Whistleblowing Procedure

WHISTLEBLOWING

Procedure for managing reports pursuant to Legislative Decree 10 March 2023 n. 24

Summary

1. PREMISE
   2. DEFINITIONS CONTAINED IN THE LEGISLATIVE DECREE
   3. PURPOSE OF THE REGULATION
   4. RELEVANT VIOLATIONS
   5. THE OBLIGED SUBJECTS
   6. INTERNAL REPORTING CHANNEL
   7. SUBJECT RESPONSIBLE FOR MANAGING THE INTERNAL REPORTING CHANNEL
   8. FORM OF INTERNAL REPORTING
   9. ACTIVITIES OF THE INTERNAL REPORTING CHANNEL MANAGER
   10. PUBLICATION OF THE INTERNAL REPORTING CHANNEL
   11. HEARING OF THE PERSON INVOLVED
   12. OBLIGATION OF CONFIDENTIALITY
   13. ORGANIZATIONAL AND SAFETY MEASURES
   14. STORAGE OF DOCUMENTATION RELATING TO THE REPORT
   15. EXTERNAL REPORTS
   16. PROTECTION MEASURES
   17. PUBLIC DISCLOSURES
   18. SANCTIONS
   19. WAIVER AND TRANSACTIONS
   20. ATTACHMENT: WHISTLEBLOWING crime reporting form
   21. ATTACHMENT: Legislative Decree 24/2023.
2. PREMISE

SBS SPA, hereinafter also the Company, conforms its business policy to compliance with Legislative Decree 10 March 2023, n. 24, containing “Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting breaches of Union law and containing provisions concerning the protection of persons reporting breaches of national regulatory provisions”.
The Company also conforms its business policy to the principles of legality and correctness provided for by the Organization, Management and Control Model for the prevention of the risk of crime adopted pursuant to Legislative Decree 231/2001 and the Code of Ethics.
This procedure integrates the Model pursuant to Legislative Decree 231/01, if it exists, and constitutes an integral part of it.

2. DEFINITIONS CONTAINED IN THE LEGISLATIVE DECREE

In this document, the following expressions have the meaning indicated below, pursuant to Legislative Decree no. 24/2023, the attached decree:
(a) "violations": behaviours, acts or omissions which harm the public interest or the integrity of the public administration or private entity and which consist of:
1) administrative, accounting, civil or criminal offences which do not fall under points 3), 4), 5) and 6) of this paragraph and below;
2) unlawful conduct relevant pursuant to Legislative Decree 8 June 2001, no. 231, or violations of the organisation and management models provided for therein, which do not fall under numbers 3), 4), 5) and 6) of this paragraph and below;
3) offences falling within the scope of the European Union or national acts indicated in the Annex to this Decree or of the national acts implementing the European Union acts indicated in the Annex to Directive (EU) 2019/1937, even if not indicated in the Annex to this Decree, relating to the following sectors: public procurement; financial services, products and markets and prevention of money laundering and terrorist financing; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety and animal health and welfare; public health; consumer protection; protection of privacy and protection of personal data and security of networks and information systems;
4) acts or omissions affecting the financial interests of the Union as referred to in Article 325 of the Treaty on the Functioning of the European Union as specified in the relevant secondary legislation of the European Union;
5) acts or omissions affecting the internal market, as referred to in Article 26(2) of the Treaty on the Functioning of the European Union, including infringements of European Union rules on competition and State aid, as well as infringements affecting the internal market related to acts which infringe corporate tax rules or mechanisms aimed at obtaining a tax advantage which defeats the object or purpose of the applicable corporate tax law;
6) acts or behaviours which frustrate the object or purpose of the provisions of the Union acts in the areas indicated in numbers 3), 4) and 5) of this Chapter and above;
(b) "information on violations": information, including reasonable suspicions, regarding violations committed or which, on the basis of concrete elements, could be committed in the organisation with which the reporting person or the person making the complaint to the judicial or accounting authority has a legal relationship pursuant to Article 3, paragraph 1 or 2, as well as elements regarding conduct aimed at concealing such violations;
(c) “reporting” or “reporting”: the written or oral communication of information on violations;
d) "internal reporting": the communication, written or oral, of information on violations, submitted through the internal reporting channel referred to in Article 4 of Legislative Decree 24/2023;
(e) ‘external reporting’ means the communication, written or oral, of information on infringements, submitted through the external reporting channel referred to in Article 7;
(f) “public disclosure” or “publicly disseminate”: making information about infringements publicly available through the press or electronic means or in any case through means of dissemination capable of reaching a large number of people;
(g) 'reporting person' means the natural person who reports or publicly discloses information on breaches acquired in the context of his/her work;
(h) ‘facilitator’ means a natural person who assists a reporting person in the reporting process, operating within the same work context and whose assistance must be kept confidential;
(i) "work context": the work or professional activities, present or past, carried out in the context of the relationships referred to in Article 3, paragraphs 3 or 4, through which, regardless of the nature of such activities, a person acquires information on infringements and in the context of which he or she could risk suffering retaliation in the event of reporting or public disclosure or reporting to the judicial or accounting authority;
(l) ‘person involved’ means the natural or legal person mentioned in the internal or external reporting or in the public disclosure as the person to whom the infringement is attributed or as a person otherwise implicated in the reported or publicly disclosed infringement;
(m) "retaliation": any conduct, act or omission, even if only attempted or threatened, carried out as a result of the report, the complaint to the judicial or accounting authority or the public disclosure and which causes or may cause the reporting person or the person who filed the complaint, directly or indirectly, unjust damage;
(n) “follow-up”: the action taken by the person responsible for managing the reporting channel to assess the existence of the reported facts, the outcome of the investigations and any measures adopted;
o) “feedback”: communication to the reporting person of information relating to the follow-up that is being given or intended to be given to the report;
p) "public sector entities": the public administrations referred to in Article 1, paragraph 2, of Legislative Decree No. 165 of 30 March 2001, the independent administrative authorities for guarantee, supervision or regulation, the public economic bodies, the public law bodies referred to in Article 3, paragraph 1, letter d), of Legislative Decree No. 50 of 18 April 2016, the public service concessionaires, the publicly controlled companies and the in-house companies, as defined, respectively, in Article 2, paragraph 1, letters m) and o), of Legislative Decree No. 175 of 19 August 2016, even if listed;
q) 'private sector entities' means entities, other than those falling within the definition of public sector entities, which:
1) have employed, in the last year, an average of at least fifty subordinate workers with permanent or fixed-term employment contracts;
2) fall within the scope of the Union acts referred to in Parts IB and II of the Annex, even if in the last year they have not reached the average number of employed workers referred to in point 1);
3) are different from the subjects referred to in number 2), fall within the scope of application of Legislative Decree 8 June 2001, n. 231, and adopt the organisation and management models provided for therein, even if in the last year they have not reached the average number of subordinate workers referred to in number 1).

3. PURPOSE OF THE REGULATION

The aim of Legislative Decree no. 24/2023 is to protect reporting persons, i.e. natural persons who report or publicly disclose information on violations.

4. RELEVANT VIOLATIONS

Violations consist of behaviors, which are acts or omissions, that harm the public interest or the integrity of the public administration or private entity and consist of administrative, accounting, civil or criminal offenses.
The following are significant offences:
- the underlying crimes of Legislative Decree 231/2001, and therefore the violations of the related organizational model;
- the offences indicated in the annex to Legislative Decree 24/2023;
- offences, even if not indicated in the Annex, relating to the following sectors: public procurement; financial services, products and markets and prevention of money laundering and terrorist financing; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety and animal health and welfare; public health; consumer protection; protection of privacy and personal data and security of networks and information systems;
- administrative, accounting, civil or criminal offences which are not included among those indicated above;
- acts or omissions that harm the financial interests of the European Union as per art. 325 of the Treaty on the Functioning of the European Union or art. 26, paragraph 2 of the same Treaty, including violations in the field of competition and State aid or in the field of corporate tax, referring to art. Legislative Decree 24/23;
- acts or behaviors that frustrate the object or purpose of the provisions of the European Union acts in the sectors indicated in the annex to Legislative Decree 24/23 or in the sectors indicated above.

5. THE OBLIGED SUBJECTS

They are required to activate the internal reporting channel:
- all companies which, in the last year, have had an average of at least fifty subordinate workers with permanent or fixed-term contracts;
- all companies that adopt organizational and management models provided for by Legislative Decree 8 June 2001 n. 231, even if in the last year they have not reached the average number of subordinate workers mentioned above;
- all companies falling within the scope of the European Union acts, referred to in parts IB and II of the annex to Legislative Decree 24/23, even if in the last year they have not reached the average number of subordinate workers mentioned above.

6. INTERNAL REPORTING CHANNEL

The Company, after consulting the representatives or trade unions referred to in Article 51 of Legislative Decree no. 81 of 2015, activates its own reporting channels, which guarantee, also through the use of encryption tools, the confidentiality of the identity of the reporting person, of the person involved and of the person mentioned in the report, as well as of the content of the report and the related documentation.
This procedure is an integral part of the Model pursuant to Legislative Decree 231/2001 if adopted.

7. SUBJECT RESPONSIBLE FOR MANAGING THE INTERNAL REPORTING CHANNEL

The management of the internal reporting channel is entrusted to two resources, the Human Resources Director and the Company's Safety Delegate, who are specifically trained on Legislative Decree 24/2023 and on this procedure.
The Human Resources Director and the Safety Delegate are the persons responsible for receiving reports, even separately, hereinafter referred to as the person responsible for managing the internal reporting channel.
Where the facts are relevant pursuant to Legislative Decree 231/01, the person in charge of managing the internal reporting channel shall communicate them to the Supervisory Body, if established pursuant to the same Legislative Decree 231/01. Where the facts are not relevant pursuant to Legislative Decree 231/01, the person in charge of management shall communicate them to the Sole Director of SBS SPA
If the communication of relevant facts pursuant to Legislative Decree 231/01 is made to the Sole Director, the latter will inform the Supervisory Body, if one exists.
If the communication of non-relevant facts pursuant to Legislative Decree 231/01 is made to the Supervisory Body, if it exists, the latter will inform the Sole Director of SBS SPA
The internal report submitted to a subject other than the one indicated above is transmitted, in any case, within seven days of its receipt, to the competent subject, giving simultaneous notice of the transmission to the reporting person.
All processing of personal data is carried out in compliance with current legislation on the protection of personal data.
The entity managing the internal reporting channel is considered the data controller pursuant to the legislation in force on the protection of personal data and assumes all the obligations and responsibilities provided for by such legislation.

8. FORM OF INTERNAL REPORTING

Reports are made in written form, including electronically, or orally.
To report, even anonymously, you can:
Send the report in a sealed envelope to the address of SBS SPA at Via Circonvallazione sn in Miasino (28013) in a sealed envelope with the wording "For the attention of the Internal reporting channel manager" Using the form at the following link: https://www.sbsmobile.tools/Wb/Segnalazioni.php

The above reports will be read only by the person managing the internal reporting channel.
For internal reports in oral form, whether made via telephone lines to the entity managing the internal reporting channel or through a direct meeting with the entity managing the internal reporting channel itself, a report shall be drawn up by the same entity in charge of managing the internal reporting channel.

9. ACTIVITIES OF THE INTERNAL REPORTING CHANNEL MANAGER

The entity managing the internal reporting channel:
a) issues the reporting person with a notice of receipt of the report within seven days of the date of receipt as well as the privacy information;
b) maintain dialogue with the reporting person and may request additions from the latter if necessary;
c) diligently follow up on the reports received. The report is communicated to the Supervisory Body or to the General Manager as established above. The persons in charge of managing the internal reporting channel transmit the report of the facts omitting the identity and personal data of the reporting person. If due to the nature of the report, the latter could not be communicated without communicating the identity or personal data of the reporting person (because, for example, in order to understand the report it is necessary to report the identity and personal data of the reporting person), the person in charge of managing the internal reporting channel asks the reporting person for consent to process his/her personal data; in the event of refusal of consent, the person in charge of managing the internal reporting channel informs the reporting person that the report cannot be followed up;
d) carry out any necessary investigation activity, as indicated by the General Manager, and report the results to said body. The person in charge of managing the internal reporting channel draws up a specific report of the investigation activity carried out;
e) provide feedback to the reporting party within three months of the date of the acknowledgement of receipt or, in the absence of such acknowledgement, within three months of the expiry of the seven-day period from the submission of the report.

10. PUBLICITY OF INTERNAL REPORTING CHANNEL

The entity managing the internal reporting channel shall publicize clear information on the channel, procedures and prerequisites for making internal reports, as well as on the channel, procedures and prerequisites for making external reports through this procedure. This procedure is displayed and made easily visible on the notice board located at the entrance of the two offices of the Company; these notice boards are accessible to employees and also to persons who, although not attending the workplace, have a legal relationship highlighted above in the Subjective scope of application.
Furthermore, SBS SPA sends an internal email to all employees, publicizing this procedure and publishes it on the Company's website.

11. HEARING OF THE PERSON INVOLVED

The person involved may be heard orally by the person in charge of managing the internal reporting channel, or, upon his request, he may be heard, including through the acquisition of written observations and documents. The person in charge of managing the internal reporting channel shall draw up minutes of the oral hearing.

12. OBLIGATION OF CONFIDENTIALITY

Reports may not be used beyond what is necessary to adequately follow up on them. Personal data that is clearly not useful for processing a specific report is not collected or, if accidentally collected, is deleted immediately.
All processing of personal data is carried out in compliance with current legislation on the protection of personal data.
The identity of the reporting person and any other information from which such identity may be deduced, directly or indirectly, may not be revealed, without the express consent of the reporting person, to persons other than those competent to receive or follow up on the reports, expressly authorised to process such data pursuant to the legislation on the processing of personal data.
In the context of the disciplinary proceedings, the identity of the reporting person cannot be revealed, where the challenge of the disciplinary charge is based on investigations that are separate and additional to the report, even if consequent to the same. If the challenge is based, in whole or in part, on the report and knowledge of the identity of the reporting person is indispensable for the defense of the accused, the report may be used for the purposes of the disciplinary proceedings only in the presence of the express consent of the reporting person to the disclosure of his or her identity.
The reporting person is given notice through written communication of the reasons for the disclosure of confidential data, as well as in internal and external reporting procedures when disclosure of the identity of the reporting person is also essential for the purposes of the defense of the person involved.

13. ORGANIZATIONAL AND SAFETY MEASURES

SBS SPA identifies technical and organizational measures suitable for guaranteeing a level of security adequate to the specific risks arising from the processing of data referred to in this procedure, on the basis of a data protection impact assessment.
In particular, the minutes and all paper documents relating to internal reporting are kept by the person in charge of managing the internal reporting channel in a locked cabinet, the key of which is kept by the same person.
Each digital document is stored by the person in charge of managing the internal reporting channel on his/her own PC and/or on the company server protected by a specific password. The technical and organizational measures of the IT system are regulated in a specific company procedure of the Company.

14. STORAGE OF DOCUMENTATION RELATING TO THE REPORT

Internal reports and related documentation are retained only for the time necessary to process the report and in any case no longer than five years from the date of communication of the final outcome of the reporting procedure, in compliance with the confidentiality obligations set forth in this procedure.
If a telephone line is used for reporting, the report, with the prior consent of the reporting person, is documented by the person managing the internal reporting channel in a report. The reporting person may verify, correct or confirm the content of the transcript.
When, at the request of the reporting person, the report is made orally during a meeting with the relevant personnel, it is, with the prior consent of the reporting person, documented by the person managing the internal reporting channel in minutes. The reporting person may verify, rectify and confirm the minutes of the meeting by signing.
The storage of paper and digital documents relating to reports is kept by the person in charge of managing the internal reporting channel and stored with the security measures indicated above, only for the time strictly necessary to manage the report.

15. EXTERNAL REPORTS

The reporting person may make an external report to the National Anti-Corruption Authority (ANAC) if, at the time of its submission, one of the following conditions applies:
a) the mandatory activation of the internal reporting channel is not foreseen within his/her work context or this, even if mandatory, is not active or, even if activated, does not comply with the provisions of Legislative Decree 24/2023;
b) the reporting person has already made an internal report pursuant to Legislative Decree 24/2023 and the same has not been followed up;
c) the reporting person has reasonable grounds to believe that, if he or she were to make an internal report, it would not be followed up effectively or that the report itself could give rise to the risk of retaliation;
d) the reporting person has reasonable grounds to believe that the infringement may constitute an imminent or manifest danger to the public interest.

16. PROTECTION MEASURES

Reporters cannot suffer any retaliation: in fact, there is a ban on retaliation.
In the context of judicial or administrative proceedings or in any case of extrajudicial disputes, having as their object the ascertainment of prohibited behaviors, acts or omissions, it is presumed that the same behaviors were carried out due to the reporting, public disclosure or complaint to the judicial or accounting authority.
The burden of proving that such conduct or acts are motivated by reasons other than the reporting, public disclosure or denunciation lies with the person who carried them out.
In the event of a claim for compensation submitted to the judicial authority by the reporting persons, if such persons demonstrate that they have made a report, a public disclosure or a complaint to the judicial or accounting authority and that they have suffered damage, it is presumed, unless proven otherwise, that the damage is a consequence of such report, public disclosure or complaint to the judicial or accounting authority. It is therefore up to the person contesting the damage alleged by the reporting person to demonstrate that such damage is not a consequence of the report.
The following behaviors are presumed to be retaliatory:
a) dismissal, suspension or equivalent measures;
b) demotion or failure to promote;
c) change of duties, change of place of work, reduction of salary, modification of working hours;
d) suspension of training or any restriction
e) access to it;
f) negative marks of merit or negative references;
g) the adoption of disciplinary measures or other sanctions, including pecuniary ones;
(h) coercion, intimidation, harassment or ostracism;
i) discrimination or otherwise unfavourable treatment;
j) the failure to convert a fixed-term employment contract into a permanent employment contract, where the worker had a legitimate expectation of such conversion;
k) failure to renew or early termination of a fixed-term employment contract;
l) damage, including to the person's reputation, particularly on social media, or economic or financial harm, including loss of economic opportunities and loss of income;
(m) improper listing on the basis of a formal or informal sectoral or industry agreement, which may result in the person being unable to find employment in the sector or industry in the future;
n) the early termination or cancellation of the contract for the supply of goods or services;
o) the cancellation of a license or permit;
p) the request to undergo psychiatric or medical examinations.
Acts taken in violation of the prohibition of retaliation are void.
Reporting persons who have been dismissed as a result of reporting, public disclosure or reporting to the judicial or accounting authority are entitled to reinstatement in their jobs, pursuant to Article 18 of Law No. 300 of 20 May 1970 or Article 2 of Legislative Decree No. 23 of 4 March 2015, based on the specific rules applicable to the worker.
The judicial authority shall adopt all measures, including provisional ones, necessary to ensure the protection of the legal situation of the individual in question, including compensation for damages, reinstatement in the workplace, an order to cease conduct in violation of the prohibition of retaliation and a declaration of nullity of the acts adopted in violation of the prohibition of retaliation.
Reporting persons may communicate to ANAC the retaliations they believe they have suffered. ANAC informs the National Labor Inspectorate and may avail itself of the same body to carry out the necessary investigation.
ANAC also applies the administrative sanctions indicated below to the person who committed the violation of Legislative Decree 24/2023.
ANAC also provides the support measures referred to in art. 18 of Legislative Decree 24/2023. These consist of free information, assistance and consultancy on the methods of reporting on protection from retaliation.
The reasons that led the person to report or denounce or publicly disclose are irrelevant to his or her protection.
The protective measures also apply to anonymous reports or complaints or disclosures, if the reporting person has subsequently been identified.
If criminal liability for the crimes of defamation or slander of the reporting person for the reported facts is ascertained, the protective measures provided for by Legislative Decree 24/2023 do not apply.

17. PUBLIC DISCLOSURES

The reporting person who makes a public disclosure shall benefit from the protection provided for by this decree if, at the time of the public disclosure, one of the following conditions applies:
a) the reporting person has previously made an internal and external report or has directly made an external report, under the conditions and in the manner provided for by this procedure and no feedback has been given within the terms provided for by this procedure regarding the measures envisaged or adopted to follow up on the reports;
(b) the reporting person has reasonable grounds to believe that the infringement may constitute an imminent or manifest danger to the public interest;
c) the reporting person has reasonable grounds to believe that the external report may entail the risk of retaliation or may not have an effective follow-up due to the specific circumstances of the specific case, such as those in which evidence may be hidden or destroyed or in which there is a well-founded fear that the person receiving the report may be in collusion with the perpetrator of the violation or involved in the violation itself.

18. SANCTIONS

Legislative Decree 24/2023 provides for administrative pecuniary sanctions for violation of the same, applied by ANAC.

19. WAIVER AND TRANSACTIONS

Waivers and transactions, whether complete or partial, which have as their object the rights and protections provided for by Legislative Decree 24/203 are not valid, unless they are carried out in the forms and ways set out in Article 2113, fourth paragraph, of the Civil Code.