Regulatory References: Procedure 
Issue Date: …………….
Review Date/Version   First Version of the document
Author: …………………..
Valid from: President of the BoD: Alfredo Delehaye
WHISTLEBLOWING GENERAL PROCEDURE
Date Approved by Approval Signature
07/02/22 Board of Directors
Verification of the principles of Leg. D. 231/01
Date  Audit Function Acknowledgement Signature
07/03/22 Supervisory Body

 

Summary

Preamble

  1. Purpose
  2. Regulatory References
  3. Reportable Conducts
  4. Content of the Report
  5. Recipients of the Procedure (Whistleblowers)
  6. Recipient of the Report
  7. Reporting Methods

7.1 Whistleblowing Reporting Platform

  1. Report Management
  2. Whistleblower Protection and Responsibilities
  3. Suspect Protection
  4. Data Retention and Privacy Policy
  5. Sanctions
  6. Policy Reviews
  7. Awareness
  8. Annexes

 

Preamble

Law N. 179, “Provisions for the protection of whistleblowers who report crimes or misconduct of which they become aware in the context of private or public employment” (published in the Official Journal, General Series N. 291, of 14 December 2017), entered into force on 29 December 2017. 

The legislation introduced a distinction between the public sector (article 1) and the private sector (article 2), and integrated the regime on the obligation of official, corporate, professional, scientific and industrial secrecy (article 3). 

With reference to the private sector, article 2 of Law N. 179/17 amended Decree 231 and added article 6 (“Subjects in top- level management positions and corporate organization models”), a new provision that puts the measures pertaining to the submission and management of whistleblowing reports in direct relation with the Organizational Model pursuant to Italian Leg. D. 231/01. 

The law aims to encourage employee collaboration to facilitate the identification of episodes of corruption within public and private entities, including by implementing systems that allow employees to safely report any crimes or misconduct of which they become aware. 

The law provides: 

  • the prohibition of direct or indirect retaliatory or discriminatory acts against the whistleblower for reasons that are directly or indirectly related to the report. 
  • sanctions against anyone who violates the measures of protection for the whistleblower, and anyone who makes groundless reports with malice or grave negligence. 
  • the option to report the application of discriminatory measures against the whistleblowers to the National Labour Inspectorate, not only by the whistleblower but also by the union organization indicated by them. 
  • the retaliatory or discriminatory dismissal of the whistleblower shall be null and void, and change of duties set forth in Article 2103 of the Italian Civil Code shall also be null and void, as well as any other retaliatory or discriminatory measure applied to the whistleblower. 
  • the burden is on the employer, in the case of controversies related to the implementation of disciplinary sanctions or demotions, dismissals, transfers, or subjecting the whistleblower to other organizational measures having direct or indirect adverse consequences on their employment conditions after making a report, to demonstrate that such measures are based on reasons unrelated to the report. 

Interkom S.p.A. (hereinafter the “Company”) with the aim of implementing article 6, par. 2-bis, lett. a) and b), of Leg. D. 231/2001, as introduced by Law 179/2017, in addition to the traditional whistleblowing report channel, involving sending a registered letter, has made available a “Whistleblowing Portal” designed to protect – with the use of IT solutions – the identity of the whistleblower and ensure confidentiality during the procedures following the submission of a report.

1. Purpose

This whistleblowing procedure (hereinafter the “Procedure”) aims to regulate the reception, assessment, and management of Reports submitted by employees or third parties with regard to possible crimes or misconduct, management irregularities, activities or facts that may constitute a violation of internal or external rules that govern Company operations, the principles and behavioural rules in the Code of Ethics, or any provisions included in the Model 231 adopted by the Company. 

2. Regulatory References 

 External

  •  Leg. D. 231/01 on “Corporate responsibility of legal entities, including companies and associations that are not legal entities, pursuant to article 11 of Law N. 300, of 29 September 2000”, of 08/06/2011 and subsequent amendments.
  •  Leg. D. N.196 of 30 June 2003 – Personal Data Protection Code – and subsequent amendments.
  • Regulation EU 2016/679 of the Parliament and Council, of 27 April 2016, on the protection of individuals with regard to the processing of personal data.
  • Law N. 179 of 30 November 2017, Official Journal 14/12/2017 “Provisions for the protection of whistleblowers who report crimes or misconduct of which they become aware in the context of private or public employment.”

Internal

  • Interkom S.p.A. Organizational Model 231 
  • Interkom S.p.A. Code of Ethics

3. Reportable Conducts

Reporting is mandatory for all Model Recipients who have knowledge or legitimately suspect – in both cases based on accurate and consistent elements – criminal behaviour or any conduct aimed at avoiding the provisions of the Model perpetrated by other Model Recipients (whether or not in a top-level management position). 

In particular, the report should denounce the following conducts:

  • Illegal behaviour within the meaning of Leg. D. 231/01, i.e. criminal activities – or mere attempts thereof – qualified as “predicate offences” by Leg. D. 231/01, of which Model Recipients have become aware based on serious, accurate, and consistent elements.
  • Violations of the Code of Ethics, of the Organizational Model 231, or of internal procedures based on accurate and consistent elements, of which the Model Recipients became aware by reason of their duties. In this case, even if the conduct does not directly constitute a crime, it consists in the violation of the rules of the system put in place by the Company to prevent crimes, because it violates the general or specific control principals, the measures and procedures set in the Organizational Model.

With reference to the above, examples of possible reports may include among others:

  • conflicts of interest the Company may not be aware of.
  • manager or employee attempts/acts of corruption towards third parties (public officials or private individuals).

 

  • fraud committed in the interest of the company.
  • intentional communication of false information to Public Administrations.
  • company or business operations that may expose the Company to sanctions pursuant to Leg. D. 231/01.

The following should not be the subject of reports: 

  • rumours or things heard on the grapevine. 
  • personal grievances, demands or claims.

 

Reports must be made in good faith, responsibly, for common interests, and to report the nonconforming conducts for which the system was implemented. 

 

4. Content of the Report

Reports must not contain an excess of data and only include the details necessary to demonstrate the substance of the report. Therefore, normally reports will not include specific data* or personal details that reveal health conditions or judicial situations. If a report includes any of these categories of personal data, reported by the whistleblower or by a third party, and such data are found to be unnecessary for the purposes mentioned above, the Company will destroy them or, if this is not possible, redact them out, except in cases authorised by law or by a decision from the Data Protection Authority. 

If a report is outside the sphere of competence of the SB as just defined above, the Body will encourage the whistleblower to forward it to the company department/competent body and/or to the competent Authorities. In any case, these reports are “protected”. This means that the prescribed body will not reveal the identity or any personal data of the whistleblower without their prior explicit consent – as long as the disclosure is not required by law, inquires, or subsequent judiciary procedures.

In all the cases of disclosure mentioned above, the Data Controller ensures that all necessary measures are adopted to prevent the information from circulating and guarantee confidentiality in view of the special purposes of the processing. 

 

5. Recipients of the Procedure (Whistleblowers)

Specifically, this procedure applies to: 

  • top-level management and members of management bodies. 
  • employees, customers, suppliers, consultants, collaborators, and in general any stakeholder in the above-mentioned companies.

 

Recipients potentially aware of reportable conducts are required to make a report providing any elements useful for the assessment and verification of the allegations and must include at least the following elements:

  • unless the report is made anonymously, the personal details of the whistleblower, including their role or position within the company.
  • description of the alleged facts and the circumstances in which they occurred (how, when, and where).
  • all information or evidence that may be useful to prove the solidity of the allegations, especially the existence of any witnesses who may be able to provide information regarding the facts in the report.
  • confirmation of the absence of private interests in connection with the report and declaration of good faith.
  • identification details of the suspect.
  • any other information deemed useful to support of the report.

6. Recipient of the Report

The Supervisory Body pursuant to Leg. D. 231/2001 is the recipient of crime and misconduct reports.

The Body ensures the correct functioning of the whistleblowing procedure and, if the violations are confirmed, immediately refers the information contained in the report to the Administrative Body. 

 As the Recipient of the Report, the Supervisory Body:

  • is autonomous and independent from Company functions, as it does not report to any of them.
  • ensures a fair and impartial assessment of the reports received.
  • respects the right to confidentiality of the whistleblower and the suspect.  

7. Reporting Methods

Whistleblowers who have reason to suspect that one of the above-mentioned violations has taken place or may take place, can submit a report to the SB (Supervisory Body) using one of the following channels: 

  • Post, by sending the Whistleblowing Reporting Form (Annex 1) in a registered letter addressed to the SB Avv. Vincenzo Adinolfi, Via Roma, Parco Europa n. 11, 81100, Caserta, Italy .
  •  Via the Whistleblowing Reporting Platform  (the “Platform”), as explained below.

7.1 Whistleblowing Reporting Platform

Whistleblowers may access the Platform from the website: 

https://interkomspa.whistlelink.com

 

The Platform allows anyone (employees and collaborators, suppliers and anyone who had or intends to have a business relationship with the Company) to make an anonymous report simply following the guided process online; the systems allows to submit a report without registering or providing any personal details. If the whistleblower decides to provide their personal details, such details are treated as confidential.

The Platform guarantees the confidentiality of all communications between the whistleblower and the recipient of the report, excluding the possibility for the recipient or any other subject to trace the origin of the report.

Access to the Platform is based on a “no-log” policy, to prevent the identification of whistleblowers who prefer to remain anonymous: this means that the company’s IT systems are not able to identify the point of access (IP address) even if the Platform is accessed from a computer on the Company’s network. 

Reports sent via the Platform are received exclusively by the members of the Supervisory Body. The direct association between the whistleblower and the report can be made only by the prescribed body (SB – Supervisory Body).

The data included in the report will be processed using organization logic and methods conceived to ensure the security, integrity, and confidentiality of the data, in compliance with the organizational and physical measures and with the logic prescribed by the applicable regulations.

In the case of reports sent via the Platform, data are transferred using the HTTPS communication protocol. Data are also encrypted, ensuring the confidentiality of all information transferred. 

Anonymous reports, in which senders do not reveal their identity, will be taken into consideration if adequately supported by sufficient details, i.e. if they reveal facts and situations that make solid reference to specific contexts.

After accessing the Platform, the whistleblower will be guided through the questionnaire process that includes open questions to allow them to provide any specific elements (facts, dates, sums involved, etc.) 

After filling in the form, the whistleblower will have the option to reveal their identity by entering their personal details in the relevant box. In any case, whistleblowers may reveal their identity at a later stage, through the messaging service provided on the Platform. 

When a report is submitted, the Platform issues the whistleblower a unique ID Code (Ticket). If the number – known only to the whistleblower – is lost, it cannot be retrieved in any way. The Ticket can be used to access the report via the Platform in order to: monitor progress, enter further information regarding the report, provide personal details, and answer any questions or requests for further information.  

8. Report Management

Reports received by the Supervisory Body are subject to the following process. 

Any report too generic to even start an assessment process that may lead to tangible progress, will not be taken into consideration and archived.

 

Reports and supporting documents will be the object of a preliminary assessment by the Supervisory Body, in order to determine if there are sufficient details and information to establish the solidity of the report and carry out further inquiries. 

Once the preliminary assessment is complete, even if the SB finds that the report has no bearing in relation to Leg. D. 231/01, it may be relevant to the Company who will encourage the whistleblower to forward it to the competent body.

However, if the Supervisory Body finds reasons to believe that the report is sound/reliable, the process will move to the next step consisting in a thorough inquiry to confirm its solidity. During the preliminary assessment, the Supervisory Body may avail itself – in relation to specific aspects of the report and where deemed necessary – of the support of other company functions, each within their area of competence, and request further information and/or documentation from the whistleblower, directly via the Platform. 

If at the end of the preliminary assessment it finds insufficient elements or finds that the allegations are groundless, the report is archived together with the motivation of the decision. In this case, the Supervisory Body informs the whistleblower of the results of the inquiry and its dismissal.

If at the end of the preliminary assessment useful and sufficient elements to support the report can be found or deduced, the process will move to the next step consisting in a thorough inquiry. 

 The Supervisory Body will: 

  • start specific inquiries availing itself, if deemed necessary, of the support of the competent Company structures. 
  • agree on an action plan with the management of the relevant Company function in order to remove the weaknesses identified in the control system. 
  • agree with the CEO and the relevant functions on any initiatives to undertake to protect the interests of the Company.   
  • request, if possible, the initiation of a disciplinary procedure against the whistleblower if the report is found to have been made with malice and/or for defamatory purposes, potentially also confirmed by the groundlessness of the report itself. 
  • after the inquiry is completed, present the assessment to the CEO or the Board of Statutory Auditors, depending on the conducts reported, to allow for the necessary measures to be taken. 
  • put an end to the inquiry at any time, if during the inquiry the report is found to be groundless.

The steps above may not necessarily be taken sequentially. 

9. Whistleblower Protection and Responsibilities

The Company guarantees the protection of the identity of the whistleblower from the moment the report is received, in compliance with the applicable law. To this end, the identifying data of the whistleblower are stored with methods that make them accessible only to the body prescribed to manage the reports (SB – Supervisory Body). The Company adopts all the measures prescribed by the law to protect the identity of the whistleblower and ensure it is not disclosed without the whistleblower’s express consent, except in the case of defamatory allegations or reports sent with malice.

 

No direct or indirect retaliatory or discriminatory act can be applied against a whistleblower who has made a report in good faith, whether or not the facts in the report are confirmed. 

Sanctions apply against anyone who violates the confidentiality and measures of protection for the whistleblower. 

The protection of the whistleblower is not guaranteed if the report is sent with malice or grave negligence or if the allegations therein are found to be false, unfounded, defamatory or made for the sole purpose of damaging the Company, the suspect, or other subjects involved in the report.

In the event of a disciplinary procedure, the identity of the whistleblower cannot be revealed if the disciplinary charge is based on additional inquiries separate from the report, albeit consequential. The identity of the whistleblower may be revealed only if:

  • the allegations are founded entirely or partially on the report and the identity of the whistleblower is absolutely essential to the defence of the suspect; and
  • the whistleblower has agreed thereto.

Sanctions apply against the whistleblower if the report is sent with malice or grave negligence or if the allegations therein are found to be false, unfounded, defamatory or made for the sole purpose of damaging the Company, the suspect, or other subjects involved in the report. 

In this case the Company may also take any legal action it deems appropriate. 

 10. Suspect Protection

The Company guarantees adequate protection to any individuals directly or indirectly involved in the report.

A report is not sufficient to start a disciplinary procedure against a suspect. 

Therefore, a suspect cannot be subject to disciplinary sanctions on the basis of the information in the report if this is not confirmed by objective findings and if no inquiry into the facts alleged in the report has taken place.

This may happen based on other assessed and confirmed evidence emerged as a consequence of the report.

If the Supervisory Body, after finding tangible evidence in support of the report, decides to proceed with a thorough inquiry, the suspect may be contacted and granted the chance to provide clarifications, where necessary. 

11. Data Retention and Privacy Policy

Personal data provided by the whistleblower at the time the “Whistleblowing Reporting Form” was submitted and the information contained in the form and in any documents attached, as well as any data acquired during the inquiry led by the prescribed body, will be processed in compliance with the Company Privacy Policy, fairly, lawfully, transparently, and respecting the privacy and the rights of all involved (whistleblower, suspect, and any third party), in compliance with the applicable privacy regulation and law N. 179 of 30 November 2017 – “Provisions for the protection of whistleblowers who report crimes or misconduct of which they become aware in the context of private or public employment”.

 

The Supervisory Body saves and archived all supporting documents pertaining to the report. Personal data pertaining to reports can be saved and retained for the time necessary to complete the assessment of the facts included in the report and for 5 years after the report is archived, unless additional procedures (disciplinary, criminal, financial) stemming from the report are brought against the suspect or the whistleblower (in the case of false or defamatory allegations, or reports filed with malice). In this case, data will be retained until the procedure has come to a conclusion and until the deadline to appeal the decision expires. 

Personal data included in reports may also be communicated to the competent Company offices, to trigger any judiciary and/or disciplinary measures in connection with the report, or to the relevant Authorities, in the case of violations of applicable laws and regulations.

All details pertaining to the processing of the personal data of the individuals involved in the report are outlined in the Privacy Policy drawn in compliance with article 13 of the GDPR and provided at the time the report is filed through the Whistleblowing Platform and attached herein.

12. Sanctions

Any violation of the provisions herein will be duly and timely prosecuted.

Interkom S.p.A. reserves the right to take disciplinary action against abusers of the whistleblowing channels. For example, in the case of obviously opportunistic reports and/or reports filed with the only purpose of causing damage to the suspect or to anyone involved in the report and in any case of improper use or exploitation of the procedure herein.

Sanctions will be applied in compliance with Law N. 300/1970 – Workers’ Statute  and the individual National Collective Contracts.

13. Policy Reviews

This Procedure and the Platform will be regularly reviewed to ensure constant alignment with the applicable legislation and in light of the circumstances and experience gained.

14. Awareness

The Company actively raises awareness and promotes the procedure herein through the website and through training initiatives involving all personnel, explaining the purposes, methods, and correct use of the whistleblowing tool, providing informing about rights, obligations, the consequences of its misuse, and the results obtained from its application.

ANNEX 1

Whistleblowing Reporting Form for crimes or violations of the Model as per Legislative Decree 231/01
1. Whistleblower Details
(if you wish to send an anonymous report DO NOT fill in the following section)
Whistleblower Name/Surname
Identity Document Number*
Role/Position
Email address**
Telephone Number**

*a copy of a signed identity document is required in order to identify the Whistleblower.
**to ensure the confidentiality of all communications, we recommend providing a personal email address
and telephone number, rather than using any provided by the Company.
2. Report Details
(the provision of the following information is mandatory)
When did the incident occur?

Where did the incident take place?

Who (name, surname, position) is
the perpetrator?

What happened (description of the
incident)?

Are any third parties involved
(name, surname of people aware
of/involved in the incident)?

13

Other (enter further information)*

*We recommend attaching any documents that support the facts described in this form.

This form must be sent by post; to ensure confidentiality, the form must be placed inside a sealed envelope
marked “reserved/personal” and addressed directly to the Supervisory Body at Studio Legale Avv. Vincenzo
Adinolfi – Via Roma, Parco Europa n. 11 – 81100 Caserta, Italy.
________, on ____/____/_____

SIGNATURE _________________________________

Privacy Policy
The personal data provided by the whistleblower in this “Whistleblowing Reporting Form” and the
information contained in any documents attached, as well as any data acquired during the inquiry led by
the prescribed body, will be processed fairly, lawfully, transparently, and respecting the privacy and the
rights of all involved (whistleblower, suspect, and any third party), in compliance with the applicable
regulation on personal data protection and law N. 179 of 30 November 2017 – “Provisions for the
protection of whistleblowers who report crimes or misconduct of which they become aware in the context
of private or public employment”. For further information, please read the Privacy Policy (Annex 2)

ANNEX 2

PRIVACY POLICY DRAWN IN ACCORDANCE WITH ARTICLES 13 AND 14 OF REG. EU 2016/679

(GDPR – GENERAL DATA PROTECTION REGULATION)
PARTIES INVOLVED DEFINITIONS
Whistleblower (Reporter) The physical person who reports an alleged violation of
Organizational Model 231 or of the company’s Code of
Ethics, or any alleged misconduct pursuant to law
231/01 through the whistleblowing channels provided
by the Company.

Suspect (Accused) The physical person who is accused of the alleged

violations mentioned above.

Third Party Any physical person, other than the Whistleblower and
the Suspect, whose personal data may be included in
the report or acquired during the inquiry.

SCOPE
As “Data Controller”, Interkom S.p.A., VAT N. 01347530634, with registered office in Naples, Via Bernini n.
20, 80129, in the person of its pro tempore legal representative, hereby informs you about the
characteristics and methods of the processing of personal data provided via the “Whistleblowing Reporting
Platform”, or in the “Whistleblowing Reporting Form” sent by registered post. The whistleblowing process
is regulated by a dedicated procedure adopted by the Company, which all employees are required to read.
The policy is accessible to employees on the Intranet and is also published on the company website at
https://www.interkom.it/en/whistleblowing/gdpr-whistleblower-ENG
The personal data provided by the whistleblower at the time the “Whistleblowing Reporting Form” was
sent and the information contained in the form and in any documents attached, as well as any data
acquired during the inquiry led by the prescribed body, will be processed fairly, lawfully, transparently, and
respecting the privacy and the rights of anyone involved (whistleblower, suspect, and any third party), in
compliance with the applicable personal data protection regulation and law N. 179 of 30 November 2017 –
“Provisions for the protection of whistleblowers who report crimes or misconduct of which they become
aware in the context of private or public employment”.
As reports can be sent anonymously, whistleblowers are not required to provide their personal details. It
must be noted that anonymous reports may expose whistleblowers to retaliation from the suspect while
not allowing the Company to implement the protective measures applicable to non-anonymous, yet
confidential, reports. Furthermore, without prejudice to any evidence obtained by the prescribed body
during its inquiry, anonymous reports cannot be used in any disciplinary procedures against the suspect.

15
However, during the assessment of anonymous reports, the prescribed body may nevertheless receive
information containing identifying data, professional data, or financial data pertaining to the other
categories of subjects mentioned above (suspect, third parties), which will be processed in compliance with
this policy.
PURPOSES AND LEGAL BASIS OF PROCESSING
Any personal data provided by the whistleblower and/or acquired by the prescribed body (SB – Supervisory
Body) during the inquiry will be processed in compliance with Law 179/2017.
More specifically, personal data will be processed for the following purposes:
– Dealing with reports (to verify the facts alleged in reports). The main legal basis of the processing is the
legitimate interest of the Data Controller [art. 6, par. 1, lett. f) of the GDPR] to conform the Organization,
Management, and Control Model (OMCM), adopted pursuant to Legislative Decree 231/01, to the
amendments introduced by said law with reference to the OMCM requirements (art. 6, par. 2-bis et seq. of
Legislative Decree 231/01 introduced by art. 2 of Law N. 179/2017). In consideration of the main purpose of
the legislation on corporate liability of legal entities, said legitimate interest prevails over the personal data
protection rights of the data subjects.
– Dealing with disciplinary procedures based entirely or partially on reports. In order to ensure the
suspect’s right of defence, the information included in the report may be used, together with any other
externally verified evidence, in the disciplinary procedure started against the suspect. On the other hand,
the identity of the whistleblower may be revealed within the disciplinary procedure – therefore also to the
suspect – only if the procedure is based exclusively on the report, in order to ensure the suspect’s right of
defence and, in any case, with the express consent of the whistleblower. The whistleblower’s consent to
reveal their identity within a disciplinary procedure is not mandatory; however, if the disciplinary
procedure is solely based on the report, failure to provide consent will result in the impossibility to proceed
against the suspect.
TYPE OF DATA PROCESSED
The two channels made available by the Company acquire only the personal data of the whistleblower (if
provided) and the data included in the report. However, the following personal data may be acquired
during the process:
– Identity document, and any other contact details provided by the whistleblower;

– Information (identifying data 1 , professional data 2 , financial data 3 ) regarding the suspect, whether
1 for example: name, surname, date and place of birth, address, telephone number, fax, email address;
2 for example: profession, employer, role;
3 for example: payslip, bank accounts, investments.

16

included in the report or acquired during the inquiry;
– Information (identifying data, professional data, financial data) regarding third parties, which may be
included in the report and in any documents attached, or acquired during the inquiry.
When provided, any personal data that identify the whistleblower can be accessed exclusively by the
prescribed body (SB – Supervisory Body). The Company adopts all the measures prescribed by the law to
protect the identity of the whistleblower and ensure it is not disclosed without their express consent,
except in the case of defamatory allegations or reports sent with malice.
Reports must not contain an excess of data and only include the details necessary to demonstrate the
substance of the report. Therefore, reports will not usually include specific details 4 or personal details that
reveal health conditions or judicial information. If a report includes any of these categories of personal
data, reported by the whistleblower or by a third party, and such data are found to be unnecessary for the
purposes mentioned above, they will be destroyed or, if this is not possible, redacted out, except in cases
authorised by law or by a decision from the Data Protection Authority.
DATA PROCESSING METHOD
Data will be processed according to the organization logic and procedures strictly relevant to the purposes
mentioned above and in any case using methods that guarantee the security, integrity, and privacy of the
data, and complying with the organizational and physical measures and logic prescribed by the applicable
regulations.
In the case of reports sent online: https://interkomspa.whistlelink.com, any data provided by the
whistleblower via the platform is transferred using the HTTPS communication protocol. Data are also
encrypted, ensuring the confidentiality of all information transferred.
Please be reminded that any identifying data pertaining to the whistleblower – whether acquired through
the Platform or the Whistleblowing Reporting Form – are saved using methods that guarantee
confidentiality. The direct association between the whistleblower and the report can be made only by the
prescribed body (SB – Supervisory Body).
DATA RETENTION
Personal data pertaining to reports can be saved and retained for the time necessary to complete the
assessment of the facts included in the report and for 5 years after the report is archived, unless additional
procedures (disciplinary, criminal, financial) stemming from the report are brought against the suspect or
the whistleblower (in the case of false or defamatory allegations, or reports filed with malice). In this case,
data are retained until the procedure has come to a conclusion and until the deadline to appeal the
decision expires. If the allegations in a report are obviously groundless, data are immediately erased.

4 information revealing racial or ethnic origin, sexual orientation, religious or philosophical beliefs, political opinion,
political party or trade union membership, or affiliation to religious, philosophical, political, or trade union associations
or organizations.

17

DATA RECIPIENTS
For the purposes mentioned above, the information sent via the Platform or the Whistleblowing Reporting
Form, is received by the Supervisory Body (SB), the body appointed by the Company to receive reports.
Please be reminded that only the Supervisory Body has access to the data that identifies the whistleblower,
acquired through the above-mentioned channels. Furthermore, the members of the SB are bound by strict
confidentiality rules.
On the other hand, data included in the report may be processed by Company employees appointed
specifically to carry out the processing, who operate following the instructions provided by the Data
Controller. Data may also be processed by external consultants or service providers acting as designated
Data Processors pursuant to article 28 of the GDPR, who operate following the instructions provided by the
Data Controller, especially with regard to the adoption of the measures required to guarantee data
confidentiality and security. Data Processors also include Whistleblowing Solutions AB, who provides the
platform, processes the information uploaded on it, and stores it on its server located within the European
Union. This service provider only provides the infrastructure required to implement the whistleblowing
procedure but does not have access to its content (whistleblower identity, details of the report, documents
attached, messages exchanged between the whistleblower and the Supervisory Body, etc.) All content is
encrypted, therefore it is not accessible by the provider, not even during maintenance activities.
Personal data included in reports may also be communicated to the competent Company departments, in
order to trigger any judiciary and/or disciplinary measures in connection with the report, or to the relevant
Authorities, in the case of violations of laws or regulations.
Even if the facts reported are not in the realm of competence of the SB, as defined in the scope of the
procedure adopted, the report is “protected”. This means that the prescribed body will not reveal the
identity of the whistleblower without their prior explicit consent – as long as the disclosure is not required
by laws, investigations, or subsequent judiciary procedures.
In all the cases of disclosure mentioned above, the Data Controller ensures that all necessary measures are
adopted to prevent the information from circulating and guarantee confidentiality in view of the special
purposes of the processing.
DATA DISCLOSURE
Personal data are not published or disclosed to unidentified recipients.

INTERNATIONAL DATA TRANSFERS
Personal data are not transferred outside the EU.

18

DATA SUBJECT RIGHTS
1. Whistleblower Rights
The whistleblower, compatibly with any existing legal requirements, can exercise the rights recognised by
articles 15-22 of the EU Regulation:
– right to access personal data;
– right to obtain the rectification or erasure of the data (except for the content of the report);
– right to revoke consent, where applicable: revoking consent does not affect the data processing carried
out before the consent was revoked; once consent is revoked the whistleblower will not be able to
access their profile, however will have access to the reports via their codes; consent cannot be revoked
when processing is necessary to comply with the legal obligations to which the Data Controller is
subject;
– right to file a complaint with the Data Protection Authority, pursuant to article 77 of the GDPR, or
appeal to the competent Judicial Authorities, pursuant to article 79 of the GDPR, within the limits set by
the applicable national regulations (Legislative Decree 196/2003).
2. Suspect Rights
Pursuant to article 2-undecies of Legislative Decree 196/2003 (Personal Data Protection Code), the Data
Controller informs the suspect that the exercise of the above-mentioned rights (Data Subject Rights
recognised in articles 15-22 of the GDPR), and in particular the right to access data, may be delayed,
limited, or excluded for the entire time during which it constitutes a necessary and proportionate measure,
having taken into account the fundamental rights and legitimate interests of the data subject, in order to
protect the confidentiality of the whistleblower and ensure that the inquiry is not compromised (tampering
with evidence, hiding information).
The above-mentioned rights cannot be exercised by submitting a request to the Data Controller, or filing a
complaint pursuant to article 77, if the exercise of said rights may cause actual prejudice to the
whistleblower’s right to confidentiality. However, in these cases, data subject rights can be exercised via
the Data Protection Authority pursuant to article 160 of Legislative Decree 196/2003, according to which
the Data Protection Authority informs the data subject that all necessary checks have been carried out or
that a review has been completed, without prejudice to the right of the data subject to seek judicial
remedy.
In any case, Data Subject rights can be exercised through the following channels:
– via email at marketing@interkom.it

19

COOKIES
The platform does not acquire the personal details of its users.
Cookies are not used to transmit personal data and no persistent cookies are used for tracing purposes.
The platform only uses technical cookies strictly necessary for the efficient use of the platform. Session
cookies (cookies that are not permanently saved on user devices, instead disappear once the browser is
closed) are used to transmit session details (random numbers generated by the server) required to allow
users to browse the platform safely and efficiently.