Whistleblowing
Whistleblowing Procedure
1. PURPOSE
The purpose of this Whistleblowing Management Policy (hereinafter, the “Policy” or “Procedure”) is to define and establish an adequate and efficient model for the operation of the Internal Information System (or “Whistleblowing Management System”) that enables the receipt and processing of notifications of acts or omissions that may constitute Sectoral Violations, in accordance with:
- the relevant legislation (Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report violations of Union Law), and
- Italian Legislative Decree 24/2023.
The Procedure is intended to facilitate the correct implementation of EU law (legal certainty) and thus ensure the ‘well-being’ of the Company. The objective is the ‘transparency’ of private action, which is the road to a truly virtuous company. The Company also handles Reports to avoid incurring detrimental effects related to Violations (e.g. negative publicity on the market).
The purpose of this Procedure is to ensure professional, confidential, impartial handling and adequate protection of the rights of Data Subjects throughout the entire process of making, handling, processing, investigating and resolving Reports made through the Company’s Internal Reporting Channel.
This Procedure governs the roles, processes and means of operation of the Company’s Internal Reporting Channel, so as to regulate matters relating to Reports made, as well as their management and resolution by the designated Case Manager(s).
The processes of processing, investigation, resolution and, in general, management of Reports received pursuant to this Procedure shall be governed by the utmost objectivity and independence, establishing in this Procedure the corresponding mechanisms to avoid the concurrence of possible conflicts of interest.
Furthermore, the rights to be informed of the actions or omissions attributed and the presumption of innocence of the Involved Persons are guaranteed by this Procedure.
2. DEFINITIONS AND SCOPE
2.1 Definitions
For the purposes of this Procedure, the following definitions apply:
| ANAC – National Anti-Corruption Authority (or Competent Authority) | Italian independent administrative authority designated to (i) receive External Reports and (ii) carry out the functions provided for by the Directive, including feedback to the Whistleblower, in particular with regard to the follow-up given to Reports, in the cases provided for by the Decree |
| Sectoral Acts | regulatory acts identified in Appendix A of this Procedure |
| Reporting Channels | channels for making the Report, made available to the Whistleblower by the Company, in the case of an Internal Report, or by ANAC, in the case of an External Report, respectively; these Internal Reporting Channels in turn are defined as Internal or External depending on whether they are managed directly by the Company or respectively by third parties authorised by it |
| Reporting Committee | all Case Managers, when acting collectively |
| Working context | work or professional activities, present or past, carried out within the framework of legal relations, through which, irrespective of the nature of such activities, a person acquires information on Violations and in the context of which he/she could risk being retaliated against in case of a Report or Public Disclosure or a complaint to the Judicial Authority |
| Whistleblowing Decree | Legislative Decree 24/2023 transposing the Whistleblowing Directive in Italy |
| Public Disclosure | making Information on Violations publicly available through the press or electronic media or otherwise through means of dissemination capable of reaching a large number of people (e.g. radio, television, blogs, internet, automated e-mail campaigns) |
| Whistleblowing Directive | EU Directive 2019/1937 on the protection of persons who report violations of Union Law |
| Third Sector Entities | Entities that have entered into agreements with ANAC to provide Support Measures |
| Facilitator | a natural person who assists a Whistleblower in the reporting process, operating within the same working context and whose assistance must be kept confidential |
| Case Manager(s) | person(s) designated under this Procedure to receive the Report and/or carry out the further activities provided for in this Procedure |
| GDPR | EU Data Protection Regulation 679/2016 |
| Group | The corporate group to which the Company(ies) belongs |
| Information on Violations | information, including well-founded suspicions, concerning: (i) Violations committed or which, on the basis of concrete evidence, could be committed in the organisation with which the Whistleblower or the person making the complaint to the judicial or accounting authority has a legal relationship; and (ii) elements concerning any conduct aimed at concealing such Violations |
| Whistleblowing Privacy Policy | Information communicated pursuant to Articles 13-14 of the GDPR by the Company to Data Subjects |
| Data Subject | Natural person(s) to whom the personal data processed within the framework of the collection and management of Reports refer |
| ANAC Guidelines | (i) ANAC Guidelines on the Protection of Persons reporting Violations of Union Law and the Protection of Persons Reporting Violations of National Laws – Procedures for the Submission and Handling of External Reports (approved by Resolution No. 311 of 12 July 2023), and (ii) Regulations for the management of external reports and for the exercise of ANAC’s sanctioning power in implementation of Legislative Decree 24/2023 (approved by resolution no. 301 of 12 July 2023) |
| Protection Measures | measures provided for in para. 3 of Appendix B of this Procedure |
| Support Measures | measures provided for in para. 4 of Appendix B of this Procedure |
| Person involved (or Reported) | natural or legal person mentioned in the internal or external Report or in the Public Disclosure as a person to whom the Violation is attributed or as a person otherwise implicated in the reported or publicly disclosed Violation |
| Portal/Software | the third-party cloud portal, accessible on the Internet at https://bizzottowhistleblowing.integrityline.com, including user-usable functionalities and its secure database |
| Procedure | this document |
| Procedures | set of directives, instructions, protocols and written procedures envisaged and implemented by the Company in order to prevent Violations, and/or to reduce their consequences or recurrence |
| Independent External Professional | the external party (natural or legal person), autonomous and trained, designated by the Company as the Case Manager |
| Legal relationship | legal relationship between the Whistleblower and the organisation in which a Violation has been committed or may be committed; the legal relationship may be direct or indirect (i.e. through a third party having a direct legal relationship with the Company(ies)) |
| Reporting Register | Portal Database/Software |
| Feedback | communication to the Whistleblower of information on the Follow-up that is given or that is intended to be given to the Report |
| Retaliation | any conduct, act or omission, even if only attempted or threatened, committed by reason of the Report or of the complaint to the judicial authority or of the Public Disclosure and which causes or is likely to cause, directly or indirectly, unjust damage to the person making the Report or the complaint |
| Administrative sanctions | administrative pecuniary sanctions applicable by ANAC against non-compliance under the Whistleblowing Decree |
| Disciplinary sanctions | disciplinary sanctions applicable by the Company in the event of non-compliance with the provisions of this Procedure |
| Whistleblower | a natural person, as referred to in Chapter 2.2.3, who makes a Report or Public Disclosure of Infringement Information acquired in the course of his/her working context |
| External Report | written or oral communication of Information on Violations submitted through the Reporting Channel activated by ANAC |
| Internal Report | written or oral communication of Information on Violations, submitted through the Reporting Channels made available by the Company |
| Follow-up | action taken by the Case Manager to assess the existence of the reported facts, the outcome of the investigation and any measures taken |
| Internal Information System | Portal/Software |
| Company | the Company listed in Chapter 2.2.1 below |
| Private Sector Subjects | entities, other than those falling under the definition of Public Sector Entities |
| Public Sector Stakeholders | public administrations referred to in Article 1(2) of Legislative Decree 165/2001; public economic entities; bodies governed by public law referred to in Article 3(1)(d) of Legislative Decree 50/2016; public service concessionaires; publicly controlled companies referred to in Article 2(1)(m) of Legislative Decree 175/2016, even if they are listed; in-house companies referred to in Article 2(1)(o) of Legislative Decree 175/2016, even if listed |
| External Subjects | Whistleblowers other than Internal ones |
| Internal Subjects | whistleblowers defined as internal in the table in Section 2.2.3 of this Procedure |
| Protected Subjects | The persons envisaged in Para. 1 of Appendix B to this Procedure, who are eligible for the Protection. |
| TFEU | Treaty on the Functioning of the European Union |
| Safeguards | the set of Protection and Support Measures provided for in the Whistleblowing Decree |
| Violations of Sectoral Acts | within the scope of the Sectoral Acts identified in Appendix A, which have occurred or which are very likely (on the basis of concrete elements) to occur in the organisation (possibly also different from the Company, e.g. a supplier of the same or a contact person of an auditing firm of the same) with which the Whistleblower has a legal relationship, including any conduct aimed at concealing such violations, regardless of the fact that: (i) the employment relationship with the Company has ended in the meantime (so-called former employee), or that (ii) the facts were learnt during the selection process (e.g. candidate) or in other pre-contractual negotiations with the Company, regardless of whether, under national law, Whistleblowing violations are administrative, criminal or purely civil violations (e.g. risk of damages) |
2.2 Subjective scope
This Procedure applies as of now, i.e. from today’s date, to the Company ANDREA BIZZOTTO S.P.A. with registered office in Via Motton 9 – 36061 – Bassano Del Grappa (VI).
This Procedure applies:
- to persons making i) Internal and/or External Reports or ii) Public Disclosures or iii) Complaints to the judicial authorities, in relation to Violations of Sectoral Acts;
- to the other Protected Subjects;
- other categories of Data Subjects whose data are processed in connection with Reports managed by the Company.
Whistleblowers may belong to the following categories:
- a) Company’s employees, including casual workers, regardless of their position within the Company, the legal nature of their relationship and the area of activity or level of hierarchy (Internal Whistleblower)
- b) Paid and unpaid volunteers and trainees working for the company (Internal Whistleblower)
- c) Self-employed workers, including self-employment relationships that have a special discipline pursuant to Article 2222 of the Italian Civil Code (work contract) (including freelance professionals and consultants who provide their services to the Company, e.g. intellectual professions for the exercise of which registration in special registers or lists is required, such as psychologists, architects, surveyors, etc.), as well as holders of a collaboration relationship as referred to in Article 409 of the Italian Code of Civil Procedure, who work for the Company, the latter being understood to mean:
  - those of private employment, even if not inherent to the exercise of an undertaking (e.g. domestic work, home-working);
  - agency, commercial representation relationships; and
  - other collaborative relationships resulting in the provision of continuous and coordinated work, mainly of a personal nature, even if not of a subordinate nature, e.g. lawyers, engineers, social workers, who work for the company by organising it independently (para-subordinate relationship)

  (External Whistleblower)
- d) Workers and collaborators who work for third-party public or private sector entities that provide goods or services or carry out works for the Company (External Whistleblower)
- e) Freelancers and consultants working for the Company (External Whistleblower)
- f) Shareholders (External Whistleblower)
- g) Members of the administrative and/or management or representative body of the Company, including non-executive members (e.g. directors without or with delegated powers), even when such functions are exercised on a de facto basis (Internal Whistleblower)
- h) Members of the control or supervisory body of the Company (e.g. Mayors, Auditors or Auditing Companies, DPO – Data Protection Officer) (Mayor: Internal Whistleblower; Auditor or contact person of auditing company, DPO: External Whistleblower)
2.3 Objective scope
Whistleblowers are obliged to communicate well-substantiated Infringement Information based on precise (adequately detailed) and concordant facts, and not facts of a general, confusing and/or blatantly defamatory or slanderous content.
Reports may also be anonymous, i.e. they may not show the identity of the Whistleblower or allow the identity of the Whistleblower to be reconstructed or found. They will be examined, provided they comply with the above requirements.
The following will not be taken into account and will result in exclusion from the Safeguards under this Procedure:
(a) challenges, claims or demands linked to a personal interest of the Whistleblower or of the person who filed a complaint with the judicial authority or made the Public Disclosure that relate exclusively to his or her individual employment relationships, or inherent to his or her employment relationships with hierarchically superior figures (e.g. reports concerning labour disputes, discrimination between colleagues, interpersonal conflicts or involving only the Whistleblower and another worker or persons to whom the Report or Public Disclosure or Complaint relates), and
(b) information contained in Reports that have already been rejected by any Internal Reporting Channel or by ANAC, and
(c) information already fully available to the public or which constitutes mere hearsay, and
(d) information referring to acts or omissions not expressly covered by this Procedure.
The following remain unaffected:
(i) the application of the provisions on (a) the exercise of the right of workers to consult their representatives or trade unions, (b) protection against unlawful conduct or acts carried out as a result of such consultations, (c) the autonomy of the social partners and their right to enter into collective agreements, and (d) the repression of anti-union conduct (e.g., by way of example but not limited to, Article 28 L. 300/1970 et seq. – Workers’ Statute), and
(ii) the application of the provisions of criminal procedure (if the Whistleblower has information about an offence, he/she may always lodge a complaint with the competent criminal authority).
All Reports sent through the Internal Reporting Channel must be made in good faith. This means that, at the time of submission, the Whistleblower must have reasonable and sufficient grounds to believe that the information provided is true, accurate and has not been obtained through potential breaches (e.g. criminal offences).
In this sense, malicious or grossly negligent reports may give rise to the relevant sanctions by the Company, without prejudice to the civil and criminal liabilities that may ensue.
3. REGULATION OF ACTIVITIES
3.1 Generalities
The Report is:
- a) compulsory, on the part of Internal Parties (NB: by virtue of the general duties of loyalty, diligence and good faith connected with the legal relationship with the Company, to be understood as expressly reaffirmed herein);
- b) compulsory, by External Parties who are contractually obliged to the Company to report;
- c) optional, by External Parties who are not contractually obliged to the Company to report.
3.2 Subject of the Report
In order to facilitate and allow the due verifications and preliminary investigation activities by the Company, also in order to ascertain the merits of the Report, the Report must contain at least the following information:
- identity of the Whistleblower (name, surname, number of a valid identity document), unless the Whistleblower wishes to remain anonymous;
- relationship with the Company (candidate, employee/collaborator, director, shareholder, supplier/consultant, partner, etc.) and, if applicable, the position/qualification/corporate position of the Whistleblower;
- as clear, detailed and complete a description as possible of the facts that are the subject of the Report;
- the circumstances of time and place in which the acts were committed, if known;
- identity of the person to whom the violation is attributed (so-called “Involved Person”) or elements useful to identify him/her (area/position/qualification/assignment), if known;
- indication of any other persons who may report on the facts that are the subject of the Report;
- indication of any documents that may confirm the facts that are the subject of the Report;
- description of the reasons related to the working activity carried out that made the reported facts known;
- any other information that may provide useful proof of the existence of the reported facts;
- if applicable, means of communication with the Whistleblower other than the Portal/Software (e-mail address, telephone or other) so that the Case Manager can communicate with the Whistleblower.
If, after assessing the content of the Report, the Report lacks the minimum mandatory requirements for its proper evaluation, the Case Manager will proceed to request the corresponding information and/or documentation from the Whistleblower through the communication methods indicated by the latter, proceeding as per Chapter 3.5.2 in the event that the necessary information is not available for the opening of the investigation phase.
3.3 Types of Report
3.3.1. Internal Reporting Channels
The Internal Reporting Channels must be activated after a mandatory hearing of the representatives (RSA/RSU) or, failing that, of the most representative territorial trade unions at national level. Any comments made by the trade union have the value of a non-binding opinion.
Internal Reporting Channels are, in turn, divided into Internal and External, depending on whether they are managed directly by the Company or, respectively, by third parties authorised by them.
3.3.1.1 Reporting
The following Internal Reporting Channels may be used by the Whistleblower:
INFORMATORS:
- Portal/Software, accessible at https://bizzottowhistleblowing.integrityline.com
ORAL:
- Voice recording (to a registered voicemail/voicemail box) possible in the Portal/Software. The Case Manager is obliged to document the verbal Report by means of a detailed account of the conversation written by the staff processing the Report, which, after being dated and signed by the Case Manager, will be submitted to the Whistleblower, who will have the right to verify, rectify and approve the account by affixing his/her signature.
- (at the request of the Whistleblower or if deemed useful and possible by the Case Manager, while respecting the Whistleblower’s wish for anonymity) Direct meeting with one or more Case Managers, including via remote videoconference session if necessary. The Case Manager ensures in this case, subject to the consent of the Whistleblower, that i) the meeting takes place within a reasonable time from the date of the request, and ii) a complete and accurate record of that meeting is kept on a durable support that allows access to the Violation Information.
The Case Manager is obliged to document the meeting:
- a) recording the conversation on a durable support that allows access to the Information; or
- b) drawing up a detailed minute of the meeting, which is also to be recorded in the Portal/Software. The Whistleblower has the right to verify, rectify and approve the minutes by his/her signature.
NB: If a person other than the competent Case Manager receives a Report, he/she must forward it to the competent Case Manager, within 7 (seven) days of its receipt, complete with any supporting documentation received, not retaining any copy of it and refraining from taking any independent initiative for analysis and/or investigation, and guaranteeing its confidentiality at all times.
Failure or delay on the part of the first addressees of the Reports to notify the competent Case Manager constitutes a serious breach of this Procedure, and as such is punishable by the Disciplinary Sanctions referred to in Section 8 below.
3.3.2. External Reporting and Public Disclosure
3.3.2.1 External Reporting
The Whistleblower may only make an External Report (i.e. to the ANAC) if, at the time of its submission, one of the following conditions is met:
- there is no compulsory activation of any Internal Reporting Channel within its working context, or
- the Internal Reporting Channel, although theoretically envisaged as mandatory for the Company, is in fact not active or, even if activated, does not comply with regulatory indications;
- the Internal Report already made by the Whistleblower had no Follow-up;
- the Whistleblower has reasonable grounds for believing that, if he or she made an Internal Report, it would not be effectively followed up or that the Report might give rise to the risk of retaliation; ‘reasonable grounds’ shall mean the presence of concrete factual elements, and not merely and generically feared, supporting the expectation of being retaliated against;
- the Whistleblower has grounds to believe that the Violation may constitute an imminent or obvious danger to the public interest.
External Reporting is carried out:
- in writing through the Reporting Channel activated by ANAC (for more information on contact details and instructions on the use of the External Reporting Channel, the confidentiality regime applicable to External Reports and the process for handling External Reports see https://www.anticorruzione.it/-/whistleblowing), or
- orally through (i) telephone lines or (ii) voice messaging systems or, (iii) at the request of the Whistleblower, through a face-to-face meeting set within a reasonable time.
3.3.2.2 Public Disclosure
The Whistleblower is entitled to make a Public Disclosure of the Violation, benefiting from the Legal Protections, only if the following prerequisites are met (the ‘Public Disclosure Prerequisites’):
the Whistleblower has first made the Report (internal and external, or directly external), but
- no acknowledgement of receipt was sent to the Whistleblower within 7 working days from the date of Report, or
- appropriate action has not been taken in response to the Report within a period of three months from the date of receipt of the Report;
or when
the Whistleblower has reasonable grounds to believe that:
- the Violation may constitute an imminent or obvious danger to the public interest, such as where there is an emergency situation or the risk of irreversible damage; or
- in the case of an External Report, there is a risk of retaliation or the Report may be ineffective due to the circumstances of the case, such as where evidence may be concealed or destroyed or where there is reason to believe that the recipient of the Report may be colluding with or involved in the Violation.
3.4 Case Manager
3.4.1. Generalities
The Administrative Body is the competent body for the appointment, as well as for the removal or dismissal, of the Case Manager, who, in turn, is responsible for the management and processing of Reports entering the Internal Reporting Channel.
The Case Manager may be a natural person or a collective body that may delegate to one or more of its members (a natural person) the powers to manage and process individual Reports.
In the remainder of this Procedure, the reference to Case Managers is to be understood as being limited to the sole Case Manager, in the event that the latter remains the Case Manager of the Report according to the rules therein.
In the event that the sole Case Manager initially designated operates the possible Investigation Delegation provided for in Article 3.6.2.d, or in the event of the designation of several Case Managers, they act collectively as the “Reporting Committee”.
The management of Internal Reporting Channels is entrusted to an independent External Professional.
The Case Manager acts in a functional position that is autonomous and independent of the rest of the corporate functions and of any hierarchical or functional subordination that may exist.
Without prejudice to the generality of the foregoing, it is therefore strictly forbidden for any person to exert pressure, send peremptory instructions, attempt to condition or hinder in any form whatsoever, and in general seek to compromise the autonomy, impartiality and independence of the Case Manager.
The Case Manager must be specifically trained for such management.
3.4.2. Budget
The body of the Company competent to appoint the Case Managers provides for the allocation to them of an annual budget, to be used for the performance of the tasks assigned. The amount of the budget is deemed to be automatically renewed from year to year, unless otherwise quantified by the competent body.
3.4.3. Tasks
The Case Manager is responsible for:
- a) receiving and taking charge of Reports;
- b) Screening (content analysis and admissibility assessment) of Reports;
- c) providing the Whistleblower with the Notice of Receipt of the Report within 7 days from the date of the Report, unless this would jeopardise the confidentiality of the Report or the identity of the Whistleblower or the Whistleblower has waived the right to communications relating to the investigation; maintaining contact with the Whistleblower for further communications;
- d) diligently following up the Report;
- e) determining, in coordination with area company contacts if necessary, the advisability or need to take immediate action to prevent (stop or mitigate) further damage;
- f) carrying out or arranging for the proper investigation of the reported facts, in accordance with the rules and principles set out in this Policy;
- g) deciding on the outcome (merits) of the Reports, on the basis of the results of the investigation within the strict legal deadline; extending the termination period for reasons of complexity;
- h) proposing the appropriate measures for the resolution of the Violation, as well as, where appropriate, the disciplinary measures to be taken, with the possibility of delegating this power to another competent body;
- i) communicating the outcome of the Report to the relevant persons within the deadline set out in this Procedure (unless, in the case of the Whistleblower, he/she has waived the right to avail himself/herself of the communications relating to the investigation);
- j) ensuring the proper filing and storage of Reports;
- k) coordinating with the Privacy Function and other corporate functions, where necessary or required, to meet the compliance requirements of the personal data processing operations covered by the Reports;
- l) making available clear information on the Reporting Channels, procedures and prerequisites for making Internal and External Reports, by means of the specific methods provided for in this Procedure and/or further identifiable; for this specific purpose, the Company’s HR Function is henceforth deemed to be delegated to act also on behalf of the Case Manager;
- m) managing the Internal Reporting Channels, ensuring the necessary protection requirements of the system for managing and storing data on Reports, also by limiting access to them, also by making use of the skills and activities of the Company IT and/or Privacy Functions;
- n) resolving any doubts and requests for clarification concerning the provisions of this Procedure;
- o) keeping the Register of Reports referred to in Chapter 3.5.1 up to date;
- p) ensuring that appropriate measures are taken to prevent and avoid possible retaliation against the Whistleblower and other Protected Persons.
For the performance of the aforementioned tasks, and in cases where it deems it necessary, the System Administrator may be assisted by an external consultant or even delegate some of the aforementioned functions to the latter. In this respect, the System Administrator shall obtain a confidentiality agreement from the external consultants involved in the management and resolution of the communication.
Likewise, he shall obtain the same from internal collaborators when he deems it useful or necessary.
3.5 Examination of Reports
3.5.1. Protocol
Mandatory entry of a Report in the Portal/Software causes:
- the automatic assignment of an ID Code to the Report (protocol), and
- the automatic recording, in a secure electronic database (the “Reporting Register” or “Internal Information System”), of all communications and information received and/or exchanged by users through the Portal/Software during management activities, as well as of all internal management actions performed through the Portal/Software itself.
The Report received via non-written Internal Reporting Channels (e.g. voice message, personal meeting) must be entered immediately into the Portal/Software by the Case Manager (e.g. the first to receive it).
3.5.2. Screening
Following receipt of the Report, the Case Manager takes it over and carries out a preliminary assessment, aimed at ascertaining that the Report:
- a) contains the required minimum information, and
- b) concerns facts not constituting a type of infringement included among those listed in Appendix A,
- c) comes from Whistleblowers belonging to one of the categories provided for in this Procedure,
- d) does not contain information that even a cursory examination reveals to be manifestly false or unreliable,
- e) does not contain information that already on summary examination appears to be the result of an offence committed by the Whistleblower,
- f) does not appear, even on cursory examination, to have been made by the Whistleblower in bad faith, i.e. with the intention of harming the Company or third parties connected with it,
- g) does not contain significant new information on Violations with respect to a previous Report for which the relevant decision-making procedure has been completed,
and therefore whether the Report is to be considered admissible (the “Screening”).
The Case Manager shall issue a decision on the admissibility or non-admissibility of the Report.
The Case Manager must refrain from further pursuing a Report that does not meet the above-mentioned eligibility requirements.
If the Case Manager assesses that the Report is inadmissible, it issues a decision to close the Report, giving reasoned written notice to the Whistleblower, unless the latter has waived the right to receive communications.
Alternatively, if the documentation is missing or defective in any way, the Case Manager may request further information from the Whistleblower. Similarly, the Case Manager may, if he/she deems it necessary, ask the Whistleblower for further information on the Report made, or, with the Whistleblower’s consent, transfer the Report to a competent corporate function.
If, in the opinion of the Case Manager, there are reasonable grounds for believing that a criminal offence has been committed, he shall inform the competent body on the basis of the structure of delegations and powers (after having verified the absence of any conflict of interest on the part of that body), inviting it to consider sending to the Public Prosecutor’s Office (or the European Public Prosecutor’s Office, if competent) a detailed report of the facts considered to be criminal offences.
Finally, the Case Manager must forward the communication without delay to the authority, body or third party body, which may be considered competent ratione materiae to handle the Report.
3.5.3. Conflict of interest
If the Case Manager considers that a conflict of interest exists with respect to the Report received (e.g. the subject of the Report concerns violations attributable even indirectly to the Case Manager himself/herself, or to the Functional Area in which the Case Manager himself/herself performs his/her usual duties, or to persons related or linked by a stable affective bond, etc.), he/she shall:
- declare within the “Notes” field of the Portal/software relating to the Report, the nature of the conflict of interest;
- refrain from dealing with the Report, and shall therefore not have access to the information resulting from the actions taken in the handling of the Report (unless he/she is an Involved Person); and
- immediately transfer the management of the Report to another Case Manager not subject to a conflict of interest, or, in the absence of such a Case Manager not subject to a conflict of interest, to the additional person designated and appointed by the competent administrative body.
3.5.4. Feedback to the Whistleblower
Within 7 days of receipt of the non-anonymous Report, the Case Manager shall provide the Whistleblower with an acknowledgement of receipt of the Report, by an appropriate means to ensure the confidentiality of the message.
The acknowledgement of receipt may be omitted if:
– the Whistleblower has expressly opposed it, or
– there is reason to believe that confirmation of receipt of a written Report would compromise the confidentiality of the identity of the Whistleblower.
Acknowledgement to the Whistleblower on the outcome of the report must be provided within a period of three months, commencing:
- from the date of the acknowledgement of receipt of the Report, or,
- if the initial acknowledgement of receipt has not been sent to the Whistleblower (e.g. because the Whistleblower has remained anonymous despite being guaranteed the possibility of receiving the notice via the Portal/Software, or because it has expressly waived the right to receive the said notice), from the expiry of 7 calendar days from the date of receipt of the Report.
NB: In particularly complex cases requiring an extension of the time limit for the investigation, this may be extended, at the decision of the Case Manager, up to a maximum of a further three (3) months, in which case the Whistleblower must be informed of the extension within the first three months.
3.6 Investigation
3.6.1 Generalities
Each Report assessed as admissible must be investigated for its merits.
If the Case Manager assesses that the Report is admissible (in particular, that it falls within the scope of this Procedure, as it relates to Violations of Sectorial Acts), it shall, at its discretion:
- assess whether the Report falls within the competence ratione materiae of other bodies or functions under mandatory legal provisions (e.g. Board of Statutory Auditors or Auditing Firm/Auditors in administrative, fiscal, accounting and balance sheet matters subject by law to their control, RSPP, DPO, SB231) and therefore, on the basis of a decision to be taken in agreement with such bodies and functions, transfer the management of the Follow-up to such bodies or functions, or share with such bodies or functions the management of the Follow-up, with the consequent assumption by them of the status, respectively concurrent or exclusive, as the case may be, of Case Manager and of the consequent duties and responsibilities, subject to acceptance of this Procedure;
- (in the case of their competence ratione materiae according to the corporate system of delegation of powers in force, e.g. privacy delegate, etc.) coordinate the management of the Follow-up with such bodies or functions, subject to the acceptance of this Procedure, with the Case Manager retaining the original tasks and responsibilities (see also point 3.6.2 letter d).
In particular, this must be done at the first available meeting or, if urgent, without delay.
- assess that the further handling of the Report does not fall within the competence – under mandatory legal provisions or the delegation system – of any other corporate body or function, and consequently
- proceed with further investigative steps (investigation, etc.), or
- identify, upon agreement with the competent Administrative Body, a different subject competent in relation to the Report, transferring the management of the Follow-up, including the final decision on the merits of the Report, subject to acceptance of this Procedure, to the latter, without delay, giving simultaneous notice of the transmission to the Whistleblower. The different person identified must meet the requirements set out in paragraph 3.4.1;
- assess whether immediate measures should be taken to prevent further damage and, if necessary, implement them.
3.6.2. Survey
Once the Report has been admitted to processing, the competent Case Manager proceeds with the preliminary investigation of the facts that are the subject of the Report, carrying out all the necessary acts, procedures and verifications aimed at verifying the truthfulness of the facts that are the subject of the Report, in compliance with the principles and rules set out in this Procedure.
To this end, he shall, by way of example and not limitation:
- a) verify whether the Company has adopted appropriate Procedures to protect against the risk of the Violation that is the subject of the Report;
- b) if he deems it necessary or appropriate, request and receive further information, clarifications, and/or the production of deeds and documents from the Whistleblower – if known – or from other persons (e.g. heads of function or any other internal or external person) in possession of information useful for the preliminary investigation, in particular, reasonably concerning the processes at risk of Violation;
- c) have direct and timely access to the Company’s administrative and control bodies (e.g. Board of Statutory Auditors, Auditing Company, Data Protection Officer if designated, etc.);
- d) where deemed necessary, delegate in writing to one or more (internal/external) persons with adequate competences the performance of the above-mentioned investigative tasks sub a-b-c) – within the limits of the powers vested in the delegate as per the corporate delegation system in force (the “Investigative Delegation”) and subject to the delegate’s commitment to comply with this Procedure.
In such a case, the delegating Case Manager retains the power of:
- i) assessment of the results of the investigation and final decision on the merits of the Report; and
- ii) assessment, as far as possible on the basis of the results of the preliminary investigation, as to the possible existence of wilful misconduct or serious misconduct on the part of the Whistleblower and/or of any Involved Persons (such assessment being understood as a non-binding opinion addressed to the function or body competent to manage the disciplinary or sanctioning proceedings against the Whistleblower or the Involved Person).
3.6.3. Obligations to cooperate
The personnel and any other internal and/or external contacts of the Company are required to cooperate loyally and with the utmost diligence in the investigative activity carried out by the Case Manager.
3.6.4. Rights of the Involved Person
In the course of the investigation, the Involved Person must be informed of the Report with a brief account of the acts or omissions attributed to him/her and has the right to be heard at any time.
This communication must take place at a time and in a manner deemed appropriate by the Case Manager, according to prudent discretion, to ensure the proper conduct of the investigation.
This information may be withheld during the hearing of the Involved Person if it is considered that its prior disclosure may facilitate the concealment, destruction or alteration of evidence.
Without prejudice to the right to lodge written complaints, the investigation shall include, where possible, an interview with the Involved Person, in which, always in full respect of the presumption of innocence, he or she is invited to explain his or her version of the facts and to provide the evidence he or she deems appropriate and relevant.
In order to guarantee the Involved Person’s right of defence, he/she shall have access to the file (without revealing information that could identify him/her) and may be heard at any time. They must also be informed of the possibility of being assisted by a lawyer.
In addition, the investigator must listen to all persons concerned and any witnesses and must carry out any procedures he or she deems necessary (examination of documentation, obtaining information from external sources, etc.). The intervention of the witnesses and persons concerned shall be strictly confidential.
The investigator may also obtain any information and documentation he or she deems appropriate from any area or department of the organisation to corroborate the investigation.
Of all the acts of investigation and, in particular, of the explanations or statements provided by the persons involved in the investigation of the Report, a written record shall be drawn up (provided that their prior consent has been obtained), which shall be duly signed by the Persons Involved in order to certify its content and the conformity of their statements.
The contents of this report will be entered into the Portal/Software with the same guarantees of confidentiality as the rest of the file.
In the event that the presence of the Involved Person during the investigation period may jeopardise the conduct of the investigation or the strict observance of the guiding principles of the process set out in this Procedure, the Involved Person may be granted, on the proposal of the investigator, paid leave from work, without loss of pay, in order to ensure that the necessary investigative activities can be carried out without interference that could be detrimental to the person under investigation. Paid leave will be granted for the time necessary to carry out the investigative activities, but may in no case extend beyond the duration of the investigative process.
If the Case Manager deems it appropriate, the presence of external legal advisers at hearings and/or statements of the parties concerned, interested parties, witnesses, etc. is permitted.
3.6.5. Reporting Decision
Upon completion of all investigative actions, the Case Manager prepares and enters into the Portal/Software a report containing at least the following contents (the ‘Investigation Report’):
– A statement of the reported facts (descriptive information on the Report) together with the identification code of the Report and the date of registration.
– Evaluation of the content of the Report.
– Actions taken to verify the plausibility of the facts.
– The conclusions reached in the investigation and the evaluation of the proceedings and supporting evidence.
– Actions taken (if any).
3.7 Actions following the Report
After the Investigation Report is issued, the Case Manager makes one of the following decisions.
3.7.1. Unfoundedness of the Report with wilful misconduct or gross negligence
In this case, the Case Manager rejects the report and proceeds to archive it via the Portal/Software.
If the Case Manager discovers elements that, in its prudent judgement, point to bad faith or gross negligence on the part of the Case Manager, it shall communicate this in writing:
- to the Whistleblower;
- to the Involved Person; and
- to the Head of the functional area to which the Whistleblower belongs, as well as to the HR Function, for the assessment of the application of possible sanctions against the Whistleblower.
The communication may contain, where appropriate, the relevant proposals for action and/or proposal of disciplinary measures.
3.7.2. Report confirmed by investigation
If, at the outcome of the investigation, the Case Manager finds that the facts of the Report are well-founded in substance, it issues a documented decision to accept the Report.
The notice may contain, where appropriate, the relevant proposals for action and/or proposal of disciplinary measures against any Involved Person.
The decision must be communicated without delay:
- a) to the Whistleblower, unless the Whistleblower has waived it or the communication is anonymous;
in the case of an external Whistleblower, the communication must be sent:
- to the pro tempore legal representative of the third party organisation to which the Whistleblower belongs (or, if the Case Managers consider that the Whistleblower has a conflict of interest with respect to the Violation decided, to the Head of the different functional area of the third party organisation that appears competent to receive such a communication); and
- the Head of the internal functional area that has contractual relations with that third party organisation;
- b) to the Reported;
- c) to the Head of the functional area affected by the Violation, for the assessment and implementation of appropriate remediation actions;
- d) to the HR Function, for the evaluation and implementation of possible consequent disciplinary sanctions;
- e) to the Board of Directors that approved this Procedure,
- f) to the Company’s Board of Auditors.
The aforementioned communication may be delayed in the event that, in the opinion of the Case Manager, it may hinder further investigations or judicial proceedings (e.g. administrative, criminal) for the protection of the rights of the Company and/or third parties, after the investigation has been carried out.
3.7.3. New Violations
If, as a result of the investigation, other facts are discovered that may constitute new irregularities allegedly committed by the same person or by persons other than those under investigation, the Case Manager will, ex officio, open a new file (in which case the related follow-up will take place outside this Procedure) or if it is related to what is being investigated in the current file, the extension of the investigation file, if it deems it more appropriate (in which case the relevant follow-up will take place in accordance with this Procedure only where this appears necessary for a unified handling of the matter).
3.7.4. Administrative, civil or criminal proceedings
The Case Manager,
- a) if competent on the basis of the company’s system of delegated powers, considers independently initiating a legal action (civil, criminal or administrative) and/or reports to the Public Prosecutor’s Office or European Public Prosecutor’s Office against any Involved Person and/or any other third party responsible, otherwise
- b) informs an internal person competent to initiate action under the system of delegated powers in force, inviting him/her to assess the promotion of judicial initiatives and/or reports to the Public Prosecutor’s Office or the European Public Prosecutor’s Office (unless the latter person has a conflict of interest in relation to the report, in which case the Case Manager shall identify a person not in conflict).
3.7.5. Non-compliance with Internal Procedures
In the event that the investigation reveals (i) the absence or deficiency of corporate Procedures or instructions aimed at preventing the risk of Violations, (ii) the lack of adequate internal and/or external disclosure of the same Procedures and instructions, or (iii) deficiencies in staff awareness of the content of the Procedures and instructions, the Case Manager reports such circumstances and any suggested measures to the functional heads of the areas to which the Violation relates, as well as to the Chief Executive Officer or to the competent administrative body, for appropriate remedies.
3.7.6. Report confirmed by verification, but indeterminate in terms of damage suffered or caused
In such cases (examples: reports in the media, cyber fraud, conflicts of interest and other circumstances or conduct not easily detectable through internal controls, etc.), additional investigative activities should be assessed, with an indication of the professional expertise required (e.g. specific legal or technical expertise on the reported facts or underlying processes).
On the basis of the results of these further investigations, should the reported damage be confirmed, further legal action should be taken or a complaint lodged with the competent authorities.
3.7.7. Reporting on facts that are plausible but cannot be verified
In these cases, too, the actions mentioned in section 3.7.2 above can be pursued.
3.7.8. Referral
The Case Manager may decide to refer the report to the authority, body or third party body deemed competent to deal with it.
Whichever of the decisions set out in Sections 3.7.3 to 3.7.8 is taken, it must be communicated to the Whistleblower, unless the Whistleblower has renounced it or the communication is anonymous, as well as to all other interested parties.
- CONSERVATION
The Company will keep a register of all Reports received, coinciding with the Portal/Software database.
The Whistleblowings Register is not public, therefore the records and data contained therein shall be kept confidential, and – with the sole exception of each Whistleblower, Involved Person, Case Manager or his delegate, authorised Admin role, within the respective limits – only upon reasoned request of the competent judicial authority, by order, and within the framework of judicial proceedings and under the protection of such authority, may all or part of its content be accessed.
The Admin role, in any case, cannot access the content of individual Reports and their processing.
Records will not be kept longer than necessary and, in any case, for as long as necessary to comply with any applicable legal requirements at any given time.
The Company will keep the personal data of the Whistleblower for the time necessary to decide whether to start an investigation into the reported facts or conduct and, once decided, they will be deleted from the Portal/Software, and may be processed outside the Portal/Software to investigate the facts for the time necessary to make a decision.
Reports relating to irregularities or other cases that do not qualify as Violations included in this Procedure must be deleted, unless an obligation to further retain them arises from other Procedures in force at the Company, in which case they will be dealt with within the limits provided for by those Procedures.
Once the investigation of the Report has been concluded and appropriate action has been taken, as the case may be, the data of the Report that has been followed up will be duly blocked in order to comply with the legal obligations that may be applicable in each case.
The personal data will be deleted from the Portal/Software within a maximum period of three (3) months from the receipt of the communication, unless the retention is for the purpose of leaving evidence of the operation of the Portal/Software, and may continue to be processed outside the Portal/Software in the event that the investigation of the Report has not been completed, for as long as necessary.
In no case may the data (report, related documentation) be retained for a period longer than 5 years from the date of the documentation of the final outcome of the reporting procedure.
If a decision is made not to follow up the Report submitted, the Information may be kept anonymous.
- LEGAL PROTECTION
The Whistleblower and other Protected Persons are granted by the Company the Safeguards set out in Appendix B.
- DISTRIBUTION
The Case Manager shall make available to the addressees of this Procedure, clear information on the Reporting Channels, the prerequisites for internal and external Reporting and Public Disclosures, using the following methods:
- a) Posting in a visible place in the workplace (company notice board),
- b) Publication in a separate, easily identifiable section of the Company’s website (the URL address of which is communicated by the Company to the main addressees, if reasonably possible),
- c) Made available via link/icon on the first electronic page of the Portal/Software,
- d) Making available:
- by hand and/or
- by e-mail, or
- via company intranet or
- via another software application (e.g. personnel and/or payroll software or policies distribution software).
- DISCIPLINARY MEASURES AND SANCTIONS
This Procedure is a mandatory rule for all members of the Company. Its violation may give rise – in addition to the other civil and criminal liabilities provided for by the laws in force – to disciplinary sanctions by the Company, in accordance with the provisions of labour legislation and the National Collective Labour Agreement and/or the Company Collective Labour Agreement (if any) (to be understood therefore as expressly referred to herein).
When it is determined that the reported conduct constitutes a labour offence, the Company may take appropriate measures in accordance with the applicable disciplinary regime and, in particular, the provisions of the collective agreement and labour regulations applicable to the Company.
Notwithstanding the adoption of disciplinary measures, if the facts may be suspected of constituting a criminal offence, the competent body under the system of delegation and powers considers forwarding the information to the Public Prosecutor’s Office or, if the facts concern the financial interests of the European Union, to the European Public Prosecutor’s Office.
The following sanctions are also provided for:
Whoever:
- obstructs or attempts to obstruct one of the Whistleblowers or the other Protected Persons, in connection with any Report, or puts them under pressure through deliberate judicial or administrative proceedings, or
- adopts a retaliatory act,
- violates confidentiality provisions,
- does not carry out verification and analysis of reports received
commits an administrative offence and, unless the offence is punished with a more severe penalty by another provision of law, is punished by the ANAC – National Anti-Corruption Authority, with an administrative fine ranging from EUR 10,000.00 to EUR 50,000.00.
- OTHER
For matters not expressly provided for in this Procedure, the Whistleblowing Decree applies.
APPENDIX A – SECTORAL VIOLATIONS
Sectoral Violations include:
| SECTOR |
| --- |
| Privacy and data protection. E.g. breaches of privacy obligations such as information to data subjects, collection of consent on processing, application of legal bases, technical and organisational measures to protect (e.g. compliance procedures) data and processing, necessary documentation, etc. |
| Environmental Protection. E.g. so-called environmental offences, such as the discharge, emission or other release of hazardous materials into the air, soil or water, or the unlawful collection, transport, recovery and disposal of hazardous waste. E.g. violations of administrative requirements punished with administrative sanctions (pecuniary and/or prohibitory). |
| Consumer product safety and quality. E.g. violation of obligations aimed at ensuring that any product manufactured or marketed by the Company[…], under normal or reasonably foreseeable conditions of use, including duration and, where appropriate, commissioning, installation and maintenance, does not present any risk or only presents minimal risks, compatible with the use of the product and considered acceptable in compliance with a high level of protection of the health and safety of persons […]. E.g. breach of the producer’s obligation to provide the consumer with all information relevant to the assessment and prevention of risks arising from normal or reasonably foreseeable use of the product. E.g. Infringement of the producer’s obligation to take measures proportionate to the characteristics of the product supplied to enable the consumer to be informed of the risks. NB: A product is defective when it does not offer the safety that may legitimately be expected in view of all the circumstances, including: (a) the manner in which the product was put into circulation, its presentation, its obvious characteristics, and the instructions and warnings provided; (b) the use for which the product may reasonably be intended and the behaviour which may reasonably be expected in connection therewith; (c) the time when the product was put into circulation. A product is defective if it does not offer the safety normally offered by the others in the same series. N.B. The scope of risk relevant here goes beyond the mere presence of flaws and defects in the product (e.g. damage, failure to function, aesthetic appearance not corresponding to the agreed description, etc.) which, however, do not result in a real safety risk for the purchaser/user even though they affect the suitability for use or the promised qualities. |
| Consumer Protection. E.g. prohibition of unfair/aggressive commercial practices in the promotion of services/products |
[1] See Annex to EU Directive 1937/2019
- b) acts or omissions affecting the financial interests of the Union as referred to in Article 325 TFEU specified in the relevant EU secondary legislation; e.g. cross-border VAT fraud, EU fund fraud.
- c) acts or omissions relating to the internal market, as referred to in Article 26(2) TFEU, including: 1) violations of EU competition and state aid rules, 2) infringements concerning the internal market related to acts violating corporate tax rules (in the case of Italy: IRES, IRAP) or 3) practices whose purpose is to obtain a tax advantage that distorts the object or purpose of the applicable corporate tax law;
- d) acts or omissions that frustrate the object or purpose of the provisions of Union acts in the areas referred to in (a), (b) and (c).
- For a detailed description of these relevant sectors, please refer to the Annex (Part I and Part II) of the Decree available at www.normattiva.it.
- PROTECTED SUBJECTS
Protected Subjects include,
– the Whistleblower (even anonymous, whose identity is discovered at a later stage),
– those who make a complaint to the Judicial Authority in relation to a Violation,
– those who make a Public Disclosure, and
– the following categories of persons:
- Facilitators,
- Persons in the same Working context as the Whistleblower, the person who filed a complaint with the judicial authority or the person who made a Public Disclosure and who are related to them by a stable emotional or kinship link up to the fourth degree (cousins),
- Co-workers of the Whistleblower, of the person who has filed a complaint with the judicial authority or made a Public Disclosure, who work in the same work context as the Whistleblower and who have a usual and current relationship with that Whistleblower,
- Representatives of employees in the exercise of their functions of advising and supporting the Whistleblower,
- Entities owned by, or which are employers, or which operate in the same Working context, as the aforementioned persons, or with which the aforementioned persons have any other type of employment relationship or in which they hold a significant interest. For this purpose, an interest in the capital or voting rights attached to shares or participations is considered significant when, by virtue of its proportion, it enables the person holding it to exercise influence over the legal entity in which the interest is held.
- PROTECTION
In the event of a Report, all Protected Persons are guaranteed the following three mandatory categories of legal protection:
- PROTECTIVE MEASURES,
- SUPPORTING MEASURES,
- RIGHT TO CONFIDENTIALITY,
as detailed below.
In addition, with regard to Whistleblowers only, the Safeguards also apply if the Reporting or Public Disclosure occurs in the following cases:
(a) when the legal relationship with the Company has not yet begun, if information on Violations was acquired during the selection process or in other pre-contractual stages;
(b) during the probationary period;
(c) after termination of the legal relationship, if the Information on Violations was acquired during the course of the legal relationship.
The reasons that led the person to report or publicly disclose are irrelevant for the purposes of Protection.
The following Protection Measures apply to Protected Persons:
- Prohibition of Retaliation,
- Protection from Retaliation,
- Limitations of liability,
- Waivers and conditional settlements.
NB: Protective Measures also apply:
(a) in cases of anonymous Reporting or Public Disclosure, if the Whistleblower was subsequently identified and retaliated against, and
(b) in cases of External Alerts submitted to the competent institutions, bodies, offices and agencies of the European Union (e.g. the European Anti-Fraud Office), in accordance with the conditions for External Alerts themselves.
3.1. Prohibition of retaliation
The Protected Subjects may not be subjected to any Retaliation (by which is meant any behaviour, act or omission, even if only attempted or threatened, which is forbidden by the law or carried out as a consequence of the Report or the complaint to the Judicial Authority or Public Disclosure and which causes or may cause to the Whistleblower in good faith, directly or indirectly, an unfair damage or a particular disadvantage in the working or professional context) (prohibition of retaliatory acts). The Company undertakes to strictly enforce this prohibition.
‘Retaliation’ is to be understood broadly, including but not limited to:
(a) dismissal, suspension or equivalent measures;
(b) downgrading or non-promotion;
(c) change of duties, change of place of work, reduction of salary, change of working hours;
(d) suspension of training or any restriction of access to it;
(e) demerit notes or negative references;
(f) the adoption of disciplinary measures or other sanctions, including fines;
(g) coercion, intimidation, harassment or ostracism;
(h) discrimination or otherwise unfavourable treatment;
(i) failure to convert a fixed-term employment contract into an employment contract of indefinite duration, where the employee had legitimate expectations of such conversion;
(j) non-renewal or early termination of a fixed-term employment contract;
(k) damage, including to a person’s reputation, particularly on social media, or economic or financial loss, including loss of economic opportunities and loss of income;
(l) inclusion on improper lists (e.g. black lists) on the basis of a formal or informal sectoral or industry agreement, which may result in the person being unable to find employment in the sector or industry in the future;
(m) the early termination or cancellation of the contract for the supply of goods or services; the introduction of detrimental changes to the service or supply contract;
(n) cancellation of a licence or permit;
(o) the request to undergo psychiatric or medical examinations.
3.2. Protection from Retaliation
3.2.1 Reaction
In the event that a member of the Company, in contravention of the provisions of this Procedure, engages in direct or indirect retaliatory acts, the Company itself shall take the necessary measures to ensure that such acts cease as soon as possible and, where appropriate, shall take the necessary disciplinary or liability measures against those responsible.
3.2.2 Invalidity of Acts
In the event of non-application or non-observance, even partial, of the prohibition of retaliatory acts by the Company, the Protected Person may invoke, even cumulatively:
- a) The nullity ex lege of the acts of retaliation, as well as of administrative acts aimed at preventing or hindering the submission of Reports, and the restoration of the situation prior to them.
- b) Reinstatement in the workplace under the same conditions ex ante, pursuant to the legislation applicable to the worker, if the Protected Person was dismissed because of the Report.
Non-exhaustive examples of restorative actions:
- Equal access to any promotion and training that may have been denied
- Withdrawal of litigation against the Whistleblower
- Deletion of any record/data/document that could constitute a file for a blacklist or subsequent retaliation
- Reopening of a tender procedure
- Reinstatement of a cancelled contract
- Apologies
- Acknowledgement for upholding the values or interest of the Company through the Reporting of Violations
- Financial compensation for past, present and future losses
- Financial compensation for pain and suffering, including medical expenses
- c) Damages, if any.
3.2.3 Complaint to the ANAC
Whistleblowers may inform ANAC of retaliation they believe they have suffered.
In order to acquire preliminary elements that are indispensable for ascertaining the retaliation, the ANAC may avail itself of the cooperation of the Civil Service Inspectorate and of the INL, within the limits of their respective competences, without prejudice to the exclusive competence of the ANAC as regards the assessment of the elements acquired and the possible application of administrative sanctions.
3.2.3 Burden of Proof
In the context of judicial or administrative proceedings or extrajudicial disputes concerning the ascertainment of the conduct, acts or omissions, constituting Prohibited Retaliation, it shall be presumed that the same have been committed as a result of the Reporting or Public Disclosure.
The burden of proving that they are motivated by duly justified reasons unrelated to the Reporting or Public Disclosure therefore rests on those accused of having carried them out.
In the event of a claim for damages brought before the court by the Whistleblower (not, therefore, also by other Protected Persons), if the Whistleblower reasonably proves that it has made a Report or Public Disclosure and has suffered damage, it shall be presumed, unless the accused proves otherwise, that the damage is a consequence of such Report or Public Disclosure.
3.3. Limitations of liability
Provided that there were reasonable grounds to believe that the Reporting or Public Disclosure of the same Information was necessary to disclose the Violation, the Whistleblower or entity shall not be criminally liable, and any further civil or administrative liability, in judicial proceedings, for the disclosure or dissemination of Information on Violations is also excluded:
- covered by obligations of secrecy (official, business, professional, scientific, commercial or industrial) (punishable by Articles 326, 622, 623 of the Criminal Code),
- related to copyright protection,
- relating to the protection of personal data (privacy),
- which offend the reputation of the Involved Person (defamation).
The aforementioned criminal, civil and administrative exemption, however, does not apply:
- a) in the case of criminal conduct that the Whistleblower engages in to acquire or access the Information that is the subject of the Report.
E.g., the offence of unauthorised access to a computer system exists in relation to the act of a person who intentionally hacked into the e-mail system of a work colleague in order to obtain evidence in support of a report, and
- b) for conduct, acts or omissions not related to the Reporting, Judicial Reporting or Public Disclosure or not strictly necessary to disclose the Violation.
The Company may also order the imposition of disciplinary sanctions against persons who decide to carry out retaliation, in accordance with the provisions of the National Collective Labour Agreement and any company Collective Labour Agreement (to be understood therefore as expressly referred to herein).
3.4. Mandatory form of the transaction or waiver
The rights and protections provided for in favour of the Signatory may not be waived or settled, in whole or in part; any such waiver or settlement shall be deemed invalid unless it is made in the form and manner provided for in Article 2113(4) of the Civil Code.
- SUPPORTING MEASURES
The Whistleblower is also entitled to support measures consisting of free information, assistance and counselling on the modalities of Whistleblowing and on the protection from retaliation offered by national and European Union law provisions, on the rights of the Whistleblower, and on the terms and conditions of access to legal aid.
These support measures are provided by Third Sector Entities that have entered into agreements with ANAC. The list of Third Sector Entities is published on the website: https://www.anticorruzione.it/-/whistleblowing.
Such free information, assistance and advice may be requested at any time by the Whistleblower from these Third Sector Bodies, even before the actual communication of the Report.
- CONFIDENTIALITY
5.1. Generalities
Reports may not be used beyond what is necessary for the purpose of proper follow-up.
The non-anonymous Whistleblower must be guaranteed confidentiality by the Company, the Case Manager and anyone else involved in receiving and processing a Whistleblowing, as regards:
- the identity of the Whistleblower and Facilitators (right to confidentiality), throughout the Whistleblowing process, to anyone who is not the Whistleblower or otherwise authorised, and
- the content of the Report, including the documentation attached thereto, to the extent that its disclosure, even indirectly, might allow the identification of the Whistleblower.
At all stages of the activity, it is forbidden to reveal the identity of the Whistleblower, without the express written consent of the Whistleblower.
The Internal Reporting Channels adopted by the Company must, therefore, guarantee the aforementioned confidentiality, which also extends to the identity of any other interested person mentioned in the Report (e.g. Involved Person, witnesses, etc.) or whose name is identified in the course of the assessments and investigations following the Report.
In this regard, specific confidentiality commitments will also be signed with the persons in charge of their management.
5.2. Exclusion of confidentiality
The obligation of confidentiality does not apply in the following cases:
(i) when the disclosure of the identity of the Whistleblower represents a necessary and proportionate obligation imposed by Union or national law in the context of investigations by national authorities or judicial proceedings, including for the purpose of safeguarding the rights of defence of the reported person.
For this purpose, the Alerted Person must be warned without delay by the Case Manager of an unfounded Report made in bad faith or with gross negligence against him/her in order to be able to assess whether to exercise any rights against the Whistleblower[2]; or
(ii) the existence of an obligation to communicate the name of the Whistleblower to the judicial authority (Court, Public Prosecutor’s Office), or the Police, or
(iii) any voluntary waiver in writing of confidentiality at any time by the Whistleblower, or
(iv) if knowledge of the identity of the Whistleblower is indispensable for the accused’s defence, only if the Whistleblower has expressly consented to the disclosure of his/her identity.
Such disclosures are subject to the safeguards laid down in the applicable rules. In any case, the Whistleblower must be informed in writing by the Case Manager or the competent authority of the reasons for disclosing confidential data before his/her identity is disclosed, unless this would prejudice the relevant investigation or judicial proceedings[3].
The Company, the Case Manager and any other person involved in the receipt and processing of a Report must also protect the identity of the Persons Involved and of the other persons mentioned in the Report until the conclusion of the proceedings initiated on account of the Report, in compliance with the same guarantees of confidentiality provided for in favour of the Whistleblower.
- PREREQUISITES FOR PROTECTION. UNFOUNDED, BAD FAITH OR GROSSLY NEGLIGENT REPORTING
The Protection Measures described above apply if the following conditions are met:
(a) at the time of the Report or Complaint to the Judicial Authority or Public Disclosure, the Whistleblower had reasonable grounds to believe that the Reported or Complained or Publicly Disclosed Information on Violations was true, even if no conclusive evidence is provided, and was within the objective scope of Section 2.3; and
(b) the Report or Public Disclosure was made on the basis of the provisions of this Procedure and applicable law.
The Protection of Protected Persons also exists in the case of Reports or Disclosures that later turn out to be unfounded, if the Whistleblower, at the time of the Report or Public Disclosure, had reasonable grounds to believe that the Report was necessary to disclose the Violation and that the Information reported, publicly disclosed or reported to the Judicial Authority was within the scope of this Procedure.
Safeguards in favour of the Protected Subjects are not guaranteed, and a disciplinary sanction is also imposed on the Whistleblower, if it is established, even by a judgment of first instance,
- i) the criminal liability of the Whistleblower for offences of slander or defamation in relation to the facts reported, or
- ii) the Whistleblower’s civil liability, for the same reason (pursuant to Article 2043 of the Civil Code, which provides for the right to compensation for damages in favour of anyone who is the victim of an extra-contractual damage caused by a third party), in cases of wilful misconduct or gross negligence.
Reports made in the knowledge of the abuse/exploitation of this Whistleblowing Procedure, e.g. those that are manifestly unfounded, opportunistic and/or made for the sole purpose of harming the reported person or other persons mentioned in the Report (employees, members of corporate bodies, suppliers, partners, etc.) shall be considered in bad faith/grievous misconduct (and therefore a source of liability, in disciplinary and other competent fora).
In the event of a Public Disclosure the Whistleblower benefits from Legal Protection if, in addition to the basic condition, one of the Public Disclosure Prerequisites set out in Chapter 3.3.2.2 is also fulfilled.
[1] The protection afforded to the Whistleblower will be guaranteed only in the case of reports made by clearly identified persons. Disclosure of the identity by the Whistleblower may take place at any time even after the Report, without prejudice to the protection granted above.
[2] In order to allow the reported person to file a complaint for the offence of slander, defamation or any other offence that may be found in the specific case, and also in view of the fact that the reported person, in Italy, may entrust a lawyer with the task of carrying out “preventive defensive investigations” (pursuant to Articles 327 bis and 391 nonies of the Code of Criminal Procedure, institutes that can also serve the person unjustly accused of a crime to identify the identity of the person who made an anonymous report against him/her).
[3] When informing the Whistleblower as above, the competent authority shall send him/her a written explanation of the reasons for disclosing the confidential data in question.
APPENDIX C – PROCESSING OF PERSONAL DATA
1.1 Any processing of personal data carried out for the purpose of handling the Report must be carried out in accordance with the legislation on the protection of personal data (GDPR, Supervisory Measures, Legislative Decree 196/2003)[1].
Accordingly, anyone involved in the receipt and processing of non-anonymous Reports is required to comply with all the policies, delegations, appointments, authorisations, procedures, protocols and written security instructions laid down in the Company’s privacy system, without prejudice to the further rules laid down in this Procedure.
1.2 Personal data that appear not reasonably relevant and useful for the processing of a specific Report shall not be collected or, if accidentally received or collected, shall be promptly deleted by the Case Manager.
Likewise, any personal data reported and referring to conduct not covered by the law and/or this Procedure will be deleted.
If the information received contains personal data included in the special categories of data under Article 9 of the GDPR, it will be deleted immediately, without being recorded and processed.
1.3 If it is established that the information provided or part of it is untrue, it shall be deleted immediately as soon as this circumstance emerges, unless the untruthfulness may constitute a criminal offence, in which case the information shall be retained for as long as necessary during the legal proceedings.
1.4 The aforementioned processing operations must be carried out by the Company (data controller) in compliance with the general principles set out in Articles 5[2] and 25[3] of the GDPR, and by taking appropriate measures to protect the rights and freedoms of the data subjects.
1.5 The Case Manager, in coordination with the Company’s IT Function, PRIVACY Function and HR Function:
- defines, by means of this Procedure and the annexes thereto, its own model for receiving and managing Internal Reports, identifying technical and organisational measures suitable for ensuring a level of security appropriate to the specific risks arising from the processing operations performed,
- carries out the Data Protection Impact Assessment (DPIA) carried out by the Privacy Function itself, and
- governs the relationship with any external suppliers that process personal data on behalf of the Company pursuant to Article 28 of the GDPR (e.g., external Case Manager(s) designated by the Company, third-party technical managers of the Portal/Software);
- provides, and/or identifies the different corporate Functions, if any, entrusted with providing, to the Whistleblower, the Involved Persons and other relevant categories of data subjects, appropriate information on the processing of personal data (pursuant to Articles 13 and 14 of the GDPR), in accordance with the texts approved by the competent administrative body of the Company.
1.6 Configuration of the basic functionality of the Portal/Software is the responsibility of the designated Admin role, while technical maintenance is the responsibility of the third party provider of the Portal/Software (EQS/Adacta).
1.7 Access to the personal data contained in the Portal/Software shall be limited, within the scope of their respective competences and functions, exclusively to
- a) system administrators (Admins) who manage it directly, within the limits of the privileges assigned to them,
- b) the Case Managers designated under this Procedure, and, upon their authorisation, the external consultants delegated in the investigation, with whom prior confidentiality agreements will be signed,
- c) any appointed data processors and/or external data processors designated by the Company.
1.8 The security measures applied to the Portal/Software are outlined in the mandatory DPIA document prepared by the Company as well as in the additional documents referred to therein from time to time.
1.9 The Whistleblowing Privacy Notice must be made available to Whistleblowers by the relevant Case Manager in the following main ways:
- via a special link/text that can be viewed on the landing page of the Portal/Software;
- by hand delivery, or as an attachment to a chat via videoconference, at the earliest opportunity, in the case of a personal meeting with the Whistleblower who has not used the Reporting Portal/Software;
- in the event that the first contact with the data subject is made by telephone: by verbal notice of the availability of the Privacy Policy on the Portal/Software landing page and/or in the separate “whistleblowing” section of the Company’s website.
[1] And, by the competent authorities for the purposes of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, of Directive (EU) 2016/680.
[2] 1. Art. 5 GDPR: Personal data are:
(a) processed lawfully, fairly and transparently vis-à-vis the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes, and subsequently processed in a way that is not incompatible with those purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; all reasonable steps must be taken to delete or rectify in a timely manner data that are inaccurate in relation to the purposes for which they are processed (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than the purposes for which they are processed (‘limitation of storage’);
(f) processed in such a way as to ensure appropriate security of personal data, including protection, by appropriate technical and organisational measures, against unauthorised or unlawful processing and accidental loss, destruction or damage (‘integrity and confidentiality’)
[3] Art. 25 GDPR: Data protection by design and data protection by default
- Taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing, and taking into account the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, both when determining the means of the processing and at the time of the processing itself, the controller shall implement appropriate technical and organisational measures, such as pseudonymisation, to implement effectively the principles of data protection, such as minimisation, and to integrate in the processing the necessary safeguards in order to meet the requirements of this Regulation and to protect the rights of data subjects.
- The controller shall implement appropriate technical and organisational measures to ensure that only personal data necessary for each specific purpose of the processing are processed by default. This obligation shall apply to the amount of personal data collected, the scope of the processing, the storage period and the accessibility. In particular, these measures ensure that, by default, personal data are not made accessible to an indefinite number of natural persons without the intervention of the natural person.