview as part of an HR internal investigation in Italy, but the company can always conduct the investigations through a lawyer. However, if the internal investigation concerns potentially criminal facts, the employee should be reminded of their right to refrain from testifying on circumstances involving their own involvement, and the employee will certainly not be obliged to answer when the integrity of the privilege against self-incrimination is at risk. This is not the case at the venue for disciplinary justifications after an employee has received a disciplinary letter; there, the employee can be accompanied by a union representative (if the challenged employee so requests). If the person is “accused” of conduct that is punishable under labour law, they can ask to present their justification in the presence of a union representative appointed by themselves, after receiving a disciplinary notice, and the employer cannot deny such appointment.

As there is no normative reference in Italy, there is no information that interviewers are required to provide to interviewees at the start and/or the end of an interview in an HR internal investigation, with the exception of the reminder of their right to refrain from testifying on circumstances involving their own involvement where the internal investigation concerns potentially criminal facts, as outlined in 3.6 Support Person and/or Lawyer.

Owing to the lack of normative reference in Italy, interviewees are free to request that the interview be stopped in an HR internal investigation. Such conduct – as already depicted – can potentially only stand alone (or, rather, in a separate disciplinary procedure) for violation of the duties of diligence, loyalty and obedience mentioned in 2.3 Confidentiality Agreements and NDAs.       

It is not necessary to take minutes during an interview as part of an HR internal investigation in Italy, but it can be done, depending on the type of offence being investigated. In the case of conduct relevant only to labour law, a report may be advisable, but the interviewed employee may be called as a witness before the judicial authorities in the event of litigation between the company and the charged employee. However, in cases where the employee presents their justification orally (in a disciplinary proceeding) – especially if accompanied by a union representative – it is advisable to prepare a record of the meeting, which will then be signed by the parties involved.

The possibility of recording a witness as part of internal company investigations is a sensitive issue that requires balancing organisational needs with compliance with applicable law ‒ in particular, with regard to privacy, the right to confidentiality, and individual liberties. Generally speaking, a company may record a witness in the context of HR internal investigations, provided that this is proportionate and justified by a legitimate interest, and complies with data protection legislation. However, it is advisable to act transparently, and to inform the witness whenever possible and adequately protect the data collected. As already explained in 1.2 Bases, it is possible to record an interview in so-called defensive investigations.

If a participant (whether the whistle-blower, the person being reported or a manager handling the report) records a conversation without informing the others, the lawfulness of this action and the admissibility of the recording will be assessed ex post facto based on jurisprudential principles, rather than depending on preventative safeguards. Recording for non-defensive purposes or disseminating the content is a criminal offence.

Given that HR internal investigations are not regulated in Italy, the methods of investigation have not been formalised. The modalities chosen in each instance must still be carried out in compliance with Italian laws (in particular, labour law, privacy law and criminal procedural law). Article 8 of the Italian Workers’ Statute contains a very stringent rule on this point, prohibiting the employer from carrying out investigations ‒ even by means of third parties ‒ into the employee’s political, religious or trade union opinions, as well as into facts that are not relevant to the assessment of the employee’s professional aptitude.

With regard to the employer’s duty to protect the reporter during an HR internal investigation, the Whistle-Blowing Decree provides that:

• the identity of the whistle-blower may not be disclosed to persons other than those competent to receive or follow up on whistle-blowing reports;
• the protection concerns not only the name of the whistle-blower but also all elements of the report from which the identification of the whistle-blower may be derived, even indirectly; and
• the protection of confidentiality is extended to the identity of the persons involved and the persons mentioned in the report until the conclusion of the proceedings initiated on account of the report, in compliance with the same guarantees provided for in favour of the whistle-blower.

There are no protection and guarantee mechanisms for the subjects of the report in HR internal investigations who are unaware of a process that is not managed by third parties but by other corporate units, such as internal auditing. The protection of the whistle-blower is lost if they are found to be liable for libel, slander or defamation. On this assumption, the respondent (who will know the identity of the reporter) may possibly act against the reporter by way of compensation for damage to their image and reputation.

Although internal investigations and disciplinary proceedings may often travel on the same track, they could well be separated, being potentially autonomous from each other (internal investigations may relate to more situations than those concerning a single employment relationship involved in the specific investigations). Having become aware of any conduct or of any infringement of the law or company regulations, the employer may serve a disciplinary letter on the employee and may then issue a disciplinary sanction, in accordance with the formalities laid down by law and by collective bargaining. In cases where the accusations are particularly serious and well founded, upon issuing the disciplinary notice, the employer may precautionarily suspend the respondent (who will therefore not be allowed to return to the workplace) pending their justification and the conclusion of the disciplinary procedure.

Employees are protected as described in 4.1 Protection of the Reporter whenever they act as whistle-blowers, facilitators (individuals who assist the whistle-blower in the reporting process, such as colleagues or representatives) and witnesses. In any case, the employer may ‒ pending completion of the investigation ‒ demand such measures as it deems appropriate, such as the precautionary suspension mentioned in 4.3 Measures Against the Respondent (which, in fact, can also be adopted in the case of conduct potentially capable of negatively affecting the safety and protection of the employee population).

There are no specific provisions regarding procedural guarantees that must be put in place or steps that must be followed in HR internal investigations in Italy (with the exception of the reminder of an employee’s right to refrain from testifying on circumstances involving their own involvement where the internal investigation concerns potentially criminal facts, as outlined in 3.6 Support Person and/or Lawyer). It is understood that investigations must be carried out in fairness and good faith (Articles 1175 and 1375 of the Italian Civil Code), without discriminatory and/or intimidating attitudes. The purpose of investigations (and this is therefore reflected in the materiality of how they are carried out) must obviously comply with Article 8 of the Italian Workers’ Statute, which prohibits any kind of investigation – including through third parties ‒ into workers’ political, religious or trade union opinions, or into matters that are not relevant to assessing the worker’s professional aptitude.

The employer can and should provide an internal regulation along the lines of the general provisions of the Whistle-Blowing Decree, pursuant to the provisions set forth therein. The Whistle-Blowing Decree establishes the obligation to implement an internal or external channel for receiving and managing reports concerning violations of national or EU regulations where such violations are detrimental to the company. The legislature aimed to encourage the use of internal channels within the organisation, as they are closer to the source of the issues being reported; effective prevention and prompt detection of violations depend on obtaining relevant information from those closest to the origin of the violations.

Such internal reporting channels must ensure the confidentiality of the identity of the whistle-blower, the person involved and the person mentioned in the report, as well as the content of the report and the related documentation. The National Anti-Corruption Authority (Autorità Nazionale Anticorruzione, or ANAC) has the power to impose an administrative monetary penalty ranging from EUR10,000 to EUR50,000 when it identifies the following within public and private sector entities (Article 21, paragraph 1, letter b) of the Whistle-Blowing Decree):

• the failure to establish reporting channels;
• the failure to adopt procedures for submitting and managing reports; or
• the existence of procedures that do not comply with the provisions of Articles 4 and 11 of the Whistle-Blowing Decree.

Regarding the most efficient way to carry out investigations, the 2023 Standard ISO-37008 (“Internal Investigations of Organisations – Guidance”) offers general but comprehensive insights regarding the instruments to be employed and the best practices to be followed during HR internal investigations. However, such investigative tools and best practices must be employed in compliance with the complex scenario of Italian legislation.

In HR internal investigations in Italy, the employer bears the burden of proof, through the offices and the persons responsible for this task. The documentation related to each report must be kept for the necessary time, and under no circumstances for longer than five years from the date of communication of the final outcome of the reporting procedure. In cases where the evidence is preparatory to a disciplinary sanction, it must be assumed that ‒ even in the absence of a codified division of the “degree” of proof – the evidence must be such as to lead to the incriminated fact being considered as having happened.

In Italy, there are no provisions governing when an HR internal investigation may be ended. In any case, it could be argued that the employer may discontinue the investigation when it has established the existence or non-existence of the circumstances underlying the report.

Following an HR internal investigation in Italy, the employer is obliged to inform the reporting person of the outcome of their report, including whether the report has been dismissed or whether it has been determined to be well-founded and eventually forwarded to the competent authorities. The Whistle-Blowing Decree provides that acknowledgement must be provided to the reporting person within three months from the date of the acknowledgement of receipt or, in the absence of such notice, within three months from the expiry of the seven-day period from the submission of the report.

However, this deadline is not peremptory. In fact, it may be that some investigations and analyses require more time. In this case, the reply to the reporting person takes on an interlocutory character and is aimed at informing them of the stage of progress of the investigation by the employer and/or of the activities the latter intends to carry out.

In Italy, there are no rules governing the form that the conclusion of an HR internal investigation must take.

Since there is no normative reference in Italy, any written reports that are used are completely non-formalised. They tend to take into account the information and investigation steps carried out in chronological order, in conjunction with the evidence collected.

As mentioned in 6.2 Procedure for Ending an HR Internal Investigation, the whistle-blower has the right to receive information on the outcome of the investigations carried out in relation to their report. The reported person, on the other hand, has the right to receive the information as part of any disciplinary proceedings initiated against them following the conclusion of the verification and analysis of the report and in the event that such proceedings are based in whole or in part on the report. Access to this information, of course, must be granted while respecting the privacy of the person making the report and of persons other than the reported person who are nonetheless implicated insofar as they are mentioned in the report.

In Italy, there are no rules from which an obligation to communicate the results of HR internal investigations to public authorities can be derived, except as mentioned in 8.4 Criminal Cases regarding facts of a criminal nature. It continues to be understood that the results of internal investigations could constitute information that, pursuant to specific legislative provisions, may result in a mandatory reporting obligation.

In Italy, the only person who is always guaranteed to be informed of the closure of an HR internal investigation is the reporter. The respondent, on the other hand, will receive such information only if it lays the basis for a subsequent disciplinary or judicial proceeding, or when the defamatory nature of the accusations made against them has been established. In all other cases, the respondent may be informed only at the employer’s discretion (but does not have a right in this regard) and provided that the confidentiality of the individuals involved is respected.

The type of disciplinary sanction that the employer may impose on the employee depends on the type of conduct complained of and what the collective agreement applicable to the employment relationship (and, of course, the law and Civil Code) provides for on that point. Such a disciplinary dispute must first and foremost respect the principle of “timeliness”, by virtue of which an employer wishing to challenge unlawful conduct by an employee must do so without delay, in the shortest possible time. Therefore, this temporal consideration should be taken into account from the day on which the employer has completed the investigation into the relevant contested conduct. Generally, disciplinary sanctions range from a warning, a fine of up to three hours’ pay, or suspension from work and pay (for the maximum days provided for by the collective agreement applied to the employment relationship), to dismissal with notice and ‒ in the most severe cases ‒ without notice.

At the conclusion of the investigation, if the employer identifies behaviour attributable to the employee that warrants disciplinary action, this must be formally communicated through a disciplinary notice. The employer cannot directly impose a disciplinary sanction. Italian legislation (specifically, the Italian Workers’ Statute) establishes the worker’s inalienable right to defence, which allows the employee to respond to the disciplinary notice and present their justifications (eventually with the assistance and presence of a union representative). The employer can only legitimately impose the disciplinary sanction deemed most appropriate after the worker has provided their justifications (or after the expiration of the deadline for submitting them), taking into account the justification provided by the employee.

In the context of Italian corporate practices, organisational measures such as team-building or mediation are not commonly adopted. In some instances, regardless of the validity of the allegations, the employer may take specific actions to preserve the well-being of the work environment – for example, by implementing a transfer deemed necessary owing to organisational incompatibility or by taking appropriate measures to mitigate work-related stress risks, whenever the information (whether verified or unverifiable) suggests such actions.

The employer’s failure to take appropriate action, even in the face of unsubstantiated facts, could potentially expose them to future claims for violating the provisions of Article 2087 of the Italian Civil Code. As further elaborated in 8.2 Sexual Harassment and/or Violence and 8.3 Other Forms of Discrimination and/or Harassment Including Bullying and/or Mobbing, this provision establishes that employers must take all necessary measures to protect the physical integrity and psychological well-being of the employee. The occurrence of damage (moral, existential and/or biological) resulting from the failure to comply with this legal provision entails the obligation to provide compensation for such damage.

To ensure the right to personal data protection for whistle-blowers or reporting individuals, the legislature has established that the acquisition and management of reports, public disclosures or complaints (including communications between competent authorities) must comply with data protection regulations ‒ in particular, Regulation (EU) 2016/679 (the “EU General Data Protection Regulation”, or GDPR) and Legislative Decree No 196 of 30 June 2003. Any exchange and transmission of information involving the processing of personal data by EU institutions and/or authorities must also comply with Regulation (EU) 2018/1725. Data protection must be ensured not only for the whistle-blower or reporting individual but also for other parties whose confidentiality is protected, such as facilitators, involved persons and individuals mentioned in the report, as they are considered “data subjects” under data protection regulations.

Data controllers, data processors and individuals authorised to process personal data must adhere to several fundamental principles ‒ namely, they must:

• process data lawfully, fairly and transparently;
• collect data solely for the purpose of managing and following up on reports, public disclosures or complaints;
• ensure that data is adequate, relevant and limited to what is necessary for the purposes for which it is processed;
• guarantee the accuracy and up-to-date status of the data;
• retain data only for the time necessary to process the specific report and, in any case, no longer than five years from the date of communication of the final outcome of the reporting procedure;
• process data in a manner that ensures its security, including protection through appropriate technical and organisational measures from unauthorised or unlawful processing, accidental loss, destruction or damage;
• respect the principles of privacy by design and privacy by default;
• conduct a data protection impact assessment;
• provide, where possible, ex ante information to potential data subjects about data processing through the publication of information documents (eg, on websites or platforms, or through brief notices in written or oral communication channels);
• ensure the record of processing activities is updated;
• guarantee the prohibition of tracking reporting channels; and
• ensure, where feasible, the monitoring of authorised personnel’s activities while respecting guarantees to protect the whistle-blower.

With regard to personal data processed in the context of an HR internal investigation, the person involved or mentioned in the report, public disclosure or complaint may not exercise – for the time and to the extent this constitutes a necessary and proportionate measure – the rights that the GDPR normally grants to data subjects (such as the right to access personal data, the right to rectify it, the right to request its erasure or the so-called right to be forgotten, the right to restrict processing, the right to data portability, and the right to object to processing). Exercising such rights could indeed result in actual and concrete harm to the confidentiality of the whistle-blower’s identity. In such cases, the reported individual or the person mentioned in the report is also precluded from contacting the data controller if they believe that the processing of their data violates these rights and, in the absence of a response from the data controller, are precluded from filing a complaint with the Data Protection Authority.

In Italy, Law No 132/2025 (“Provisions and Delegations to the Government on Artificial Intelligence”) entered into force on 10 October 2025 in implementation of Regulation (EU) 2024/1689 and represents the first comprehensive legislative intervention within the Italian legal system aimed at systematically regulating the impact of the use of AI systems across the various areas of economic, social and institutional life.

The legislation adopts a regulatory framework based on the classification of AI systems according to the level of risk associated with their use, thereby introducing a graduated approach to the regulation of the different applications. As a general principle, it is reaffirmed that the use of such systems must comply with fundamental rights and individual freedoms, and with the principles of transparency, proportionality, accuracy, personal data protection, confidentiality, non-discrimination, gender equality and sustainability.

Furthermore, the development of AI systems and models must be based on datasets and processes whose fairness, reliability, security, quality, appropriateness and transparency are guaranteed and subject to oversight, in accordance with the principle of proportionality in relation to the sectors in which such systems are deployed.

In any event, such systems must be designed and applied in compliance with human autonomy and decision-making power, and with the principles of harm prevention, knowability, transparency and explainability, while ensuring effective human oversight and intervention. In this context, AI is already being used to a significant extent in the context of internal investigations, mainly for activities such as investigative support, document analysis and managing information flows. However, it cannot replace the legal and disciplinary assessment, which remains the exclusive domain of human decision-making. This is particularly true given the limits imposed by legislation on the protection of workers and the processing of personal data, as set out in Article 4 of the Italian Workers’ Statute and the GDPR.

As discussed in 1.2 Bases, in the absence of specific legislation on HR internal investigations in Italy, the procedures governing such investigations derive their legal foundation “by subtraction” from other disciplines. These include labour law, criminal procedure and – notably – whistle-blowing regulation, which has been extensively addressed and analysed in the preceding sections.

As noted, the whistle-blowing framework is governed by the Whistle-Blowing Decree and concerns the protection of individuals who provide information that may lead to the investigation, determination and prosecution of violations of regulations. Therefore, there are no additional specific protections. Where the conditions for applying the provisions of the Whistle-Blowing Decree are met, the individuals involved will benefit from the corresponding rights; otherwise, the ordinary civil law provisions and, where applicable, procedural and criminal law rules will apply.

In Italy, complaints related to sexual harassment and violence are protected by specific regulations that apply in various contexts, both in the workplace and in society.

• According to Article 609-bis of the Italian Penal Code, sexual harassment consists of unwanted acts or behaviour of a sexual nature aimed at intimidating or overpowering a person, without their consent. Harassment can be verbal, physical or psychological.
• Article 26 of Legislative Decree No 198/2006 (the “Code of Equal Opportunities between Men and Women”), which provides an extensive analysis of workplace harassment scenarios, requires companies to adopt preventative measures to avoid sexual harassment and protect the victims. The victim may also ask to be transferred to another workplace or request a modification of their working hours.
• If the worker is dismissed owing to reasons related to the harassment they have suffered or to their reporting of it, the maximum protection provided for unfair dismissals under Article 18 of the Italian Workers’ Statute will be applied.
• As mentioned in 6.9 Other Measures, Article 2087 of the Italian Civil Code requires the employer to take all necessary measures to protect the physical integrity and psychological well-being of the employee. The occurrence of damage (moral, existential and/or biological) resulting from the failure to comply with this legal provision entails the obligation to provide compensation for such damage (similar obligations also arise from the provisions of the Decree on Workplace Safety).

This framework of protection, together with continuously evolving case law, demonstrates a steady commitment to refining the safeguards available to victims, thereby making the protection system increasingly responsive and effective.

Italian laws on discrimination and harassment are extensive and cover various areas, including gender, race, disability and other protected characteristics. Employers are required to adopt policies and measures to prevent and combat discrimination and harassment, and also to protect workers who are victims, guaranteeing them the right to protection and assistance.

Article 18 of the Italian Workers’ Statute provides the highest level of protection following discriminatory dismissal: “reinstatement in the workplace”. “Discriminatory” in this context refers to dismissal based on political beliefs or religious faith, membership in a union or participation in union activities (including the employee’s participation in a strike), as well as reasons related to the race, language, gender, disability, age, sexual orientation or personal beliefs of the employee.

Discriminatory Dismissal

An employee who has been subjected to discriminatory dismissal is entitled to so-called full reinstatement protection, which obliges the employer to:

• reinstate the employee in their job position;
• pay the employee compensation equal to the salary accrued from the date of dismissal to the date of actual reinstatement, minus any amounts the employee may have earned through other employment during this period; and
• pay the social security and welfare contributions for the entire period between the dismissal and the reinstatement.

In terms of effects, the law also equatesdiscriminatory dismissal with:

• dismissal given in connection with marriage;
• dismissal issued in violation of the prohibition on termination in relation to maternity and paternity protection; and
• dismissal linked to other cases of nullity provided for by law or dismissal based on a motive determined unlawful pursuant to Article 1345 of the Italian Civil Code.

Protection for Marriage or Parenthood

The law protects female workers against dismissals due to marriage or during maternity in order to safeguard the family role of women. Therefore, the dismissal of a female worker is prohibited from:

• the beginning of the pregnancy period until the child reaches one year of age; and
• the day of the request for marriage banns until one year after the marriage celebration.

The prohibition of dismissal from the beginning of leave until the child reaches one year of age also applies to the working father who takes leave during the first three months following the child’s birth in the absence of the mother (severe infirmity, death, abandonment or exclusive custody granted to the father). During these periods, dismissal is permitted only in the following cases:

• gross misconduct constituting just cause;
• cessation of the company’s activity;
• completion of the work for which the employee was hired or termination of the employment contract upon the expiration of its term; or
• unsuccessful probation period.

Outside these cases, any dismissal given during the protected period is null and void.

Also notable is Law No 903/1977, which prohibits any discrimination based on sex in relation to access to work – regardless of the method of hiring and regardless of the sector or branch of activity – at all levels of the professional hierarchy. Furthermore, the Code of Equal Opportunities between Men and Women prohibits discrimination in the workplace based on sex, especially with regard to the protection of pregnant workers or those on maternity leave. Law No 205/1993 is also worth mentioning, as it prohibits any form of racial, ethnic, religious or nationality-based discrimination in the workplace.

Other laws worth citing include:

• Law No 125/1991, which promotes equal opportunities in the workplace and promotes policies to reduce the disparity in treatment between men and women, particularly in professional and salary matters; and
• Law No 67/2006, which prohibits any discrimination against people with disabilities and also applies in the workplace (and in employment relationships).

Mobbing or Bullying

In the Italian legal system, there is no specific regulation dedicated to the phenomenon of mobbing or bullying. However, several laws that protect workers’ health, safety and well-being allow the identification of oppressive conduct as previously described, in order to allow protection in such situations.

At the constitutional level, the following provisions can be relevant:

• Article 2 of the Italian Constitution, which affirms the central and primary value of the individual, both as a person and as a member of society;
• Article 3 of the Italian Constitution, which establishes the principle of equality among citizens and prohibits unjustified discrimination, assigning the Republic the task of ensuring the effective realisation of this objective; and
• Article 4 of the Italian Constitution, which guarantees all citizens the right to work and promotes the conditions necessary for the effective exercise of this right.

At the level of ordinary law, the following provisions of the Italian Civil Code can be relevant:

• Article 2087, which requires the employer to adopt all measures necessary to protect the physical integrity and moral personality of workers, according to the specifics of the work activity, experience and technology; and
• Article 2103, which regulates the performance of work by the employee, identifying the cases and methods in which a change in the originally assigned tasks may occur.

Victims of bullying and/or mobbing are also protected by other sources, including:

• Article 15 of the Italian Workers’ Statute, which declares the nullity of agreements or acts intended to implement forms of discrimination in the workplace;
• Articles 25 et seq of the Code of Equal Opportunities between Men and Women, which are dedicated specifically to combatting discrimination in the workplace; and
• Article 28 of the Decree on Workplace Safety, which considers work-related stress as a risk to workers’ health.

Although there is no specific legislation governing the phenomenon of mobbing, it may ‒ in certain cases – constitute the offence outlined in Article 582 of the Italian Criminal Code, which states that “anyone who causes personal injury to another, resulting in physical or mental illness, shall be punished, upon the complaint of the injured party, with imprisonment from six months to three years”. If conduct occurs within a family setting, the offence is also prosecutable ex officio.

It is theoretically conceivable to establish a potential connection – within the aforementioned terms and, notably, by applying the criterion of objective imputation – between mobbing and an entity’s liability under Legislative Decree No 231/2001 (“Decree 231”). This decree introduced a significant innovation in corporate law, assigning administrative/criminal liability to companies (of any type, size or activity) for a range of offences committed by their directors, managers, employees or third-party agents, provided these acts were carried out in the interest or for the benefit of the company and were made possible by shortcomings in the company’s organisational structure. Companies can avoid liability (and the associated sanctions) if they have adopted an adequate organisational and management model, before the commission of the offence, with the characteristics prescribed by Decree 231.

In addition, the valuable work of the courts has been instrumental in defining and framing the instances of mobbing through the systemic interpretation of the aforementioned provisions and the general principles underlying the Italian legal system (including those of constitutional rank). The most recent court rulings have concentrated on consolidating and clarifying existing legal principles, particularly the difference between mobbing and “straining”, and the liability of employers under Article 2087 of the Civil Code. This development is therefore mainly jurisprudential in nature rather than legislative, aimed at strengthening the enforcement of existing protections.

Under Italian law, there is no specific regulation governing co-operation with authorities, communication channels with them, or incentives for conducting internal investigations and uncovering misconduct. As mentioned in 2.2 Communication to Authorities, employers therefore do not have a general obligation to report criminal acts to the authorities unless they are considered public officials or people in charge of a public service.

Certain criminal acts (eg, corruption, bribery or money laundering) may require mandatory reporting under specific circumstances, particularly in regulated industries or where public resources are involved. However, even in the absence of a mandatory reporting obligation, an employer might choose to report in order to avoid being implicated in concealing the crime or failing to address a criminal act.

In any case, if the allegation involves crimes that must be reported (eg, corruption or acts affecting public safety), the employer should file a formal complaint or report (denuncia) with the competent public prosecutor’s office (Procura della Repubblica) or law enforcement authorities (eg, police, Carabinieri). The report should include all relevant information and evidence gathered during the internal investigation, while ensuring compliance with data protection regulations (eg, the GDPR); employers must ensure that the identities of whistle-blowers and others involved are protected in line with the Whistle-Blowing Decree.

The employer may conduct an internal investigation before or alongside reporting to authorities. However, the employer must ensure that the investigation:

• respects procedural fairness and avoids violating the rights of the employee(s) involved;
• protects data privacy under GDPR rules and maintains confidentiality, especially concerning whistle-blower protections; and
• avoids interfering with or prejudicing any parallel criminal investigation by the authorities.

If the allegations are confirmed and involve criminal misconduct, the employer must act in accordance with disciplinary procedures. For companies adopting the 231 Model, if the criminal allegations involve offences listed in the 231 catalogue (eg, corruption, money laundering, fraud and environmental crimes) and there is credible evidence, the company is expected to report the findings to the competent judicial authorities. Reporting is not strictly mandatory under the 231 framework but is crucial to demonstrate the company’s co-operation and good faith in order to mitigate liability.

In Italy, no specific legal procedures have been established for internal investigations involving multiple jurisdictions, but there are principles and regulations that employers must consider in order to ensure compliance with both local and international laws. In cases involving multiple jurisdictions, employers should ensure they take the following into account:

• local and international laws – regulations regarding data protection (such as the GDPR in the EU) and employee rights can vary significantly between jurisdictions;
• jurisdictional conflicts ‒ in some instances, the laws of one jurisdiction may conflict with those of another, and this requires careful and accurate legal analysis; and
• the application of Italian law – if the case involves Italian workers, even if they are working abroad, the employer must ensure compliance with Italian regulations.