Whistleblowing

 

7. TRAINING AND INFORMATION

In order to encourage the use of internal whistleblowing systems and to foster a culture of legality, Zenit Italia illustrates the internal whistleblowing procedure adopted to its own employees and collaborators in a clear, precise and complete manner.

Zenit Italia also ensures the prompt provision of information to all employees and persons who collaborate with it, not only in relation to the whistleblowing procedures adopted, but also with reference to the knowledge, understanding and dissemination of the objectives and spirit with which the concern is to be raised.
Information on the whistleblowing channel, how and under what conditions to raise a concern is made visible:

1. In the workplace accessible to persons who, although not frequenting the workplace, have a legal relationship with the Company within the scope of this Procedure;

2. On the Zenit Italia website, https://www.zenit.com/it-IT/Whistleblowing..

 
The same dissemination methods set out above are adopted for subsequent revisions and additions to the procedure.
 
In the same way, information is also provided on the conditions for external whistleblowing and public disclosure, as well as on retaliatory reporting to be communicated to ANAC.
 

8.FOR WHISTLEBLOWERS: HOW AND WHEN TO RAISE A CONCERN USING THE INTERNAL WHISTLEBLOWING CHANNEL

 
Who can raise a concern
The whistleblowing system can be activated by the following parties:

1. Employees of the Company;

2. Self-employed persons working for the Company;

3. Self-employed persons and workers who perform their work for entities that supply goods or services or carry out works for the Company;

4. Freelancers and consultants working for the Company;

5. Volunteers and trainees, both paid and unpaid;

6. Shareholders and persons with responsibilities of administration, management, control, supervision or representation, even if such functions are exercised de facto at the Company;

Whistleblowers, in their relations with the Company and in accordance with the provisions of the Model, the Code of Ethics and the Code of Conduct, must report what is set out in the paragraph "Object of the whistleblowing report".
                                                                     
When can a concern be raised and submitted?

1. When the legal relationship is ongoing;

2. During the probationary period;

3. When the legal relationship has not yet begun, if information on violations was acquired during the selection process or in other pre-contractual stages;

4. Subsequent to the dissolution of the legal relationship if the information regarding the breech was acquired prior to the dissolution of the relationship.

 
What can be the subject of a whistleblowing report?
The subject of a report, public disclosure or whistleblowing report is information on violations, including well-founded suspicions, of national and European Union legislation affecting the public interest or the integrity of the public administration or the private entity committed within the organisation of the entity with which the reporter or whistleblower has one of the qualified legal relationships considered by the legislator and consisting of:

1. Illegal conduct relevant under Italian Legislative Decree 231/2001, or violations of organisational models;

2. Offences falling within the scope of EU acts in the following (sensitive) areas: public procurement; financial services, products and markets and prevention of money laundering and terrorist financing; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety and animal health and welfare; public health; consumer protection; privacy and data protection; and network and IT system security;

3. Acts or omissions affecting the financial interests of the Union as identified in EU regulations, directives, decisions, recommendations and opinions;

4. Acts or omissions concerning the internal market, including violations of EU competition and state aid rules, as well as violations concerning the internal market related to acts that violate corporate tax rules or mechanisms whose purpose is to obtain a tax advantage that thwarts the object or purpose of the applicable corporate tax law;

5. Acts or behaviour which thwart the object or purpose of the Union's provisions in the areas indicated in the preceding paragraphs.

 
Reporting may also include:

1. Information on conduct aimed at concealing the above violations;

2. Illegal activities that have not yet taken place but which the whistleblower reasonably believes may occur in the presence of concrete, precise and concordant elements;

3. Reasonable suspicions, as defined by ANAC Guidelines.

 
Information on reportable infringements does not include information that is clearly unsubstantiated, information that is already fully in the public domain, or information acquired only on the basis of rumours or unreliable rumours (so-called "rumour mill").
 
The regulatory provisions do not apply:

1. To objections, claims or demands linked to a personal interest of the whistleblower or of the person raising a concern with the judicial or accounting authorities that relate exclusively to their individual work or public employment relationships, or inherent to their work relationships with hierarchically superior figures;

2. To reports of violations where already regulated by EU or national acts concerning: financial services, products and markets, prevention of money laundering and terrorist financing, transport safety and environmental protection;

3. To national security breaches, as well as procurement relating to defence or national security aspects, unless these aspects are covered by relevant secondary EU law.

 
This is without prejudice to the application of the provisions on the exercise of the right of employees to consult their representatives or trade unions, on protection against unlawful conduct or acts carried out as a result of such consultations, on the autonomy of the representatives of workers and employers and their right to enter into collective agreements, and on the repression of anti-union conduct as referred to in Article 28 of Law No. 300 of 20 May 1970.
 
Reported subjects
Whistleblowing reports may concern members of corporate bodies, management, employees, partners, external collaborators, collaborators not subordinate to the Company, as well as business partners, suppliers and all those who have relations with the Company, and may relate to any type of unlawful conduct of which they have become aware.
 
Content of the whistleblowing report
The whistleblower is required to provide all useful elements to enable the competent offices to carry out appropriate checks to verify the facts reported.  To this end, the whistleblowing report should preferably contain the following elements:

1. Personal details of the person raising the concern, indicating the position or function held within the Company;

2. The clear and complete description of the facts being reported;

3. If known, the circumstances of time and place in which the acts were committed;

4. If known, the personal details or other elements (such as job title and the department in which the activity is carried out) that make it possible to identify the person who has carried out the reported facts;

5. An indication of any other persons who may report on the facts being reported;

6. An indication of any documents that may confirm the validity of these facts;

7. Any other information that may provide useful feedback on the existence of the reported facts.

 
Reports from which the identity of the whistleblower cannot be established are considered anonymous.
It should be noted that anonymous reports, i.e. without any elements enabling the relevant person to be verified, even if delivered by the means set out below, will only be taken into consideration for further verification if:

1. Adequately substantiated and capable of ensuring that specific facts and situations emerge;

2. Do not appear prima facie irrelevant, unfounded or unsubstantiated;

3. They relate to facts of particular gravity and with a content that is adequately detailed, circumstantial and related to specific contexts (e.g. indication of particular names or qualifications, mention of specific offices, proceedings or events).

Anonymous whistleblowing reports will then be handled according to the criteria established for ordinary reports. 
This is without prejudice for the requirement of good faith and truthfulness of the facts or situations reported in order to protect the whistleblower.
The whistleblowing report must not concern grievances of a personal nature on the part of the whistleblower or claims falling within the scope of the employment relationship or relations with a hierarchical superior or colleagues, and must not take an insulting tone or contain personal insults or moral judgements designed to offend or harm the honour and/or personal and/or professional decorum of the person or persons to whom the reported facts are allegedly ascribed.
 
Reporting modalities
Whistleblowing reports must be transmitted through the Whistlelink whistleblowing channel which can be accessed from the Zenit Italia website and directly from the browser by entering the following address: zenititalia.whistlelink.com.
The application allows whistleblowing reports to be made in the following ways:

1. In writing, by filling in the relevant form, or by sending a text message;

2. Verbally, by recording a voice message. This form of whistleblowing does not allow voice morphing. It is therefore recommended to use this method only in cases where it is not the wish of the whistleblower to remain anonymous (confidentiality will be preserved).

The whistleblower may also request for a face-to-face meeting in the application, which will be set within a reasonable period of time from the date of receipt of the request, according to the modalities that will be communicated by the report handler through the application.
Through the use of encryption tools the application guarantees the confidentiality of the identity of the whistleblower, the person involved and the person mentioned in the report, as well as the content of the report and related documentation.
All whistleblowing reports received are encrypted with ISO 27001-certified standards of the highest security and data are stored on secure servers outside the company network.
The application also allows the whistleblower to remain anonymous (subject to the above provisions on verbal reports).
The whistleblower must provide a detailed report, indicating all the useful elements to enable the persons in charge to proceed with the due and appropriate checks and verifications to confirm the validity of the facts reported.
Once the process of entering the report is complete, the application assigns an identification number to the report. By accessing the 'Follow my case' section and entering the report number and password generated when entering the report, it is possible to monitor the progress of the whistleblowing management or to communicate directly with the report handler in the event of a request for further information or a direct meeting.
 

9.FOR THOSE RECEIVING THE REPORT: WHAT HAPPENS AFTER THE REPORT HAS BEEN MADE

Management of the Whistleblowing channels and verification of the validity of the circumstances represented in the report are entrusted to the Zenit Italia Supervisory Board.
The competent function ensures that all appropriate verifications are carried out on verifiable reported facts, through one or more of the following activities, ensuring that these steps are carried out in the shortest possible time and in accordance with the principles of objectivity, competence and professional diligence.  Furthermore, appropriate procedures will be ensured to guarantee transparency and fairness in whistleblowing management, as well as the confidentiality of the identity of the whistleblower (if known), of the person involved and of the persons mentioned in the report.
 
For the purposes of this procedure, the Supervisory Board is responsible for the following tasks:

1. Provide the whistleblower with an acknowledgement of receipt within seven days from the date of receipt of the report;

2. Maintain contact with the whistleblower and request additions if necessary;

3. Diligently follow up on reports received;

4. Acknowledge the report within three months of the date of the acknowledgement of receipt or, in the absence of such an acknowledgement, within three months of the expiry of the seven-day period from the submission of the report.

 
The activities of the whistleblowing management process are described in the following paragraphs.
 
Receipt
Upon receipt of the whistleblowing report, the Supervisory Board must issue the reporting party with an acknowledgement of receipt of the report within seven days from the date of receipt, in order to inform them that the report has been taken into account.
If the report is transmitted to a person other than the identified report handler and/or is transmitted by a method other than the one envisaged, there is an obligation to transmit the original copy within seven days of its receipt with attachments (where present), to the Supervisory Board, giving simultaneous notice of transmission to the whistleblower. This is in accordance with criteria of the utmost confidentiality and in a manner suitable to protect the whistleblower and the identity and honour of the persons reported, without prejudice to the effectiveness of the subsequent investigative activities.
 
Preliminary verification
The objective of the preliminary verification is to classify the reports received in order to identify the reports to be dealt with under this regulatory instrument, and to assess the presence of the necessary prerequisites for the start of the subsequent investigation phase.
The Supervisory Board carries out an initial eligibility screening assessing the following:

1. Whether the whistleblower falls within the qualified entities referred to in Article 3 of Italian Legislative Decree 24/2023;

2. Whether the report falls within the scope of Article 2 of Italian Legislative Decree 24/2023;

3. Whether the purpose of the report is to bring conduct to the Company's attention that puts business and/or third parties at risk;

4. The gravity and urgent nature of the risk for the company and/or third parties;

5. Whether the subject of the whistleblowing report has already been assessed in the past;

6. Whether the report contains sufficient elements to be verified or, on the contrary, if it is too general or lacks the necessary elements for a subsequent investigation.

After carrying out the appropriate investigations and analyses, the Supervisory Board alternatively:

• Proposes, by informing the whistleblower, if known, that reports of the following type are to be filed: i) reports which do not qualify verifiably circumstantial and therefore the preliminary investigation phase cannot be launched; (ii) they are patently unfounded and unlawful; iii) they contain facts that have already been the subject of specific investigative activities in the past and have already been archived, where the preliminary verifications carried out do not reveal new information such as to make further verification activities necessary; iv) they can be verified as circumstantial and in light of the results of the preliminary verifications carried out, it does not consider it necessary to initiate the subsequent investigation phase.

Archived reports may be reopened if new elements arise from which the legitimacy of the report may be ascertained following new information, documents or facts, including those taken on by the Supervisory Board as part of its supervisory and control activities on the effective implementation of the Organisational Model, or in the context of reports made by other reporting persons;

1. It contacts the whistleblower if it considers the report to be excessively general, in order to ask them to provide elements useful for the investigation, and then proceeds to dismiss the report if no further elements are provided or if they are otherwise considered insufficient;

2. It transmits the communications received that are not identified as whistleblowing reports to the corporate functions responsible for receiving and processing them on the basis of the relevant regulations, informing, where possible, the sender of the communication that the reported issue does not fall within the scope of the cases envisaged by this regulatory instrument and that it will be taken care of by the competent corporate functions.

 
Preliminary investigation
The purpose of the assessment activities on the reports is to carry out the specific checks, analyses and assessments as to whether or not the reported facts are well-founded, as well as to make any recommendations as to the adoption of the necessary corrective actions on the areas and business processes concerned by the report.
Following the presentation of the report, the non-anonymous whistleblower may be contacted by the competent body if they need to acquire elements useful for the preliminary investigation phase.
The whistleblower may send further information of which they become aware in order to supplement the facts of the report, as well as to request updates on the status of the report. In this way, a kind of direct dialogue can be established with the whistleblower.
 
The management and verification of the validity of the circumstances represented in the report are entrusted to the competent body, which does so in compliance with the principles of impartiality and confidentiality, carrying out any activity deemed appropriate, including interviewing, in person, the whistleblower and any other persons who may report on the facts reported.
The Supervisory Board directly carries out all the activities aimed at ascertaining the facts that are the subject of the report.
It may also avail itself of the support and cooperation of corporate structures and functions, when, due to the nature and complexity of the verifications, their involvement is necessary. This is also the case for external consultants, with the related charges borne by the Company. 
The Supervisory Board defines the modalities for carrying out the investigations and, if deemed appropriate, may directly interview the whistleblower - if known - or the persons mentioned in the report, or persons who can provide important information for proper whistleblowing management.
During the preliminary investigation, the right to confidentiality and respect for the anonymity of the whistleblower is preserved, unless this is not possible due to the characteristics of the investigation to be carried out. In which case, the same duties of conduct, aimed at maintaining the confidentiality of the whistleblower, apply to the whistleblower.
 
If, at the end of the preliminary investigation phase, it is found that the report is: (i) not based on objective elements, and (ii) has been presented in bad faith or with gross negligence, the Supervisory Board:

1. May decide, by reasoned decision, to file it by deleting the names and elements that may allow the identification of the reported persons,

2. Forwards it to the competent functions for consideration of the adoption of any disciplinary sanctions or other measures against the whistleblower,

3. It monitors its implementation and ensures that the reported subject is informed in a timely manner through the whistleblowing channel.

Archived reports may be reopened if new elements arise from which the legitimacy of the report may be ascertained following new information, documents or facts, including those taken on by the Supervisory Board as part of its supervisory and control activities on the effective implementation of the Organisational Model, or in the context of reports made by other reporting persons.
If, at the outcome of the verification, the report proves to be well-founded, the Supervisory Board shall take the following actions in relation to the violation:

1. Inform the Chairman of the Board of Directors and, at the first useful meeting, the entire Board and the Single Statutory Auditor of the outcome of the assessment and its evaluations in a timely manner;

2. Communicate the result of the assessment to the Head of the structure to which the reported person of the ascertained breach belongs, so that they may, if necessary, provide for further verification, possibly supported by legal counsel, as well as for the adoption of the management and improvement measures falling within their competence, including disciplinary action, if the prerequisites are met;

3. Take any further measures and/or actions that may be necessary in the specific case to protect the company, including, where necessary, filing a complaint with the competent judicial authority;

4. Promptly inform the whistleblower through the whistleblowing channel.

 
The Supervisory Board monitors the status of implementation of corrective actions through follow-ups.
 
Feedback to the whistleblower
Once the preliminary investigation phase has been completed and the appropriate decisions have been taken on the report, it is the duty of the Supervisory Board:

1. To provide, through the whistleblowing channel, feedback to the whistleblower within three months of the date of the acknowledgement of receipt or, in the absence of such an acknowledgement, within three months of the expiry of the seven-day period from the submission of the report, in order to inform the whistleblower about the handling and assessment of the report and the activity performed;

2. With the contribution of any external consultants appointed, prepare a final report indicating the findings of the investigation carried out.

 
 

10. CHECKS, FILING AND STORAGE OF DOCUMENTATION, TRACEABILITY

All reports received through the IT tool are automatically coded and recorded.
All documentation is retained for as long as necessary for the processing of the report and, in any case, no longer than five years from the date of the communication of the final outcome of the reporting procedure, in compliance with the statutory confidentiality obligations.
In the case of reports made by telephone:

1. If a recorded telephone line or other recorded voice messaging system is used for the report, the report, subject to the consent of the whistleblower, shall be documented by the staff member in charge, using a recording on a device suitable for storage and listening or by means of a verbatim transcript. In the case of a transcript, the whistleblower may verify, rectify or confirm the content of the transcript by signing it;

2. If an unregistered telephone line or other unregistered voice messaging system is used for reporting, the report is to be documented in writing by means of a detailed record of the conversation by the staff member in charge. The whistleblower may verify, rectify and confirm the contents of the transcript by signing it.

When, at the request of the whistleblower, the report is made verbally in the course of a meeting with the staff member in charge, it is documented, with the consent of the whistleblower, by the Supervisory Board by means of a recording on a device suitable for storage and listening or by minutes.
In the case of minutes of the meeting, the whistleblower may verify, rectify and confirm the minutes of the meeting by signing them.
In order to ensure the management and traceability of the reports and of the preliminary investigation activities, the Supervisory Board prepares and updates the system dedicated to the management, monitoring and reporting of whistleblowing reports, ensuring the filing of all the relevant supporting documentation.
To this end, the Supervisory Board guarantees the preservation of the original documentation of the reports, as well as of the working papers relating to the preliminary investigations and verifications of the reports, in special paper/electronic archives with the highest standards of security/confidentiality in compliance with the regulatory provisions and in accordance with the specific internal rules.
The processing of personal data of the persons involved and/or mentioned in the reports is protected in accordance with the law in force and the company's privacy procedures.
 
 

11.DISCIPLINARY SYSTEM

 
Loss of the protection regime
The criminal and disciplinary liability of the whistleblower remains valid:

1. Where the criminal liability of the whistleblower for offences of defamation or slander is established, including by a non-final first instance judgement, or where such offences are committed by reporting to the judicial or accounting authorities;

2. In the event of civil liability for the same title due to wilful misconduct or gross negligence;

 
Any abuse of this procedure, such as whistleblowing reports that are unfounded, or those that are manifestly opportunistic and/or made for the sole purpose of harming the whistleblower or other persons, and any other instance of misuse or intentional exploitation of this Policy.
 
All established violations of the measures put in place to protect the whistleblower and the reported person are similarly subject to disciplinary actions.
 
Appropriate sanctions/disciplinary measures will be applied against the person responsible for the reported offence, if necessary
 
The disciplinary measures, - provided for or referred to in the 231 Organisational Model, in the sector's CCNL and - where applicable - in the disciplinary code of the company concerned, must be proportionate to the extent and seriousness of the unlawful conduct ascertained and may go as far as the termination of the employment relationship, in compliance with the applicable legal provisions and CCNL regulations.
In particular, in assessing the disciplinary sanction to be adopted against a person who adopts retaliatory or discriminatory measures against a whistleblower, account will be taken of the seriousness of such retaliatory or discriminatory measures, of any damage to the whistleblower's health suffered as a result of such measures, and of the fact that such measures were adopted repeatedly or with the participation of two or more persons
In the event of reports made in obvious bad faith, the Supervisory Board reserves the right to file them, deleting the names and elements that might allow the identification of the persons reported.
 
Limitations of liability
A person who discloses or disseminates information on violations covered by the obligation of confidentiality or relating to the protection of copyright or the protection of personal data, or who discloses or disseminates information on violations that offend the reputation of the person involved or reported are not to be punishable.
The reputed offence operates 'when, at the time of the disclosure or dissemination, there were reasonable grounds to believe that the disclosure or dissemination of the same information was necessary to disclose the violation and the whistleblowing, public disclosure or report to the judicial or accounting authority was made in the required manner'.
Any further liability, including of a civil or administrative nature, is also excluded in the above cases.
Unless the act constitutes a criminal offence, liability, including civil or administrative liability, for the acquisition of or lawful access to information on violations is excluded.
Criminal liability and any other liability, including civil or administrative liability, is excluded, even for conduct, acts or omissions if they are connected with the whistleblowing, reporting or public disclosure and are strictly necessary to disclose the violation.
Criminal liability and any other liability, including of a civil or administrative nature, is not excluded for conduct, acts or omissions that are not related to the whistleblowing, reporting to the judicial or accounting authorities or public disclosure or that are not strictly necessary to disclose the violation.
 

Further Provisions

Retaliation, cases in which the report was obstructed or an attempt was made to obstruct it, breach of the obligation of confidentiality, lack of verification and analysis of reports received, manifestly opportunistic reports made for the sole purpose of defaming and/or slandering the whistleblower or other persons shall be subject to disciplinary sanctions.
Waivers and settlements, in whole or in part, concerning the rights and protections provided for by this Policy and, in general, by Italian Legislative Decree no. 24/2023 shall not be valid unless they are made in the form and manner provided for in Art. 2113, para. 4, of the Civil Code.
Pursuant to Art. 18 of Italian Legislative Decree 24/2023, a list of Third party entities providing support measures to reporting persons is established at ANAC.
Please refer to Italian Legislative Decree 24/2023 for anything not expressly provided for.
 

12.ADMINISTRATIVE FINES APPLIED BY ANAC

As provided for in Article 21 of Italian Legislative Decree 24/2023, without prejudice to the other liability profiles (civil, criminal, administrative and disciplinary), ANAC may apply the following administrative pecuniary sanctions to the person responsible (Company or individual):

1. From €10,000 to €50,000 when it establishes that retaliation was committed or when it establishes that the report was obstructed or that an attempt was made to obstruct it or that the obligation of confidentiality set out in Article 12 of Italian Legislative Decree 24/2023 was breached;

2. From €10,000 to €50,000 when it establishes that no whistleblowing channels have been set up, that no procedures have been adopted for whistleblowing management or that the adoption of such procedures does not comply with those set out in Articles 4 and 5 of Italian Legislative Decree 24/2023, as well as when it ascertains that no verification and analysis of the reports received has been carried out;

3. From €500 to €2,500, in the case referred to in Article 16(3) of Italian Legislative Decree 24/2023, unless the whistleblower has been convicted, even in the first instance, of the offences of defamation or slander or, in any event, of the same offences committed with the report to the judicial or accounting authorities.

 

13.ANNEXES

ANNEX 1 - PRIVACY POLICY
ANNEX 2 - EXTERNAL WHISTLEBLOWING CHANNEL
ANNEX 3 - PUBLIC DISCLOSURE
 
ANNEX 1 - INFORMATION PURSUANT TO ART. 13 OF EU REGULATION 2016/679 GENERAL DATA PROTECTION (“GDPR”)
The processing of personal data in the context of the reports will take place in accordance with Regulation (EU) 2016/679 on the protection of personal data of natural persons (GDPR), as well as any other applicable laws and/or regulations to the extent compatible with the GDPR itself, and with the specific information published on the Zenit Italia website.
Any exchange and transmission of information involving the processing of personal data by EU institutions, bodies, offices or agencies must also take place in accordance with Regulation (EU) 2018/1725.
The protection of personal data must be ensured not only for the reporting person or whistleblower but also for the other persons to whom confidentiality protection applies, such as the facilitator, the person involved and the person mentioned in the report as being 'affected' by the data processing.
 
Within the framework of whistleblowing management, both the personal data of the whistleblower, where the report is made in their name, and the personal data of any third parties, as well as any further information collected in the context of the investigation that is necessary and appropriate to ascertain and verify the validity or otherwise of the report, will be processed.
 
Zenit Italia acts as an autonomous Controller of the processing of the personal data of its employees in the context of the employment relationship.
 
It is understood that any processing of personal data carried out by the various functions of the company concerned, by the Control Bodies, by the Supervisory Boards, and as part of the whistleblowing management process, is the responsibility of the Data Processors and of the persons authorised to process personal data for their respective areas in accordance with the provisions of the law and in compliance with the provisions of this regulatory instrument.
 
The whistleblowing management process is based on the principle 'guaranteeing confidentiality and anonymity' and the 'principle of confidentiality of the whistleblower', and therefore maximum confidentiality will be guaranteed during the internal investigation process.
 
Interested parties may exercise their rights under the GDPR, where provided for by the applicable legal provisions, by sending a communication by e-mail to the following addresses: info.it@zenit.com.
 
The right of recourse to the data protection authority, competent in matters of unlawful data processing, is also guaranteed. Where there is a risk that exercising the rights granted to the data subject in Chapter III of the GDPR may result in actual and concrete prejudice to the confidentiality of the identity of the whistleblower, and that the ability to effectively verify the merits of the Report or to gather the necessary evidence may be compromised, the right is reserved to limit or delay the exercise of those rights, in accordance with the applicable legal provisions.
Under no circumstances may the reported person or the person mentioned in the report, with reference to their personal data processed in the context of the report, public disclosure or complaint, exercise the rights that Regulation (EU) 2016/679 normally grants to data subjects. Exercising these rights could result in actual and concrete prejudice to the protection of the confidentiality of the identity of the whistleblower. In these cases, therefore, the reported person or the person mentioned in the report is also precluded from addressing the data controller and, in the absence of a reply from the latter, from lodging a complaint with the Garante della protezione dei dati personali if they consider that the processing that concerns them infringes these rights.
 
 
ANNEX 2 - HOW AND WHEN TO REPORT USING THE EXTERNAL WHISTLEBLOWING CHANNEL
ANAC is the competent authority for external whistleblowing, including from the private sector.
It is only possible to make a report to the Authority if one of the following conditions is met:

1. There is no compulsory activation of the internal whistleblowing channel within the employment context, or this channel, even if compulsory, is not active or, even if activated, does not comply with the provisions of this annex;

2. If the whistleblower has already made an internal whistleblowing report but it has not been followed up;

3. Where the whistleblower has reasonable grounds to believe that, if they were to make an internal report, the report would not be effectively followed up or that the report might lead to retaliation;

4. Where the whistleblower has reasonable grounds to believe that the breach may constitute an imminent or obvious danger to the public interest.

 
The whistleblowing channel set up by ANAC, like the internal whistleblowing channels, must be capable of ensuring, also by means of encryption tools, the confidentiality of the identity of the whistleblower and of those involved in the report, as well as the content of the report itself and of the relevant documentation.
 
Again, reports can be made either via an IT platform or verbally, (via telephone lines or voice messaging systems) and, if requested by the whistleblower, via a face-to-face meeting to be arranged within a reasonable time frame.
 
If the external whistleblowing report is submitted to a non-competent entity, it is transmitted, within seven days of receipt, to ANAC, informing the whistleblower of the transmission.
 
There is an obligation for ANAC to:

1. Provide any relevant person with information on the use of the external whistleblowing channel and the internal whistleblowing channel, as well as on the protective measures set out in Italian Legislative Decree No. 24/23;

2. Notify the person concerned of receipt of the report within seven days of its receipt, unless the whistleblower explicitly requests otherwise or unless ANAC considers that the notice would undermine the protection of the confidentiality of the identity of the whistleblower;

3. Maintain contact with the whistleblower and request additions if necessary;

4. Diligently follow up on reports received;

5. Carry out the necessary preliminary investigation to follow up the report, including through hearings and the acquisition of documents; 

6. Acknowledge the report within three months or, if there are justified and substantiated reasons, within six months from the date of receipt of the external report or, in the absence of such notice, from the expiry of seven days from receipt;

7. Notify the whistleblower of the final outcome.

ANAC may refrain from acting on reports of minor violations and proceed to file them.
 
The obligations of confidentiality must be ensured even if the report is received through channels other than those provided for or through staff other than those appointed, to whom the report must nevertheless be forwarded without delay.
 
For whistleblowing management, ANAC must employ appropriately trained staff to provide the persons concerned with information on the use of internal and external whistleblowing systems and the protections to which they are entitled.
 
 
ANNEX 3 - HOW AND WHEN TO REPORT USING PUBLIC DISCLOSURE
It is possible for the whistleblower to make a public disclosure while benefiting from the protection.
A whistleblower who makes a public disclosure benefits from protection if one of the following conditions is met:

1. The whistleblower has previously made an internal and an external whistleblowing report, or has made an external report directly and no response has been received within the specified time limits on the measures envisaged or taken to follow up the reports;

2. The whistleblower has reasonable grounds to believe, based on concrete circumstances and therefore not on mere inferences, that the breach may constitute an imminent or obvious danger to the public interest;

3. The whistleblower has reasonable grounds to believe that the external whistleblowing report may entail a risk of retaliation or may not be effectively followed up due to the specific circumstances of the case, such as where evidence may be concealed or destroyed or where there is a well-founded fear that the recipient of the report may be colluding with the reported subject or involved in the violation itself.

 
The protection of confidentiality does not apply if the whistleblower has intentionally revealed their identity through, for instance, web platforms or social media. The same applies in the event that the subject addresses a journalist directly. In this case, the rules on professional secrecy of journalists, with reference to the source of the news, remain unaffected.
 
If, on the other hand, the person making the disclosure does not reveal their identity (e.g. by using a pseudonym or nickname in the case of social networking), such disclosures are comparable to anonymous reports.