Whistleblowing

Description

To combat and prevent corruption, maladministration, and, more generally, violations of the law, Ciro Paone S.p.A. has established special internal channels, in compliance with Italian Legislative Decree No. 24 of March 10, 2023. These channels allow stakeholders to securely and confidentially report behaviors, actions, or omissions that may violate internal or external regulations.

Who can report?

Anyone working at the company is eligible to report, including:

  • employees;
  • self-employed workers;
  • collaborators, freelancers, and consultants;
  • interns and trainees, paid and unpaid;
  • shareholders and individuals with roles involving administration, management, control, supervision, or representation, even when such roles are exercised de facto.

Whistleblowing can take place:

  • while the legal relationship is ongoing;
  • during the trial period, if the information was acquired during the selection process or other pre-contractual stages;
  • before the legal relationship begins, if information about violations was acquired during the selection process or other pre-contractual stages;
  • after the dissolution of the legal relationship, if the information on violations was acquired before the dissolution of the relationship (e.g., retirees).

Is anonymous whistleblowing allowed?

Anonymous whistleblowing is allowed, provided reports are sufficiently detailed to identify specific facts and situations.

What can be reported?

Reports can relate to two types of violations, as outlined below:

National regulatory violations

  1. Offenses related to matters covered by Article 2(I)(a) numbers 3 to 6 (public procurement, public health, personal data protection, consumer protection, the environment, competition, and state aid, etc.)
  2. Where a Model 231 is adopted: Illegal conduct under Italian Legislative Decree No. 231 of June 8, 2001 (examples of predicate offenses include: Undue receipt of disbursements, fraud to the detriment of the state, a public entity, or the European
    Union to obtain public funds, computer fraud
    against the state or a public entity, fraud in public supplies), or
    violations of the Organization and Management Model adopted under
    Italian Legislative Decree 231/01 or the Company’s Code of Ethics.

European regulatory violations

  1. Offenses falling within the scope of European Union acts in the following areas: public procurement; financial services, products, and markets; prevention of money laundering and terrorist financing; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety; animal health and welfare; and public health;
  2. Acts or omissions that harm the financial interests of the Union (e.g., fraud, corruption, and other illegal activities related to Union expenditures).
  3. Acts or omissions concerning the internal market (e.g., competition and state aid violations).
  4. Acts or conduct that undermine the subject or purpose of provisions set forth in EU acts (e.g., actions that harm the principle of free competition).

What can NOT be reported?

  • information that is clearly unsubstantiated, information that is already entirely in the public domain, or information acquired based solely on indiscretions or unreliable rumors (‘gossip’ or ‘hearsay’).
  • disputes, claims, or demands related to the personal interests of the whistleblower or the individual making a complaint 
     to the judicial or accounting authority, relating solely to their own individual labor or public employment relationships, or relating to their own labor or public employment
    relationships with hierarchically higher level figures. For example, reports regarding labor disputes and pre-litigation matters, discrimination between colleagues, interpersonal conflicts between the whistleblower and another worker or supervisor, or reports about data processing carried out within an individual employment relationship are therefore excluded, unless they harm the public interest or the integrity of the public administration or private entity;
  • violations already mandatorily regulated by the European Union or national acts referenced in Part II of the annex to the decree, or national acts implementing European Union acts mentioned in Part II of the annex to Directive (EU) 2019/1937, even if not specifically included in Part II of the annex to the decree. (for example, reports regulated by Italian Legislative Decree No. 385 of September 1, 1993, ‘Consolidated Law on Banking and Credit’, and Italian Legislative Decree No. 58 of February 24, 1998, Consolidated Law on Provisions on Financial Intermediation, are excluded).
  • national security breaches, as well as procurement related to defense or national security matters, unless covered by relevant secondary law of the European Union.
  • Issues related to goods and services provided by the Company (e.g., complaints).

What information should the report contain?

Reports should be as detailed as possible, including all relevant information to enable the Management Body to conduct necessary checks and investigations to assess the merits of the report.
To this end, whistleblowers should provide at least the following:

  • the time and place the reported event occurred;
  • a description of the event, including known circumstances (such as manner, time, and place);
  • the general information of or other details that could help identify the person to whom the reported facts can be attributed (the reported individual).
  • Unless the report is anonymous, the contact details of the person making the report, including his/her position or role within the company;
  • confirmation that there are no private interests related to the report and that the whistleblower is acting in good faith;
  • any information or evidence (including relevant documents) that may provide useful insight into the reported facts, especially any other individuals who may corroborate the events;
  • If the whistleblowing report is not anonymous, the identifying details of the whistleblower (such as first name, last name, job title, etc.). As will be further discussed, specific technical and organizational security measures are in place to ensure the absolute confidentiality of the whistleblower’s identity.

If the report is submitted in written form through the Whistleblowing Portal, the whistleblower will be guided through providing the necessary details by the questions on the whistleblowing form.

In any case, if the report is not adequately substantiated, the Management Body may request additional information from the whistleblower, either via the Whistleblowing Portal or in person, if the whistleblower has requested a face-to-face meeting.

Reports should not include excessive personal data, but only the information necessary to substantiate the complaint. Therefore, as a rule, no sensitive data, such as health or judicial information, should be provided.

How can a report be made?

The whistleblower can submit a written or verbal report using the following internal channels:

Ciro Paone S.p.A. has implemented an IT platform that allows reports to be submitted in writing via a questionnaire or orally via a voicemail box.

The Portal will ask whistleblowers whether they wish to disclose their identity. In any case, whistleblowers may choose to provide their personal details at a later time, including
via the messaging system in the Portal.

Upon submission, the Portal will provide the whistleblower with a unique identification code (ticket). This number, known only to the whistleblower, cannot be recovered in any way if lost. The ticket can be used by whistleblowers to access their report via the Portal in order to: monitor its progress; enter further information to substantiate the report; provide personal details; answer any further questions. 

Via a face-to-face meeting: The request should be sent to the following address/
phone no. +39 081.5855206. To ensure the confidentiality and
security of the communication, the whistleblower is asked NOT
to provide any details about the report (such as facts, the name
of the reported individual and/or witnesses) but only to arrange the terms of the meeting.

Who can provide assistance to the whistleblower?

The whistleblower may seek assistance from a trusted individual, who can act as a ‘Facilitator’ under the applicable regulations. The Facilitator receives similar protection to the whistleblower.

How can one consult a submitted report and track its outcome?

When submitting a report through the Whistleblowing Portal, whistleblowers will receive a code that they can use to access their report through the Portal in order to: monitor its progress; enter further information to substantiate the report; provide personal details; answer any further questions. 

In any case, the Management Body:

  • issues an acknowledgment of receipt to whistleblowers within 7 days of receiving the report:
  • provides timely feedback to any requests submitted by whistleblowers through the reporting channels (via the messaging system on the platform)
  • provides an update on the report within three months of the date of acknowledgment of receipt or, if no acknowledgment was issued, within three months of the end of the 7-day period following the report’s submission.

Who handles the reporting?

The Management Body consists of an internal office composed of the following resources: Purchasing Manager, Finance Manager, and Facility Manager.

The Management Body, as the Recipient of the Report:

  • is autonomous and independent;
  • ensures fair and impartial judgment on the reports received;
  • adheres to confidentiality obligations, particularly regarding the identities of the whistleblower, the reported individual, and others involved (such as facilitators, family members, co-workers, witnesses, etc.);
  • manages the report (assesses its admissibility and investigates the reported facts or conduct);
  • handles communications with the whistleblower (notices of receipt and closure of the report and exchanges of information);
  • communicates the outcome to the whistleblower (explaining the measures planned or taken or to be taken to follow up on the report and the reasons for the choice made).
  • Ensures adequate publicity of this procedure and of the other channels (external channel, public disclosure, complaint) required by Italian Legislative Decree 24/2023, particularly with reference to the conditions for access to the competent subjects and procedures.

If the report is submitted to a person other than the one designated and authorized by the administration or entity, the latter will forward it to the appropriate person within seven days of receipt, at the same time notifying the whistleblower that it is being forwarded.

What protections are in place for the whistleblower?

The system provided by Italian Legislative Decree No. 24/2023 includes the following types of protection:

  1. the protection of the confidentiality of the whistleblower, the facilitator, the individual involved, and the individuals mentioned in the report;
  2. protection against any retaliatory measures taken by the entity as a result of the report, public disclosure, or complaint made, and the conditions for its application;
  3. limitations of liability with respect to the disclosure and dissemination of certain categories of information that apply under certain conditions;
  4. the establishment of support measures by Third Sector bodies included on a special list published by ANAC.

In addition to the whistleblower, these measures apply to the following individuals:

  • to the facilitator (an individual who assists the whistleblower in the reporting process, operating within the same work environment and whose assistance must remain confidential). As an example, the facilitator could be a colleague from a different office than the whistleblower who assists the whistleblower in the reporting process on a confidential basis, that is, without disclosing the information learned. The facilitator could be a colleague who also has trade union status, if he or she assists the whistleblower on behalf of the union, without disclosing the trade union organization;
  • to individuals in the same work environment as the whistleblower, complainant or disclosing individual who are related to them by a stable emotional or blood relationship up to the fourth degree;
  • to co-workers of the whistleblower, complainant or disclosing individual, who work in the same work environment as the whistleblower and who have a usual and current relationship with that person;
  • to entities owned by the whistleblower or for which those same individuals work as well as entities that operate in the same work environment as those individuals.

Any waiver or settlement, in whole or in part, concerning the rights and protections established by the Decree shall be null and void, except in the cases set forth in Article 2113, paragraph 4 of the Italian Civil Code.

How is whistleblower confidentiality protected?

The Company guarantees the confidentiality of the whistleblower’s identity from the moment the report is received, in compliance with the law. To this end, the personal identifying data of the whistleblower is stored so that it is visible only to the body responsible for handling the report. The Company adopts all guarantees and takes all technical and organizational measures required by law to protect the confidentiality of the whistleblower’s identity so that it will not be disclosed to third parties without the express consent of the whistleblower, except in the case of malicious or defamatory reports. These measures include the obfuscation of personal data, not only for the whistleblower but also for other individuals whose identities must remain confidential under Italian Legislative Decree 24/2023, such as facilitators, the reported individual.