WHISTLEBLOWING SYSTEM
Whistleblowing is a system of direct communication between each SIRIO SpA member of staff and the Supervisory Body through which it is possible to report unlawful conduct which a person has become aware of by reason of their employment relationship.
This system will contribute to the growth of the company’s organisation and bring issues relevant to compliance with Model 231 to the attention of the Supervisory Body.
The aim is to introduce, in addition to the system of ordinary controls, a mode of direct communication between each individual employee and the Supervisory Body which, while guaranteeing the anonymity of the whistleblower, can achieve the goal of continuous improvement of the company’s organisation.
The channels through which it will be possible to send the above-mentioned reports are:
Freephone number: 800 668 271 – MONDAY to FRIDAY – Hours 9:00/12:30 – 15:00/19:00;
Registered mail: ADR SRL, Via Carducci n. 63, 62100 Macerata (MC);
WEB platform accessible through the following link: www.siriospa.it
In the case of reporting by registered mail, please prepare two separate envelopes:
the first with the whistleblower’s identification data, address and telephone number to be contacted, as well as a copy of his or her identification document;
the second with the subject, description of the report and the name of the company where he/she is employed;
Both envelopes should be placed in a third outer envelope marked ‘RESERVED FOR THE SUPERVISORY BODY’.
Please refer to the approved procedure for further details.
ATTENTION
Reports, if anonymous, will only be considered if they are supported by serious and consistent evidence. Failing this, the person who wishes to make a report must ALWAYS indicate their name and surname. The Supervisory Body will take the appropriate measures to ensure the anonymity of the whistleblower with respect to his/her identity, the content of the report and the documentation provided.
Complete privacy policy available on the company website.
Protocol B
WHISTLEBLOWING SYSTEM
Communication of accident, accident, near accident.
-
- Subject and purpose
The Whistleblowing System is a tool through which employees or third parties of a company (such as suppliers or customers) can confidentially and securely report any wrongdoing they have become aware of as a result of their work context.
Following the transposition of EU Directive 2019/1937 through Legislative Decree No. 24 of 10 March 2023, the adoption of the tool has become mandatory for companies with more than 50 employees.
Pursuant to Article 4 of Legislative Decree No. 24/2023, ‘the organisation and management models referred to in Article 6(1)(a) of Legislative Decree No. 231 of 2001 shall provide for the internal reporting channels referred to in this decree’ and therefore previously approved protocols must also be implemented with the new features.
Under the new legislation, there is an obligation to set up 3 reporting channels to be used progressively and additionally (and NOT alternatively):
- Internal Channel,
- External Channel,
- Public disclosure or complaint to the Prosecuting Authority.
Aims:
To introduce, in addition to ordinary controls, a reciprocal control system extended to each individual member of staff that can guarantee anonymity. The information is, in fact, sent to the Supervisory Body, represented by the President pro-tempore, who will be fully responsible for guaranteeing the anonymity of the person making the report.
To adopt a monitoring and reporting system that allows for constant improvement of Model 231.
To be compliant with relevant national and European legislation.
SIRIO S.P.A. is required to provide its various stakeholders with clear information on the channels, procedures and prerequisites for making internal and external reports.
1.a. Parties involved
They are stakeholders and therefore recipients of the safeguards and protection guaranteed by the legislation:
- Employees;
- Self-employed persons working for the organisation;
- Suppliers, subcontractors and their employees;
- Freelancers and consultants;
- Temporary workers;
- Volunteers and trainees, regardless of whether or not expenses are reimbursed to them;
- Shareholders and persons with administration, management, control, supervision or representation roles, even if such roles are exercised on a de facto basis;
- Those who do not yet have a legal relationship with the organisation (in pre-contract negotiations), as well as those whose relationship has ended or who are on probation.
- Reports
2.1 Subject matter of the Report
The subject matter of reporting for the purposes of the Whistleblowing legislation are violations that harm the public interest or the integrity of the Public Administration or the private entity committed within the work context of which the whistleblower has become aware by reason of the employment relationship.
Pursuant to Art. 2, Legislative Decree 24/2023, “violations” are defined as:
Administrative, accounting, civil or criminal offences that do not fall under numbers 3), 4), 5), 6);
Illegal conduct within the meaning of Legislative Decree No. 231 of 8 June 2001 or violations of the organisation and management models provided for therein, which do not fall under numbers 3), 4), 5), 6);
Offences falling within the scope of application of European Union or national regulations […] relating to the following areas: public procurement, services, products and financial markets and the prevention of money laundering and financing of terrorism; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and animal feed safety and animal health and welfare; public health; consumer protection; privacy and personal data protection and the security of networks and information systems;
Acts or omissions detrimental to the financial interests of the European Union as referred to in Article 325 of the Treaty on the Functioning of the European Union specified in the relevant secondary legislation of the European Union;
Acts or omissions relating to the internal market, as referred to in Article 26(2) of the Treaty on the Functioning of the European Union, including violations of European Union competition and state aid rules, as well as violations relating to the internal market related to acts that violate corporate tax rules or mechanisms whose purpose is to obtain a tax advantage that frustrates the object or purpose of the applicable corporate tax law;
Acts or conduct that frustrate the objective or purpose of the provisions of acts of the European Union in the areas indicated in numbers 3), 4) and 5);
The following do NOT constitute violations and therefore cannot be reported:
– news that is patently unfounded;
– information that is already in the public domain;
– so-called ‘rumours’, i.e., information acquired solely on the basis of indiscretions or rumours that are by their very nature unreliable;
– mere personal grievances of the whistleblower;
– claims pertaining to the employment or contractual relationship or to relations with hierarchical superiors or colleagues;
– so-called ‘irregularities’ are to be understood as situations in which, in the course of administrative activity, there is improper conduct on the part of a public official who, also in order to look after their own interest or that of third parties, takes or contributes to the taking of a decision that deviates from the impartial care of the public interest. Such violations, which were previously counted among the violations of national law, do not, following the amendment, in themselves comprise the subject matter of a report but may constitute symptomatic elements falling under Article 2(1)(b) of Legislative Decree 24/2023 such as to lead the whistleblower to believe that one of the violations provided for in the decree might have been committed.
2.2. Content of the report
In order to allow for the correct reconstruction of the facts and irregular conduct, the worker is required to substantiate the report as much as possible, which must therefore contain the following essential elements:
– the particulars of the person making the report (except in the case of anonymous reports – see Section 2.3);
– the circumstances of time and place in which the facts that are the subject matter of the report occurred;
– a clear, complete and circumstantial description of the facts;
– personal details or other elements enabling identification of the person to whom the reported facts are attributed and any other persons involved;
– contact details for possible confidential contact.
It is useful to attach supporting documents in order to provide evidence of the facts being reported, as well as to indicate other parties potentially aware of the facts.
If the report is not adequately substantiated, the reporting manager may ask the whistleblower for further details through the same dedicated channel, or also in person if the whistleblower has requested a face-to-face meeting.
2.3. Anonymous Reports
Reports from which the identity of the author cannot be established are classified as anonymous.
Anonymous reports are treated in the same way as ordinary reports and handled according to the same criteria.
2.4. Report sent to non-competent person
If the internal report is submitted to a person other than the person identified and authorised by the Company, and when the whistleblower declares that he/she wishes to avail him/herself of the Whistleblowing protections, or this intention can be inferred from the content of the report, the report shall be considered a “Whistleblowing report” and shall be forwarded within 7 days of receipt to the competent internal person, with simultaneous notification of the transmission to the whistleblower.
The above also applies if the report is submitted to the hierarchical superior.
- Requirements
After consulting the most representative national trade union representatives and organisations, the company activates appropriate internal reporting channels, defining the procedures for receiving reports in a specific organisational document.
The organisational document includes:
– the role and tasks of the parties managing reports;
– the methods and terms of appropriate and proportionate data retention in relation to the Whistleblowing procedure and the legal provisions.
The management of internal reporting channels is assigned alternatively to:
– an internal party or office with autonomous staff dedicated and specifically trained for this purpose;
– an external party, also autonomous and specifically trained;
– (mandatorily) the Head of Prevention of Corruption and Transparency (HPCT) in public sector entities with the obligation to establish such a figure.
Private entities that have adopted Organisation and Management Models pursuant to Legislative Decree 231/2001 provide for internal channels within those models or in the organisational document to which the Model explicitly refers.
SIRIO SpA has chosen to appoint a Supervisory Body in order to guarantee autonomy and independence in the management of reporting.
- Safeguards
Legislative Decree 24/2023 provided for a system of protections that include:
The protection of the confidentiality of the whistleblower, the facilitator, the persons involved and those mentioned in the report;
The protection against possible retaliation taken by the entity by reason of the report, public disclosure or complaint made and the conditions for its application;
Limitations of liability with respect to the disclosure and dissemination of certain categories of information occurring under certain conditions.
Waivers and settlements concerning the means of protection provided for in the decree are not valid unless they are signed in protected judicial, administrative or trade union contexts pursuant to Art. 2113(4) of the Civil Code.
Due to the extension of the subjective scope of application of the relevant legislation, the following are also recipients of the safeguards and protection guaranteed by the legislation:
- Facilitator, i.e., the natural person who possibly assists (advises or supports) the whistleblower in the reporting process, operating within the same work context;
- Persons in the same work environment as the whistleblower, who are linked to him/her by a stable emotional or family bond up to the fourth degree;
- Colleagues who work in the same work environment as the whistleblower and have a regular and current relationship with that person;
- Entities owned exclusively by the whistleblower or through joint majority shareholding with third parties;
- Entities for which the whistleblower works;
- Entities operating in the same work environment as the whistleblower.
4.1. Protection of confidentiality
The company that receives and handles the reports takes all necessary measures, including computerised encryption and cryptography systems, to guarantee the confidentiality of the whistleblower’s identity; the principles of limitation and minimisation laid down in the legislation on the protection of personal data are complied with, and the data collected may not be used beyond what is necessary to follow up the report.
Without the consent of the person concerned, neither the identity of the whistleblower nor any other information from which such identity may be directly or indirectly inferred may be disclosed to persons other than those responsible for receiving the report.
In criminal proceedings, the identity of the whistleblower is covered by secrecy according to the procedures and limits provided for by Article 329 of the Code of Criminal Procedure, which imposes the obligation of secrecy of the records of the preliminary investigation until when the person under investigation has the right to have knowledge of them – and in any case no later than the closure of that phase.
In the context of proceedings before the Court of Auditors, the identity of the whistleblower cannot be disclosed until the investigation phase is closed.
In the context of disciplinary proceedings, the identity of the whistleblower may not be disclosed if the disciplinary charge is based on investigations that are separate and additional to the report, even if they are consequent to it. If the charge is based in whole or in part on the report and knowledge of the whistleblower’s identity is indispensable for the accused’s defence, the report shall be usable for the purposes of disciplinary proceedings only if the whistleblower has given his/her express consent to the disclosure of his/her identity.
The report is exempt from access to administrative documents pursuant to Articles 22 et seq. of Law No. 241/1990 and from the right of generalised civic access pursuant to Articles 5 et seq. of Legislative Decree No. 33/2013.
The protection of the confidentiality of the facilitator assisting the whistleblower and of persons other than the whistleblower but mentioned in the report is similarly ensured.
4.2. Protection against retaliation
The whistleblower is protected against any retaliation to his/her detriment, to be understood as “any conduct, act or omission, even if only attempted or threatened, put in place as a result of the report, of the complaint to the Judicial Authority or of public disclosure and which causes or may cause the whistleblower or complainant, directly or indirectly, unjust damage”. It also provides for the reversal of the burden of proof as regards the retaliatory nature of the conduct and the damage suffered.
By way of example, and not in exhaustive terms, the following are classified as examples of retaliation:
- Dismissal, suspension or equivalent measures;
- Downgrading or non-promotion;
- Change of duties, change of place of work or working hours, reduction of salary;
- Suspension of training or restrictions on access to it;
- Demerits or negative references;
- Adoption of disciplinary measures or other sanctions, including fines;
- Coercion, intimidation, harassment or ostracism;
- Discrimination or similar forms of unfavourable treatment;
- Failure to convert a fixed-term employment contract into a permanent employment contract for which the employee had a legitimate expectation of such conversion;
- Failed renewal or early termination of a fixed-term employment contract;
- Damage to the person’s reputation or financial harm, such as loss of income or economic opportunities;
- Inclusion in improper lists on the basis of a formal or informal sectoral or industrial agreement, which may result in the person being unable to find future employment in the sector or industry;
- Early termination or cancellation of the contract for the supply of goods or services;
- Cancellation of a licence or permit;
- Request for psychiatric or medical examinations.
In order to benefit from protection against retaliation, it is necessary that they file a report/public disclosure/complaint to the Judicial Authority:
- – was made on the basis of a reasonable belief that the information reported, disclosed or declared was true and fell within the objective scope of the decree;
- – was made in compliance with the regulations set out in Legislative Decree 24/2023;
- – has a consequential relationship with the retaliatory measures suffered;
- – is not based solely on mere suspicions or rumours.
Without prejudice to the specific assumptions of limitation of liability (see below – 4.3), the protection provided in the event of retaliation is not guaranteed when the criminal liability of the whistleblower is established, also with a first degree sentence, for the offences of slander and defamation or, in any case, for the same offences committed with the report to the Judicial or Accounting Authorities, or their civil liability is established, in the same way, in cases of wilful misconduct or gross negligence.
4.3 Limitations of liability for whistleblowers, those who report or who make public disclosures
In addition to the protections afforded to the whistleblower/complainant/discloser, the law recognises certain limitations of liability following the disclosure or dissemination of certain categories of information that, under different circumstances, would entail civil, criminal or administrative liability on the part of the author.
More specifically, the fact does not constitute an offence if committed in the presence of the aforementioned exemption, in the following cases:
Disclosure and use of official secrets (Article 326 of the Criminal Code);
Disclosure of professional secrecy (Article 622 of the Criminal Code);
Revelation of scientific and industrial secrets (Article 623 of the Criminal Code);
Breach of the duty of fidelity and loyalty (Article 2105 of the Civil Code);
Infringement of copyright protection provisions;
Infringement of data protection provisions;
Disclosure or dissemination of information about violations that offend the reputation of the person involved.
To benefit from the exclusion of liability, two specific requirements must be met simultaneously:
Reasonable grounds at the time of the disclosure or dissemination of the information to consider that such disclosure or dissemination is necessary to disclose the breach;
The report/disclosure/complaint must have been made in compliance with the conditions set out in Legislative Decree 24/2023 (well-founded reason to believe that the information underlying the reports is true, use of the internal or external channel, public disclosure in accordance with the law).
(i) USE OF THE INTERNAL CHANNEL
Since SIRIO SpA has adopted Model 231, the internal channel responsible for receiving reports is the Supervisory Body, which can be contacted at the following addresses:
– registered mail: Organismo di Vigilanza c/o ADR Srl, Via Giosuè Carducci n. 63, 62100 – Macerata (MC). It is recommended that the report be sent in two sealed envelopes: the first with the identification data of the whistleblower, an address and a telephone number where he/she can be contacted, together with a photocopy of an identification document; the second with the subject and description of the report, so as to separate the identification data of the whistleblower from the report. Both should then be placed in a third sealed envelope marked on the outside “reserved for the report manager” (e.g., “reserved for the Supervisory Body”);
– Freephone number operated by the Supervisory Body: from a landline or mobile phone on 800 668 271;
– WEB platform accessible at the following link: www.siriospa.it
Acknowledgement of receipt of the report will be issued to the whistleblower within 7 days of receipt.
The managing entity keeps a written record of all reports received by preparing a Report Register. Completeness checks are carried out periodically to ensure that all reports received have been processed and entered in the Report Register.
Once a report has been acquired, a preliminary check on its admissibility and merits will be carried out. Personal data that are clearly not useful for processing the report will not be collected or, if accidentally collected, will be immediately deleted. In the event of a positive outcome of the preliminary check, the report will be followed up appropriately, making use, where appropriate, of conversations with the whistleblower and requests for clarifications, documents and further information via the dedicated channel or also through face-to-face meetings, if he/she agrees.
If necessary, records and documents will be acquired and third persons will be involved through hearings or other types of requests.
The reporting system adopted internally ensures appropriate confidentiality for the whistleblower with regard to his or her identity, the content of the report and the documentation provided.
Protection is extended not only to the name of the whistleblower but also to all the elements of the report from which the identification of the whistleblower can be derived, even indirectly.
Information about violations provided by the whistleblower shall be used by the Supervisory Body solely and exclusively for the purpose of following up the report itself and shall not be used or disclosed in any other way.
If, at the request of the whistleblower, the report is made orally during a meeting with the staff member in charge, it is documented, subject to the consent of the whistleblower, by the staff member in charge by means of a recording on a device suitable for storage and listening or of minutes. In the case of minutes, the whistleblower may verify, correct and confirm the minutes of the meeting by signing them.
A response to a report must be provided within three months of the date of acknowledgement of its receipt, or alternatively within three months of the expiry of the seven-day period from its submission.
(ii) USE OF EXTERNAL CHANNEL
Please note that the new Legislative Decree 24/2023 has also introduced an “external” reporting channel, “Canale Esterno”, managed by ANAC (the National Anti-Corruption Authority) and is accessible at the following link: https://www.anticorruzione.it/-/whistleblowing.
The External Channel is to be used under certain conditions:
- if the internal reporting channel is not present because it is not compulsory, or is present but not operative, or operative but not compliant with Legislative Decree No. 24/2023;
- if the whistleblower has reasonable grounds to believe that, in the event of an internal report, it would not be followed up or would expose him/her to a risk of retaliation;
- if the whistleblower has already made an internal report that has not been followed up;
- if the whistleblower has reasonable grounds to believe that the breach may constitute an imminent or obvious danger to the public interest.
(ii) USE OF PUBLIC DISCLOSURE OR COMPLAINT TO THE JUDICIAL AUTHORITY
Finally, Legislative Decree 24/2023 has provided for the Public Disclosure channel, which consists of making information on violations available to the public through the press, electronic media or, in general, by using means of dissemination capable of reaching a large number of people (e.g., TV, radio, social networks). This latter channel is to be used on a residual basis, i.e., when:
- reports through the other channels have not been followed up;
- use of the other channels exposes the whistleblower to a risk of retaliation (e.g., when there is a well-founded fear that the person to whom the report has been made is in collusion with the perpetrator or is even personally involved);
- the breach constitutes an imminent or obvious danger to the public interest.
- Protocol contact person
President of the Supervisory Body.
- Frequency
When necessary.
- Equipment, products and software used
Not applicable.
- Activities
Flow chart
Reporting through the use of the internal channel, in a gradual manner the external channel, and in a further gradual manner the others
Handling of reports according to procedure
Adoption of relevant measures
I LEVEL |
II LEVEL |
III LEVEL |
||
PROCEDURAL CAUTION |
SUBSTANTIAL CAUTION |
CHECKS |
||
Input |
Output |
Phase referent |
Traceability: checks, recordings and reports |
Information to the Supervisory Body |
USE OF THE INTERNAL CHANNEL |
||||
|
Reporting the attempted breach to the Supervisory Body by using the so-called ‘internal channel’. |
Whistleblower |
In writing by registered mail, by using the web platform following the appropriate procedure or orally via a freephone number or, at the express request of the whistleblower, by a face-to-face meeting set within a reasonable time limit.
If, at the request of the whistleblower, the report is made orally during a meeting with the staff member in charge, it is to be documented, subject to the consent of the whistleblower, by the staff member in charge by means of a recording on a device suitable for storage and listening, or by means of minutes. In the case of minutes, the whistleblower may verify, correct and confirm the minutes of the meeting by signing them. |
The Supervisory Body takes note of the report |
Receipt of a report |
The report is taken on board, issuing the whistleblower with an acknowledgement of receipt of the report within 7 days of receipt.
If anonymous, serious and consistent evidence attached in support of the report is verified. |
President of the Supervisory Body |
In the case of an oral report and subject to the consent of the person making the report, it shall be documented by the staff member in charge by means of a recording on a device suitable for storage and listening, or by means of a verbatim transcription. The whistleblower has the right to verify, rectify or confirm the content of the transcription. |
The Supervisory Body takes note of the report |
Except in complex cases, assessment of the report is completed within the following 10 days: it is decided whether or not the report is well-founded, whether the whistleblower is a qualified person and whether the reported case or conduct represents a violation, or even only a potential threat, of Model 231 |
If unfounded, the claim is dismissed.
If well-founded, a request for clarification is to be sent to the person who attempted to violate or violated Model 231. |
President of the Supervisory Body |
Internal Communications
Analysis of databases to identify possible links between the reported person and third parties
Analysis of relevant company documents
Forensic analysis of company devices assigned to the reported person to search for corroborating evidence
Hearing of persons able to report information that proves or exonerates the reported violation
Update communications to the whistleblower
Anonymity guarantee
Supervisory Body archive of reports (Register of Reports) |
Report management – investigation |
The person who attempted to violate or violated the 231 Model must respond within the time limit granted by the Supervisory Body. |
Receipt of justifications. |
President of the Supervisory Body |
Supervisory Body archive of reports (Register of Reports) |
The Supervisory Body assesses the adequacy of the Model |
If the justifications are sufficient and well-founded,
if the justifications are NOT sufficient and/or not well-founded, |
filing of the procedure. the President of the Supervisory Body will provide a report to the CEO or the HR Manager within 7 days so that they can take the appropriate measures within the following 15 days. the President of the Supervisory Body provides feedback to the whistleblower within three months from the date of receipt. |
President of the Supervisory Body / CEO / HR / DG |
Supervisory Body archive of measures (Register of Reports).
Communications to the whistleblower.
Monitoring by the Supervisory Body that the procedure is successfully concluded, protecting the whistleblower and the subject matter of the report.
Report to the Board of Directors of the register of anonymous reports and the outcome of analyses carried out. |
Sending of a copy of the measure to the CEO, CFO and/or HR for them to assess the adequacy of the protocol |
USE OF THE EXTERNAL CHANNEL |
||||
Same Inputs as the internal channel
Whistleblowers may use the external channel (ANAC – the National Anti-Corruption Authority) when:
– compulsory activation of the internal reporting channel within the work context is not provided for, or this channel, even if compulsory, is not operative or, even if operative, does not comply with what is required by law;
|
Reporting the attempted violation to the ANAC using the so-called ‘external channel’. |
Whistleblower |
Via the dedicated web portal on the ANAC website and accessible at the link: anticorruzione.it/-/whistleblowing |
ANAC takes note of the report
Communication to the Supervisory Body by the whistleblower by due use of the External Channel. |
Receipt of a report |
The report is taken on board. If anonymous, serious and consistent evidence that is attached in support of the report is verified. Notice is given to the whistleblower of receipt of the report within 7 days of receipt, unless explicitly requested otherwise by the whistleblower or unless the ANAC considers that the notice would undermine the protection of the confidentiality of the whistleblower’s identity. |
ANAC |
ANAC opens the reporting management procedure |
|
Report Management |
ANAC liaises with the whistleblower and requests, where necessary, appropriate further information from the latter. |
ANAC |
The preliminary investigation necessary to follow up the report is carried out, including through hearings and the acquisition of documents. |
The investigation is completed |
Communication to the whistleblower of the final outcome of the report |
ANAC gives feedback to the whistleblower within 3 months or, if there are justified reasons, 6 months from the date of receipt of the external report or, in the absence of such notice, from the expiry of 7 days from receipt |
ANAC |
Conclusion of the reporting procedure. |
|
UTILIZZO DIVULGAZIONE PUBBLICA O DENUNCIA ALL’A.G. |
||||
Same Inputs as internal and external channel reporting.
Whistleblowers may make a public disclosure or report to the Judicial Authorities when:
– the whistleblower has previously made an internal and an external report, or has made an external report directly and no response has been received within the prescribed time limits on the measures envisaged or taken to follow up the reports;
– the reporting person has reasonable grounds to believe that the violation may constitute an imminent or obvious danger to the public interest;
– the whistleblower has reasonable grounds to believe that the external report may involve a risk of retaliation or may not be effectively followed up due to the specific circumstances of the case, such as where evidence may be concealed or destroyed, or where there is a well-founded fear that the recipient of the report may be colluding with or involved in the violation itself.
|
The whistleblower makes information about violations public through the press, electronic media or any other means of dissemination capable of reaching a large number of people (e.g., TV, radio, social networks, etc.).
The whistleblower files a report/complaint with the Judicial Authorities |
Whistleblower |
The report has been made.
Communication to the Supervisory Body by the whistleblower of the use of Public Disclosure. |
- Checks, records and reports
Minutes of the meeting with the Supervisory Body.
Supervisory Body archives of reports and measures.
- Operating instructions and related documents
- a) Operating instructions
The Supervisory Body receives the reports through the above-mentioned channels and issues an acknowledgement to the reporting party within seven days from the date of receipt. At the same time, a communication channel is established between the reporting party and the Supervisory Body for any requests or additions. The whistleblower may monitor the status of the investigation by requesting information through the above-mentioned channels, indicating the receipt number issued to the notice of acceptance of the report.
The Supervisory Body, in compliance with the principles of impartiality and confidentiality, may decide, in order to diligently follow up the reports, to involve Contract workers, also specifically trained and authorised, to verify:
that the whistleblower is among those qualified to make a report;
that the violation features among reportable violations;
the validity of the report, filing it if unfounded, proceeding with internal investigations if considered well-founded.
The Supervisory Body shall acknowledge the report within three months from the date of acknowledgement of receipt or, in the absence of such notice, within three months from the expiry of the period of seven days from the submission of the report.
As part of internal investigations, in order to verify the validity of the reports and the truthfulness of the reported facts, the Supervisory Body may analyse databases to identify possible links between the reported person and third parties; collect relevant corporate documents; analyse the devices assigned to the reported person to verify the existence of evidence confirming the report, such as e-mails or messages, in accordance with the provisions of the corporate Regulations on the use of IT devices; conduct interviews with persons who may report information relevant to prove the reported violations.
For the purposes of the verification activity, the Supervisory Body may engage specialised Offices and/or third parties for in-depth investigations, taking care to:
issue a formal mandate, defining the scope of action and specifying the information it intends to obtain from the in-depth investigation requested;
omit any information that might, even indirectly, lead to the identity of the whistleblower;
omit any information relating to the reported person where not strictly necessary for the proper performance of the assignment;
reiterate to the person in charge the obligation of confidentiality of the data processed (in the case of persons external to the Company, this obligation must be formalized);
For complete transparency of the process, reports filed as non-significant are noted reporting the subject matter of the report and the reasons for not proceeding with the subsequent investigation.
Any data and documentation attached to the report will be kept for as long as necessary for the management and assessment of the report, but no longer than five years from the date of the communication of the final outcome of the reporting procedure.
The identity of the whistleblower and of other persons to whom the whistleblowing legislation extends the scope of protection may not be disclosed to persons other than the members of the Supervisory Body competent to receive and handle reports unless specifically authorised.
The measures adopted to guarantee the confidentiality of the whistleblower are not limited to protecting his or her identification data, but also all the elements of the report from which his or her identity may be inferred, even indirectly. Any disclosure of the identity of the whistleblower to persons other than those responsible for receiving or following up reports or otherwise authorised will be subject to the express consent of the whistleblower.
The Company undertakes to ensure protection against any act of retaliation, discrimination or penalisation, whether direct or indirect, against the whistleblower for reasons directly or indirectly linked to the report. All personnel involved, in any capacity whatsoever, in the various phases relating to the management of reports are required to guarantee the highest level of confidentiality regarding the contents of reports and on the persons involved in the report.
The protection of the whistleblower cannot be guaranteed if it is established that the report is unfounded and defamatory, thus constituting wilful misconduct on the part of the whistleblower.
If the checks on the reports, conducted pursuant to this document, reveal unlawful conduct attributable to employees, the Company shall act promptly and immediately, through appropriate and proportionate measures and sanctions, taking into account the seriousness as well as the criminal relevance of such conduct and the initiation of criminal proceedings in cases where it constitutes an offence for the purposes of the applicable national legislation.
On this point, reference should be made to the provisions of the Corporate Sanctions Regulations.
Should the investigations conducted reveal wilful/intentional misconduct on the part of third parties who have had and/or have ongoing relations with the Company, the Company shall act promptly by taking all measures identified as necessary for its own protection.
(b) Related documents
Notice of activation of the whistleblowing system.
Whistleblowing Notice
Information pursuant to Articles 13 and 14, Reg. (EU) 2016/679
(c) regulatory references
- Legislative Decree No. 231 of 8 June 2001 (‘Regulations on the administrative liability of legal persons, companies and associations, including those without legal personality, pursuant to Article 11 of Law No. 300 of 29 September 2000);
- Regulation (EU) No 2016/679 (General Data Protection Regulation – GDPR);
- Legislative Decree No 196 of 30 June 2003 (Personal Data Protection Code) as amended;
- EU Directive 2019/1937 on the protection of persons who report breaches of Union law (so-called Whistleblowing);
- Legislative Decree No. 24 of 10/03/2023, published in the Official Gazette on 15/03/2023, transposing Directive (EU) 2019/1937;
- ANAC Resolution No. 311 of 12 July 2023 – Guidelines on the protection of persons who report breaches of Union law and the protection of persons who report breaches of national legislation. Procedures for the submission and management of external reports;
- “New Whistleblowing Discipline – Operational Guide for Private Entities” of October 2023 – Confindustria;
- Code of Ethics
Privacy Policy
WHISTLEBLOWING SYSTEM
Constantly updated: last revision 07/14/2023
This privacy policy has been drawn up pursuant to and for the purposes of Article 13 of the Regulation (EU) 2016/679 (hereinafter referred to simply as “Regulation” or “GDPR”) in order to inform you that your personal data may be collected and processed as part of the activities of reporting unlawful conduct and suspicious behaviour of which you have become aware by reason of your employment relationship (hereinafter referred to simply as “whistleblowing report”) and which may constitute a breach of the rules governing the activities of SIRIO S.p.A.
This document is intended as a supplement to other privacy policies already delivered to you (e.g., the privacy policy to employees) and will not reiterate their content.
- DATA CONTROLLER
The data controller, to be understood as the entity that defines the methods and purposes of the processing of your personal data, is SIRIO S.p.A. with registered office in Ravenna (RA), Via Filippo Re no. 43/45, postcode 48124. For any information relating to the processing of personal data by SIRIO S.p.A. you may make a specific request to the e-mail address dpo.privacy@siriospa.it or by registered mail to the address: SIRIO S.p.A. – Ravenna (RA), Via Filippo Re n. 43/45, Post Code 48124.
The company has appointed a DPO (Data Protection Officer) who can be contacted at dpo.privacy@siriospa.it.
- SOURCE OF PROCESSED DATA
Information can be provided:
in the report, by the reporting party;
in the course of the necessary investigative activities (e.g., from public sources, third-party interviewees, etc.);
during the report management process;
- TYPE OF DATA PROCESSED
If the whistleblower does not decide to remain anonymous, personal data referring to him/her may be processed, specifically:
- personal data;
- contact details;
- any data of a particular nature in accordance with Article 9 GDPR, insofar as they are likely to reveal a general state of health (absence due to illness, maternity, accident, etc.), suitability for carrying out specific tasks, membership of a trade union and/or political party, holding elected public office or, finally, religious beliefs;
- any so-called judicial data pursuant to Article 10 GDPR insofar as they relate to criminal convictions and offences or related security measures;
- any personal data contained in the subject of the report.
Personal data relating to third parties (potential perpetrators of an offence or irregularity that falls within the scope of reportable offences or persons informed of the facts) may be processed as a result of the report, specifically:
- personal data;
- contact details;
- any data of a particular nature in accordance with Article 9 of the GDPR, insofar as they are likely to reveal a general state of health (absence due to illness, maternity, accident, etc.), suitability for carrying out specific tasks, membership of a trade union and/or political party, holding elected public office or, finally, religious beliefs;
- any so-called judicial data pursuant to Article 10 of the GDPR insofar as they relate to criminal convictions and offences or related security measures;
- any personal data contained in the subject of the report.
- Personal data that may emerge from subsequent investigative activities;
Only personal data that is strictly necessary and pertinent to achieving the purposes set out below will be acquired, in compliance with the principle of minimisation as per Article 5(1)(c) of the GDPR.
- PURPOSE AND LEGAL BASIS OF PROCESSING
The Data Controller will process the above-mentioned personal data:
- In order to manage and diligently follow up the reports received, including assessment activities and internal investigations related to the verification of the reported conduct and the establishment of proceedings, including disciplinary proceedings, to the extent required by the applicable regulations. In addition, personal data may be processed in order to comply with requests by the competent administrative or judicial authorities and, more generally, by public entities in compliance with legal formalities. The data will also be processed to effectively prevent and combat fraudulent and unlawful or irregular conduct.
The legal basis, therefore, justifying the lawfulness of the processing, is represented by the need to fulfil legal obligations and to perform tasks in the public interest to which the Data Controller is subject and provisions of Authorities legitimated by law (Art. 6(1)(c) and (e); Art. 9(2)(b) and (g); Art. 10 of the GDPR).
Any disclosure of the identity of the whistleblower to persons other than those responsible for receiving or following up reports or otherwise authorised will be made subject to the express consent of the whistleblower (Art. 6(1)(a) of the GDPR).
In order to: i) meet the Data Controller’s needs for internal control and the monitoring of business risks, as well as for the optimisation and streamlining of internal business and administrative processes; ii) ascertain, exercise or defend a right or legitimate interest of the Data Controller in any competent legal forum to guarantee the exercise of the right of defence pursuant to Art. 24 of the Constitution; iii) manage IT security and protect data assets and security, the assistance of users and maintenance of security systems and perimeter protection of traffic logs concerning connections to the Whistleblowing Platform recorded on company systems.
The legal basis, therefore, justifying the lawfulness of the processing, is the need to pursue a legitimate interest of the Data Controller (Art. 6(1)(f) GDPR).
Failure to consent to the processing of data for the above-mentioned purposes does not allow the whistleblower to transmit Whistleblowing reports.
The provision of common data, such as personal or contact data, by the whistleblower, must be considered voluntary, as the possibility of reporting anonymously is recognised by law (see below).
- ANONYMOUS REPORTING
In the event you need to submit a Whistleblowing Report, the provision of your personal data should be understood as absolutely optional.
In the event of failure to provide the data, the report will be taken into consideration provided that it is supported by circumstantiated and detailed elements; this implies that reports made anonymously will also be accepted and examined, whereby ‘anonymous’ shall mean that they do not contain any indication of the identity of the whistleblower.
With regard to the identity of the reported person, the provision of personal data is similarly optional but, failing this, the report will only be processed if further elements are available that make it possible to identify the author of the contested act and to proceed with the appropriate checks.
In the event that you have decided to voluntarily disclose your identity in the Whistleblowing Report, your data will only be processed by staff expressly authorised to do so and bound by strict confidentiality obligations, both with regard to your identity and the content of the report.
This is in any case without prejudice to the sharing of the content of the report with certain persons expressly identified by law (see below, p. 6 – c).
- RECIPIENTS AND COMMUNICATION OF DATA
All the personal data included in the report, including your personal data, and, more generally, the documentation produced in support thereof, shall not be disclosed, except where communication or disclosure is required by law, by public entities for purposes of defence, security or prevention, investigation or suppression of offences.
In the performance of its activities and for the pursuit of the purposes set out in paragraph 3 above, the data may be shared by SIRIO S.p.A. to the extent strictly necessary with certain third parties, where investigative needs require it to make such parties aware of the content of the report or the content of the attached documentation.
All the parties in question, listed below, are formally authorised to process and duly instructed and trained to do so, as well as bound by the obligation of secrecy with regard to information of any kind obtained in connection with Whistleblowing reports.
The parties in question are:
- The Supervisory Body and any other person acting under its authority, duly authorised to process data in accordance with the provisions of Article 2-quaterdecies, Legislative Decree No. 196/2003;
- suppliers and external consultants with whom SIRIO S.p.A. has entered into agreements pursuant to Article 28 GDPR for the processing of data and who therefore act as data processors providing support to the Company in relation to the activities of managing Whistleblowing reports;
- parties, bodies or authorities to whom it is mandatory to communicate your personal data due to legal provisions or orders of the authorities. These parties are all autonomous data controllers.
1.PROCESSING METHODS
The information as identified above is processed by the members of the Supervisory Body, which is composed of persons specifically appointed as authorised persons and adequately trained for this purpose.
Data are collected in digital and analogue form, as defined in the Whistleblowing Protocol, in order to guarantee the confidentiality of the whistleblowers and any other persons involved and the confidentiality of the information contained in the reports.
The processing of personal data will be carried out in a lawful, correct and transparent manner, in compliance with all applicable legislation and in a manner that is balanced with respect to the different interests involved.
Data will be collected and recorded for explicit and legitimate purposes, i.e., for the sole purpose of handling and following up the reports received; personal data that are manifestly useless for processing the report will not be collected or, if accidentally collected, will be deleted without delay.
The Data Controller ensures that the data is accurate and, if necessary, arranges for it to be updated; it also ensures that all reasonable steps are taken to delete or rectify inaccurate data relating to the specific report to be handled in a timely manner.
Data will be processed using digital and analogue supports and tools in the manner and timing strictly necessary to achieve the purposes for which it was collected. SIRIO S.p.A. employs appropriate organisational, technical and physical security measures to protect information from possible alteration, destruction, loss, theft, improper or unlawful use.
- DATA TRANSFER ABROAD
The Data Controller does not transfer personal data to third countries. Should it become necessary to transfer data outside the EU, the Company will verify that the suppliers provide adequate guarantees, as provided for in Article 44 et seq. of the GDPR.
The complete and up-to-date list of data recipients can be requested from the Data Controller or the DPO at the above-mentioned addresses.
- DATA RETENTION PERIODS
The personal data collected shall be kept for the time strictly necessary to fulfil the purposes already indicated in the preceding paragraphs, and in any case for no longer than five years from the date of the communication of the final outcome of the report, unless further storage is required by law (e.g., in the event of judicial or disciplinary proceedings, until the conclusion thereof). The Data Controller will delete the personal data once this period has expired.
- RIGHTS OF THE DATA SUBJECT
As a general rule and subject to proof of their identity, data subjects have the right to request the Data Controller, at any time:
- Confirmation of the existence or otherwise of the data provided, the purposes, the categories of data processed, the recipients, the storage period and, where applicable, the source of the data (Art. 15, GDPR). The person who is the subject of a Whistleblowing report is not entitled to exercise this right;
- The rectification without undue delay of inaccurate personal data and the integration of incomplete personal data (Art. 16, GDPR);
- The deletion without undue delay of your data (Art. 17 of the GDPR);
- Limitation of the processing of your data as per art. 18 of the GDPR if, for example, you consider that the processing carried out by SIRIO S.p.A. is unlawful and/or inappropriate;
- The portability of your data as per Art. 20 of the GDPR, where applicable. Upon your express request, we will provide you with a list of your personal data in a structured, commonly used and machine-readable format (e.g., excel file);
- Withdrawal of any consent given for any purpose. This does not affect the lawfulness of processing based on consent carried out prior to the request.
- You may object to the processing of your personal data pursuant to Art. 21 of the GDPR.
With particular reference to the last point, the right to object to the processing carried out on the basis of the company’s legitimate interest may be exercised, in accordance with the provisions of Art. 21, para. 1 of the GDPR, by setting out the specific reasons related to your particular situation on which the objection is based; in such cases SIRIO S.p.A. will refrain from further processing your personal data unless there are compelling legitimate grounds for processing that override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
Your request will be processed no later than one month after receipt; the deadline may be extended by up to a further two months in cases of particular complexity.
SIRIO S.p.A. declares that, pursuant to Article 2-undecies, Legislative Decree no. 196/2003, the rights listed above may not be exercised by making a request to the Data Controller or by lodging a complaint pursuant to Article 77 of the GDPR, if their exercise may result in an actual and concrete prejudice to the confidentiality of the identity of the person making a Whistleblowing report. Such prejudice will be assessed on a concrete case-by-case basis. SIRIO S.p.A. declares that it intends to avail itself of the above-mentioned limitation only if it is a necessary and proportionate measure and that, in such eventuality, it will be communicated to you in writing and without delay.
In any event, if you consider that the processing of your personal data is contrary to applicable legislation, you:
– have the right to appeal to the competent courts pursuant to Article 79 of the GDPR, subject to the limits set out in Article 2-undecies, Legislative Decree 196/2003;
– always have the right to lodge a complaint with the Italian Data Protection Authority, as the competent supervisory authority. Further information on your data protection rights can be found on the Authority’s website at www.garanteprivacy.it.
DATE, 14/07/2023.