Whistleblowing

1.    Legal references

Whistleblowing was introduced in Italy with specific legislation at the end of 2017, with Law No. 179. This regulation comprehensively covered the institute for public administration and introduced provisions for private sector organisations with an organisational management and control model under Legislative Decree No. 231/2001.

Law No. 179/2017 was superseded by Legislative Decree No. 24/2023, which implements Directive (EU) 2019/1937 of the European Parliament and Council of 23 October 2019, concerning the protection of persons who report breaches of Union law and containing provisions regarding the protection of persons who report breaches of national regulatory provisions.

The new legislation imposes obligations on both public and private organisations, specifically: all public entities must establish internal procedures for managing reports; the same obligation applies to private sector entities with an organisational model under Legislative Decree No. 231/2001 and all private organisations with at least 50 employees.

2.    Who can make a report

Whistleblowing procedures encourage anyone who acquires information about illegal activities committed by or on behalf of the organisation in the context of their work to report it.

The purpose of the procedure is to facilitate the communication of information related to breaches observed during work activities. The range of potential reporters is broad. The procedure aims to protect these individuals when they report illegal conduct related to the company.

The following categories of individuals can make a report through the procedure:

• Employees
• Collaborators
• Suppliers, subcontractors, and their employees and collaborators
• Freelancers, consultants, and independent workers
• Volunteers and interns, paid or unpaid
• Shareholders or individuals with roles in administration, management, supervision, control, or representation
• Former employees, former collaborators, or individuals who no longer hold any of the previously mentioned positions
• Individuals in the selection phase, on probation, or whose legal relationship with the company has not yet begun

The procedure also protects the identity of facilitators, individuals who assist a whistleblower in the reporting process, operating within the same work context.

3.    What can be reported

This procedure covers the reporting of illegal acts known in the context of one’s work activities. Suspicions of crimes or other breaches of legal provisions or potential risks of such breaches can also be reported.

The whistleblower is not required to fully prove the commission of an illegal act, but reports should be as detailed as possible to allow for an investigation of the reported facts by the recipients. At the same time, whistleblowers are not encouraged to conduct investigative activities that could expose them individually.

Reports may concern criminal, civil, administrative, or accounting offences, as well as breaches of EU regulations.

Personal matters, such as those related to one's employment contract, which are regulated by other company procedures, are not within the scope of this procedure.

4.    Who receives and manages the reports

The whistleblowing officer, or the designated whistleblowing office, receives the reports and communicates with the whistleblower to clarify and delve into the received information. Communication with the whistleblower continues during the investigation phase.

The officer or office, after an initial assessment, carries out an investigation of the reported information, which may include requesting specific information from other departments and functions within the organisation.

The recipient provides periodic updates to the whistleblower and, at the end of the investigation, communicates the outcome of the investigation. The outcome communication does not include references to personal data related to the reported individual.

Possible outcomes communicated to the whistleblower include:

• Correction of internal processes
• Initiation of a disciplinary procedure
• Transfer of the investigation results to the Public Prosecutor’s Office
• Archiving due to lack of evidence

A report incorrectly sent to a hierarchical superior may not be treated as a whistleblowing report, as the superior does not have the same confidentiality obligations as the designated recipient.

5.    Reporting channels

The company provides various channels for whistleblowers to report violations under this procedure. In particular, reports can be made orally or in writing.

For written reports, the company provides an encrypted IT platform, supplied by NTS Project S.p.A.

The platform includes a questionnaire that guides the whistleblower through the reporting process with open and closed questions, some of which are mandatory. Documents can also be attached to the report. At the end of the report, the whistleblower receives a unique code, allowing them to access the report and communicate bidirectionally with the recipient, exchange messages, and provide new information. All information on the platform is encrypted and can only be read by authorised personnel.

Other written reports cannot be processed. If received, the recipient will, where possible, ask the whistleblower to resubmit the report via the IT platform.

For oral reports, the whistleblower is encouraged to contact the recipient to arrange a phone call or, if necessary, a personal meeting. Oral reports are recorded, and the record must be signed by the whistleblower to be processed. It is important to remember that oral reports do not offer the same technological confidentiality as reports made via the encrypted platform.

6.    Timelines for managing reports

At the end of the reporting process, the platform shows a receipt code confirming that the report has been submitted and taken up by the recipient.

Within 7 days, the recipient confirms receipt of the report to the whistleblower and invites them to monitor their report on the platform to respond to any requests for clarification or further information.



Within 3 months from the date of the report, the recipient communicates to the whistleblower feedback regarding the investigation conducted to verify the information provided in the report.

The feedback provided within 3 months may coincide with the outcome of the investigation. If the investigation is not concluded, the recipient invites the whistleblower to monitor the platform until the final outcome is known.

7.    Confidentiality and anonymity

The recipient is required to handle reports with confidentiality. Information regarding the identity of the whistleblower, the reported individual, and any other persons mentioned in the report is treated according to confidentiality principles. Similarly, all information contained in the report is treated confidentially.

The identity of the whistleblower cannot be revealed without their consent. Knowledge of reports and related investigation acts is also exempt from administrative access rights by interested parties.

The only potential reason for revealing the whistleblower’s identity may occur if investigation acts are forwarded to an ordinary or accounting prosecutor, and knowledge of the identity is necessary for the right of defence during judicial proceedings.

Confidentiality is ensured through technological means, such as the encrypted reporting platform and a confidential protocol, as well as through organisational processes aimed at minimising the circulation of information.

Anonymous reports can also be submitted. The recipient may decide whether to process them or not. In any case, reports are handled according to the same confidentiality principles. However, in the case of anonymous reports, the recipient does not know the identity of the whistleblower and may inadvertently expose them during the investigation.

8.    Management of personal data

Reports received, investigation activities, and communications between the whistleblower and the recipient are documented and stored in accordance with confidentiality and data protection regulations.

Reports contain personal data and can only be processed and retained for the time necessary for their handling: this includes analysis, investigation activities, communication of outcomes, and any additional time for potential further comments. In no case will reports be retained beyond 5 years after the communication of the outcome of the investigation to the whistleblower.

Regarding access to personal data, it is known only to the recipient and, if specified in a specific organisational document, to the staff members supporting the management of the report.

During the investigation, the recipient may share anonymised and minimised information with other functions within the company related to the specific activities of these functions.

9.    Safeguards and protections

The person identified in the report as responsible for the suspected wrongdoing benefits from identity protection measures similar to those of the whistleblower and other individuals mentioned in the report.

In addition to safeguarding the confidentiality of the whistleblower’s identity and the identities of those mentioned in the report, as well as the content of the report itself, other forms of protection are guaranteed through this procedure.

Protection is guaranteed to the whistleblower against any form of retaliation or discrimination that they might suffer as a result of making a report. Retaliation is defined as any threatened or actual, direct or indirect, action or omission related to or arising from reports of actual or suspected wrongdoing, which causes or may cause physical or psychological harm, damage to the person's reputation, or financial losses.

Possible forms of discrimination include:

• Dismissal, suspension, or equivalent measures
• Demotion or denial of promotion
• Change of duties, change of workplace, salary reduction, alteration of working hours
• Suspension of training or any restriction on access to it
• Negative performance notes or references
• Disciplinary measures or other sanctions, including financial penalties
• Coercion, intimidation, harassment, or ostracism
• Discrimination or unfavourable treatment
• Failure to convert a fixed-term contract into a permanent one when the employee had a legitimate expectation of such a conversion
• Non-renewal or early termination of a fixed-term contract
• Harm, including damage to the person's reputation, financial or economic prejudice, including loss of economic opportunities and income
• Inclusion in improper lists based on a formal or informal sectoral or industrial agreement, potentially making it difficult for the individual to find future employment in the sector
• Early termination or cancellation of a supply contract for goods or services; cancellation of a license or permit; request for psychiatric or medical examinations

10.   Sanctions

Legislative Decree No. 24/2023 provides for administrative sanctions, which may be imposed by the National Anti-Corruption Authority in the event of violations of whistleblowing regulations.

Sanctions specifically target retaliation against whistleblowers, breaches of confidentiality obligations, sabotage of a reporting attempt, failure to take charge of a report, or insufficient investigative activities following a report. Misuse of the reporting system, including possible sanctions for defamation or slander through the procedure, is also punishable. The company may proceed with disciplinary actions against individuals responsible for such conduct.

11.  External reporting channels

Beyond the internal reporting procedure, the law allows for external reporting to the National Anti-Corruption Authority.

A whistleblower may report externally if they have already made a report that has not been followed up, if they have reasonable grounds to believe that an internal report will not be acted upon or that it might lead to retaliation, or if they have reasonable grounds to believe that the violation poses an imminent or obvious risk to the public interest.

The procedures for reporting to the National Anti-Corruption Authority are available on the ANAC website: anticorruzione.it/-/whistleblowing.

Additional conditions for public disclosure by a whistleblower include: lack of response to a previously made internal or external report, imminent or obvious danger to the public interest, reasonable grounds that an internal report will not be handled or that evidence may be destroyed or concealed.

 Rev. 01 of 28/11/2023