Procedure for the report of wrongdoing and irregularities

1. Purpose

The Company intends to promote a corporate culture characterized by correct behavior and a good system  of corporate governance; for this reason, the Company recognizes the importance of having a Procedure that governs the management of Reports of unlawful behavior by Recipients. This Procedure therefore defines adequate communication channels for receiving, analysing and processing Reports of unlawful conduct within the Company.

Recent interventions by the European and Italian legislators have regulated the whistleblowing systems, already known internationally, and defined as whistleblowing systems  (the term derives from the phrase "to blow the whistle".

This system aims to regulate the organizational and procedural aspects of the internal systems for reporting violations (so-called "Violation Reporting"). whistleblowing), which companies must adopt to allow their staff to report acts or facts that may constitute a violation of the law.

This system also provides for two main principles of the institution of whistleblowing:

1. the protection of the person who reports violations from within the work environment, against retaliatory, discriminatory or otherwise unfair conduct resulting from the Report;
2. the guarantee of the confidentiality of the personal data of the Whistleblower and of the alleged perpetrator of the violation, without prejudice to the rules governing investigations or proceedings initiated by the judicial authority, in relation to the facts covered by the Report.

The Procedure is an integral part of the Code of Ethics and the Model.

The Procedure complies with the requirements of  the Whistleblowing Decree, the Whistleblowing Directive  and Legislative Decree no. 231/2001.

 

2. Definitions

1	Reporting Channels	means the channels made available by the Company to submit Reports in an appropriate and timely manner. In line with the provisions of art. 4  of the Whistleblowing Decree, these channels guarantee, also by electronic means, the confidentiality of the identity of the Whistleblower.
2	Code of Ethics	It is a document with which the Company sets out the set of rights, duties and responsibilities of the Company itself with respect to all the subjects with which it enters into relations for the achievement of its institutional purpose adopted pursuant to Legislative Decree no. 231/2001. The Code of Ethics aims to establish ethical standards of reference and rules of conduct that the Recipients of the Code must comply with in their relations with the Entity for the purpose of preventing and repressing illegal conduct.
3	Privacy Code	Legislative Decree No. 196/2003 "Personal Data Protection Code, containing provisions for the adaptation of national law to Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC" as amended by Legislative Decree No. 101/2018.
4	Whistleblowing Committee	It is a predominantly internal body that brings together several functions and is composed of: F. De Vita, P. Gagliardi La Gala, A. Esposito and is in charge of the management of Reports.
5	Recipients	(i) shareholders; (ii) directors; (iii) statutory auditors; (iv) employees; (v) self-employed workers as well as those who have a collaboration relationship with the Company; (vi) workers or collaborators who work for the Company, who provide goods or services or who carry out works for third parties; (vii) freelancers and consultants who work for the Company; (viii) volunteers and trainees, both paid and unpaid, who work for the Company.
6	Legislative Decree no. 231/01	Legislative Decree no. 231 of 8 June 2001 on the "Discipline of the administrative liability of legal persons, companies and associations, including those without legal personality" and subsequent amendments and additions.
7	Whistleblowing Decree	Legislative Decree 24/2003 of 10 March 2023 no. 24 of "Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and laying down provisions concerning the protection of persons who report breaches of national legal provisions" has been published in the Official Gazette.
8	Whistleblowing Directive	Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.
9	Public Disclosure	consists in making public information on violations through the press or electronic means or in any case through means of dissemination capable of reaching a large number of people referred to in Article 15 of the Whistleblowing Decree.
10	Facilitator	this is a natural person who assists the Whistleblower in the Reporting process, operating within the same work context and whose assistance must be kept confidential.
11	GDPR	Regulation (EU) No. 2016/679 on the protection of personal data.
12	Model	the model pursuant to Legislative Decree no. 231/2001 adopted by the Company.
13	Supervisory body	the Supervisory Body pursuant  to Legislative Decree no. 231/2001 appointed by the Company.
14	Procedure	means this document "on whistleblowing".
15	Semi-Annual Report	it mainly contains the files of Reports opened in the reference semester and their status.
16	Signaling	means the person making the Report.
17	Marked	the person or entity named in the Whistleblowing or External Reporting or Public Disclosure as the person to whom the violation is attributed or as a person otherwise implicated in the publicly reported or disclosed violation.
18	Signalling	collectively all reports governed by this Policy.
	Anonymous Reporting:	when the Whistleblower's personal details are not made explicit or otherwise identifiable. These reports are treated as Ordinary Reports and are not subject to the protections provided for by the Whistleblowing Decree.
19	External Signaling	the communication, written or oral, of information on violations, presented through the external reporting channel referred to in art.  7 of the Whistleblowing Decree.
20	Relevant reporting pursuant to the Whistleblowing Decree	pursuant to Articles 2 and 3  of the Whistleblowing  Decree for private sector entities, such as the Company, the violations reported refer to conduct, acts or omissions that harm the public interest or the integrity of the public administration or private entity and which consist of: (i) relevant unlawful conduct pursuant to Legislative Decree no. 231/2001,  violations of the models adopted pursuant to Legislative Decree no. 231/2001; (ii) offences that fall within the scope of the  European Union or national acts indicated in the annex to the Whistleblowing Decree or of the national acts that constitute implementation of the European Union acts  indicated in the annex to the Whistleblowing Directive, even if not indicated in the annex to the Whistleblowing Decree  , covering the following areas: public procurement; financial services, products and markets and the prevention of money laundering and terrorist financing; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety and animal health and welfare; public health; consumer protection; protection of privacy and protection of personal data and security of networks and information systems; (iii) acts or omissions affecting the financial interests of the Union as referred to in Article 325 of the Treaty on the Functioning of the European Union as specified in the relevant secondary legislation of the European Union; (iv) acts or omissions relating to the internal market, as referred to in Article 26(2) of the Treaty on the Functioning of the European Union, including infringements of the European Union competition and State aid rules, as well as infringements concerning the internal market linked to acts infringing corporate tax rules or mechanisms the purpose of which is to obtain a tax advantage which defeats the object or purpose of the legislation applicable in the field of corporate tax; (v) acts or conduct which defeat the object or purpose of the provisions laid down in Union acts in the areas referred to in numbers (ii), (iii) and (iv).
21	Report not relevant pursuant to the Whistleblowing Decree	pursuant to Article 1 of  the Whistleblowing Decree, the  provisions contained therein do not apply: (i) to disputes, claims or requests related to a personal interest of the Whistleblower; (ii) reports of violations already governed by national or European Union acts indicated in the Whistleblowing Decree  or in the Directive; (iii) reports of violations of national security and procurement related to aspects of defense or national security.
22	Ordinary Reports	are the violations reported that refer to conduct, acts or omissions that do not fall within the scope of the Whistleblowing Decree  but which are nevertheless related to: a crime or misdemeanor, a violation or an attempt to conceal a violation of an international commitment duly ratified or approved by Italy; a violation of a unilateral act of an international organisation adopted on the basis of a duly ratified international commitment; a violation of a law or regulation; a threat or harm to the public interest, or the existence of conduct or situations contrary to the rules, principles or values conveyed by the company policies and procedures as well as by the Code of Ethics. Ordinary Reports must be processed according to the criteria established in the respective legal systems and with respect to which the protections provided for by the Whistleblowing Decree do not apply.
23	Society	PHSE S.r.l. with registered office in San Martino in Strada (LO), Via Del Lavoro snc, Località Cà dei Bolli
24	Software	The Digital PA platform segnalazioni.net as an IT channel for Whistleblowing suitable for ensuring, by electronic means, the confidentiality of the whistleblower's identity, in compliance with the regulations referred to in the Whistleblowing Decree .

 

3. References

The main references of this Procedure to internal and external regulatory provisions of the Company are indicated below.

 

• 1. Internal References
• Code of Ethics
• Model

 

• 2. External References
• Privacy Code
• Legislative Decree no. 196/2003
• Legislative Decree no. 231/2001
• Whistleblowing Decree
• Directive Whistleblowing 
• GDPR
• Confindustria Guidelines for the construction of organisational, management and control models pursuant to Legislative Decree no. 231/2001
• Anac Guidelines on the protection of persons who report violations of EU law and protection of persons who report violations of national regulatory provisions – procedures for the submission and management of external reports approved by Resolution no. 311 of 12 July 2023.

 

4. General principles

This Policy is based on the following pillars: (i) protection against bad faith Reports; (ii) the protection of the Whistleblower; (iii) the protection of the confidentiality of the Report.

The persons involved in this Procedure operate in compliance with the regulatory and organizational system, the powers and internal delegations and are required to operate in compliance with the laws and regulations in force and in compliance with the principles set out below applicable to all types of Reports:

• KNOWLEDGE AND AWARENESS – This Procedure is a fundamental element in order to ensure full awareness for an effective control of risks and their interrelations and to guide changes in the strategy and organizational context.
• PROTECTION OF THE REPORTED PERSON FROM REPORTS IN "BAD FAITH" – All subjects are required to respect the dignity, honor and reputation of each one. To this end, the Reporting Party is required to declare whether it has a private interest related to the Report. More generally, the Company guarantees adequate protection from "bad faith" Reports, censuring such conduct and informing that Reports sent for the purpose of damaging or otherwise causing prejudice, as well as any other form of abuse of this document are a source of liability, in disciplinary proceedings and in other competent bodies. In the context of relevant Reports pursuant to  the Whistleblowing Decree, the Reported Persons enjoy the protections provided for by the Whistleblowing  Decree.
• IMPARTIALITY, AUTONOMY AND INDEPENDENCE OF JUDGEMENT – All persons who receive, examine and evaluate the Reports are in possession of moral and professional requirements and ensure the maintenance of the necessary conditions of independence and due objectivity, competence and diligence in the performance of their activities.

 

5. Scope of application

The Procedure applies both  to the management of relevant Reports pursuant to the Whistleblowing Decree  and to the management of Ordinary Reports, for the latter, however, a different regime applies in relation to the provision of the protections provided for by the Whistleblowing Decree.

 

6. Roles and Responsibilities
   1. Whistleblowing Committee

The Whistleblowing Committee  is a body composed mainly of internal staff that brings together various functions and deals with the management of Reports pursuant to paragraph 8.

The Whistleblowing Committee  is supported by the RSPP and the HSE function for reports on accidents at work and in matters relating to financial and accounting reporting by the Finance area.

The Whistleblowing Committee  prepares and sends the reports referred to in paragraph 10.

The Whistleblowing  Committee promotes information and training activities relating to the Whistleblowing Procedure and Decree.

• 2. Supervisory body

The SB is constantly informed about the management of Reports on the basis of the provisions referred to in paragraph 8.

The SB is the recipient of the reporting referred to in paragraph 9.

Once the SB has received the final written report of the Report, it may decide to carry out further in-depth studies and independent evaluations, also through the use of its own budget.

 

1. 3. Board of Statutory Auditors

The Board of Statutory Auditors is the recipient of the reports referred to in paragraph 10.

With reference to the final report of the  investigation, the Board of Statutory Auditors may request further clarifications from  the Whistleblowing  Committee in the case of reports relating to financial statements, accounting records, internal controls and audits.

 

1. 4. Board of Directors

The Board of Directors is the recipient of the reports referred to in paragraph 10.

The Board of Directors, with reference  to the final report of the investigation with respect to which it may take the necessary decisions in order to ascertain individual responsibilities.

 

7. Reporting channels

The Company has set up a system for the collection of Reports as part of this Procedure, which provides for three reporting methods for Whistleblowers.

In particular, the Company offers the possibility of making a report through the following management methods:

• in writing through the Software accessible via the Internet at www.phse.com;
• b) in oral form via the Software accessible via the internet at www.phse.com through voice messaging systems; or
• in oral form through a face-to-face meeting at the request of the Whistleblower via the email address: whistleblowing@phse.com

 

1. 1. The report invites a non-competent person

If the Report is submitted to a person other than  the Whistleblowing Committee, where the Whistleblower expressly declares that he/she wishes to benefit from the protections provided for by  the Whistleblowing Decree or  such intention is inferred from the Report or from conclusive conduct, the Report is considered to have been transmitted, within seven days of its receipt, to the Whistleblowing Committee  , giving simultaneous notice of the transmission to the Reporting Person. On the other hand, if the Whistleblower does not expressly declare that he/she wishes to benefit from the protections, or such intention is not inferred from the Report, said Report is considered as an Ordinary Report.

 

1. 2. Reporting via the software

The Software is available 24 hours a day, every day of the year, and is operated on behalf of the Company by Digital PA, an independent service provider not affiliated with the Company. Digital PA is required to guarantee the confidentiality and security of personal data; this service provider is bound by confidentiality obligations and will only use personal data in the context of handling Reports and in accordance with applicable European Union rules.

Through the Software, the Whistleblower will be guided in every phase of the Report and will be requested, in order to better substantiate the same, a series of fields to be filled in in compliance with the required requirements.

In the event that the Report is made through the Software, the Software itself will provide for a complete and confidential registration in accordance with the relevant legislation.

The Company allows Whistleblowers to make oral reports by voice messaging.

If a recorded telephone line or other recorded voice messaging system is used for the Report, the Report, subject to the Whistleblower's consent, shall be documented by the Whistleblowing Committee  by  recording it on a device suitable for storage and listening or by means of a full transcript. In the case of a transcript, the Whistleblower may verify, rectify or confirm the content of the transcript by means of his/her signature.

 

1. 3. Referrals via an appointment

Whistleblowers may make the Whistleblower Reporting orally directly to the Whistleblowing Committee.

In this case, the Whistleblowing Committee  will arrange a meeting, in person or via videoconference, with the Whistleblower within seven working days of receipt of the request.

In this regard, the appointment to  the Whistleblowing  Committee can be requested via the email address whistleblowing@phse.com

This email address may be used only and exclusively for the request of the appointment and not for the communication of Reports.

In the case of Reports by appointment, upon receipt  of the Report, the Whistleblowing Committee assigns the Whistleblower a specific alphanumeric ID and proceeds to register the details of the Report on the Software, in particular:

1. day and time;
2. Signaling;
3. subject of the Report;
4. notes;
5. status of the Report.

This meeting, subject to the consent of the Whistleblower, is documented by the Whistleblowing Committee by  recording it on a device suitable for storage and listening or by means of a report. In the case of minutes, the Whistleblower may verify, rectify and confirm the minutes of the meeting by signing it.

 

A majority of the members of the Whistleblowing Committee must be present at this meeting, either in person or remotely .

In any case, the recording of the Report or the report must be entered and managed through the Software.

 

1. 4. Ordinary Reports and Anonymous Reports

The Company may also consider:

1. Anonymous Reports, where these are adequately substantiated, and [1]rendered in great detail, i.e. they are such as to bring out facts and situations relating them to specific contexts (e.g.: documentary evidence, indication of names or particular qualifications, mention of specific offices, procedures or particular events, etc.);
2. Ordinary Reports.

The Ordinary Report - even the non-anonymous one - must be detailed and have the widest possible degree of completeness and exhaustiveness.

The Whistleblower of Anonymous Reports and Ordinary Reports is required to provide all available and useful elements to allow the competent parties to proceed with the due and appropriate checks and assessments to verify the validity of the facts being reported, such as:

1. a clear and complete description of the facts covered by the Report;
2. the circumstances of time and place in which the acts that are the subject of the report were committed;
3. personal details or other elements that make it possible to identify the person(s) who have/have carried out the reported facts (e.g. title, place of employment where the activity is carried out);
4. any documents supporting the report;
5. the indication of any other subjects who may report on the facts covered by the Report;
6. any other information that may provide useful evidence about the existence of the facts reported.

In order for an Ordinary Report to be substantiated, these requirements do not necessarily have to be complied with at the same time, in view of the fact that the whistleblower may not be fully available to all the required information.

 

8. Operating Modes
   1. Premise

The activities of the Whistleblowing process are described in the following paragraphs.

 

1. 2. Submission of the Report

In order to facilitate the receipt of Reports, the Company prepares the possible reporting methods, which are described in paragraph 7, including the Software, considered preferential and suitable for ensuring, by electronic means, the confidentiality of the identity of the Whistleblower.

When submitting a Report, Whistleblowers are asked to provide as much detailed information as possible. Providing accurate information allows for a more efficient investigation of the Report.

1. In particular, the following categories of data will be collected and processed:
2. identity, functions and contacts of the Whistleblower;
3. identity, functions and contact details of the persons mentioned;
4. the identities, functions and contact details of the persons involved in the collection or processing of the Report;
5. reported facts; this category consists of a description of the facts referred to in the Report with the time, date and place, as well as other relevant information decided by the Whistleblower;
6. evidence collected during the investigation of the Report;
7. report on assessment activities;
8. actions taken as a result of the Report.

 

1. 3. Receipt and management of the Report

The verification of the Report will be based only on the data provided in an objective manner, directly related to the Reporting in progress and strictly necessary to ascertain the alleged facts. The description of the facts reported must be able to prove their presumed origin.

 

In the course of handling the Report, the Whistleblowing Committee must:

1. issue the reporting person with an acknowledgement of receipt of the Report within seven days from the date of receipt;
2. maintain dialogue with the Whistleblower;
3. follow up on the Reports received;
4. provides feedback to the Whistleblower.

The whistleblowing process is structured as follows:

• assesses the possible presence of situations that may undermine the independence and impartiality in the management of the Whistleblowing Committee in the management of the Report. Some examples can be:

1. a member of the Whistleblowing Committee is  hierarchically or functionally superior or subordinate to the Whistleblower or the Whistleblower, or is the internal contact person in the case of suppliers and consultants;
2. a member  of the Whistleblowing Committee  is the alleged perpetrator of the breach;
3. a member of the Whistleblowing Committee  has a potential interest related to the Whistleblowing that compromises impartiality and independence of judgment;
4. a member of the Whistleblowing Committee  is a witness to the facts covered by the Report.

2. issues the Whistleblower with acknowledgment of receipt of the Report within seven days;
3. informs the SB of  receipt of a Report;
4. where possible (including in the subsequent phases), identify the Whistleblower and the persons indicated in paragraph 11.3.

In the presence of one of the conditions referred to in point a)(i), the member of the Whistleblowing Committee in this position shall refrain from managing the Report, including through the adoption of appropriate measures on the Software.

 

2. Phase 2 – Assessment of admissibility  pursuant to the Whistleblowing Decree: the Whistleblowing Committee, following Phase 1, carries out an initial assessment of relevance pursuant  to the Whistleblowing  Decree, at the end of which it may decide to: 

1. ask the Whistleblower for further information/additions, especially if what is reported is not adequately substantiated. On the basis of the additional information/additions,   the Whistleblowing Committee  assesses whether the conditions referred to in points (ii) or (iii) below are met; or
2. consider the Alert as inadmissible:

• ascertained the generic content of the Report such as not to allow the facts to be understood;
• Reporting accompanied by inappropriate or irrelevant documentation;
• in the event of a non-relevant Report pursuant to  the Whistleblowing Decree; if relevant and classified as an Ordinary Report, for other matters concerning the Company's business, it informs the competent corporate functions and is carried out in accordance with the criteria established in the respective regulations;

3. consider the Report as admissible and proceed with the Investigation on the merits in the presence of a relevant Report pursuant to the Whistleblowing Decree.

In any case, the Whistleblowing Committee  must:

1. inform the SB of the outcome of the Preliminary Assessment;
2. provide feedback to the Whistleblower within three months from the date of the acknowledgment of receipt (see paragraph 8.3 (a) (ii)) or, in the absence of such notice, within three months from the expiry of the period of seven days from the date of submission of the Report, in the case of preliminary filing.

 

3. Phase 3 – Investigation on the merits: the Whistleblowing Committee, following Phase 2, once the relevance of the Report with respect to the Whistleblowing  Decree has been assessed, proceeds:

• Phase 4 – Conclusion of the Investigation: once the activity of Phase 3 has been completed, the Whistleblowing Committee  must communicate the outcome, through a written report, detailing the activities carried out to the Board of Directors, the Board of Statutory Auditors and the SB:

1. in the event of a negative outcome, archiving the investigation with adequate motivation, if relevant and framed as an Ordinary Report, for other issues concerning the Company's activities, informs the competent corporate functions and comes in accordance with the criteria established in the respective regulations;            
2. in the event of a positive outcome,  i.e. in the presence of a prima facie case  on the merits of the Report, it immediately informs the internal bodies in charge on the basis of their specific competences.

Once the written report has been received, the SB may decide, if the Report is relevant pursuant to Legislative Decree no. 231/2001, to carry out further in-depth studies and independent evaluations, also through the use of its own budget.

 

• Phase 5 – Monitoring and subsequent actions: if Phase 4 reveals corrective actions on the internal control system, it is the responsibility of the management of the areas/processes to be audited to draw up a plan of corrective actions for the removal of the critical issues detected.

 

The relevant functions and/or the SB, as far as it is competent, monitors the relative state of implementation of corrective actions through "follow-up".

 

1. 4. Tracking & Archiving

The Whistleblowing Committee  keeps track of all Reports received, indicating, but not limited to, the following elements:

1. type of Report received (i.e. administrative irregularities, fraud, corruption, etc.);
2. the indication of the Reported and the Whistleblower;
3. date of receipt and assessment of admissibility of the Report pursuant to Legislative Decree no. 24/2023;
4. the investigation carried out and the reasons for it;
5. the documentation received from the Whistleblower, collected during the investigation and any reports produced.

The documentation relating to the Reports, prepared and/or received during the process of managing them, is strictly confidential. This documentation is archived and stored in compliance with current regulations by  the Whistleblowing Committee  exclusively through the use of the Software. Reporting documentation may only be shared through the use of the Software.

The Reports and the related documentation are kept for the time necessary to process the Report and in any case no longer than five years from the date of communication of the final outcome of the Whistleblowing Procedure, in compliance with the confidentiality obligations referred to in Article 12 of the Whistleblowing Decree and the  principle referred to in Article 5, paragraph 1,  letter e) of the GDPR and 3, paragraph 1, letter e)  of the Privacy Code, without prejudice to longer retention periods determined by requests/orders of the Authorities or by the defence of the Company's rights in court.

 

1. 5. Special cases of conflicts of interest

With reference only to the relevant Reports pursuant to Legislative Decree no. 24/2023, if all or majority  of the members of the Whistleblowing Committee are in a  situation of conflict of interest referred to in paragraph 8.3 a) (i) or in any case the impartiality and independence in the management of the Report may be jeopardized, the conditions for making a Report through the external channel will be met.

 

9. Right to report externally

Nothing in this Procedure prohibits Recipients from reporting any violations of laws or government regulations to the Authority.

The Recipients do not need the prior authorization of the  Company and are not required to notify the Company in order to forward such reports or communications, in the cases provided for by the Whistleblowing Decree, once the Reports and communications have been submitted, they are not required to notify them or forward them to the Company itself.

 

Especially:

1. in the presence of the conditions set forth in Article 6 of  the Whistleblowing  Decree, the Recipient may make an External Report, namely:

 

The conditions for using the external channel at ANAC

1) Whether the internal channel is mandatory - is not active; - it is active but does not comply with the provisions of the legislator regarding the subjects and methods of submission of relevant Reports pursuant to the Whistleblowing Decree.

2) The Whistleblower has already made the internal report but has not been followed up

3) The Whistleblower has reasonable grounds to believe that if he/she makes an internal report - it would not be followed up effectively - This could lead to a risk of retaliation

4) The Whistleblower has reasonable grounds to believe that the breach may constitute an imminent or obvious danger to the public interest.

5) Upon the occurrence of the conditions referred to in paragraph 8.5. of the Procedure.

2. in the presence of the conditions set forth in Article 15 of  the Whistleblowing  Decree, the Recipient may make a Public Disclosure, namely:

 

The conditions for making a public disclosure

1) an internal report to which the Company did not respond within the prescribed deadlines was followed by an External Report to ANAC which, in turn, did not provide feedback to the whistleblower within a reasonable timeframe.

2) the Whistleblower has already directly made a Report external to ANAC which, however, has not given feedback to the Whistleblower on the measures envisaged or adopted to follow up on the Report within a reasonable timeframe.

3) the Whistleblower directly makes a public disclosure because he or she has reasonable grounds to believe, on the basis of concrete circumstances and therefore, not on mere inferences, that the violation may represent an imminent or obvious danger to the public interest.

4) the Whistleblower directly makes a public disclosure because he has reasonable grounds to believe that the external report may involve the risk of retaliation or may not be effectively followed up.

 

• Reporting

The Whistleblowing Committee prepares  the following reports for the Board of Directors, the Board of Statutory Auditors and the SB:

• a report at the end of the investigation relating to the management of the Report with an indication of the archiving and accompanied by the reasons, or with the indication of the prima facie case in case of validity of the Report. In any case, this end-of-investigation report must contain, bearing in mind the provisions  of the Whistleblowing  Decree with respect to the confidentiality of information, the following elements:

1. the type of Report received (e.g. Relevant  Report pursuant to the Whistleblowing Decree, Non-Relevant Report pursuant to the Whistleblowing  Decree, Ordinary Report, etc.);
2. the indication of the Whistleblower and the Whistleblower (in the presence of a relevant Report pursuant to  the Whistleblowing Decree where the conditions referred to in the Whistleblowing Decree are met);
3. the date of receipt and assessment of the admissibility of the Report pursuant to Legislative Decree no. 24/2023;
4.  the investigation carried out and the reasons for it;
5. the documentation received from the Whistleblower, collected during the investigation and any reports produced.

2. a Half-Year Report on Reports containing mainly the files of Reports opened in the reference half-year and their status.
3. a periodic report (at least on an annual basis and in any case before the presentation of the SB's annual report pursuant to Legislative Decree no. 231/2001) containing, among other things, information on the summary of the Reports management activities, with an indication of the results of the related investigations and the progress of the corrective actions identified and of the information and training activities.

 

11. Prohibition of retaliation or discrimination
    1. Anti-retaliation provisions

Recipients who make a Report in good faith will not be subject to any retaliation.

• 2. Whistleblower protection

In  order to  encourage the Recipient to report the wrongdoings of which he becomes aware in the context of the employment relationship, the Company guarantees  the necessary privacy to the Whistleblower in order to protect him/her from any internal retaliation or discriminatory acts.

 

In particular, the Company guarantees that the identity of the Whistleblower cannot be revealed without his/her express consent and that all parties involved in the management of the Report are required to protect its confidentiality, except in the cases indicated below:

• if the Whistleblower is liable for slander or defamation pursuant to the provisions of the Criminal Code;
• the Whistleblower incurs non-contractual civil liability pursuant to art. 2043 of the Italian Civil Code;
• in cases where anonymity is not enforceable by law.

Violation of the duty of confidentiality is a source of disciplinary liability, without prejudice to any other form of liability provided for by law.

Any retaliatory action or discriminatory behavior, direct or indirect, against the Whistleblower due to the Report is prohibited. Discriminatory measures include, according to the Whistleblowing Decree,  by way of example:

1. dismissal, suspension or equivalent measures;
2. relegation or non-promotion;
3. change of duties, change of place of work, reduction of salary, modification of working hours;
4. suspension of training or any restriction of access to it;
5. negative merit notes or negative references;
6. the adoption of disciplinary measures or other sanctions, including financial sanctions;
7. coercion, intimidation, harassment or ostracism;
8. discrimination or unfavourable treatment;
1. the failure to convert a fixed-term employment contract into an employment contract of indefinite duration, where the worker had a legitimate expectation of such conversion;
10. non-renewal or early termination of a fixed-term employment contract;
11. damage, including to the person's reputation, in particular on social media, or economic or financial harm, including loss of economic opportunities and loss of income;
50. improper listing on the basis of a sectoral or industrial agreement, formal or informal, which may result in the person not being able to find employment in the sector or industry in the future;
1000. the early termination or cancellation of the contract for the supply of goods or services;
14. the cancellation of a licence or permit;
15. the request to undergo psychiatric or medical examinations.

The above protections apply exclusively to relevant Reports pursuant to the Whistleblowing Decree.

 

1. 3. Protection of third parties connected to the Whistleblower

The protective measures referred to in the preceding paragraph shall also apply:

1. Facilitators;
2. to persons in the same working context as the Whistleblower and who are linked to him by a stable emotional or family bond within the fourth degree;
3. to the Whistleblower's work colleagues who work in the same work context as the same and who have a habitual and current relationship with said person;
4. to entities owned by the Whistleblower or for which the same persons work, as well as to entities operating in the same working context as the aforementioned persons.

 

1. 4. Confidentiality rights of the Reported

In compliance with the supervisory provisions, the Company adopts the same protection methods provided to guarantee  the privacy of the  Whistleblower also for the alleged perpetrator of the violation, without prejudice to any further form of liability provided for by law that imposes the obligation to communicate the name of the Reported (for example, requests from the Judicial Authority, etc.).

 

12. Privacy
    1. Processing of personal data

Any processing of personal data, including communication between the competent authorities, provided for by this Procedure and by Legislative Decree no. 24/2023 must be carried out in accordance with the GDPR and the Privacy Code.

 

Personal data that is clearly not useful for the processing of a specific Report is not collected or, if collected accidentally, is deleted immediately.

 

The processing of personal data relating to the receipt and management of Reports is carried out by the Company, in its capacity as data controllers, in compliance with the principles set forth in art.  5 and 25 of the GDPR, providing appropriate information to the Whistleblowers and to the persons involved pursuant to art. 13 and 14 of the same GDPR, as well as adopting appropriate measures to protect the rights and freedoms of data subjects.

The members  of the Whistleblowing  Committee are appointed as persons authorised to process personal data  pursuant to Article 29 of the GDPR and 2-quaterdecies  of the Privacy  Code or Data Processors pursuant to  Article 28 of the GDPR.

 

The Company identifies suitable technical and organizational measures to ensure a level of security appropriate to the specific risks deriving from the processing carried out, on the basis of an impact assessment on data protection and regulating the relationship with any external suppliers who process personal data on their behalf pursuant to art. 28 of the GDPR.

 

1. 2. Proportionality and accuracy of data collected and processed

The personal data collected for the purposes of the Whistleblowing Procedure must be adequate, relevant and not exceed the purposes for which it is collected or subsequently processed, and must be kept for a reasonable period of time. The personal data processed as part of the Procedure must be limited to the data strictly and objectively necessary to verify the claims contained in the complaint. Incident reports are stored separately from other personal data.  Personal data must be retained in accordance with applicable laws.

 

1. 3. Guarantee of the confidentiality of personal data and protection of the Whistleblower and the Reported

All parties who receive, examine and evaluate the Reports and any other person involved in the process of managing the Reports, are required to guarantee the utmost confidentiality on the facts reported, on the identity of the Reported and of the Whistleblower who is appropriately protected from retaliatory, discriminatory or otherwise unfair conduct. In the context of relevant Reports pursuant to  the Whistleblowing Decree  , Whistleblowers and Whistleblowers enjoy the protections provided for by the Whistleblowing Decree. Notwithstanding this, the communication of such information for the purposes of investigating and processing Reports, the identity of the Whistleblower and the subjects referred to in paragraph 11.3 are treated with the utmost confidentiality at every stage of the Procedure.

It may be necessary to disclose the identity of the Whistleblower to the appropriate authorities in the context of further investigations or legal proceedings, subsequently initiated following the investigation opened through the Whistleblowing Procedure.

• Formation

Recipients must comply with this Procedure and participate in training sessions on Legislative Decree no. 24/2023, the Code of Ethics and the Model.

 

The members of the  Whistleblowing Committee must be specifically trained in the management of Whistleblowing, also through continuous updating based on both regulatory and jurisprudential changes and best practices.

• Disciplinary sanctions and other measures

The Company will sanction any unlawful conduct in line with the provisions of Legislative Decree no. 24/2023, attributable to the Company's personnel, that may emerge as a result of verification of Reports, conducted pursuant to this regulatory instrument, in order to prevent any conduct that violates the law and/or this Procedure by the Company's own personnel.

Disciplinary measures, as provided for by law and by the applicable collective bargaining agreement, will be proportionate to the extent and seriousness of the unlawful conduct ascertained and may go as far as the termination of the employment relationship.

In particular, the Company will adopt sanctions when:

1. ascertains that no retaliation has been committed or when it ascertains that the Report has been obstructed or that an attempt has been made to obstruct it or that the obligation of confidentiality referred to in Article 12 of the Whistleblowing Decree has been violated;
2. ascertains that no procedures have been implemented for making and managing reports or that the adoption of such procedures does not comply with those referred to in Articles 4 and 5 of  the Whistleblowing Decree, as well as when it ascertains that the verification and analysis of the Reports received has not been carried out;
3. in the case referred to in art. 16, paragraph 3, i.e. when, except as provided for in art. 20  of the Whistleblowing Decree, the Whistleblower's criminal liability for the crimes of defamation or slander or in any case for the same crimes committed with the complaint to the judicial or accounting authority or his civil liability is ascertained, even with a first instance judgment,  for the same reason, in cases of wilful misconduct or gross negligence.

 

15. Dissemination and date of entry into force

This Procedure is widely disseminated as possible.

To this end, without prejudice to the forms of dissemination and transposition of the document and subsequent amendments or additions, it is sent to:

1. each member of the Board of Directors, the Board of Statutory Auditors and the SB;
2. each employee through the communicated strategies deemed most effective by the Company.

This Procedure is published on the Company's website.

The Company's human resources departments ensure, to the extent of their competence, the delivery of this Procedure to the Recipients at the time of recruitment to certify that they have read it.