PROCEDURE FOR WHISTLEBLOWING MANAGEMENT
Table of contents
2. PURPOSE AND SCOPE OF APPLICATION
3. REGULATORY SOURCES
6. REFERENCE PRINCIPLES.
- Knowledge and awareness
- Ensuring the confidentiality of personal data
- Processing of personal data
- Impartiality, autonomy and independence of judgement
- Protection for reporting persons
- Prohibition of discrimination against the whistleblower
- Obligations of confidentiality on the identity of the whistleblower, the facilitator and removal of the right of access to the whistleblowing report
- Protection for reported persons
- Obligations of confidentiality on the identity of the reported person and of all persons mentioned in the report
- Possibility of interviewing the reported person
- Protecting the reported subject from whistleblowing reports made in bad faith
7. TRAINING AND INFORMATION
8. FOR WHISTLEBLOWERS: HOW AND WHEN TO RAISE A CONCERN USING THE INTERNAL WHISTLEBLOWING CHANNEL
- Who can raise a concern
- When can a concern be raised and submitted?
- What can be the subject of a whistleblowing report?
- Reported subjects
- Content of the whistleblowing report
- Reporting modalities
9. FOR THOSE RECEIVING THE REPORT: WHAT HAPPENS AFTER THE REPORT HAS BEEN MADE
- Preliminary verification
- Preliminary investigation
- Feedback to the whistleblower
10. CHECKS, FILING AND STORAGE OF DOCUMENTATION, TRACEABILITY
11. DISCIPLINARY SYSTEM
- Loss of the protection regime
- Limitations of liability
- Further Provisions
12. ADMINISTRATIVE FINES APPLIED BY ANAC
- ANNEX 1 - INFORMATION PURSUANT TO ART. 13 OF EU REGULATION 2016/679 GENERAL DATA PROTECTION (“GDPR”)
- ANNEX 2 - HOW AND WHEN TO REPORT USING THE EXTERNAL WHISTLEBLOWING CHANNEL
- ANNEX 3 - HOW AND WHEN TO REPORT USING PUBLIC DISCLOSURE
The introduction into national law of a system for whistleblowing management as well as ensuring adequate protection of employees who report unlawful conduct from within the workplace is provided for in international conventions (UN, OECD, Council of Europe) ratified by Italy, as well as in recommendations provided by the Parliamentary Assembly of the Council of Europe.
In particular, Law No. 190 of 6 November 2012, with Article 1, Paragraph 51, introduced Article 54-bis into Italian Legislative Decree No. 165/2001. On the basis of this, a measure was provided, aimed at encouraging the emergence of cases of wrongdoing, known in English-speaking countries as whistleblowing.
With the Regulation for whistleblowing management and for the implementation of a sanctioning power in the area of protecting those who report irregularities or wrongdoings of which they have become aware in the context of an employment relationship pursuant to Article 54-bis of Italian Legislative Decree no. 165/2001, ANAC has defined further operational provisions on the subject.
The obligation for public administrations to equip themselves with anti-corruption systems, including a whistleblowing mechanism, was later extended, in part, to the private sector by Law No. 179 of 30 November 2017.
The European Union subsequently enacted European Directive 2019/1937 regarding the protection of persons who report breaches of Union law, in order to create a minimum standard for the protection of whistleblowers' rights in all member states.
Italy implemented the European Directive with Italian Legislative Decree No. 24 of 10 March 2023.
The purpose of Italian Legislative Decree 24/2023 is to regulate the protection of persons who report violations of national and European Union law that harm the public interest, or the integrity of the public administration or entity, of which they have become aware in a public or private employment context.
One of the main cornerstones of the whistleblowing is the protections provided to the whistleblower for those disclosures. On the one hand, they consist of prohibiting the employer of any acts of retaliation against whistleblowers and, on the other hand, in the cancellation of any retaliatory acts suffered by the whistleblower.
Italian Legislative Decree 24/2023 provides that protection from retaliation applies not only to whistleblowers but also to other persons who, although they may not have made the report directly, are nevertheless deemed worthy of protection.
There are, however, certain conditions (as explained below) that must be met in order for whistleblowers to benefit from the protection regime.
Italian Legislative Decree 24/2023 also sets out certain provisions aimed at guaranteeing the protection of confidentiality and the protection of personal data, as well as regulating the way in which the documentation relating to the whistleblowing is kept.
The provisions of Italian Legislative Decree No. 24/2023 shall have effect for Zenit Italia S.r.l. (hereinafter also referred to as 'Zenit Italia'), as of 17 December 2023.
PURPOSE AND SCOPE OF APPLICATION
The purpose of this procedure (hereinafter also referred to as the 'procedure') is to provide clear operational indications on the subject, content, recipients and method of transmission of reports concerning 'wrongdoings', as well as on the protective measures provided for in the relevant legislation.
‘Violations’ means all conduct, acts or omissions detrimental to the public interest or the integrity of the Company, of which whistleblowers become aware in the context of their work (see section 8.3)
Zenit Italia is strongly committed to preventing the occurrence of offences, adopting the necessary organisational and disciplinary measures to counter any possible occurrence thereof.
For this reason, it considers it essential that employees and third parties report alleged wrongdoings and behaviour that is not in line with the principles of ethical integrity, of which they have become aware through their working relationship and role, in order to ensure compliance with the provisions of the Organisation and Management Model pursuant to Italian Legislative Decree 231/01, the Code of Ethics and the Code of Conduct.
This procedure is therefore aimed at removing factors that may hinder or discourage the use of whistleblowing, such as doubts and uncertainties about the procedure to be followed and fears of retaliation or discrimination, as well as fears that the report itself will not be treated with due confidentiality.
The objectives of this procedure are:
Identify those who may raise a concern;
Define the perimeter of wrongdoings that can be reported;
Identify the way in which concerns may be raised;
Define the various stages of the whistleblowing management process, identifying roles, responsibilities, and operational modalities;
Outline the protection measures envisaged for the whistleblower;
Provide information on the administrative pecuniary sanctions applied by ANAC to the Company and to individuals in the case of wrongdoings as established by law;
Provide information on applicable disciplinary sanctions.
This procedure comes into force on the date of its approval by the Zenit Italia Board of Directors and applies to the Company.
The reference legislation of the procedure is represented by:
Directive (EU) 2019/1937: EU Directive on the protection of persons who report breaches of EU law which come to their attention in a public or private employment context (the so-called Whistleblowing directive).
Italian Legislative Decree No. 24 of 10 March 2023: Italian Legislative Decree implementing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and laying down provisions regarding the protection of persons who report breaches of national laws.
Italian Legislative Decree No. 231 of 08 June 2001: Italian Legislative Decree containing the 'Regulations on the administrative liability of legal persons, companies and associations, including those without legal status, pursuant to Article 11 of Law No. 300 of 29 September 2000’ and subsequent amendments and additions.
Organisational Model: Organisation, Management and Control Model pursuant to Italian Legislative Decree 231/2001 adopted by Zenit Italia.
Code of Ethics of Zenit Italia: a document that defines the set of values, principles and conduct that must inspire the company's activities and expresses the commitments and ethical responsibilities in the conduct of activities by all collaborators (internal and external).
Code of Conduct of Zenit Italia: an instrument aimed at preventing and combating any form of sexual harassment, bullying and discrimination, with full respect for confidentiality.
ANAC: National Anti-Corruption Authority, whose institutional mission is identified as the prevention of corruption in all areas of administrative activity.
Whistleblowing channel: Zenit Italia's application for transmitting whistleblowing reports, can be accessed from https://www.zenit.com/Whistleblowing or directly from the browser by entering the following address: zenititalia.whistlelink.com.
Employment context: current or past work or professional activities, carried out in the context of the relationships referred to in Article 3(3) or (4) of Italian Legislative Decree No. 24/2023, through which, regardless of the nature of the activities, a person acquires information about violations, in the context of which they could risk retaliation in the event of a public disclosure or report to the judicial or accounting authorities.
Italian Legislative Decree 196/03: Italian Legislative Decree No. 196 of 30 June 2003 - Personal Data Protection Code.
Italian Legislative Decree 231/01 or Decree: Italian Legislative Decree No. 231 of 8 June 2001 on the 'Regulation of the administrative liability of legal persons, companies and associations, including those without legal status' and subsequent amendments and additions.
Public disclosure or public dissemination: making information about violations publicly available through the press or electronic media or otherwise through means of dissemination capable of reaching a large number of people.
Facilitator: a natural person assisting a whistleblower in the reporting process, operating within the same employment context and whose assistance must be kept confidential.
GDPR: Regulation (EU) No 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
Information on violations: information, including well-founded suspicions, concerning violations committed or which, on the basis of concrete elements, could be committed in the organisation with which the whistleblower or the person lodging the complaint with the judicial or accounting authorities has a legal relationship within the meaning of Article 3(11) or (2) of Italian Legislative Decree No. 24/2023, as well as elements concerning conduct aimed at concealing such violations.
Law 146/2006: Law No 146 of 16 March 2006 (Ratification and implementation of the United Nations Convention and Protocols against Transnational Organised Crime, adopted by the General Assembly on 15 November 2000 and 31 May 2001).
Model / MOG: Organisation and Management Model ex artt. 6 and 7 of Italian Legislative Decree 231/01.
Supervisory Board (OdV): body provided for in Article 6 of Italian Legislative Decree 231/01, responsible for supervising the operation of and compliance with the Model and its updating for each Company. For the purposes of this Procedure, the Supervisory Board is also the subject (independent and specifically trained), entrusted with the management of the whistleblowing channel and with the verification of the validity of the circumstances represented in the report.
Person involved: the natural or legal person mentioned in the internal or external report or in the public disclosure as the person to whom the breach is attributed or as a person otherwise involved in the reported or publicly disclosed breach.
Reporting person: the natural person who makes the report or public disclosure of information on violations acquired in their employment context.
Platform: IT tool for whistleblowing management.
Retaliation: any conduct, act or omission, even if only attempted or threatened, committed as a result of the whistleblowing report, the complaint to the judicial or accounting authorities or the public disclosure and which causes or is likely to cause the whistleblower or the person making the complaint, directly or indirectly, unjust damage.
Whistleblowing or reporting: written or oral communication of information on violations.
Anonymous reporting: when the identity of the whistleblower is not made explicit or otherwise identifiable.
Open reporting: when the whistleblower openly raises an issue without any limitations related to confidentiality.
External whistleblowing: the written or oral communication of information on violations submitted through the external whistleblowing channel referred to in Article 7 of Italian Legislative Decree No. 24/2023. External whistleblowing is not covered by this procedure.
Internal whistleblowing: the written or oral communication of information on violations submitted through the internal whistleblowing channel referred to in Article 4 of Italian Legislative Decree No. 24/2023, which is the subject of this procedure.
Confidential reporting: when the identity of the whistleblower is not made explicit, but it is nevertheless possible to trace it in specific and certain cases indicated below.
Unlawful reporting: a whistleblowing report which from the results of the preliminary investigation reveal that it is unfounded on the basis of objective elements, and in respect of which the concrete circumstances ascertained in the course of the same preliminary investigation make it possible to consider that it has been made in bad faith or with serious negligence.
Substantiated/verifiable report: a whistleblowing report in which the whistleblower’s account of the facts, events or circumstances constituting the basic elements of the alleged offence (e.g. type of offence committed, reference period, value, causes and purpose of the offence, company/areas/people/units/entities concerned or involved, anomaly in the internal control system, etc.) is provided in sufficient detail to allow the competent corporate bodies, on the basis of the available investigative tools, to verify the validity or otherwise of the facts or circumstances reported.
Follow-up: the action taken by the person entrusted with the management of the whistleblowing channel to assess the existence of the reported facts, the outcome of the investigation and any measures taken.
Company: Zenit Italia S.r.l.
Private sector entities: entities, other than those falling within the definition of public sector entities, which: 1) have employed, in the last year, an average of at least fifty employees with permanent or fixed-term employment contracts; 2) are covered by the European Union acts referred to in Parts I.B and II of the Annex, even if during the last year they did not reach the average number of employees referred to in number 1); 3) are other than the persons referred to in number 2), fall within the scope of Italian Legislative Decree No. 231 of 8 June 2001, and adopt organisation and management models provided for therein, even if in the last year they did not reach the average number of employees referred to in number 1).
Public sector bodies: public administrations as defined in Article 1, paragraph 2, of Italian Legislative Decree No 165 of 30 March 2001, independent administrative authorities which guarantee, oversee or regulate public economic entities, bodies governed by public law as defined in Article 3, paragraph 1, letter d), of Italian Legislative Decree No. 50 of 18 April 2016, public service concessionaires, publicly controlled companies and in-house companies, as defined, respectively, by Article 2, paragraph 1, letters m) and o), of Italian Legislative Decree No. 175 of 19 August 2016, even if they are listed.
Reported subjects: the person to whom the whistleblower attributes the offence/irregularity represented in the report.
Third Parties: contractual counter parties of Zenit Italia, both natural and legal persons with whom the Company enters into any form of contractually regulated collaboration and who are destined to cooperate with the Company [including but not limited to: collaborators, suppliers; consultants (such as consultancy firms, lawyers); other third parties who have contractual relations with Zenit Italia (for example outsourcing companies, staffing companies and temporary employees)].
Stakeholder: all legitimate stakeholders in the company's business.
Response: communication for the whistleblower with information on the follow-up given or intended to be given to the report.
Violations: conduct, acts or omissions detrimental to the public interest or the integrity of the public administration or private entity and consisting of:
- unlawful conduct within the meaning of Italian Legislative Decree No. 231 of 8 June 2001 or violations of the organisation and management models provided for therein, which do not fall under numbers 3) 4) 5) and 6);
- offences falling within the scope of application of the European Union or national acts indicated in the annex to Italian Legislative Decree no. 24/2023 or of the national acts constituting implementation of the European Union acts indicated in the annex to Directive (EU) 2019/1937, although not indicated in the annex to Italian Legislative Decree no. 24/2023, relating to the following sectors: Public procurement; services, products and financial markets and prevention of money laundering and terrorist financing; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety and animal health and welfare; public health; consumer protection; protection of privacy and protection of personal data and security of networks and information systems;
- acts or omissions affecting the financial interests of the Union referred to in Article 325 of the Treaty on the Functioning of the European Union specified in the relevant secondary legislation of the European Union;
- acts or omissions affecting the internal market, as referred to in Article 26(2) of the Treaty on the Functioning of the European Union, including violations of Union competition and State aid rules, as well as violations affecting the internal market related to acts in breach of corporate tax rules or mechanisms whose purpose is to obtain a tax advantage that thwarts the object or purpose of the applicable corporate tax law
- acts or conduct that thwart the object or purpose of the provisions of Union acts in the areas indicated in points (3), (4) and (5).
Responsibility for checking, approving and updating this document lies with the Management Body of Zenit Italia.
Responsibility for execution lies with all persons carrying out the activities indicated in this procedure.
Knowledge and awareness
This whistleblowing procedure represents a fundamental element in order to ensure full awareness for an effective monitoring of risks and their interrelationships and to guide changes in strategy and the organisational context.
Ensuring the confidentiality of personal data
Whistleblowing reports may not be used beyond what is necessary to adequately follow them up.
All the persons receiving, examining and assessing reports and any other person involved in the process of whistleblowing management are required to ensure the utmost confidentiality of the facts reported, the identity of the reported person, the whistleblower and the facilitator, who are appropriately protected against retaliatory, discriminatory or otherwise unfair conduct.
Processing of personal data
Zenit Italia, as Data Controller, is responsible for complying with the cardinal principles dictated by EU Regulation 2016/679 (hereinafter also "GDPR") and Italian Legislative Decree 196/2003, as amended by Italian Legislative Decree 101/2018, in order to ensure that all personal data processing operations (collection, recording, organisation, storage, consultation, processing, etc.), carried out as part of its business, take place in compliance with the regulations in force. This scope of application therefore also includes activities related to the protection of persons who report violations of national or European Union law that harm the public interest or the integrity of the private entity.
In order to be able to fully comply with the provisions of the law on the processing of personal data, whistleblowing management must be marked by a use of personal data limited to what is strictly necessary to be able to follow up on what is reported.
Furthermore, personal data that is clearly not useful for the processing of a specific whistleblowing report must not be collected or, if collected, must be promptly deleted.
Zenit Italia, in its capacity as Data Controller, is required to assign, in writing, the natural persons authorised to access the information of a personal nature contained in a specific whistleblowing report, including for the purpose of following it up.
The identification of authorised personnel by the data controller must comply with the principle of “data minimisation”: it must be a limited number of persons strictly competent in relation to these activities.
These persons must be formally assigned, by means of a specific letter of instruction to be sent to the relevant person.
When carrying out personal data processing activities, the Controller may also identify specific external parties to whom it entrusts specific tasks. In this case, the Data Controller must:
Only use subjects with sufficient guarantees to put in place appropriate technical and organisational measures so that the processing meets regulatory requirements and guarantees the protection of the rights of the data subject;
Govern this relationship by means of a specific legal act, identifying this person as the 'External Data Processor'. It is therefore necessary for the Controller to appoint the supplier/third party as external processor.
In application of the principle of transparency, information and communications relating to the processing of personal data must be easily accessible and understandable, using simple and clear language. To this end, the Data Controllers must provide appropriate information pursuant to Articles 13-14 GDPR to reporting persons and the persons concerned, ensuring, moreover, within the limits of Article 2-undecies letter f) of Italian Legislative Decree 196/2003, the exercise of the rights set out in Articles 15- 22 GDPR.
Data will be processed in such a way as to ensure the security of personal data, including protection, by means of appropriate technical and organisational measures, from unauthorised or unlawful processing and from accidental loss, destruction and damage.
It is strictly prohibited to track whistleblowing channels.
There is an obligation to ensure, where possible, the tracking of the activity of authorised personnel in compliance with the guarantees for the protection of the whistleblower.
Impartiality, autonomy and independence of judgement
All persons receiving, examining and assessing reports meet the moral and professional requirements and ensure that the necessary conditions of independence and due objectivity, competence and diligence are maintained in the performance of their activities.
Protection for reporting persons
Various protections are granted to the whistleblower for concerns raised in compliance with the discipline, provided that:
It is a person included in the list of enabled reporting persons;
The person has raised a concern, reported or made the public disclosure based on a reasonable belief that the information on the violations reported or disclosed, is true and within the objective scope of the decree;
The reporting or public disclosure was carried out in compliance with the rules set out in Italian Legislative Decree 24/2023;
There is a consequential relationship between the report, disclosure and claim made and the retaliatory measures suffered.
This regime also applies in cases of anonymous whistleblowing or reporting to the judicial or accounting authorities or public disclosure, if the whistleblower is subsequently identified and retaliated against, as well as in cases of external whistleblowing.
The personal and specific reasons that prompted the person to raise a concern, report or publicly disclose are irrelevant for the purposes of dealing with the report and protection from retaliatory measures.
Protection measures also apply:
To the facilitator (a natural person who assists the whistleblower in the reporting process, operating within the same employment context and whose assistance must remain confidential);
To persons in the same employment context as the whistleblower, the whistleblower or the person making a public disclosure and who are linked to them by a stable emotional or family relationship up to the fourth degree;
To work colleagues of the whistleblower or of the person who has made a complaint or made a public disclosure, who work in the same employment context as that person and who have a regular and current relationship with that person;
To entities owned, exclusively or in majority ownership by third parties, by the whistleblower, reported person or the person who has made a public disclosure;
To the entities where the reporting person, whistleblower or person making a public disclosure works;
To entities operating in the same employment context as the reporting person, whistleblower or person making a public disclosure.
Prohibition of discrimination against the whistleblower
Any form of retaliation, including attempted or threatened retaliation, which causes or may cause the person/entity, directly or indirectly, unfair harm for reasons directly or indirectly related to the whistleblowing activity, shall not be permitted or tolerated against the person raising a concern under this procedure (Retaliation constitutes the offences listed in Art. 17, para. 4, of Italian Legislative Decree 24/2023 and, in particular: a. dismissal, suspension or equivalent measures; b. downgrading or lack of promotion; c. change of duties, change of place of work, reduction in salary, change in working hours; d. the suspension of training or any restriction on access to it; e. negative merit notes or negative references; f. the adoption of disciplinary measures or any other sanction, including a fine; g. coercion, intimidation, harassment or ostracism; h. discrimination or otherwise unfavourable treatment; i. failure to convert a fixed-term employment contract into an employment contract of indefinite duration, where the employee had a legitimate expectation of such conversion; l. non-renewal or early termination of a fixed-term employment contract; m. damage, including to a person's reputation, in particular on social media, or economic or financial loss, including loss of economic opportunities and loss of income; n. the early termination or cancellation of a contract for the supply of goods or services; o. the cancellation of a licence or permit; p. the request to undergo psychiatric or medical examinations.).
The management of retaliatory communication in the public and private sectors is the responsibility of ANAC. Where the retaliatory communication is mistakenly received by public or private entities, rather than by ANAC, these entities are required to guarantee the confidentiality of the identity of the person who sent it and to transmit the communication to ANAC, simultaneously notifying the person who sent it.
It is necessary for the whistleblower to provide ANAC with objective elements from which it is possible to deduce the consequentiality between the concern raised, the public disclosure made and the alleged retaliation.
The declaration of invalidity of retaliatory acts is a matter for the judicial authority, which adopts all the measures, including provisional ones, necessary to ensure the protection of the legal situation being asserted, including compensation for damages, reinstatement in the workplace, and an order to cease the retaliatory conduct.
In the context of judicial or administrative proceedings aimed at ascertaining any retaliation against whistleblowers, it is presumed that such conduct or acts were carried out as a result of the whistleblowing. The onus of proving that such conduct or acts are motivated by reasons unrelated to the whistleblowing, public disclosure or complaint is on the person who carried them out.
This benefit does not apply to facilitators, persons in the same employment context with a stable emotional or family link to the fourth degree with the reporting person, whistleblower or person making a public disclosure, co-workers working in the same employment context who have a current relationship with the whistleblower, and also legal entities in cases where they are entities owned by the reporting person, whistleblower, person making a public disclosure or entities in which the whistleblower works or entities operating in the same employment context. The burden of proof lies with all these entities, if they complain of retaliation or harm.
In the event of a claim for damages submitted to the judicial authorities by reporting persons, if such persons prove that they have carried out, pursuant to Italian Legislative Decree 24/2023, a report, public disclosure or complaint to the judicial or accounting authority and having suffered harm, it shall be presumed, unless the contrary is proved, that the harm is the consequence of the whistleblowing report, public disclosure or complaint to the judicial or accounting authority.
Individuals whose working contract has been terminated as a result of their whistleblowing report, public disclosure or complaint to the judicial or accounting authorities are entitled to be reinstated in their jobs.
A whistleblower who considers that they have suffered discrimination or retaliation may also give detailed notice of the discrimination that has occurred: a) to their line manager; b) to the Supervisory Board; c) to the Public Prosecutor's Office in the event of criminal offences.
This is without prejudice to the reporting party's right to inform the trade unions or the competent judicial authority of the incident.
Obligations of confidentiality on the identity of the whistleblower, the facilitator and removal of the right of access to the whistleblowing report
With the exception of cases in which liability for libel and slander can be established pursuant to the provisions of the Criminal Code or Article 2043 of the Civil Code and cases in which anonymity is not enforceable by law (e.g. criminal, tax or administrative investigations, inspections by supervisory bodies), the identity of the whistleblower is protected in any context subsequent to the report.
Therefore, without prejudice to the aforementioned, the identity of the whistleblower and any other information from which that identity may be inferred, directly or indirectly, may not be disclosed, without the express consent of the whistleblower, to persons other than those competent to receive or follow up the reports and expressly authorised to process such data.
Confidentiality is also guaranteed in the case of internal or external whistleblowing reports made verbally through telephone lines or, alternatively, through voice messaging systems or, at the request of the person making the report, through a direct meeting with the person dealing with the report.
The confidentiality of the whistleblower is protected even when the report is received by personnel other than those authorised and competent to handle reports, to whom, in any case, reports must be forwarded without delay.
The same confidentiality obligations are guaranteed for the facilitator assisting the whistleblower, both as regards the identity and the activity in which the assistance takes place.
All those who receive or are involved in whistleblowing management are obliged to protect the confidentiality of such information.
Violation of the duty of confidentiality is a source of disciplinary liability, without prejudice to other forms of liability provided for by law.
With regards to criminal proceedings, the identity of the whistleblower is covered by confidentiality in the manner and to the extent provided for in Article 329 of the Code of Criminal Procedure.
In proceedings before the Court of Auditors, the identity of the whistleblower cannot be disclosed until the preliminary investigation phase is closed.
With regard to disciplinary proceedings, the identity of the whistleblower may not be disclosed where the allegation of the disciplinary charge is based on investigations that are separate from and additional to the report, even if they are a result of the report itself. If the objection is based, in whole or in part, on the report and knowledge of the identity of the whistleblower is essential for the defence, the report may be used for the purposes of disciplinary proceedings only if the whistleblower has consented to the disclosure of their identity.
The whistleblower is to be notified in writing of the reasons for the disclosure of the confidential data, if the disclosure of the identity and the related information is also essential for the defence of the person concerned.
With regards to proceedings established as a result of internal or external whistleblowing reports, the identity of the whistleblower may be disclosed where the disclosure is also essential for the defence of the person concerned only where the whistleblower has consented to the disclosure of their identity.
The whistleblower is to be notified in writing of the reasons for the disclosure of the confidential data, if the disclosure of the identity and the related information is also essential for the defence of the person concerned.
The whistleblowing report is also removed from access to administrative acts and the right of generalised civic access.
With particular reference to the area of privacy, it should be noted that personal data will be processed exclusively for the purpose of handling the report submitted and verifying the information contained therein.
The data will also be processed both with hard copy and electronic/computer/telematic tools/supports, in full compliance with the law, according to principles of lawfulness and fairness and in such a way as to protect the confidentiality of the whistleblower.
Any disclosure of the identity of the whistleblower to persons other than those competent to receive or follow up reports must always be made with the express consent of that person.
Protection for reported persons
Obligations of confidentiality on the identity of the reported person and of all persons mentioned in the report
In compliance with the regulations in force, Zenit Italia has adopted the same forms of protection to guarantee the privacy of the person making the report also for the person allegedly responsible for the breach, as well as for all the persons mentioned in the report, without prejudice to any further form of liability provided for by law which imposes the obligation to disclose the name of the person reported (e.g. requests to the Judicial Authority).
Without prejudice to cases in which the judicial authorities are involved, pending the ascertainment of any disciplinary liability of the reported person, and until the conclusion of the proceedings initiated on the basis of the report, the Supervisory Board must treat the identity of the reported person and of all the persons mentioned in the report as confidential and secret. In particular, it must not reveal the name of the reported person without their consent and must not allow third parties access to the report and to their identity.
Confidentiality is also guaranteed: a) in the case of internal or external whistleblowing reports made verbally through telephone lines or, alternatively, through voice messaging systems or, at the request of the person making the report, through a direct meeting with the person dealing with the report; b) when the report is made by means other than those established by the administrations/entities and by ANAC in accordance with the decree; c) when the report is received by personnel other than those authorised and competent to handle reports, to whom, in any case, the reports must be transmitted without delay.
The Company shall not impose disciplinary sanctions on the reported person on the basis of the allegations made by the whistleblower without objective evidence and without investigating the facts reported, and until the conclusion of the proceedings initiated as a result of the report, in compliance with the same guarantees provided for the whistleblower.
Possibility of interviewing the reported person
The person reported may be interviewed at their request, also by means of a paper procedure through the acquisition of written comments and documents.
This person does not always have the right to be informed of the relevant report, but only within the scope of any proceedings initiated against them following the conclusion of the whistleblowing management, and where such proceedings are based in whole or in part on the report.
Protecting the reported subject from whistleblowing reports made in bad faith
All persons are bound to respect the dignity, honour and reputation of others. To this end, the whistleblower is required to declare whether they have a private interest related to the report.
More generally, the Company guarantees adequate protection against whistleblowing reports made in bad faith, censuring such conduct and informing the persons concerned that reports sent with the aim of harming or otherwise causing damage as well as any other form of abuse of this document are a source of liability, before disciplinary and other competent fora.
TRAINING AND INFORMATION
In order to encourage the use of internal whistleblowing systems and to foster a culture of legality, Zenit Italia illustrates the internal whistleblowing procedure adopted to its own employees and collaborators in a clear, precise and complete manner.
Zenit Italia also ensures the prompt provision of information to all employees and persons who collaborate with it, not only in relation to the whistleblowing procedures adopted, but also with reference to the knowledge, understanding and dissemination of the objectives and spirit with which the concern is to be raised.
Information on the whistleblowing channel, how and under what conditions to raise a concern is made visible:
In the workplace accessible to persons who, although not frequenting the workplace, have a legal relationship with the Company within the scope of this Procedure;
On the Zenit Italia website, https://www.zenit.com/it-IT/Whistleblowing..
The same dissemination methods set out above are adopted for subsequent revisions and additions to the procedure.
In the same way, information is also provided on the conditions for external whistleblowing and public disclosure, as well as on retaliatory reporting to be communicated to ANAC.
8.FOR WHISTLEBLOWERS: HOW AND WHEN TO RAISE A CONCERN USING THE INTERNAL WHISTLEBLOWING CHANNEL
Who can raise a concern
The whistleblowing system can be activated by the following parties:
Employees of the Company;
Self-employed persons working for the Company;
Self-employed persons and workers who perform their work for entities that supply goods or services or carry out works for the Company;
Freelancers and consultants working for the Company;
Volunteers and trainees, both paid and unpaid;
Shareholders and persons with responsibilities of administration, management, control, supervision or representation, even if such functions are exercised de facto at the Company;
Whistleblowers, in their relations with the Company and in accordance with the provisions of the Model, the Code of Ethics and the Code of Conduct, must report what is set out in the paragraph "Object of the whistleblowing report".
When can a concern be raised and submitted?
When the legal relationship is ongoing;
During the probationary period;
When the legal relationship has not yet begun, if information on violations was acquired during the selection process or in other pre-contractual stages;
Subsequent to the dissolution of the legal relationship if the information regarding the breech was acquired prior to the dissolution of the relationship.
What can be the subject of a whistleblowing report?
The subject of a report, public disclosure or whistleblowing report is information on violations, including well-founded suspicions, of national and European Union legislation affecting the public interest or the integrity of the public administration or the private entity committed within the organisation of the entity with which the reporter or whistleblower has one of the qualified legal relationships considered by the legislator and consisting of:
Illegal conduct relevant under Italian Legislative Decree 231/2001, or violations of organisational models;
Offences falling within the scope of EU acts in the following (sensitive) areas: public procurement; financial services, products and markets and prevention of money laundering and terrorist financing; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety and animal health and welfare; public health; consumer protection; privacy and data protection; and network and IT system security;
Acts or omissions affecting the financial interests of the Union as identified in EU regulations, directives, decisions, recommendations and opinions;
Acts or omissions concerning the internal market, including violations of EU competition and state aid rules, as well as violations concerning the internal market related to acts that violate corporate tax rules or mechanisms whose purpose is to obtain a tax advantage that thwarts the object or purpose of the applicable corporate tax law;
Acts or behaviour which thwart the object or purpose of the Union's provisions in the areas indicated in the preceding paragraphs.
Reporting may also include:
Information on conduct aimed at concealing the above violations;
Illegal activities that have not yet taken place but which the whistleblower reasonably believes may occur in the presence of concrete, precise and concordant elements;
Reasonable suspicions, as defined by ANAC Guidelines.
Information on reportable infringements does not include information that is clearly unsubstantiated, information that is already fully in the public domain, or information acquired only on the basis of rumours or unreliable rumours (so-called "rumour mill").
The regulatory provisions do not apply:
To objections, claims or demands linked to a personal interest of the whistleblower or of the person raising a concern with the judicial or accounting authorities that relate exclusively to their individual work or public employment relationships, or inherent to their work relationships with hierarchically superior figures;
To reports of violations where already regulated by EU or national acts concerning: financial services, products and markets, prevention of money laundering and terrorist financing, transport safety and environmental protection;
To national security breaches, as well as procurement relating to defence or national security aspects, unless these aspects are covered by relevant secondary EU law.
This is without prejudice to the application of the provisions on the exercise of the right of employees to consult their representatives or trade unions, on protection against unlawful conduct or acts carried out as a result of such consultations, on the autonomy of the representatives of workers and employers and their right to enter into collective agreements, and on the repression of anti-union conduct as referred to in Article 28 of Law No. 300 of 20 May 1970.
Whistleblowing reports may concern members of corporate bodies, management, employees, partners, external collaborators, collaborators not subordinate to the Company, as well as business partners, suppliers and all those who have relations with the Company, and may relate to any type of unlawful conduct of which they have become aware.
Content of the whistleblowing report
The whistleblower is required to provide all useful elements to enable the competent offices to carry out appropriate checks to verify the facts reported. To this end, the whistleblowing report should preferably contain the following elements:
Personal details of the person raising the concern, indicating the position or function held within the Company;
The clear and complete description of the facts being reported;
If known, the circumstances of time and place in which the acts were committed;
If known, the personal details or other elements (such as job title and the department in which the activity is carried out) that make it possible to identify the person who has carried out the reported facts;
An indication of any other persons who may report on the facts being reported;
An indication of any documents that may confirm the validity of these facts;
Any other information that may provide useful feedback on the existence of the reported facts.
Reports from which the identity of the whistleblower cannot be established are considered anonymous.
It should be noted that anonymous reports, i.e. without any elements enabling the relevant person to be verified, even if delivered by the means set out below, will only be taken into consideration for further verification if:
Adequately substantiated and capable of ensuring that specific facts and situations emerge;
Do not appear prima facie irrelevant, unfounded or unsubstantiated;
They relate to facts of particular gravity and with a content that is adequately detailed, circumstantial and related to specific contexts (e.g. indication of particular names or qualifications, mention of specific offices, proceedings or events).
Anonymous whistleblowing reports will then be handled according to the criteria established for ordinary reports.
This is without prejudice for the requirement of good faith and truthfulness of the facts or situations reported in order to protect the whistleblower.
The whistleblowing report must not concern grievances of a personal nature on the part of the whistleblower or claims falling within the scope of the employment relationship or relations with a hierarchical superior or colleagues, and must not take an insulting tone or contain personal insults or moral judgements designed to offend or harm the honour and/or personal and/or professional decorum of the person or persons to whom the reported facts are allegedly ascribed.
Whistleblowing reports must be transmitted through the Whistlelink whistleblowing channel which can be accessed from the Zenit Italia website and directly from the browser by entering the following address: zenititalia.whistlelink.com.
The application allows whistleblowing reports to be made in the following ways:
In writing, by filling in the relevant form, or by sending a text message;
Verbally, by recording a voice message. This form of whistleblowing does not allow voice morphing. It is therefore recommended to use this method only in cases where it is not the wish of the whistleblower to remain anonymous (confidentiality will be preserved).
The whistleblower may also request for a face-to-face meeting in the application, which will be set within a reasonable period of time from the date of receipt of the request, according to the modalities that will be communicated by the report handler through the application.
Through the use of encryption tools the application guarantees the confidentiality of the identity of the whistleblower, the person involved and the person mentioned in the report, as well as the content of the report and related documentation.
All whistleblowing reports received are encrypted with ISO 27001-certified standards of the highest security and data are stored on secure servers outside the company network.
The application also allows the whistleblower to remain anonymous (subject to the above provisions on verbal reports).
The whistleblower must provide a detailed report, indicating all the useful elements to enable the persons in charge to proceed with the due and appropriate checks and verifications to confirm the validity of the facts reported.
Once the process of entering the report is complete, the application assigns an identification number to the report. By accessing the 'Follow my case' section and entering the report number and password generated when entering the report, it is possible to monitor the progress of the whistleblowing management or to communicate directly with the report handler in the event of a request for further information or a direct meeting.
9.FOR THOSE RECEIVING THE REPORT: WHAT HAPPENS AFTER THE REPORT HAS BEEN MADE
Management of the Whistleblowing channels and verification of the validity of the circumstances represented in the report are entrusted to the Zenit Italia Supervisory Board.
The competent function ensures that all appropriate verifications are carried out on verifiable reported facts, through one or more of the following activities, ensuring that these steps are carried out in the shortest possible time and in accordance with the principles of objectivity, competence and professional diligence. Furthermore, appropriate procedures will be ensured to guarantee transparency and fairness in whistleblowing management, as well as the confidentiality of the identity of the whistleblower (if known), of the person involved and of the persons mentioned in the report.
For the purposes of this procedure, the Supervisory Board is responsible for the following tasks:
Provide the whistleblower with an acknowledgement of receipt within seven days from the date of receipt of the report;
Maintain contact with the whistleblower and request additions if necessary;
Diligently follow up on reports received;
Acknowledge the report within three months of the date of the acknowledgement of receipt or, in the absence of such an acknowledgement, within three months of the expiry of the seven-day period from the submission of the report.
The activities of the whistleblowing management process are described in the following paragraphs.
Upon receipt of the whistleblowing report, the Supervisory Board must issue the reporting party with an acknowledgement of receipt of the report within seven days from the date of receipt, in order to inform them that the report has been taken into account.
If the report is transmitted to a person other than the identified report handler and/or is transmitted by a method other than the one envisaged, there is an obligation to transmit the original copy within seven days of its receipt with attachments (where present), to the Supervisory Board, giving simultaneous notice of transmission to the whistleblower. This is in accordance with criteria of the utmost confidentiality and in a manner suitable to protect the whistleblower and the identity and honour of the persons reported, without prejudice to the effectiveness of the subsequent investigative activities.
The objective of the preliminary verification is to classify the reports received in order to identify the reports to be dealt with under this regulatory instrument, and to assess the presence of the necessary prerequisites for the start of the subsequent investigation phase.
The Supervisory Board carries out an initial eligibility screening assessing the following:
Whether the whistleblower falls within the qualified entities referred to in Article 3 of Italian Legislative Decree 24/2023;
Whether the report falls within the scope of Article 2 of Italian Legislative Decree 24/2023;
Whether the purpose of the report is to bring conduct to the Company's attention that puts business and/or third parties at risk;
The gravity and urgent nature of the risk for the company and/or third parties;
Whether the subject of the whistleblowing report has already been assessed in the past;
Whether the report contains sufficient elements to be verified or, on the contrary, if it is too general or lacks the necessary elements for a subsequent investigation.
After carrying out the appropriate investigations and analyses, the Supervisory Board alternatively:
Proposes, by informing the whistleblower, if known, that reports of the following type are to be filed: i) reports which do not qualify verifiably circumstantial and therefore the preliminary investigation phase cannot be launched; (ii) they are patently unfounded and unlawful; iii) they contain facts that have already been the subject of specific investigative activities in the past and have already been archived, where the preliminary verifications carried out do not reveal new information such as to make further verification activities necessary; iv) they can be verified as circumstantial and in light of the results of the preliminary verifications carried out, it does not consider it necessary to initiate the subsequent investigation phase.
Archived reports may be reopened if new elements arise from which the legitimacy of the report may be ascertained following new information, documents or facts, including those taken on by the Supervisory Board as part of its supervisory and control activities on the effective implementation of the Organisational Model, or in the context of reports made by other reporting persons;
It contacts the whistleblower if it considers the report to be excessively general, in order to ask them to provide elements useful for the investigation, and then proceeds to dismiss the report if no further elements are provided or if they are otherwise considered insufficient;
It transmits the communications received that are not identified as whistleblowing reports to the corporate functions responsible for receiving and processing them on the basis of the relevant regulations, informing, where possible, the sender of the communication that the reported issue does not fall within the scope of the cases envisaged by this regulatory instrument and that it will be taken care of by the competent corporate functions.
The purpose of the assessment activities on the reports is to carry out the specific checks, analyses and assessments as to whether or not the reported facts are well-founded, as well as to make any recommendations as to the adoption of the necessary corrective actions on the areas and business processes concerned by the report.
Following the presentation of the report, the non-anonymous whistleblower may be contacted by the competent body if they need to acquire elements useful for the preliminary investigation phase.
The whistleblower may send further information of which they become aware in order to supplement the facts of the report, as well as to request updates on the status of the report. In this way, a kind of direct dialogue can be established with the whistleblower.
The management and verification of the validity of the circumstances represented in the report are entrusted to the competent body, which does so in compliance with the principles of impartiality and confidentiality, carrying out any activity deemed appropriate, including interviewing, in person, the whistleblower and any other persons who may report on the facts reported.
The Supervisory Board directly carries out all the activities aimed at ascertaining the facts that are the subject of the report.
It may also avail itself of the support and cooperation of corporate structures and functions, when, due to the nature and complexity of the verifications, their involvement is necessary. This is also the case for external consultants, with the related charges borne by the Company.
The Supervisory Board defines the modalities for carrying out the investigations and, if deemed appropriate, may directly interview the whistleblower - if known - or the persons mentioned in the report, or persons who can provide important information for proper whistleblowing management.
During the preliminary investigation, the right to confidentiality and respect for the anonymity of the whistleblower is preserved, unless this is not possible due to the characteristics of the investigation to be carried out. In which case, the same duties of conduct, aimed at maintaining the confidentiality of the whistleblower, apply to the whistleblower.
If, at the end of the preliminary investigation phase, it is found that the report is: (i) not based on objective elements, and (ii) has been presented in bad faith or with gross negligence, the Supervisory Board:
May decide, by reasoned decision, to file it by deleting the names and elements that may allow the identification of the reported persons,
Forwards it to the competent functions for consideration of the adoption of any disciplinary sanctions or other measures against the whistleblower,
It monitors its implementation and ensures that the reported subject is informed in a timely manner through the whistleblowing channel.
Archived reports may be reopened if new elements arise from which the legitimacy of the report may be ascertained following new information, documents or facts, including those taken on by the Supervisory Board as part of its supervisory and control activities on the effective implementation of the Organisational Model, or in the context of reports made by other reporting persons.
If, at the outcome of the verification, the report proves to be well-founded, the Supervisory Board shall take the following actions in relation to the violation:
Inform the Chairman of the Board of Directors and, at the first useful meeting, the entire Board and the Single Statutory Auditor of the outcome of the assessment and its evaluations in a timely manner;
Communicate the result of the assessment to the Head of the structure to which the reported person of the ascertained breach belongs, so that they may, if necessary, provide for further verification, possibly supported by legal counsel, as well as for the adoption of the management and improvement measures falling within their competence, including disciplinary action, if the prerequisites are met;
Take any further measures and/or actions that may be necessary in the specific case to protect the company, including, where necessary, filing a complaint with the competent judicial authority;
Promptly inform the whistleblower through the whistleblowing channel.
The Supervisory Board monitors the status of implementation of corrective actions through follow-ups.
Feedback to the whistleblower
Once the preliminary investigation phase has been completed and the appropriate decisions have been taken on the report, it is the duty of the Supervisory Board:
To provide, through the whistleblowing channel, feedback to the whistleblower within three months of the date of the acknowledgement of receipt or, in the absence of such an acknowledgement, within three months of the expiry of the seven-day period from the submission of the report, in order to inform the whistleblower about the handling and assessment of the report and the activity performed;
With the contribution of any external consultants appointed, prepare a final report indicating the findings of the investigation carried out.
CHECKS, FILING AND STORAGE OF DOCUMENTATION, TRACEABILITY
All reports received through the IT tool are automatically coded and recorded.
All documentation is retained for as long as necessary for the processing of the report and, in any case, no longer than five years from the date of the communication of the final outcome of the reporting procedure, in compliance with the statutory confidentiality obligations.
In the case of reports made by telephone:
If a recorded telephone line or other recorded voice messaging system is used for the report, the report, subject to the consent of the whistleblower, shall be documented by the staff member in charge, using a recording on a device suitable for storage and listening or by means of a verbatim transcript. In the case of a transcript, the whistleblower may verify, rectify or confirm the content of the transcript by signing it;
If an unregistered telephone line or other unregistered voice messaging system is used for reporting, the report is to be documented in writing by means of a detailed record of the conversation by the staff member in charge. The whistleblower may verify, rectify and confirm the contents of the transcript by signing it.
When, at the request of the whistleblower, the report is made verbally in the course of a meeting with the staff member in charge, it is documented, with the consent of the whistleblower, by the Supervisory Board by means of a recording on a device suitable for storage and listening or by minutes.
In the case of minutes of the meeting, the whistleblower may verify, rectify and confirm the minutes of the meeting by signing them.
In order to ensure the management and traceability of the reports and of the preliminary investigation activities, the Supervisory Board prepares and updates the system dedicated to the management, monitoring and reporting of whistleblowing reports, ensuring the filing of all the relevant supporting documentation.
To this end, the Supervisory Board guarantees the preservation of the original documentation of the reports, as well as of the working papers relating to the preliminary investigations and verifications of the reports, in special paper/electronic archives with the highest standards of security/confidentiality in compliance with the regulatory provisions and in accordance with the specific internal rules.
The processing of personal data of the persons involved and/or mentioned in the reports is protected in accordance with the law in force and the company's privacy procedures.
Loss of the protection regime
The criminal and disciplinary liability of the whistleblower remains valid:
Where the criminal liability of the whistleblower for offences of defamation or slander is established, including by a non-final first instance judgement, or where such offences are committed by reporting to the judicial or accounting authorities;
In the event of civil liability for the same title due to wilful misconduct or gross negligence;
Any abuse of this procedure, such as whistleblowing reports that are unfounded, or those that are manifestly opportunistic and/or made for the sole purpose of harming the whistleblower or other persons, and any other instance of misuse or intentional exploitation of this Policy.
All established violations of the measures put in place to protect the whistleblower and the reported person are similarly subject to disciplinary actions.
Appropriate sanctions/disciplinary measures will be applied against the person responsible for the reported offence, if necessary
The disciplinary measures, - provided for or referred to in the 231 Organisational Model, in the sector's CCNL and - where applicable - in the disciplinary code of the company concerned, must be proportionate to the extent and seriousness of the unlawful conduct ascertained and may go as far as the termination of the employment relationship, in compliance with the applicable legal provisions and CCNL regulations.
In particular, in assessing the disciplinary sanction to be adopted against a person who adopts retaliatory or discriminatory measures against a whistleblower, account will be taken of the seriousness of such retaliatory or discriminatory measures, of any damage to the whistleblower's health suffered as a result of such measures, and of the fact that such measures were adopted repeatedly or with the participation of two or more persons
In the event of reports made in obvious bad faith, the Supervisory Board reserves the right to file them, deleting the names and elements that might allow the identification of the persons reported.
Limitations of liability
A person who discloses or disseminates information on violations covered by the obligation of confidentiality or relating to the protection of copyright or the protection of personal data, or who discloses or disseminates information on violations that offend the reputation of the person involved or reported are not to be punishable.
The reputed offence operates 'when, at the time of the disclosure or dissemination, there were reasonable grounds to believe that the disclosure or dissemination of the same information was necessary to disclose the violation and the whistleblowing, public disclosure or report to the judicial or accounting authority was made in the required manner'.
Any further liability, including of a civil or administrative nature, is also excluded in the above cases.
Unless the act constitutes a criminal offence, liability, including civil or administrative liability, for the acquisition of or lawful access to information on violations is excluded.
Criminal liability and any other liability, including civil or administrative liability, is excluded, even for conduct, acts or omissions if they are connected with the whistleblowing, reporting or public disclosure and are strictly necessary to disclose the violation.
Criminal liability and any other liability, including of a civil or administrative nature, is not excluded for conduct, acts or omissions that are not related to the whistleblowing, reporting to the judicial or accounting authorities or public disclosure or that are not strictly necessary to disclose the violation.
Retaliation, cases in which the report was obstructed or an attempt was made to obstruct it, breach of the obligation of confidentiality, lack of verification and analysis of reports received, manifestly opportunistic reports made for the sole purpose of defaming and/or slandering the whistleblower or other persons shall be subject to disciplinary sanctions.
Waivers and settlements, in whole or in part, concerning the rights and protections provided for by this Policy and, in general, by Italian Legislative Decree no. 24/2023 shall not be valid unless they are made in the form and manner provided for in Art. 2113, para. 4, of the Civil Code.
Pursuant to Art. 18 of Italian Legislative Decree 24/2023, a list of Third party entities providing support measures to reporting persons is established at ANAC.
Please refer to Italian Legislative Decree 24/2023 for anything not expressly provided for.
12.ADMINISTRATIVE FINES APPLIED BY ANAC
As provided for in Article 21 of Italian Legislative Decree 24/2023, without prejudice to the other liability profiles (civil, criminal, administrative and disciplinary), ANAC may apply the following administrative pecuniary sanctions to the person responsible (Company or individual):
From €10,000 to €50,000 when it establishes that retaliation was committed or when it establishes that the report was obstructed or that an attempt was made to obstruct it or that the obligation of confidentiality set out in Article 12 of Italian Legislative Decree 24/2023 was breached;
From €10,000 to €50,000 when it establishes that no whistleblowing channels have been set up, that no procedures have been adopted for whistleblowing management or that the adoption of such procedures does not comply with those set out in Articles 4 and 5 of Italian Legislative Decree 24/2023, as well as when it ascertains that no verification and analysis of the reports received has been carried out;
From €500 to €2,500, in the case referred to in Article 16(3) of Italian Legislative Decree 24/2023, unless the whistleblower has been convicted, even in the first instance, of the offences of defamation or slander or, in any event, of the same offences committed with the report to the judicial or accounting authorities.
ANNEX 2 - EXTERNAL WHISTLEBLOWING CHANNEL
ANNEX 3 - PUBLIC DISCLOSURE
ANNEX 1 - INFORMATION PURSUANT TO ART. 13 OF EU REGULATION 2016/679 GENERAL DATA PROTECTION (“GDPR”)
The processing of personal data in the context of the reports will take place in accordance with Regulation (EU) 2016/679 on the protection of personal data of natural persons (GDPR), as well as any other applicable laws and/or regulations to the extent compatible with the GDPR itself, and with the specific information published on the Zenit Italia website.
Any exchange and transmission of information involving the processing of personal data by EU institutions, bodies, offices or agencies must also take place in accordance with Regulation (EU) 2018/1725.
The protection of personal data must be ensured not only for the reporting person or whistleblower but also for the other persons to whom confidentiality protection applies, such as the facilitator, the person involved and the person mentioned in the report as being 'affected' by the data processing.
Within the framework of whistleblowing management, both the personal data of the whistleblower, where the report is made in their name, and the personal data of any third parties, as well as any further information collected in the context of the investigation that is necessary and appropriate to ascertain and verify the validity or otherwise of the report, will be processed.
Zenit Italia acts as an autonomous Controller of the processing of the personal data of its employees in the context of the employment relationship.
It is understood that any processing of personal data carried out by the various functions of the company concerned, by the Control Bodies, by the Supervisory Boards, and as part of the whistleblowing management process, is the responsibility of the Data Processors and of the persons authorised to process personal data for their respective areas in accordance with the provisions of the law and in compliance with the provisions of this regulatory instrument.
The whistleblowing management process is based on the principle 'guaranteeing confidentiality and anonymity' and the 'principle of confidentiality of the whistleblower', and therefore maximum confidentiality will be guaranteed during the internal investigation process.
Interested parties may exercise their rights under the GDPR, where provided for by the applicable legal provisions, by sending a communication by e-mail to the following addresses: firstname.lastname@example.org.
The right of recourse to the data protection authority, competent in matters of unlawful data processing, is also guaranteed. Where there is a risk that exercising the rights granted to the data subject in Chapter III of the GDPR may result in actual and concrete prejudice to the confidentiality of the identity of the whistleblower, and that the ability to effectively verify the merits of the Report or to gather the necessary evidence may be compromised, the right is reserved to limit or delay the exercise of those rights, in accordance with the applicable legal provisions.
Under no circumstances may the reported person or the person mentioned in the report, with reference to their personal data processed in the context of the report, public disclosure or complaint, exercise the rights that Regulation (EU) 2016/679 normally grants to data subjects. Exercising these rights could result in actual and concrete prejudice to the protection of the confidentiality of the identity of the whistleblower. In these cases, therefore, the reported person or the person mentioned in the report is also precluded from addressing the data controller and, in the absence of a reply from the latter, from lodging a complaint with the Garante della protezione dei dati personali if they consider that the processing that concerns them infringes these rights.
ANNEX 2 - HOW AND WHEN TO REPORT USING THE EXTERNAL WHISTLEBLOWING CHANNEL
ANAC is the competent authority for external whistleblowing, including from the private sector.
It is only possible to make a report to the Authority if one of the following conditions is met:
There is no compulsory activation of the internal whistleblowing channel within the employment context, or this channel, even if compulsory, is not active or, even if activated, does not comply with the provisions of this annex;
If the whistleblower has already made an internal whistleblowing report but it has not been followed up;
Where the whistleblower has reasonable grounds to believe that, if they were to make an internal report, the report would not be effectively followed up or that the report might lead to retaliation;
Where the whistleblower has reasonable grounds to believe that the breach may constitute an imminent or obvious danger to the public interest.
The whistleblowing channel set up by ANAC, like the internal whistleblowing channels, must be capable of ensuring, also by means of encryption tools, the confidentiality of the identity of the whistleblower and of those involved in the report, as well as the content of the report itself and of the relevant documentation.
Again, reports can be made either via an IT platform or verbally, (via telephone lines or voice messaging systems) and, if requested by the whistleblower, via a face-to-face meeting to be arranged within a reasonable time frame.
If the external whistleblowing report is submitted to a non-competent entity, it is transmitted, within seven days of receipt, to ANAC, informing the whistleblower of the transmission.
There is an obligation for ANAC to:
Provide any relevant person with information on the use of the external whistleblowing channel and the internal whistleblowing channel, as well as on the protective measures set out in Italian Legislative Decree No. 24/23;
Notify the person concerned of receipt of the report within seven days of its receipt, unless the whistleblower explicitly requests otherwise or unless ANAC considers that the notice would undermine the protection of the confidentiality of the identity of the whistleblower;
Maintain contact with the whistleblower and request additions if necessary;
Diligently follow up on reports received;
Carry out the necessary preliminary investigation to follow up the report, including through hearings and the acquisition of documents;
Acknowledge the report within three months or, if there are justified and substantiated reasons, within six months from the date of receipt of the external report or, in the absence of such notice, from the expiry of seven days from receipt;
Notify the whistleblower of the final outcome.
ANAC may refrain from acting on reports of minor violations and proceed to file them.
The obligations of confidentiality must be ensured even if the report is received through channels other than those provided for or through staff other than those appointed, to whom the report must nevertheless be forwarded without delay.
For whistleblowing management, ANAC must employ appropriately trained staff to provide the persons concerned with information on the use of internal and external whistleblowing systems and the protections to which they are entitled.
ANNEX 3 - HOW AND WHEN TO REPORT USING PUBLIC DISCLOSURE
It is possible for the whistleblower to make a public disclosure while benefiting from the protection.
A whistleblower who makes a public disclosure benefits from protection if one of the following conditions is met:
The whistleblower has previously made an internal and an external whistleblowing report, or has made an external report directly and no response has been received within the specified time limits on the measures envisaged or taken to follow up the reports;
The whistleblower has reasonable grounds to believe, based on concrete circumstances and therefore not on mere inferences, that the breach may constitute an imminent or obvious danger to the public interest;
The whistleblower has reasonable grounds to believe that the external whistleblowing report may entail a risk of retaliation or may not be effectively followed up due to the specific circumstances of the case, such as where evidence may be concealed or destroyed or where there is a well-founded fear that the recipient of the report may be colluding with the reported subject or involved in the violation itself.
The protection of confidentiality does not apply if the whistleblower has intentionally revealed their identity through, for instance, web platforms or social media. The same applies in the event that the subject addresses a journalist directly. In this case, the rules on professional secrecy of journalists, with reference to the source of the news, remain unaffected.
If, on the other hand, the person making the disclosure does not reveal their identity (e.g. by using a pseudonym or nickname in the case of social networking), such disclosures are comparable to anonymous reports.