On 15 March 2023, published in the Official Journal, Italian Legislative Decree 24 of 10 March 2023 (hereinafter also referred to as the "Whistleblowing Decree"), on "Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and on provisions concerning the protection of persons who report breaches of national laws".
The Whistleblowing Decree introduces the new whistleblowing legislation in Italy, repealing the previous one, and regulates the protection of persons who report violations of national or European Union law that harm the public interest or the integrity of public administration or private entities, of which they have become aware in a public or private employment context.
In view of the above, with this document (hereinafter referred to as the "Whistleblowing Policy" or the "Policy"), Auriga S.p.A. (hereinafter referred to as the "Company") intends to illustrate the tools that can be used, within a corporate context, to report unlawful conduct.
Therefore, the purpose of the Policy is to:
- identify the persons who may make reports
- circumscribe the perimeter of conduct, events or actions that may be subject to reporting
- identify the channels through which reports can be made
- represent the operational modalities for the submission and handling of alerts, as well as for any subsequent investigation activities
- inform the whistleblower and the reported party of the forms of protection that are recognised and guaranteed.
It should be noted that, in drafting this Policy, the Company has taken into account the values that form the foundations of its organisation, and is committed to carrying out its activities according to the highest standards of fairness, ethics, legality, transparency, responsibility and business integrity.
The principles set out in this Policy do not prejudice or limit the obligations to report to the competent Judicial, Supervisory or Regulatory Authorities in the countries in which the Company operates, nor those of reporting to any supervisory bodies that may be set up within the Company, but aim to strike a fair balance between the legitimate interests of the Company, in preventing unlawful conduct, and the fundamental rights of its employees and in general of the addressees of the Policy, in particular as regards the processing of personal data concerning them.
For the purposes of this Policy, the terms listed shall have the meaning specified below:
|Employees of the Company hired on an indefinite and fixed-term basis (executives, middle management, white collar workers, blue collar workers), directors, members of corporate bodies and supervisory bodies, as well as all those who, for various reasons, have employment, collaboration or business relations with the Company, including collaborators, trainees, temporary workers, consultants, agents, suppliers and business partners, even before the legal relationship with the Company began, or after it was terminated.
|Placing information about violations in the public domain through the press or electronic media or otherwise through means of dissemination capable of reaching many people.
|Persons assisting the whistleblower in the reporting process, operating within the same work context and whose assistance is kept confidential.
|Organisational, Management and Supervisory Model adopted by the Company, which defines a structured and organic system of principles, internal rules, operating procedures and control activities, adopted for the purpose of preventing conduct liable to give rise to the types of offences and crimes provided for in Italian Legislative Decree 231/2001.
|Code of Ethics
|A document with which the Company affirms, in implementation of the values of legality, loyalty, honesty and professionalism, the principles and rules of conduct that its employees, the members of its administration and control bodies, suppliers, consultants, partners and those who have relations, directly or indirectly, permanently or temporarily with it, are required to comply with when carrying out their activities on its behalf.
|The Supervisory Board of the Company appointed pursuant to
Italian Legislative Decree 231/2001.
|A natural person who makes an internal or external report or public disclosure of information about violations acquired in the context of his or her work.
|Person mentioned in the internal or external report, or in the public disclosure, understood as the person to whom the breach is attributed or as a person otherwise implicated in the reported or publicly disclosed breach.
|Written or oral communication of information on violations, including reasonable suspicions concerning violations committed or which, based on concrete elements, could be committed by the Company, as well as elements concerning conduct aimed at concealing such violations.
|Written or oral communication of information on violations submitted through the external reporting channel referred to in paragraph 7.1(b).
|Reporting in bad faith
|Any communication received by the Company that proves to be unfounded based on objective elements and that proves, again on the basis of objective elements, to have been made for the purpose of causing harm.
|Written or oral communication of information on violations submitted through the internal reporting channel referred to in paragraph 7.1(a).
|Any communication received by the Company concerning conduct that does not constitute a violation. All those communications received by the Company that, based on the vagueness of their contents, do not allow for adequate checks to be carried out, are also considered non-significant reports.
|Conduct, acts or omissions detrimental to the public interest or the integrity of the Company and consisting of the conduct referred to in paragraph 5.
Below are the main references relevant to this Policy:
- Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019
concerning the protection of persons reporting breaches of Union law;
- Data Protection Regulation (EU) 2016/679 ("GDPR");
- Legislative Decree 24 of 10 March 2023 on "Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 concerning the protection of persons who report breaches of Union law and laying down provisions concerning the protection of persons who report breaches of national law";
- ANAC Guidelines on the protection of persons reporting violations of Union law and protection of persons reporting violations of national law provisions;
- Italian Legislative Decree 231 of 8 June 2001, concerning "Regulations on the administrative liability of legal persons, companies and associations, including those without legal personality";
- Organisational, management and supervisory model adopted pursuant to Italian Legislative Decree 231/2001, adopted by the Company;
- Code of Ethics adopted by the Company.
In accordance with the provisions of Article 3 of the Whistleblowing Decree, the following persons, i.e. the Whistleblowers, may submit a Report:
- company employees, including part-time and casual workers
- self-employed workers and holders of a collaborative relationship who work for the Company
- workers or collaborators of the Company, who supply goods or services or perform works for third parties
- the Company's freelancers and consultants
- volunteers and trainees, paid and unpaid
- shareholders and persons with administrative, management, supervisory, vigilance or representative functions in the Company, even if such functions are exercised on a de facto basis
- terminated employees, when information on violations was acquired during the period they were working for the Company
- those who acquired the information on violations during a trial period
- persons not yet employed, when information on violations was acquired during the pre-contractual stages or in the selection process.
The Company, in keeping with the provisions of Article 3(5) of the Whistleblowing Decree, guarantees the protection and safeguarding not only of the Whistleblowers, as referred to above, but also of the persons assisting the Whistleblower during the process, such as Facilitators, as well as of persons connected with the Whistleblower, such as colleagues/family members, i.e. persons in the same work environment who are linked to the Whistleblower by a stable emotional or family relationship up to the fourth degree, or who have regular and current relations with the Whistleblower.
The Company also guarantees protection to the entities owned by the Whistleblower or for which the Whistleblower performs work, as well as to entities operating in the same work environment as the Whistleblower.
4. SUBJECT TO REPORTING
Pursuant to Article 2(1)(a) of the Whistleblowing Decree, whistleblowing may be reported:
- for conduct or a situation contrary to Model 231, the Code of Ethics or the regulations, directives, policies and internal procedures adopted by the Company and relevant under Legislative Decree 231/2001
- for violations of European Union law1.
1 To be understood as:
- offences that fall within the scope of European Union or national acts (set out in the Annex to the Whistleblowing Decree) or national acts constituting implementation of European Union acts (set out in the Annex to EU Directive 2019/1937, even if not provided for in the Annex to the Whistleblowing Decree), concerning:
- public procurement
- financial services, products and markets and the prevention of money laundering and terrorist financing
- safety and conformity of products
- transport security
- environmental protection
- radiation protection and nuclear safety
- food and feed safety and animal health and welfare
- public health
- consumer protection
- protection of privacy and data protection, and security of networks and information systems
- acts or omissions affecting the financial interests of the European Union referred to in Article 325 TFEU
- acts or omissions relating to the internal market, as referred to in Article 26(2) TFEU (including the
- competition and state aid violations and corporate tax violations)
- acts or conduct that, while not constituting an offence, frustrate the object or purpose of the provisions of the acts of the European Union in the areas indicated in the preceding points.
Reports concerning facts other than those described above are not admissible. For this reason, in the event of the submission of Reports with a content different from that set out in this Policy, they shall be deemed inexecutable and shall be rejected by the person/office designated to receive them.
In particular, the following Reports are not worthy of protection and are prohibited:
|relating to situations of a personal nature, concerning claims or grievances regarding relations with hierarchical superiors or colleagues
|in insulting tones or containing personal insults or moral judgements and intended to offend or harm the honour and/or personal and/or professional decorum of the person or persons to whom the reported facts refer
|based on mere suspicions or rumours concerning personal facts not constituting an offence
|for purely defamatory or slanderous purposes
|of a discriminatory nature, insofar as they relate to the sexual orientation, religion and political or racial or ethnic origin of the Reported Party
The Report must be made in good faith and must be substantiated, i.e. made in sufficient detail to enable the persons in charge/office responsible to ascertain the facts reported. To this end, the Reports must have a minimum content, i.e. contain at least the elements indicated in the following paragraphs.
5. REPORTING IN GOOD OR BAD FAITH
5.1 Reporting in good faith
The Whistleblower is invited to make Reports only after obtaining sufficiently comprehensive information that leads him/her to believe that it is highly probable that the Breach is occurring or has occurred and that the Reported Party has committed it. Reports should be as detailed as possible and provide as much information as possible, in order to allow due verification and adequate feedback.
After making a Report, a Whistleblower who discovers any errors may immediately inform someone of this through the same channel to which the Report was submitted.
5.2 Reporting in bad faith
Reports shall be deemed to have been made in bad faith if they turn out to be deliberately frivolous, false or unfounded, with defamatory content or in any case concerning deliberately erroneous or misleading information for the sole purpose of damaging the Company, the Reported Party or other persons concerned in the Report.
In such a case, the Company reserves the right to take appropriate action – also by adopting appropriate disciplinary sanctions – against the Whistleblower.
6. WHISTLEBLOWING PROCESS
6.1 Operating modes
Reports must be submitted using one of the reporting channels made known to company staff, consultants, collaborators, suppliers and, in general, to third parties who have professional or business relations with the Company.
- Internal report
- email: Whistlebowers may send their Reports by written communication delivered by email to firstname.lastname@example.org
- the request by the Whistleblower for a direct meeting with the body in charge of managing the internal reporting channel, referred to in paragraph 9 below. To this end, the Whistleblower must send his/her request for a meeting in the manner described in the preceding paragraph.
- External Report and Public Disclosure
- he/she has already made an internal report, and it has not been followed up
- he/she has reasonable grounds to believe that, if he/she were to make an internal Report, the Report would not be effectively followed up, or that the same Report might lead to the risk of retaliation
- he/she has well-founded reasons to believe that the breach may constitute an imminent or obvious danger to the public interest.
In accordance with the provisions of Article 4 of the Whistleblowing Decree, the Company has set up an internal whistleblowing channel that allows Reports to be submitted in writing or orally.
The Report may be made in writing, by:
The Whistleblower may submit his/her Report to ANAC (National Anti-Corruption Authority) through the external reporting channel made available by that Authority if:
The Whistleblower may proceed by public disclosure if:
- he/she has already made an internal and external report and received no feedback
- he/she has well-founded reasons to believe that, due to the specific circumstances of the case, the External Report may entail a risk of retaliation or may not be effectively followed up.
6.2 Content of the Report
Reports must, in any case and regardless of the method used, be circumstantiated and based on precise and concordant factual elements, to enable the office in charge of receiving them to prepare the due measures and to carry out the appropriate checks and in-depth investigations, also by carrying out investigations and formulating requests for clarifications to the Whistleblower. To this end, the latter may permit his/her identification, indicating the contact details where he/she can be contacted (by way of example only: name and surname, email address, telephone number).
What must the report contain?
|A clear and complete description of the facts that are the subject of the Report
|Any information and any useful indication aimed at identifying the identity of the subjects who committed the breach and to whom the Report relates
|The nature, reference context and any useful details describing the conduct that is the subject of the Report
|The circumstances of time and place, if known, relating to the subject of the Report
|Any further information deemed useful for the investigation of the Report
|Any documentary or evidentiary allegations in support of the Report, including the indication of witnesses or persons who may report on the facts that are the subject of the Report
7. RECIPIENTS OF THE REPORT
The Company has set up its own internal reporting channel, which guarantees the confidentiality of the identity of the Whistleblower, the Reported Party and any persons involved, as well as the content of the Report and of the documentation attached to it.
This Policy ensures that the Report is known by a limited number of persons and that only authorised persons have access to the documents relating to the Report. In particular, in order to ensure proper management of Reports and in line with the provisions of Article 2(4) of the Whistleblowing Decree, the Company ensures that the management of the internal reporting channel is entrusted to a dedicated autonomous internal person or office with specifically trained staff for the management of Reports, or to an external person, also autonomous and with specifically trained staff.
To this end, the management of the internal reporting channel is entrusted to the Management Board, appointed by the Company's Management Board by resolutions of 18.05.2021, 11.05.2022, 05.05.2023 as an autonomous entity with specifically trained personnel.
8. PROTECTION FOR THE WHISTLEBLOWER
The protections afforded to the Whistleblower can only be guaranteed by the Company if the indications provided in this Policy are complied with. No protection is granted to the Whistleblower in the event that he/she has contributed to the commission of the unlawful conduct.
The protections afforded to the Whistleblower are also extended:
- to the Facilitator
- to persons in the same work environment as the Whistleblower with a stable emotional or family link up to the fourth degree
- to the Whistleblower's work colleagues with whom there is a regular and current relationship
- to entities owned by the Whistleblower or for which the Whistleblower works, as well as entities operating in the same employment context.
The Company, in setting up and implementing its internal reporting channel, guarantees the confidentiality of the identity of the Whistleblower, the Reported Party and any other persons involved in the Report, as well as of the content of the Report and of the related documentation.
Reports may not be used beyond what is necessary to adequately follow them up.
The identity of the Whistleblower and any other information from which it can be deduced, directly or indirectly, cannot be disclosed, without the Whistleblower's express consent, to persons other than those competent to receive or follow up the Reports and expressly authorised to process such data, in accordance with the provisions of Articles 29 and 32 of the GDPR.
In addition, express forms of protection of the Whistleblower's identity are provided for in criminal proceedings, before the Court of Auditors and in disciplinary proceedings (in the latter case, the identity of the Whistleblower cannot be disclosed when the accusation of the disciplinary charge is based on investigations that are separate and additional to the report, even if they follow it).
In the context of disciplinary proceedings, if the charge is based, fully or partially, on the Report and knowledge of the identity of the Whistleblower is indispensable for the Reported Party's defence, the Report will be usable for the purposes of the disciplinary proceedings only if the Whistleblower expressly consents to the disclosure of his/her identity. In any case, the Company shall protect the Whistleblower's right to information by notifying him/her, in writing, of the reasons that make it necessary to disclose confidential data, or when disclosure of the Whistleblower's identity is also indispensable for the Reported Party's defence.
In any case, the Report file is exempt from the right of access provided for in Articles 22 et
seq. of Law 241, 7 August 1990, as well as Articles 5 et seq. of Legislative Decree 33 of 14 March 2013.
- Prohibition of retaliation and protection measures
The Company shall not tolerate any kind of threat, retaliation, unjustified sanction or discrimination against the Whistleblower, the Reported Party and any person who has cooperated in the investigation of the merits of the Report. The adoption of discriminatory or retaliatory measures against the Whistleblower may give rise to disciplinary proceedings against the person responsible.
In view of the provisions of Article 19(1) of the Whistleblowing Decree, it is still possible for the Whistleblower to report any retaliation he/she believes to have suffered within his/her work context to the ANAC (National Anti-Corruption Authority).
Examples of retaliatory conduct include, but are not limited to:
|dismissal, suspension or equivalent measures
|downgrading or non-promotion
|change of duties, change of workplace, reduction of salary modification of working hours
|suspension of training or any restriction of access to it
|demerit notes or negative references
|the adoption of disciplinary measures or other sanctions, including fines
|coercion, intimidation, harassment or ostracism
|discrimination or otherwise unfavourable treatment
|failure to convert a fixed-term employment contract into an employment contract of indefinite duration, where the employee had a legitimate expectation of such conversion
|non-renewal or early termination of a fixed-term employment contract
|damage to a person's reputation, particularly on social media, or economic or financial harm, including loss of economic opportunities and/or loss of income
|inclusion on improper lists, on the basis of a formal or informal sectoral or industry agreement, which may result in the person being unable to find employment in the sector or industry in the future
|early termination or cancellation of the contract for the supply of goods or services
|cancellation of a licence or permit
|the request to undergo psychiatric or medical examinations
The adoption of discriminatory or retaliatory measures against the Whistleblower may give rise to disciplinary proceedings against the person responsible.
The protections afforded to the Whistleblower can only be guaranteed by the Company if he/she complies with the instructions given in this Policy. No protection is granted to the Whistleblower in the event that he/she has contributed to the commission of the unlawful conduct.
9. PROTECTION OF THE REPORTED PARTY
Appropriate protective measures are also provided for the benefit of the Reported Party, in order to prevent any discrimination.
The submission and receipt of a Report is not sufficient to initiate any disciplinary proceedings against the Reported Party.
If it is decided to proceed with the investigation, the Reported Party may be contacted and will be given the opportunity to provide any necessary clarification.
10. METHODS TO HANDLE REPORTS
a. Receipt of the Report and preliminary verification
The Supervisory Board has exclusive access to the channels dedicated to receiving Reports, which are managed securely and in such a way as to guarantee the confidentiality of the identity of the Whistleblower and the protection of any third parties mentioned in the Report, as well as to prevent access by unauthorised personnel. The Supervisory Board ensures complete and confidential record-keeping in compliance with the relevant regulations.
In order to guarantee and protect the Whistleblower's confidentiality:
- the appropriate computerised and, if necessary, paper register will be kept at the Company's registered office
- the only entity with access to the register will be the Supervisory Board.
All the Reports received are subject to a preliminary check by the Supervisory Board, which makes an initial assessment of the plausibility and credibility of the reported conduct, carrying out an analysis aimed at verifying the existence of the legal and factual prerequisites, as well as the relevance and the presence of sufficient elements to be able to investigate the Report further (also by requesting further information from the Whistleblower).
Following this analysis, the Supervisory Board decides whether to carry out further investigations with formal
initiation of the inquiry, requesting additional information from the Whistleblower, if necessary, or to close and file the Report.
- if the Report relates to facts that belong to one of the cases as specified in paragraph 5 above and does not fall within one of the cases that the present Policy identifies as prohibited reports, the Supervisory Board shall communicate the outcome of its investigation to the Whistleblower in accordance with the provisions of letter b of this paragraph;
- if the Reports concern facts that do not fall within the objective scope of paragraph 5 above or are of such general content that they do not allow for any verification thereof, the Supervisory Board shall file the Report as regulated by letter c of this paragraph.
b. Establishment and communication of outcome
The purpose of the investigation phase is to verify the validity of the Report received.
The Supervisory Board shall carry out any activity it deems appropriate, including the hearing of the Whistleblower and of any other person who may report circumstances useful for the purposes of ascertaining the facts reported, also in order to assess any remedial action.
The Supervisory Board may also avail itself of the support and cooperation of external consultants, appointed for the purpose, and of corporate functions when, due to the nature and complexity of the checks, their involvement is necessary. These persons are bound by the same protection obligations as the Whistleblower and the Reported Party as set out above. It is everyone's duty to cooperate with the Supervisory Board and with any other parties involved by the Company during the assessment activity.
If, in the course of the investigation, objective elements emerge proving a "lack of good faith" on the part of the Whistleblower, the Supervisory Board shall immediately notify the Company Management Board, in order to assess the beginning of any sanctioning procedures.
At the end of the preliminary investigation, having ascertained that the Report is well founded, the Supervisory Board draws up a report summarising the checks carried out and the evidence that emerged, in order to share the adoption of sanctioning actions with the Management Board, or the preparation of any corrective actions.
The decision on the filing of the Report is formalised in a specific report containing the grounds for the filing. The report is shared with the governing body.
The Report is filed if:
|it is not relevant
|it refers to facts of such general content that they cannot be verified in any way
|it was carried out in bad faith
|the preliminary investigation has proved its groundlessness
d. Timing of the Whistleblowing Process
|Sending the Whistleblower an acknowledgement of receipt of the Report
|• within 7 days of receipt thereof
|Responding to the Report
|• within 3 months (extendable up to 6 months in the case of justified and reasoned grounds) from the date of the notice of receipt
• in the absence of an acknowledgement of receipt, within 3 months (extendable up to 6 months in the case of justified and reasoned grounds) of the expiry of the 7-day period from the submission of the Report
|Response to request for a face-to-face meeting
|• no later than 7 days after receipt of the request for a face-to-face meeting
|Setting the date of the face-to-face meeting
|• within 10 days of receipt of the request for a face-to-face meeting
• in cases of proven urgency, within 5 days of receipt of the request for a face-to-face meeting
How long can documents relating to the Report be kept?
The Supervisory Board is required to document its entire management process by computerised and/or paper media, and to keep all the relevant documentation in order to ensure complete traceability of the actions undertaken to perform its institutional functions.
All documentation must be kept for as long as necessary for the handling of the Report and, in any case, no longer than five (5) years from the closing of the Report procedure.
Where should the documents relating to the Report be kept?
Documents in electronic format must be stored in a repository protected by authentication credentials, known only to the Supervisory Board or expressly authorised persons.
Paper documents are filed in an identified locked location, access to which is permitted only to the Supervisory Board or expressly authorised persons.
How are verbal Reports and Reports made through face-to-face meetings documented?
If a telephone line is used, the Report is documented in writing by means of a detailed record of the conversation. The Whistleblower may verify, rectify and confirm the contents of the transcript by signing it.
If the Report is made orally in the course of a face-to-face meeting, it is documented, subject to the Whistleblower's consent, either by recording it on a device suitable for storing and listening to it, or by minutes. In the case of minutes, the Whistleblower may verify, rectify and confirm the minutes of the meeting by signing.
11. SANCTION MEASURES
Effective, proportionate and dissuasive sanctions may be applied:
- against the Reported Party, if the reports prove to be well-founded
- against the Whistleblower, if Reports are made in bad faith
- against the person responsible, if the protection principles laid down in the Policy have been violated or if reports have been obstructed or attempted to be obstructed.
Disciplinary proceedings against employees of the Company may be initiated according to the seriousness of the breach itself, in application of the principles of proportionality, as well as the correlation criteria between the breach and the sanction and in compliance with the procedures provided for by the laws in force and the disciplinary system outlined within the Company's Model 231.
In order to ensure impartiality and avoid conflicts of interest, decisions on any disciplinary measures, complaints or other necessary actions are taken by the relevant corporate organisational functions and by persons other than the person who conducted the whistleblowing investigation.
12. DATA PROCESSING
Any processing of personal data, as set out in the Policy, must be carried out in accordance with the GDPR, Italian Legislative Decree 196 of 30 June 2003, and Italian Legislative Decree 51 of 18 May 2018.
Personal data that are manifestly not useful for the processing of a specific Report are not collected or, if accidentally collected, are deleted immediately.
The rights referred to in Articles 15 to 22 of the GDPR may be exercised within the limits of the provisions of Article 2-undecies of Italian Legislative Decree 196 of 30 June 2003.
The Company has purposely appointed the members of the Supervisory Board authorised to process also pursuant to Articles 5, 24, 29 and 32 of the GDPR and Article 2-quaterdecies(2) of Italian Legislative Decree 196 of 30 June 2003.
The Company, moreover, in line with the provisions of Article 13 of the Whistleblowing Decree, as well as in compliance with the provisions of Article 23 of the GDPR, identifies suitable technical and organisational measures to guarantee a level of security appropriate to the specific risks arising from the processing carried out, based on a data protection impact assessment (so-called DPIA), as well as regulating the relationship with any external suppliers that process personal data on its behalf pursuant to Article 28 of the GDPR or Article 18 of Italian Legislative Decree 51/2018.
It is the duty of the Supervisory Board to periodically review - at least once a year - this Policy and the reporting channels provided for herein, according to the operations and experience gained and to ensure, in any case, their constant alignment with the reference legislation.
14. DISSEMINATION, INFORMATION AND TRAINING
The Whistleblowing Policy, defined on the basis of the provisions of the Whistleblowing Decree, in addition to being an integral part of the 231 document set, is disseminated through publication on the company website, inclusion on the company intranet, and other forms deemed useful.
The Company promotes communication, information and training on whistleblowing legislation and this Policy , in order to ensure the widest possible knowledge and the most effective application thereof, by illustrating the rules on Whistleblowing, the functioning of and access to the channels and tools made available to make Reports, as well as the measures applicable in the event of violations.