Whistleblowing

WHISTLEBLOWING PROCEDURE


INTRODUCTION, REFERENCE LEGISLATION AND DOCUMENTS

Legislative Decree No 24 of 10 March 2023, implementing Directive (EU) 2019/1937 (hereinafter the “Decree”), has significantly extended the scope of application of the whistleblowing rules in the public and private sector; in particular, it describes and governs the requirements and protections companies are bound to implement and guarantee in order to manage whistleblowing.

Because these activities necessarily involve the collection and processing of personal data, Regulation (EU) 2016/679 applies to them in full.

In particular, the national and international reference legislation is the following:

• Legislative Decree No 24 of 10 March 2023

• Directive (EU) 2019/1937

• Regulation (EU) 2016/679 (GDPR)

• Legislative Decree No. 196 of 30 June 2003

• Legislative Decree No. 101 of 10 August 2018


SCOPE AND FIELD OF APPLICATION

This procedure relating to the whistleblowing system (hereinafter, the “Procedure”) aims to describe and regulate the whistleblowing system implemented by the Controller, providing precise and appropriate indications for reporting as well as describing and defining the management process.

In particular, this document:

• defines the field of application of the whistleblowing system;

• identifies the persons who can submit whistleblowing reports;

• defines the scope of conduct, events or actions undertaken that may be reported;

• identifies the whistleblowing channels, illustrating the internal and external channels available;

• defines the various phases of the whistleblowing management process, identifying the roles, responsibilities and operational methods;

• guarantees the confidentiality of the personal data of the whistleblower and the person reported (without prejudice to the rules on investigations or proceedings initiated by judicial authorities in relation to the reported facts, or in any case disciplinary proceedings in the event of whistleblowing in bad faith).


DEFINITIONS

• Whistleblowing: the reporting of conduct, acts or omissions in breach of the provisions of the Organisational, Management and Control Model pursuant to Italian Legislative Decree (D.Lgs.) 231/2001 or the national or European Union legislative provisions that are harmful to the public interest or integrity of a public administration or private entity, by a person who has acquired information on them in a public or private work-related context;

• Platform: IT tool for whistleblowing management, in particular the SaaS platform provided by Isweb;

• Report: any news relating to presumed findings, irregularities, breaches, reprehensible conduct or facts and in any case any practice that does not comply with national and Community legislation, corporate procedures or contracts:

• Anonymous report: when the personal details of the whistleblower are not made explicit and are not otherwise identifiable.

• Open report: when the whistleblower openly raises an issue without limits related to its confidentiality.

• Confidential report: when the identity of the whistleblower is not made explicit, but can nevertheless be traced back to them in specific and certain instances indicated below.

• Report made in bad faith: a report made for the sole purpose of harming or, in any case, prejudicing the reported individuals, including reports made with malice or gross negligence that turn out to be unfounded.

• Whistleblowers: persons reporting irregularities to the Company.

• Reported individuals: the persons indicated in the whistleblowing report as those who have committed presumed findings, irregularities, breaches, reprehensible conduct or facts and in any case any practice that does not comply with national and Community legislation, corporate procedures or contracts.

• Third Parties: contractual counterparts, both natural persons and legal persons (suppliers, consultants, etc.) with whom the company has established any form of contractually regulated collaboration, and who are bound to cooperate with the company in the context of activities at risk.


RESPONSIBILITIES AND DISSEMINATION

This procedure, which is an integral part of the corporate organisation, is approved by the BoD.

The Whistleblowing Manager, where necessary with the support of other corporate functions, is responsible for updating and integrating this procedure.


WHAT CAN BE REPORTED? (Objective scope)

Reports may be submitted in relation to significant breaches of conduct, acts or omissions that are harmful to the integrity of the Controller of which the whistleblower has obtained information in a work-related context.

The Report relates to breaches:

- that have been or could be committed, on the basis of reasonable and substantiated suspicions;

- that have not yet been committed but which the whistleblower thinks could be committed, on the basis of reasonable and substantiated suspicions;

- in conduct aiming to conceal the above-indicated Breaches.

Specifically, they refer to the commission or attempted commission of:

• relevant unlawful conduct pursuant to D.Lgs. 231/2001 of 8 June and breaches of the Model 231, where present;

• offences that fall within the scope of European or national legislation referred to in the Annex to the Decree and internal legislation implementing the acts of the European Union indicated in the annex to Directive (EU) 2019/1937, relating to the following sectors: public procurement; financial services, products and markets and the prevention of money laundering and terrorist financing; product safety and conformity; transport safety; protection of the environment; radiation protection and nuclear safety; food and feed safety, animal health and welfare; public health; consumer protection; protection of privacy and personal data, and security of network and information systems;

• acts or omissions affecting the financial interests of the European Union (including fraud, corruption and any other illegal activity linked to European Union expenditure);

• acts or omissions relating to the internal market.

It excludes:

- disputes, claims or requests linked to a personal interest of the whistleblower relating exclusively to individual working relations, or work relations with superiors;

- reports made in relation to national defence and security;

- reports relating to breaches already governed by European Union directives and regulations and in the implementing provisions of Italian law, which already guarantee specific reporting procedures in some special sectors (financial services; prevention of money laundering and terrorist financing; transport safety; protection of the environment).


In order to facilitate the identification of facts that may be reported, relevant conduct/behaviour includes, but is not limited to, the following:

• the promise or gift of money or other utility (gifts, hospitality, lunches, dinners, etc. forbidden by company procedures) to a public official or representative of a public service in exchange for the exercise of their functions or to perform an act that is contrary to their official duties (e.g. facilitation of a procedure);

• tampering with documents through the modification or falsification of company or official documents, in order to obtain undue advantage or mislead the relevant authorities;

• the promise or gift of money or other utility (gifts of modest value, hospitality, lunches, dinners, etc. forbidden by company procedures) aiming to bribe suppliers or customers;

• agreements with suppliers or consultants to confirm the provision of non-existent services.


WHO CAN WHISTLEBLOW? (Subjective scope)

Any person who, in their relations with the company, has reasonable suspicion that one of the indicated breaches has occurred or could occur, may submit whistleblowing reports.

When the report is submitted, this person becomes the “whistleblower” and all protections laid down in the referred legislation shall apply to them.


HOW TO MAKE A WHISTLEBLOWING REPORT

As required by the legislation, in order to facilitate whistleblowing reports, the Controller has activated internal channels.

External channels that can be used by whistleblowers are also indicated, under the following conditions.

• ACTIVE INTERNAL CHANNELS

For reports managed within the company organisation, whistleblowers may use the channels described here and decide whether to act anonymously or otherwise.

It is recalled that anonymous reports must be made only via the specific platform available on the company website (checking the “anonymous report” box).

Generally reports can be sent using the following channels:

• In writing

• orally.

In both cases, the platform adopted and available on the institutional websites of each company is used.

A guided procedure is used to correctly enter all the required information.

It is recalled that the online portal service is provided by a specialised service provider and can guarantee:

• compliance with the principles of personal data protection and full confidentiality,

• specifically authorised accesses;

• availability 24/7.

Access to the platform is via the following web address:

https://riellointernational.wbisweb.it

When the report is sent, the platform displays a protocol code on screen, which the whistleblower uses thereafter to call up the submitted report, check its status, obtain information on the results and communicate with the Whistleblowing Manager.


a.2) The report may be made using the specific voice messaging system built into the platform which, among its measures to protect confidentiality, offers the option of camouflaging the voice.

The report is recorded for documentation purposes.


a.3) Whistleblowers have the possibility to request a meeting directly with the manager. Also in this case, the report is documented by the manager by recording it on a suitable storage and reproduction device, or in written minutes. The document is entered digitally in the platform.


In any case, it is important that reports be substantiated and based on precise, consistent elements, relating to provable facts and known directly by the whistleblower; they must contain the following essential elements:

- a clear description of the reported breach, with an indication of the times and place in which the described facts/conducts were committed;

- any useful element (e.g., company function/role) to allow the easy identification of the presumed author/s of the reported breach or any other persons involved.

Furthermore, the whistleblower may provide other elements, such as:

- their own personal details;

- any documentation that may confirm the soundness of the breach;

- any other information which may facilitate the collection of evidence of the reported matter.


• EXTERNAL CHANNELS

The whistleblower may also make an external report if:

- no internal reporting channel has been established or if it is not active;

- the internal channel adopted does not comply with the provisions of Article 4 of the Decree;

- the report made using the internal channel was not followed up;

- the whistleblower has reasonable grounds - on the basis of the specific, precise and consistent circumstances of the case - for deeming that, if a report was made through the internal channels, it would not be effectively followed up or could lead to the risk of retaliation;

- the whistleblower has reasonable grounds - on the basis of the specific, precise and consistent circumstances of the case - for deeming that the breach may constitute an imminent or clear danger to the public interest.

This report can be made using one of the channels made available by ANAC which, also using cryptographic tools, guarantee the confidentiality of the whistleblower, the person reported, and the contents of the report and related documentation.

Here is the link to the ANAC whistleblowing procedures:

Whistleblowing - Form for reporting unlawful conduct pursuant to Legislative Decree 24/2023 (anticorruzione.it)


WHO MANAGES THE WHISTLEBLOWING

The party in charge of receiving and analysing the reports is GRIG S.p.A., and specifically the Human Resources Manager, appointed as Whistleblowing Manager, and the Administrative Manager, as identity keeper.

These persons have received suitable and specific vocational training also in relation to the protection and security of personal data.


The Whistleblowing Manager has the following tasks:

• give due notice of receipt and follow-up of the Report;

• adopt measures to verify the completeness and soundness of the information;

• maintain relations with the whistleblower, requesting - where necessary - integrations or additional discussions and investigations, as well as informing them of the progress and definition of the report;

• liaise and/or collaborate with other company functions and figures and with authorised external consultants to ensure the smooth operation of the investigations and verifications.


WHISTLEBLOWING PROCEDURE

The whistleblowing management process is described below. It consists of the following phases:

• receipt and registration;

• preliminary assessment and classification;

• verifications and investigations;

• feedback on the report;

• reporting and filing.

Receipt and registration of the report

When a whistleblowing report is received through internal channels, the whistleblowing manager sends the whistleblower a notice of receipt within 7 (seven) days following the receipt of the report.

On receipt of a report, if this is not submitted through the platform, the whistleblowing manager adds the report to the platform and destroys all hard copies.

Report classification

After the preliminary analysis and evaluation, the whistleblowing manager classifies the report as:

• not relevant: not related to breaches admissible under this procedure or made by persons not included in the list of whistleblowers;

• not manageable: after the examination and/or following any requests for further information, it was not possible to gather sufficient information to be able to proceed with further investigations;

• relevant and manageable: the report is confirmed as sufficiently substantiated and relating to the scope of this procedure.

In this case, the whistleblowing manager will launch the verifications and investigations.

Internal verifications and investigations

If the report received is classified as “relevant and manageable”, the manager proceeds with the internal verifications and investigations.

In the investigation phase, the whistleblowing manager may use the support of appropriately qualified company departments/functions and/or external consultants.

Feedback on the report (outcomes)

Within 3 (three) months following the date of notice of receipt, or, if such notice is not given, within 3 (three) months following the expiry of the period of 7 (seven) days following the submission of the report, the manager shall provide feedback to the whistleblower, through the platform or using other suitable means.

The feedback contains the outcome of the investigations and the motivated decisions taken subsequently by the manager, which may be:

• ARCHIVING

This decision is taken if the report:

• is not relevant; it refers to such generic facts and contents as to not allow any verification;

• it was made in bad faith or the investigation proved that it was unfounded.

• THE REQUEST FOR ASSESSMENT BY THE COMPETENT COMPANY DEPARTMENTS FOR DISCIPLINARY PURPOSES AND SANCTIONS

If from the investigations the legal and disciplinary responsibility of the person reported is confirmed, the competent internal body will adopt statutory sanctions that are proportionate to the case.

• REPORTING TO THE COMPETENT EXTERNAL PUBLIC BODIES

If the whistleblowing report concerned relevant criminal matters, the competent company body will report it to the public authority.


SUMMARY TABLE

Whistleblowing reports are managed according to the following activities:


ACTIVITY | PARTIES INVOLVED
RECEIPT, REGISTRATION, FIRST FEEDBACK | Platform, Manager
CLASSIFICATION | Manager
VERIFICATIONS AND INVESTIGATIONS | Manager, company functions deemed affected, external consultants
FEEDBACK (outcome) | Manager
REPORTING | Platform, manager
ARCHIVING | Platform



REPORTING AND FILING

The outcomes of the assessments of all reports received are collected in a specific report describing the outcome of any investigations conducted and the assessments made in relation to the substantiated reports.

The reports and related documentation are kept for the time required for their processing and, in any case, no longer than 5 (five) years following the date of notification of the final outcome of the whistleblowing procedure, or following the conclusion of any legal or disciplinary proceedings towards the person reported or the whistleblower, in compliance with the obligations of confidentiality and the principle of retention, which is explicitly regulated.

Documents in electronic format shall be kept on the platform or in a specific whistleblowing directory accessible only to the whistleblowing managers.

Any hard copies produced to ensure the optimal management of the report are filed in the whistleblowing manager’s office in locked cabinets; access thereto is permitted only to formally authorised persons.


PROTECTIONS FOR THE PARTIES INVOLVED

• For the whistleblower

In compliance with the reference legislation, and in order to foster the dissemination of a culture of legality and encourage the reporting of offences, the company ensures the confidentiality of the whistleblower’s personal data and of the information contained in the report and received by all persons involved in the procedure.

The whistleblowing manager is responsible for ensuring the confidentiality of the whistleblower from the moment of receipt of the report, even in the event that the report is incorrect or unfounded.

Failure to comply with this obligation is a breach of this procedure and implies the liability of the manager.

In particular, the company guarantees that the identity of the whistleblower may not be disclosed without their express consent and that everyone involved in the management of the report is bound to protect such confidentiality, except in the event that:

- the report is found to be made for the purpose of harming or otherwise causing prejudice to the person reported (so-called reporting in “bad faith”) and constitutes a legal liability for slander or defamation;

- confidentiality is not opposable by law (e.g. criminal investigations, etc.).

As regards, particularly, disciplinary proceedings, the identity of the whistleblower may not be disclosed if the dispute over the disciplinary action is based on separate investigations in addition to the report, even where this is a consequence of it.

If for the purpose of managing the dispute and to defend the person accused it is necessary to know the identity of the whistleblower, the report may be used for the purpose of disciplinary proceedings only with the consent of the whistleblower to disclose their identity.

In this case, the whistleblower must be informed in writing of the reasons for disclosing confidential data, and they must be asked in writing if they intend to provide consent to have their identity disclosed, with the warning that – if they do not – the Whistleblowing report may not be used in the disciplinary proceedings. The Whistleblower is also informed in writing of the reasons why confidential data has to be disclosed, if the disclosure of the whistleblower’s identity and the information that may, directly or indirectly, disclose such identity, is indispensable for the defence of the person reported.

No form of direct or indirect retaliation or discrimination is permitted towards the whistleblower, in relation to working conditions for reasons linked directly or indirectly to the report.

It is recalled that whistleblowers who reveal or disclose information on breaches covered by the obligation to secrecy (other than classified information, medical or legal secrets and resolutions of legal bodies), or relating to the protection of copyright or personal data or offending the reputation of the person concerned or reported, shall not be punishable if, at the time of revealing or disclosing the facts, there were reasonable grounds for believing that the revelation or disclosure of such information was necessary in order to reveal the breach. In these cases, all further civil or administrative responsibility is excluded. In any case, criminal, civil or administrative liability is not excluded for conduct, acts or omissions not linked to the report, reporting to the legal or accounting authorities or public disclosure, or which are not strictly necessary for disclosing the breach.


• For the person reported

In compliance with the laws in force, the company has adopted the same forms of protection of the personal data of the whistleblower also for the person presumed to be responsible for the breach, without prejudice to any other form of responsibility provided for by law which imposes the obligation to provide the name of the person reported (e.g. requests from judicial authorities, etc.).

The identities of the person reported and any persons in any case involved and mentioned in the report are protected until the conclusion of the proceedings initiated following the report, with the same guarantees provided to the whistleblower.


PRIVACY AND CONFIDENTIALITY

The Company guarantees the confidentiality of the identity of the Whistleblower, the person reported, the contents of the report and the submitted documentation. Reports may not be used for any purpose other than for their own follow-up. The identity of the whistleblower and any other information which may disclose – directly or indirectly – their identity may not be disclosed without the express consent of the whistleblower to parties other than those in charge of receiving or following up the Reports, as identified in this Procedure.

Furthermore, the identity of the Whistleblower:

• in criminal proceedings, is covered by secrecy in the methods and limits provided for in Article 329 of the Code of Criminal Procedure;

• in proceedings before the Court of Auditors, may not be disclosed until the closure of the investigations;

• in disciplinary proceedings, may not be disclosed if the dispute over the disciplinary action is based on separate investigations in addition to the report, even where this is a consequence thereof.

In this case, the whistleblower must be informed in writing of the reasons for disclosing confidential data, and they must be asked in writing if they intend to provide consent to have their identity disclosed, with the warning that – if they do not – the Whistleblowing report may not be used in the disciplinary proceedings. The Whistleblower is also informed in writing of the reasons why confidential data has to be disclosed, if the disclosure of the whistleblower’s identity and the information that may, directly or indirectly, disclose such identity, is indispensable for the defence of the person reported.

For the privacy policies, refer to the documents adopted by each company.


DISCIPLINARY SANCTIONS

In relation to sanctions, the Controller confirms that the breach and/or abuse of this procedure is a disciplinary matter and, in compliance with the labour laws in force, including the referred collective bargaining contract, may be pursued and proportionate disciplinary sanctions imposed.

Generally, the Controller may impose disciplinary sanctions on anyone who hinders or attempts to hinder the whistleblowing reports, acting with the intention of preventing or delaying the activities relating to their management, or who breaches the confidentiality obligations, or who adopts methods of retaliation or discrimination towards the whistleblower and/or the person reported.

In particular, they may issue sanctions:

• to the whistleblower; in the event of reports made in bad faith, or reports that are fraudulent, slanderous or defamatory - for which civil and criminal liability is applicable -, or those that are manifestly opportunistic and/or made only for the purpose of harming the person reported or other persons, and all other cases of improper use of this procedure.

• to the whistleblowing manager; in the event of a breach of the confidentiality obligation, a delay in or failure to perform the verifications and investigations, or a delay in the definition of the report or the failure to define it.

• to the person reported; if the offence reported is ascertained, in the event of retaliation or discrimination towards the whistleblower.