Whistleblowing procedure

Index
1. INTRODUCTION
2. RECIPIENTS
3. PURPOSE AND FIELD OF APPLICATION
4. REFERENCES
5. DESCRIPTION OF THE PROCESS AND RESPONSIBILITY
5.1 Purpose and description of the process
5.2 Transmission of the Report
5.3 Registration of the Report
5.4 Classification and preliminary analysis of the Report
5.5 The execution of the investigation
5.6 Reporting
5.7 Corrective actions: monitoring
5.8 Processing of personal data and storage of documentation
5.9 Periodic checks
6. GUARANTEES AND PROTECTIONS
6.1 Protection of the Whistleblower
6.2 Protective measures
7. GLOSSARY
COLELLA GROUP SRL – Whistleblowing Procedure – Version 22/06/2023 Page 2 of 13
1. INTRODUCTION
This procedure (hereinafter Procedure) has the purpose of regulating the process of transmission, reception, analysis and management of Reports (so-called Whistleblowing) on information, adequately detailed, referable to Staff and/or Third Parties relating to violations of laws and regulations, of the Code of Ethics and Conduct of the COLELLA GROUP SRL Group, of the Organizational Model 231, as well as of the system of rules and procedures in force in the COLELLA GROUP SRL Group. The procedure is also aimed at implementing Legislative Decree 10 March 2023 n. 24, published in the Official Journal on 15.03.2023, containing the transposition of Directive (EU) 2019/1937 concerning "the protection of people who report violations of Union law (so-called Whistleblowing discipline)". For anything not expressly indicated in this Procedure, the provisions of the aforementioned Legislative Decree remain fully applicable. The aforementioned legislation provides, in summary:
- a protection regime for specific categories of subjects who report information, acquired in the work context, relating to violations of national or European Union regulatory provisions which harm the public interest or the integrity of the entity;
- protection measures, including the prohibition of retaliation, to protect the Reporter as well as the Facilitators, colleagues and relatives of the Reporter and the legal entities connected to the Reporter;
- the establishment of internal reporting channels within the entity (one of which is IT-based) for the transmission of reports which guarantee, also through the use of encryption tools, the protection of the confidentiality of the identity of the Reporter, the Person involved and/or in any case mentioned in the Report, the content of the Report and the related documentation;
- in addition to the right to file a complaint with the judicial or accounting authority, the possibility (if one of the conditions provided for in art. 6, paragraph 1, of Legislative Decree no. 24/2023 occurs) to make external reports via the channel managed by the National Anti-Corruption Authority (hereinafter ANAC), as well as to make public disclosures (in the event of one of the conditions provided for in art. 15, paragraph 1, of Legislative Decree no. 24/2023), through the press or electronic means or means of dissemination capable of reaching a large number of people;
- disciplinary measures as well as administrative pecuniary sanctions imposed by ANAC in the cases provided for by arts. 16 and 21 of Legislative Decree no. 24/2023.
2. RECIPIENTS
Recipients of the Procedure are:
- top management and members of the corporate bodies and Supervisory Body of COLELLA GROUP SRL and its Subsidiaries,
- employees, former employees and candidates for job positions, members, customers of COLELLA GROUP SRL and its Subsidiaries, as well as - but not limited to - partners, suppliers (also under contract/subcontract), consultants, collaborators in carrying out their work activities at COLELLA GROUP SRL and/or the Subsidiaries,
who are in possession of Information on violations as defined in this Procedure.
The Recipients also include physical and legal entities not included in the previous categories but to whom the protection measures provided for by this Procedure apply.
The provisions of this document also apply to anonymous reports, provided they are adequately substantiated, as defined in this Procedure.
COLELLA GROUP SRL – Whistleblowing Procedure – Version 17/12/2023 Page 3 of 13
3. PURPOSE AND FIELD OF APPLICATION
The Procedure aims to regulate the process of transmission, reception, analysis and management of Reports, including the archiving and subsequent deletion of both the Reports and the documentation related to them, in the manner indicated in this document. The Procedure applies to COLELLA GROUP SRL and to the Subsidiaries (as defined in this Procedure), which guarantee its correct and constant application, as well as maximum internal and external dissemination, in compliance with the prerogatives of autonomy and independence of each Company. They are Reports relating to:
- disputes, claims or requests linked to a personal interest of the Reporter, which concern exclusively the discipline of the employment relationship or relations with hierarchically superior figures, unless they are connected or referable to the violation of regulations or internal rules/procedures;
- violations relating to national security, as well as procurement relating to aspects of defense or national security, unless such aspects fall under secondary law of the European Union;
- violations regulated on a mandatory basis by European Union or national acts, as indicated in art. 1, paragraph 2, letter b), of Legislative Decree no. 24/2023 (regarding services, products and financial markets and prevention of money laundering and terrorist financing, transport safety and environmental protection);
- facts or circumstances falling within the application of national or European Union provisions in matters of classified information, forensic or medical secrecy and secrecy of the deliberations of judicial bodies, or falling within the application of national provisions on criminal procedure, autonomy and independence of the judiciary, provisions on the functions and powers of the Superior Council of the Judiciary, in matters of national defense and public order and security, as well as in matters of exercise and protection of the right of workers to consult their representatives or trade unions, of protections against illegal conduct or acts carried out as a result of such consultations, of autonomy of the social partners and their right to stipulate collective agreements, as well as the repression of anti-union conduct;
- communications relating to conflicts of interest, pursuant to the procedure "The management of conflicts of interests Gruppo COLELLA GROUP SRL". If these circumstances are also relevant pursuant to Organizational Model 231, they must be reported, as required by this Procedure;
- the activities falling within the competence of the Security and Government Liaison Officer, relating to the processing and management of classified information pursuant to the Prime Ministerial Decree of 6 November 2015 n. 5 ("Provisions for the administrative protection of state secrets and classified information for exclusive distribution") and subsequent amendments;
- commercial complaints, for which please refer to services 119, 187, 191;
- requests to exercise the rights in the matter of protection of personal data towards the COLELLA GROUP SRL Group (so-called privacy rights), pursuant to Regulation (EU) no. 2016/679 (General Data Protection Regulation - GDPR), Legislative Decree 30 June 2003 n. 196 (Code regarding the protection of personal data) and Legislative Decree 10 August 2018, n. 101 and subsequent amendments and additions. If said circumstances are also relevant pursuant to Organizational Model 231, they must be reported, as required by this Procedure.
4. REFERENCES
EXTERNAL REGULATORY REFERENCES
- Legislative Decree 8 June 2001 n. 231 ("Discipline of the administrative liability of legal persons, companies and associations even without legal personality, pursuant to article 11 of law 29 September 2000, n. 300");
- Regulation (EU) no. 2016/679 (General Data Protection Regulation - GDPR);
- Legislative Decree 30 June 2003 n. 196 (Code regarding the protection of personal data) and subsequent amendments and additions, including Legislative Decree 10 August 2018, n. 101, as well as the related legislative provisions;
- Directive (EU) 2019/1937 concerning the protection of people who report violations of Union law (so-called Whistleblowing);
- Legislative Decree 10 March 2023 n. 24, published in the Official Journal on 15.03.2023, containing the transposition of Directive (EU) 2019/1937.
INTERNAL REGULATORY REFERENCES
- Organizational Model 231 of COLELLA GROUP SRL and its Subsidiaries;
- Code of Ethics and Conduct of the COLELLA GROUP SRL Group;
- Definition and Formalization of Group Policies, Procedures and Operating Instructions.
5. DESCRIPTION OF THE PROCESS AND RESPONSIBILITY
5.1 Purpose and description of the process
For reports concerning COLELLA GROUP SRL, the owner of the management process is the Supervisory Body of COLELLA GROUP SRL, without prejudice to the responsibilities and prerogatives of the Board of Statutory Auditors on reports addressed to it, including complaints pursuant to art. 2408 of the Civil Code. For Reports concerning Subsidiaries, the owner of the process is the respective Supervisory Body, without prejudice to the aforementioned responsibilities and prerogatives of the relevant Board of Auditors.
In order to follow up on the Reports, the Supervisory Bodies of COLELLA GROUP SRL and its Subsidiaries avail themselves of the support of the HUMAN RESOURCES RESPONSIBLE Function in compliance with the principles established by the International Standards for the professional practice of Internal Audit issued by the Institute of Internal Auditors (IIA) and by the Code of Ethics and Conduct of the COLELLA GROUP SRL Group. The Function RESPONSIBLE FOR HUMAN RESOURCES, as part of the support activities for the Supervisory Body, also carries out the in-depth investigations requested by ANAC on external reports or on Public disclosures regarding COLELLA GROUP SRL or its Subsidiaries, informing the relevant Supervisory Body. The corporate functions of COLELLA GROUP SRL and its Subsidiaries, possibly affected by external bodies, institutions or authorities regarding external reports or public disclosures, promptly activate the HUMAN RESOURCES Function for further information.
5.2 Transmission of the Report
The Recipients of this Procedure who become aware of Information on violations are required to make a Report through the internal reporting channels described below.
Anyone who receives a Report, in any form (oral or written), must transmit it promptly, and in any case within 7 days of its receipt, to the relevant Supervisory Body, also through the HUMAN RESOURCES Function, through the internal reporting channels described below, giving simultaneous notice of the transmission to the Reporter (where known). That person is also required to transmit the original of the Report, including any supporting documentation, as well as evidence of the communication to the Reporter of the forwarding of the Report. That person cannot retain a copy of the original and must eliminate any copies in digital format, refraining from undertaking any independent analysis and/or in-depth initiative. The same person is required to maintain confidentiality of the identity of the Reporter, of the Persons involved and/or in any case mentioned in the Report, of the content of the Report and of the related documentation. Failure to communicate a Report received as well as violation of the confidentiality obligation constitute a violation of the Procedure and may lead to the adoption of disciplinary measures.
In order to diligently follow up on the internal reports received, COLELLA GROUP SRL and the Subsidiaries have equipped themselves with their own IT portal, accessible from the page dedicated to "Whistleblowing" present both on the website of COLELLA GROUP SRL and the Subsidiaries (where activated) and on the respective company intranet pages. The Portal allows you to transmit, even anonymously, both your own Report and a Report received from a third party, after having read the "Privacy Policy", published on the page dedicated to "Whistleblowing" present both on the website of COLELLA GROUP SRL and of the Subsidiaries (where activated) and on the respective company intranet pages.
This Procedure is also published on the aforementioned sites and intranet pages dedicated to Whistleblowing and information is available on the prerequisites for making a Report via an internal channel as well as information on the channels, procedures and prerequisites for making external Reports and public disclosures. Furthermore, a Frequently Asked Questions (FAQ) section is available which contains the answers to the most frequently asked questions useful for ensuring the correct transmission of the Reports to
allows you to follow the processing status of the Report over time, guaranteeing confidentiality and anonymity.
Reports can also be sent:
- in oral form, via voice messaging systems, to the toll-free number indicated on the aforementioned websites and intranet pages dedicated to the "Whistleblowing" of COLELLA GROUP SRL and of the Subsidiaries (where activated). The oral channel is operationally managed by the HUMAN RESOURCES MANAGER Function on behalf of the Supervisory Body of COLELLA GROUP SRL and/or of the relevant Subsidiaries, with the guarantees of confidentiality provided for by this Procedure;
- by ordinary mail, addressed to the Body 231 of COLELLA GROUP SRL and/or its Subsidiaries, at the registered office of the relevant company.
The Reporter may also request to make an oral report through a direct meeting with a member of the Supervisory Body of COLELLA GROUP SRL and/or of the relevant Subsidiaries and/or, on his behalf, with the Audit Function staff involved in the activities to support the Supervisory Body referred to in this Procedure. In this case, with the consent of the Reporter, the interview is documented by the personnel in charge by recording on a device suitable for storage and listening or by means of a report, which the Reporter can verify, rectify and confirm by signature.
Any reports addressed to the Board of Statutory Auditors of COLELLA GROUP SRL or one of the Subsidiary Companies, including reports pursuant to art. 2408 of the Civil Code, received by the Supervisory Body of TIM and/or one of the Subsidiaries and/or the Audit Function are promptly transmitted to the Board of Statutory Auditors of COLELLA GROUP SRL or of the relevant Subsidiaries.
The Supervisory Body of COLELLA GROUP SRL and/or of the relevant Subsidiary Company remains entitled to carry out independent investigations, directly or with the support of the Audit Function, on facts and circumstances of relevance pursuant to Organizational Model 231. Similarly, the Board of Auditors of COLELLA GROUP SRL or of the Subsidiaries promptly transmits, and in any case within 7 days of its receipt, to the Supervisory Body of COLELLA GROUP SRL or one of the Subsidiaries, also through the Audit Function, any Reports received by the aforementioned corporate body but addressed to and/or within the competence of the relevant Supervisory Body pursuant to Organizational Model 231, giving simultaneous notice of the transmission to the Reporter.
5.3 Registration of the Report
All Reports, regardless of the method of receipt, are recorded in the Portal, which constitutes the summary database of the essential data of the Reports and their management (tracked via workflow) and also ensures the archiving of all attached documentation, as well as that produced or acquired during the analysis activities. Consultation of the information on the Portal is limited only to Audit Function personnel involved in support activities for the Supervisory Body referred to in this Procedure, enabled with specific functional profiles for access to the system, traced through logs. The members of the Supervisory Body of COLELLA GROUP SRL and the Subsidiary Companies can however access the Portal directly, via a specific view-only functional profile, to view the Reports under their respective competence.
5.4 Classification and preliminary analysis of the Report
The Audit Function staff involved in the support activities for the Supervisory Body referred to in this Procedure analyzes and classifies the Reports, to define those potentially falling within
- within 7 days from the date of receipt of the Report, an acknowledgment of receipt thereof;
- within 3 months of the acknowledgment of receipt of the Report or, in the absence of such notice, within 3 months of the expiry of the deadline of 7 days from the submission of the same, a response with information on the follow-up that is given or intended to be given to the Report, specifying whether or not the Report falls within the scope of application of Legislative Decree no. 24/2023.
Reports regarding episodes of gender harassment, sexual harassment and bullying are transmitted by the Audit Function, for follow-up, to the Chief Human Resources & Organization Office Function, in application of the provisions of the Policy "Management of episodes of gender harassment, sexual and bullying". At the end of the Report management process, the commission envisaged by the aforementioned Policy communicates to the Audit Function the results of the checks carried out and any measures adopted by the Chief Human Resources & Organization Office Function, for subsequent information and closure proposal to the relevant Supervisory Body.
The Audit Function preliminarily evaluates, also through any documentary analysis, the existence of the necessary conditions for starting the subsequent investigation phase, giving priority to adequately detailed reports, and communicates the aforementioned evidence to the Supervisory Body of COLELLA GROUP SRL and, for Reports on Subsidiaries, also to the Supervisory Body of the relevant Subsidiary.
For the Reports under its responsibility, the Supervisory Body, on a documentary basis and also in consideration of the results of the preliminary analyses carried out by the Audit Function, evaluates:
- the start of the subsequent investigation phase;
- for "Reports relating to significant facts", timely reporting to the Control and Risk Committee and to the relevant Board of Statutory Auditors, for independent assessments;
- the closure of the Reports, as: i) generic or not adequately detailed; ii) clearly unfounded; iii) referring to facts and/or circumstances which have previously been the subject of specific investigative activities already concluded, where no new information emerges from the preliminary checks carried out such as to make further investigations necessary; iv) "verifiably detailed", for which, in light of the results of the preliminary checks carried out, no elements emerge that would support the start of the subsequent investigation phase; v) "substantiated and unverifiable", for which, in light of the results of the preliminary checks carried out, it is not possible, on the basis of the analysis tools available, to carry out further investigations to verify the validity of the Report.
In order to acquire information, the Supervisory Body has the right to:
- request the Audit Function, without prejudice to the current information flows, to activate audits on the reported facts;
- carry out, even directly, in compliance with any specific applicable regulations, in-depth investigations through, for example, formal summons and hearings of the Reporter, the Reported and/or the Persons involved in the Report and/or in any case informed of the facts, as well as requesting the aforementioned subjects to produce information reports and/or documents;
- make use, if deemed appropriate, of experts external to COLELLA GROUP SRL and/or to the Subsidiaries.
In the event that the Report concerns one or more members of the Board of Directors, the Board of Auditors or the Supervisory Body of COLELLA GROUP SRL, the President of the Supervisory Body of TIM informs the Presidents of the Board of Directors and the Board of Auditors of COLELLA GROUP SRL for joint management. If the Report involves one of the three Presidents, the same is replaced by the most senior member of the corporate body/Supervisory Body of COLELLA GROUP SRL. If the Report involves the entire corporate body/Supervisory Body of COLELLA GROUP SRL, the investigation will be managed by the Presidents of the other two corporate bodies/Supervisory Body of COLELLA GROUP SRL. If the Report concerns the Head of the Audit Function of COLELLA GROUP SRL and/or the Functions employed by him, the President of the Supervisory Body of COLELLA GROUP SRL informs the Presidents of the Board of Directors and the Board of Statutory Auditors of COLELLA GROUP SRL for joint management. In the aforementioned cases, the results of the in-depth investigations are the subject of a closing note of the Report jointly signed by the Presidents who jointly managed the Report.
5.5 The execution of the investigation
The investigation phase of the Report has the objective of:
- proceeding, within the limits of the tools available to the Audit Function, with in-depth and specific analyses to verify the reasonable basis of the factual circumstances reported;
- reconstructing the management and decision-making processes followed on the basis of the documentation and available evidence;
- providing any indications regarding the adoption of the necessary remedial actions aimed at correcting possible control deficiencies, anomalies or irregularities detected in the areas and company processes examined.
The evaluations of merit or opportunity, whether discretionary or technical-discretionary, of the decision-making and management aspects carried out from time to time by the company structures/positions involved, inasmuch as falling within the exclusive competence of the latter.
During investigations, the Audit Function may request additions or clarifications from the Reporter. Furthermore, where deemed useful for further investigation, it can acquire information from the Persons involved in the Report, who also have the right to request to be heard or to produce written observations or documents. In such cases, also in order to guarantee the right of defence, the Person involved is notified of the existence of the Report, while guaranteeing confidentiality regarding the identity of the Reporter and the other Persons involved and/or mentioned in the Report.
The Audit Function takes care of carrying out the investigation also by acquiring the necessary information elements from the structures involved, involving the competent company functions and making use, if deemed appropriate, of experts external to COLELLA GROUP SRL. The investigative activities are carried out using, but not limited to: i) company data/documents useful for the purposes of the investigation (e.g. extractions from company systems and/or other specific systems used); ii) external databases (e.g. info provider/databases on company information); iii) open sources; iv) documentary evidence acquired from company structures; v) where appropriate, statements made by interested parties or acquired during verbalized interviews.
5.6 Reporting
At the conclusion of each preliminary investigation, the results are communicated to the Supervisory Body of COLELLA GROUP SRL and, for Reports on Subsidiaries, also to the Supervisory Body of the relevant Subsidiary.
The results of the in-depth analyzes are summarized in a report or, for Reports "relating to relevant facts" and/or with complex analyses, in an investigation note, which reports:
- an opinion of reasonable validity/non-substantiation on the facts reported;
- the outcome of the activities carried out and the results of any previous investigative activities carried out on the same facts/subjects reported or on facts similar to those covered by the Report;
- any indications regarding the necessary corrective actions on the areas and company processes examined, adopted by the competent management who is informed of the results of the analyses.
At the end of the preliminary investigation, the relevant Supervisory Body decides to close the Report, highlighting any non-compliance with the rules/procedures, without prejudice to the exclusive prerogatives and responsibilities of the Chief Human Resources & Organization Office Function regarding the exercise of the disciplinary action.
Furthermore, if the outcome of the investigation reveals:
- possible cases of criminal or civil liability relevance, the Supervisory Body may decide to communicate the findings to the Legal & Tax Function, for the relevant assessments;
- hypotheses of non-compliance with rules/procedures or facts of possible relevance from a disciplinary or labor law perspective, the Supervisory Body orders the results to be communicated to the Chief Human Resources & Organization Office Function, for the relevant assessments, which will inform the Supervisory Body of the decisions taken. Furthermore, the Chief Human Resources & Organization Office Function of COLELLA GROUP SRL provides the Supervisory Body with information on the disciplinary measures taken following an in-depth investigation of Reports on a quarterly basis.
Reports closed as clearly unfounded, if not anonymous, are sent to the Chief Human Resources & Organization Office function so that it can evaluate with the other competent company structures whether the report was made for the sole purpose of harming the reputation or of damaging or in any case of causing harm to the reported person and/or company, for the purposes of activating any appropriate initiative against the Reporter.
The Audit Function provides the Supervisory Body of COLELLA GROUP SRL with a monthly summary report of all the Reports received during the period and details of those falling within the scope of the Procedure, with evidence of the state of progress and the results of the completed investigations, for which it proposes closure. Following the reporting to the Supervisory Body of COLELLA GROUP SRL, the Audit Function periodically provides the Control and Risk Committee and the Board of Statutory Auditors with a summary report of the Reports received and the results of the preliminary investigation activities concluded. Also at the request of the aforementioned corporate bodies, the Supervisory Body may order the communication of the details of the investigations carried out or the transmission of the preliminary notes closing the Reports.
Furthermore, following the reporting to the Supervisory Body, the Audit Function of COLELLA GROUP SRL communicates any elements of feedback emerging from the investigations regarding suspected frauds with potential impacts:
- from a tax perspective, to the Compliance Function - Compliance Operations, to the extent applicable, and to the Legal & Tax Function - Tax Office - Reporting and Fiscal Monitoring, for the activation of the investigation process with the involvement of the competent Tax Office Function, as envisaged by the "Tax risk management" Procedure of ;
- in matters of anti-corruption, to the Compliance Function for the prevention of corruption of COLELLA GROUP SRL and/or of the relevant Subsidiary, identified pursuant to the Anti-corruption Management System, according to the ISO 37001 standard, for the relevant activities.
Furthermore, the Audit Function provides:
- every six months to the Compliance Function for the prevention of corruption of COLELLA GROUP SRL and the relevant Subsidiaries, summary information on the number and type of Reports received regarding possible corruption offenses;
- every six months to the Chief Regulatory Affairs Function of TIM, summary information on the number and type of reports received regarding suspicious conduct or alleged violations of antitrust legislation and the Antitrust Code of Conduct of the COLELLA GROUP SRL Group;
- annually to the Sustainability Function of COLELLA GROUP SRL, the relevant contributions for the purposes of drafting the Sustainability Report of the COLELLA GROUP SRL Group, with particular reference to the Reports falling within the scope of application of the Policy "Respecting Human Rights in the COLELLA GROUP SRL Group".
5.7 Corrective actions: monitoring
If the need to formulate recommendations aimed at adopting appropriate remedial actions emerges from the analyzes of the areas and company processes examined, it is the responsibility of the management of the areas/processes subject to verification to define a corrective action plan for the removal of the critical issues identified and to guarantee its implementation within the defined timescales, communicating this to the Audit Function which monitors the implementation status of the actions.
The relevant Supervisory Body monitors the progress of the corrective actions through the information periodically provided by the Audit Function.
5.8 Processing of personal data and storage of documentation
Any processing of personal data, including in the context of the Portal, is carried out in compliance with the confidentiality obligations referred to in art. 12 of Legislative Decree no. 24/2023 and in compliance with the legislation on the protection of personal data referred to in Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR), Legislative Decree 30 June 2003 n. 196 and the legislative decree of 18 May 2018 n. 51.
The protection of personal data is ensured not only to the Reporter (for non-anonymous reports), but also to the Facilitator as well as to the Person involved or mentioned in the report.
Potential interested parties are provided with information on the processing of personal data through publication on the dedicated portal.
In compliance with art. 13, paragraph 6, of Legislative Decree no. 24/2023, a Privacy Impact Assessment (PIA) was carried out, drawn up pursuant to art. 35 of Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR), in order to define the technical and organizational measures necessary to reduce the risk to the rights of interested parties, including the security measures necessary to prevent unauthorized or unlawful processing.
In order to guarantee the management and traceability of the Reports and the consequent activities, the Audit Function takes care of the preparation and updating of all the information regarding the Reports and ensures, using the Portal, the conservation of all the related supporting documentation for the time strictly necessary for their definition, and in any case for no more than 5 years, starting from the date of communication of the final outcome of the Report to the Supervisory Body.
Personal data that is clearly not useful for processing a specific report are not collected or, if collected accidentally, are promptly deleted.
The originals of the reports received in paper form are stored in a special protected environment.
5.9 Periodic checks
On a six-monthly basis, a completeness check is carried out by Audit Function personnel other than those involved in the support activities for the Supervisory Body referred to in this Procedure, in order to ensure that all the Reports received have been treated, duly forwarded to the relevant recipients and reported in accordance with the provisions of this Procedure.
6. GUARANTEES AND PROTECTIONS
6.1 Protection of the identity of the Reporter
Reports cannot be used beyond what is necessary to adequately follow up on them.
Without prejudice to legal obligations, the identity of the Reporter and any other information from which such identity can be deduced, directly or indirectly, cannot be revealed, without the express consent of the same, to people other than those competent to receive or follow up on Reports, expressly authorized to process such data pursuant to arts. 29 and 32, par. 4, of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and of art. 2-quaterdecies of the legislative decree of 30 June 2003, n. 196 (Code regarding the protection of personal data).
In particular, the identity of the Reporter and any other information from which such identity can be deduced, directly or indirectly, can only be revealed with the express consent of the same:
- in the context of disciplinary proceedings, if the dispute is based, in whole or in part, on the Report and knowledge of the identity of the Reporter is essential for the defense of the accused;
- in the context of the proceedings established following internal or external Reports, if the disclosure of the identity of the Reporter or of any other information from which such identity can be deduced, directly or indirectly, is also indispensable for the purposes of the defense of the Person involved.
To this end, in such cases, prior written communication is given to the Reporter of the reasons for revealing the confidential data.
The personnel of the COLELLA GROUP SRL Group involved in the management of the Reports are required to maintain confidentiality of the identity of the Reporter, of the Persons involved and/or in any case mentioned in the Report, of the content of the Report and of the related documentation.
Confidentiality is also guaranteed to those who report before the start or after the termination of the employment relationship, or during the probationary period, if said information was acquired within the working context or in the selective or pre-contractual phase.
Confidentiality is also guaranteed on the identity of the Persons involved and/or mentioned in the Report, as well as on the identity and assistance provided by the Facilitators, with the same guarantees provided for the Reporter.
Violation of the obligation of confidentiality, without prejudice to the exceptions above, may result in the imposition of administrative fines by ANAC on the interested party as well as the adoption of disciplinary measures by the Chief Human Resources & Organization Function Office, in line with the provisions of paragraph 8 of Organizational Model 231 (“Disciplinary System”).
6.2 Protection measures
It is prohibited to carry out retaliatory acts against the Whistleblower, understood as any behaviour, act or omission, even if only attempted or threatened, carried out as a result of the internal or external Report/Public disclosure/complaint, which causes or may cause the Reporter, directly or indirectly, unfair damage.
Protection is also guaranteed to the anonymous whistleblower, who believes he or she has suffered retaliation and was subsequently identified.
The protection measures apply within the limits and conditions set out in chapter III of Legislative Decree no. 24/2023 and are also extended to:
- the categories of Reporters who do not fall within the objective and/or subjective scope of application envisaged by Legislative Decree no. 24/2023;
- the Facilitators, the people from the same work context as the Reporter who are linked to the Reporter by a stable emotional or kinship bond within the fourth degree, the work colleagues of the Reporter who work in the same work context and who have a usual and current relationship with the Reporter;
- the entities owned by the Reporter or for which he works as well as the entities that operate in the same working context as the Reporter.
Anyone who believes they have suffered retaliation as a result of the Report can report it to ANAC.
Any retaliatory acts undertaken as a result of the Report are null and void and the people who have been fired as a result of the Report have the right to be reinstated in the workplace in implementation of the regulations applicable to the worker.
Without prejudice to the exclusive competence of ANAC regarding the possible application of the administrative sanctions referred to in art. 21 of Legislative Decree no. 24/2023, please refer to the specific regulations contained in paragraph 8 of Organizational Model 231 ("Disciplinary System") for any consequences on the disciplinary level under the responsibility of the Chief Human Resources & Organization Office Function.
7.GLOSSARY
For the purposes of this Procedure:
- Work context: the work or professional activities, present or past, carried out by COLELLA GROUP SRL Personnel or by Third Parties within the context of the legal relationships established by them with COLELLA GROUP SRL and/or with the Subsidiary Companies;
- Public disclosure: placing information on violations in the public domain through the press or electronic means or in any case through means of dissemination capable of reaching a large number of people. Pursuant to art. 15, paragraph 1, of Legislative Decree no. 24/2023, the Reporter may make a public disclosure if one of the following conditions is met: i) he has already made both an internal and external Report, or he has directly made an external Report and no response has been given within the established deadlines regarding the measures envisaged or adopted to follow up on the Reports; ii) has reasonable grounds to believe that the violation may constitute an imminent or obvious danger to the public interest; iii) has reasonable grounds to believe that the external Report may involve the risk of retaliation or may not be effectively followed up due to the specific circumstances of the specific case, such as those in which evidence may be hidden or destroyed or in which there is a well-founded fear that whoever received the Report may be colluding with the author of the violation or involved in the violation itself;
- Facilitator: the natural person who assists the Reporter in the Reporting process and who operates in the same work context and whose assistance must be kept confidential;
- Gruppo COLELLA GROUP SRL - Information on violations: information, adequately detailed, including well-founded suspicions, regarding violations resulting from behaviour, acts or omissions committed or which, on the basis of concrete elements, could be committed as well as elements concerning conduct, including omissions, aimed at concealing such violations. This also includes information on violations acquired in the context of a legal relationship that has not yet begun or has ended in the meantime, if such information has been acquired within the working context, including the probationary period, or in the selective or pre-contractual phase;
- Organizational Model 231: the organisation, management and control model adopted by COLELLA GROUP SRL and its Subsidiaries pursuant to Legislative Decree no. 231/2001;
- Supervisory Body: the Body of COLELLA GROUP SRL, or the Board of Auditors of the Subsidiary Companies in the functions of Supervisory Body, appointed pursuant to art. 6, point 1, letter b) of Legislative Decree no. 231/2001, equipped with autonomous powers of initiative and control, which has the task of supervising the functioning and observance of the 231 Organizational Model and of ensuring its updating;
- Person involved: the natural or legal person mentioned in the Report made via the internal or external channel, complaint, public disclosure, as the subject to whom the violation is attributed or in any case referable;
- COLELLA GROUP SRL personnel: those who are linked to COLELLA GROUP SRL or to the Subsidiaries by an employment relationship or occasional service as well as the top management and members of the corporate bodies and of the Supervisory Body of COLELLA GROUP SRL and of the Subsidiaries (even if they exercise these functions on a purely de facto basis);
- Reporter: the person who makes a Report through the internal or external reporting channel, denunciation, public disclosure;
- Reporting: the communication, written or oral, of information relating to COLELLA GROUP SRL Staff and/or to third parties on violations of laws and regulations, of the Code of Ethics and Conduct of the COLELLA GROUP SRL Group, of the Organizational Model 231, as well as the system of rules and procedures in force in the COLELLA GROUP SRL Group, including - but not limited to - the Policy "Respecting Human Rights in the COLELLA GROUP SRL Group", the "Tax Risk Management" Procedure, the Anti-Corruption Management System of COLELLA GROUP SRL and the Anti-Corruption Policy of the COLELLA GROUP SRL Group;
- Anonymous report: Report in which the personal details of the Reporter are not made explicit, nor are they uniquely identifiable;
- Detailed report: Report in which the information/assertions are characterized by a sufficient degree of detail, at least abstractly, to reveal precise and concordant circumstances and facts related to specific contexts, as well as to allow the identification of useful elements for the purposes of verifying the validity of the Report itself (for example, elements that allow the identification of the person who carried out the reported facts, the context, the place and the time period of the circumstances reported, value, causes and purposes of the conduct, anomalies relating to the internal control system, supporting documentation, etc.). In the context of detailed reports, information/assertions are distinguished as: i) "verifiable", if on the basis of the contents of the report it is actually possible to carry out checks within the company on its validity, within the limits of the activities and with the analysis tools available to Audit; ii) "unverifiable", if on the basis of the analysis tools available, it is not possible to carry out checks on the validity of the Report. The checks on circumstances and assessments attributable to intentional and/or subjective elements are affected by the limits of the Audit activities and the related tools available;
- External reporting: the communication, written or oral, of information on violations carried out by the Reporter through the external reporting channel activated by the National Anti-Corruption Authority (ANAC). Pursuant to art. 6, paragraph 1, of Legislative Decree no. 24/2023, the Reporter may make an external Report if one of the following conditions occurs: i) the mandatory activation of the internal reporting channel is not envisaged within his/her work context or this, even if mandatory, is not active or, even if activated, is not compliant; ii) has already made an internal report and it has not been followed up on; iii) has reasonable grounds to believe that, if he were to make an internal report, it would not be followed up effectively or would lead to retaliatory conduct; iv) has reasonable grounds to believe that the violation may constitute an imminent or obvious danger to the public interest;
- Internal reporting: the communication, written or oral, of information on violations carried out by the reporting party via the internal channel;
- Report relating to relevant facts: i) Report concerning the top management and members of the corporate bodies and the Supervisory Body of COLELLA GROUP SRL and/or the Subsidiaries; ii) Report for which, even from the preliminary analyses, serious violations of the Organizational Model 231 can be identified, such as to expose the company to the risk of criminal-administrative liability pursuant to Legislative Decree no. 231/2021; iii) Report on company operational anomalies and/or illicit acts and/or fraud and/or abuse for which, following the preliminary checks, a significant qualitative-quantitative impact can be estimated for COLELLA GROUP SRL and/or for the Subsidiaries on the financial statements (in terms of accounting issues, statutory auditing, internal controls on financial reporting). The impact is "significant" from a qualitative point of view if the operational anomalies and/or frauds and/or abuses are able to influence the economic and investment decisions of the potential recipients of the financial information. The significance of the impact from a quantitative point of view is assessed by the Supervisory Body in agreement with the Chief Financial Office of the reference company;
- Subsidiary Companies: the subsidiaries of the COLELLA GROUP SRL Group, excluding listed companies and those in foreign countries, to which this Procedure applies directly;
- Third parties: natural or legal persons, other than COLELLA GROUP SRL personnel, who have, in various capacities, employment, collaboration or business relationships with COLELLA GROUP SRL and/or with the Subsidiaries, including - but not limited to - customers, partners, suppliers (also under contract/subcontract), self-employed workers or holders of collaborative relationships, freelancers, consultants, agents and intermediaries, volunteers and interns (paid or unpaid), or anyone who holds a legitimate interest in the corporate activity of the COLELLA GROUP SRL Group.

whistleblowing@spadaroma.com