
    01.06.2026

    Italy - The legal framework of internal investigations


    Internal investigations in Italy sit at the crossroads of (i) criminal procedure rules on defensive investigations under the Italian Code of Criminal Procedure ("ICCP"), (ii) employment law constraints, and (iii) data protection rules under the GDPR and the Italian Privacy Code. ISO 37008:2023 is increasingly used as a planning benchmark.

    A critical preliminary distinction is between internal investigations as such and defensive investigations, carried out by formally appointed external defence counsel under the ICCP (Art. 327-bis and 391-bis). Investigations conducted by in-house functions are not legally privileged; privilege is preserved only when the matter is structured as a defensive investigation, following the procedural formalities set out in the ICCP.

    Typical phases of an internal investigation

    Defensive investigations typically follow a structured workflow: (1) issue spotting and preliminary scoping, (2) evidence preservation (e.g., legal hold), (3) document collection and review, (4) forensic analysis on corporate devices, (5) interviews, and (6) outcome assessment and remediation. The process should remain flexible, as the scope often needs refining as facts emerge.

    Employment law and data protection

    Where employees are involved, investigative steps must align with employment-law safeguards. Any disciplinary measures must respect the procedural guarantees under Art. 7 of the Workers’ Statute, including proper contestation and the employee’s right to be heard.

    GDPR principles also shape investigative design. The lawful basis is commonly legitimate interest (Art. 6(1)(f) GDPR) and, where special categories of data are implicated, the establishment, exercise or defence of legal claims (Art. 9(2)(f) GDPR).

    Operationally, before launching forensic collections, investigators should verify the scope of existing IT/privacy policies and notices. A practical minimisation approach is to apply timeframe and keyword filtering before substantive review, limiting exposure to irrelevant personal data.

    Italy’s Data Protection Authority has also issued deontological rules specifically addressing processing in connection with defensive investigations and the exercise of defence rights.

    Criminal law implications and cooperation with Authorities

    Absent a formal defence counsel appointment, investigative materials may be exposed to prosecutorial seizure, and investigators may be summoned as persons informed of the facts. Securing privilege requires, as noted above, conducting a defensive investigation with strict procedural compliance and practical safeguards (secure channels, confidentiality markings, etc.).

    A further strategic dimension concerns Decree 231/2001 on corporate criminal liability: a well-run defensive investigation can support remediation and strengthen the entity’s defence. However, sharing outputs with Prosecutors implies waiving protection over what is disclosed, so engagement strategy should be counsel-led and case-specific.

    Conclusion

    Internal investigations in Italy require careful legal structuring and cross-functional execution, balancing effective fact-finding with employment-law safeguards, privacy requirements, and criminal procedure formalities to preserve privilege and the full range of strategic options.

    Ornella Belfiori
    Gabriele Belardinelli
