HR Internal Investigations 2026

ITALY Law and Practice Contributed by: Michela Bani, Alessandro Paone and Giacomo Bertelli, NIUS Legal and HR Solutions

• collect data solely for the purpose of managing and following up on reports, public disclosures or complaints;
• ensure that data is adequate, relevant and limited to what is necessary for the purposes for which it is processed;
• guarantee the accuracy and up-to-date status of the data;
• retain data only for the time necessary to process the specific report and, in any case, no longer than five years from the date of communication of the final outcome of the reporting procedure;
• process data in a manner that ensures its security, including protection through appropriate technical and organisational measures from unauthorised or unlawful processing, accidental loss, destruction or damage;
• respect the principles of privacy by design and privacy by default;
• conduct a data protection impact assessment;
• provide, where possible, ex ante information to potential data subjects about data processing through the publication of information documents (eg, on websites or platforms, or through brief notices in written or oral communication channels);
• ensure the record of processing activities is updated;
• guarantee the prohibition of tracking reporting channels; and
• ensure, where feasible, the monitoring of authorised personnel’s activities while respecting guarantees to protect the whistle-blower.

7.3 Access

With regard to personal data processed in the context of an HR internal investigation, the person involved or mentioned in the report, public disclosure or complaint may not exercise – for the time and to the extent this constitutes a necessary and proportionate measure – the rights that the GDPR normally grants to data subjects (such as the right to access personal data, the right to rectify it, the right to request its erasure or the so-called right to be forgotten, the right to restrict processing, the right to data portability, and the right to object to processing).

Exercising such rights could indeed result in actual and concrete harm to the confidentiality of the whistle-blower’s identity. In such cases, the reported individual or the person mentioned in the report is also precluded from contacting the data controller if they believe that the processing of their data violates these rights and, in the absence of a response from the data controller, is precluded from filing a complaint with the Data Protection Authority.

7.4 AI

In Italy, Law No 132/2025 (“Provisions and Delegations to the Government on Artificial Intelligence”) entered into force on 10 October 2025 in implementation of Regulation (EU) 2024/1689 and represents the first comprehensive legislative intervention within the Italian legal system aimed at systematically regulating the impact of the use of AI systems across the various areas of economic, social and institutional life.

The legislation adopts a regulatory framework based on the classification of AI systems according to the level of risk associated with their use, thereby introducing a graduated approach to the regulation of the different applications.

As a general principle, it is reaffirmed that the use of such systems must comply with fundamental rights and individual freedoms, and with the principles of transparency, proportionality, accuracy, personal data protection, confidentiality, non-discrimination, gender equality and sustainability.

Furthermore, the development of AI systems and models must be based on datasets and processes whose fairness, reliability, security, quality, appropriateness and transparency are guaranteed and subject to oversight, in accordance with the principle of proportionality in relation to the sectors in which such systems are deployed.

In any event, such systems must be designed and applied in compliance with human autonomy and decision-making power, and with the principles of harm prevention, knowability, transparency and explainability, while ensuring effective human oversight and intervention.

In this context, AI is already being used to a significant extent in the context of internal investigations, mainly for activities such as investigative support, document analysis and managing information flows. However, it cannot replace the legal and disciplinary assessment, which remains the exclusive domain of human decision-making. This is particularly true given the limits imposed by legisla -
