# ANAC 2026 Whistleblowing Guidelines: Certifying Reports and Internal Channels Ahead of Privacy Authority Inspections

ANAC Resolution 478 of 26 November 2025 raises the technical and organisational bar for internal whistleblowing channels under Legislative Decree 24/2023, the Italian implementation of EU Directive 2019/1937. The new framework took immediate effect and arrives in parallel with the Italian Data Protection Authority (Garante) Provision of 30 December 2025, which placed whistleblowing applications and platforms at the centre of the H1 2026 inspection plan. For EU and international organisations operating in Italy, or benchmarking their own group-wide implementations against the most demanding interpretation of the EU Directive, the message is operational: an internal channel that exists on paper is no longer enough. Inspectors will look for verifiable, court-admissible evidence that reports, meetings and decisions have been acquired and preserved without alteration.

This insight builds on the general guide "Whistleblowing: certified digital reports under the EU Directive" and focuses on the operational consequences of ANAC Resolution 478/2025 for organisations preparing for Privacy Authority inspections in 2026.

## What changes with ANAC Resolution 478/2025 and the Garante H1 2026 inspection plan

The new Italian guidelines do not rewrite the Directive: they harden its implementation. Three areas concentrate the practical impact.

### Technical requirements of the new guidelines

ANAC Resolution 478/2025 introduces structural separation of roles in large organisations (above 250 employees, the same threshold used by the EU Directive for mandatory internal channels). The Data Protection Officer (DPO) can no longer also act as the report manager: the conflict of interest, previously tolerated in smaller setups, is now considered incompatible with the confidentiality duties of Article 12 of Directive 2019/1937. The guidelines also require:

  • Mandatory, traceable training for personnel managing the channel, with documented refresh cycles
  • Tracking of direct meetings with the reporting person, including written minutes signed by the parties (Article 14 of the Directive on follow-up duties)
  • Logging of telephone lines used as a reporting channel, with retention rules aligned to GDPR principles of necessity and proportionality
  • Separation of the IT environment hosting the channel from general corporate IT, including access logs and segregation of duties

The official text of EU Directive 2019/1937 is available on EUR-Lex. Organisations in other Member States should read the ANAC guidelines as a benchmark for the level of rigour any supervisory authority can legitimately demand under the same Directive.

### The Garante inspection plan: whistleblowing applications and platforms under scrutiny

The Garante Provision of 30 December 2025 sets the H1 2026 inspection priorities. Whistleblowing platforms appear explicitly among the targets, with a focus on:

  • Lawful basis and proportionality of data processing
  • Confidentiality and access control on report content
  • Retention periods and deletion procedures
  • Use of end-to-end encryption and integrity controls on stored evidence
  • Transparency obligations toward the reporting person and the persons concerned

Inspectors will request not only policies and DPIAs but operational evidence: logs, audit trails, time-stamped acquisitions of reports, and proof that the chain of custody between submission and final decision has not been tampered with.

### Sanctions framework

The combined ANAC and Garante framework carries material financial exposure. ANAC can impose administrative penalties up to EUR 50,000 for failure to set up the channel, lack of follow-up, or breach of confidentiality. An additional EUR 5,000 to 30,000 range applies to retaliation against the reporting person or breaches of the manager's confidentiality duties. The Garante, separately, can apply GDPR administrative fines up to the higher of EUR 20 million or 4% of global turnover for data protection violations on the same processing activity. Double jeopardy concerns are mitigated by the different legal basis of each sanction.

## The three evidence levels required during inspections

Inspections converge on three layers of evidence that any internal channel must be able to produce on demand.

### Existence of the operational channel

The organisation must prove that the channel actually received and processed reports, not only that it was deployed. This means tracked acquisition of each report with metadata: submission timestamp, channel used (web form, telephone line, direct meeting), assigned case ID, and the identity hash of the reporting person where confidentiality permits. Acquisition logs must be retained in a tamper-evident format.

### Confidentiality of the reporting person

Article 16 of EU Directive 2019/1937 requires Member States to ensure that the identity of the reporting person is not disclosed without explicit consent. Operationally, this translates into an immutable chain of custody on the report file and on every access event. The organisation must be able to demonstrate that no unauthorised user opened, copied or exported the report between submission and case closure. Standard file systems and document management systems, where any administrator can edit metadata, do not satisfy this requirement on their own.

### Integrity of reports over time

The third level is forensic integrity: a hash-based chain that anchors each acquisition to a qualified time stamp and a qualified electronic seal under eIDAS Regulation (EU) 910/2014. The qualified time stamp proves the moment of acquisition; the qualified electronic seal proves the integrity of the file and the identity of the legal entity that sealed it. Together, they produce evidence that is admissible in court across the EU and recognised as having full evidentiary value until proven forged. For background on the role of qualified trust services, the European Commission's electronic trust services policy page is a useful reference.
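The tamper-evident acquisition log and the hash chain described in the sections above can be sketched as follows. This is an added illustration, not TrueScreen's or any QTSP's code: the field names, the HMAC-keyed identity hash and the sample records are assumptions, and the qualified time stamp and seal are represented only by the chain head that would be anchored outside the log.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed start value for the chain

def identity_hash(identity: str, key: bytes) -> str:
    # Keyed pseudonym (assumption): a bare SHA-256 of a name or e-mail can be
    # reversed by hashing the staff directory, so the key stays with the manager.
    return hmac.new(key, identity.encode(), hashlib.sha256).hexdigest()

def digest(prev: str, body: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + payload).encode()).hexdigest()

def append(log: list, body: dict) -> str:
    """Append one acquisition record and return the new chain head."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    log.append({"body": body, "prev_hash": prev, "entry_hash": digest(prev, body)})
    return log[-1]["entry_hash"]

def verify(log: list, anchored_head: str) -> int:
    """Return -1 if intact, else the index of the first bad entry.
    anchored_head is the head kept outside the log (the value a time stamp
    or seal would cover); without it, truncation of the tail goes unnoticed."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev_hash"] != prev or e["entry_hash"] != digest(prev, e["body"]):
            return i
        prev = e["entry_hash"]
    return -1 if hmac.compare_digest(prev, anchored_head) else len(log)

def sample_log(key: bytes):
    """Constructed sample records using the metadata fields named above."""
    rows = [
        ("2026-02-03T09:14:00Z", "web_form", "WB-0001", "reporter-a@example.org"),
        ("2026-02-05T16:40:00Z", "telephone", "WB-0002", "reporter-b@example.org"),
        ("2026-02-06T10:02:00Z", "direct_meeting", "WB-0001", "reporter-a@example.org"),
    ]
    log, head = [], GENESIS
    for ts, channel, case_id, who in rows:
        head = append(log, {"submitted_at": ts, "channel": channel,
                            "case_id": case_id, "reporter": identity_hash(who, key)})
    return log, head
```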

## How to apply source certification with TrueScreen

TrueScreen is the Data Authenticity Platform that allows organisations to acquire reports, meetings and documents with forensic methodology and to integrate, via API, the seals of third-party qualified trust service providers (QTSPs). TrueScreen does not issue qualified certificates: it integrates qualified time stamps and qualified electronic seals issued by QTSPs directly accredited under eIDAS, producing evidence that meets the integrity requirements of ANAC Resolution 478/2025 and the Garante inspection plan.

### Meetings with the reporting person: forensic acquisition of audio and video

When the reporting person requests a direct meeting (Article 14 of the EU Directive), the organisation must produce minutes that the parties can sign and that can be cross-checked with the original recording. TrueScreen acquires audio and video of the meeting with forensic methodology, anchoring each fragment to a qualified time stamp at the moment of capture. The acquisition file is then sealed with a qualified electronic seal, producing a single immutable artefact that proves what was said, when, and by whom. The same logic applies to telephone reporting lines, where TrueScreen acquires the call recording and the associated metadata in a tamper-evident format.

### Uploaded documents and manager decisions: qualified electronic seal

Reports submitted through the web channel often include attachments: invoices, emails, screenshots, internal procedures. TrueScreen, the Data Authenticity Platform, applies a qualified electronic seal at the moment of upload, freezing the file in its original state. The same mechanism covers the follow-up acts of the report manager: assignment of the case, intermediate decisions, request for additional information, and the final outcome notified to the reporting person within the three-month deadline set by Article 9(1)(f) of Directive 2019/1937. Every act is sealed and time-stamped, producing a continuous evidentiary chain from submission to closure that an inspector can verify independently.

For a broader perspective on how certified digital reports raise the evidentiary value of an internal channel, refer to the parent guide on certified whistleblowing reports under the EU Directive.
