Regulatory References: | Procedure |
Issue Date: | ……………. |
Review Date/Version | First Version of the document |
Author: | ………………….. |
Valid from: | President of the BoD: Alfredo Delehaye |
WHISTLEBLOWING GENERAL PROCEDURE |
Date | Approved by | Approval Signature |
07/02/22 | Board of Directors |
Verification of the principles of Leg. D. 231/01 | ||
Date | Audit Function | Acknowledgement Signature |
07/03/22 | Supervisory Body |
Summary
Preamble
- Purpose
- Regulatory References
- Reportable Conducts
- Content of the Report
- Recipients of the Procedure (Whistleblowers)
- Recipient of the Report
- Reporting Methods
7.1 Whistleblowing Reporting Platform
- Report Management
- Whistleblower Protection and Responsibilities
- Suspect Protection
- Data Retention and Privacy Policy
- Sanctions
- Policy Reviews
- Awareness
- Annexes
Preamble
Law N. 179, “Provisions for the protection of whistleblowers who report crimes or misconduct of which they become aware in the context of private or public employment” (published in the Official Journal, General Series N. 291, of 14 December 2017), entered into force on 29 December 2017.
The legislation introduced a distinction between the public sector (article 1) and the private sector (article 2), and integrated the regime on the obligation of official, corporate, professional, scientific and industrial secrecy (article 3).
With reference to the private sector, article 2 of Law N. 179/17 amended Decree 231 and added article 6 (“Subjects in top- level management positions and corporate organization models”), a new provision that puts the measures pertaining to the submission and management of whistleblowing reports in direct relation with the Organizational Model pursuant to Italian Leg. D. 231/01.
The law aims to encourage employee collaboration to facilitate the identification of episodes of corruption within public and private entities, including by implementing systems that allow employees to safely report any crimes or misconduct of which they become aware.
The law provides:
- the prohibition of direct or indirect retaliatory or discriminatory acts against the whistleblower for reasons that are directly or indirectly related to the report.
- sanctions against anyone who violates the measures of protection for the whistleblower, and anyone who makes groundless reports with malice or grave negligence.
- the option to report the application of discriminatory measures against the whistleblowers to the National Labour Inspectorate, not only by the whistleblower but also by the union organization indicated by them.
- the retaliatory or discriminatory dismissal of the whistleblower shall be null and void, and change of duties set forth in Article 2103 of the Italian Civil Code shall also be null and void, as well as any other retaliatory or discriminatory measure applied to the whistleblower.
- the burden is on the employer, in the case of controversies related to the implementation of disciplinary sanctions or demotions, dismissals, transfers, or subjecting the whistleblower to other organizational measures having direct or indirect adverse consequences on their employment conditions after making a report, to demonstrate that such measures are based on reasons unrelated to the report.
Interkom S.p.A. (hereinafter the “Company”) with the aim of implementing article 6, par. 2-bis, lett. a) and b), of Leg. D. 231/2001, as introduced by Law 179/2017, in addition to the traditional whistleblowing report channel, involving sending a registered letter, has made available a “Whistleblowing Portal” designed to protect – with the use of IT solutions – the identity of the whistleblower and ensure confidentiality during the procedures following the submission of a report.
1. Purpose
This whistleblowing procedure (hereinafter the “Procedure”) aims to regulate the reception, assessment, and management of Reports submitted by employees or third parties with regard to possible crimes or misconduct, management irregularities, activities or facts that may constitute a violation of internal or external rules that govern Company operations, the principles and behavioural rules in the Code of Ethics, or any provisions included in the Model 231 adopted by the Company.
2. Regulatory References
External
- Leg. D. 231/01 on “Corporate responsibility of legal entities, including companies and associations that are not legal entities, pursuant to article 11 of Law N. 300, of 29 September 2000”, of 08/06/2011 and subsequent amendments.
- Leg. D. N.196 of 30 June 2003 – Personal Data Protection Code – and subsequent amendments.
- Regulation EU 2016/679 of the Parliament and Council, of 27 April 2016, on the protection of individuals with regard to the processing of personal data.
- Law N. 179 of 30 November 2017, Official Journal 14/12/2017 “Provisions for the protection of whistleblowers who report crimes or misconduct of which they become aware in the context of private or public employment.”
Internal
- Interkom S.p.A. Organizational Model 231
- Interkom S.p.A. Code of Ethics
3. Reportable Conducts
Reporting is mandatory for all Model Recipients who have knowledge or legitimately suspect – in both cases based on accurate and consistent elements – criminal behaviour or any conduct aimed at avoiding the provisions of the Model perpetrated by other Model Recipients (whether or not in a top-level management position).
In particular, the report should denounce the following conducts:
- Illegal behaviour within the meaning of Leg. D. 231/01, i.e. criminal activities – or mere attempts thereof – qualified as “predicate offences” by Leg. D. 231/01, of which Model Recipients have become aware based on serious, accurate, and consistent elements.
- Violations of the Code of Ethics, of the Organizational Model 231, or of internal procedures based on accurate and consistent elements, of which the Model Recipients became aware by reason of their duties. In this case, even if the conduct does not directly constitute a crime, it consists in the violation of the rules of the system put in place by the Company to prevent crimes, because it violates the general or specific control principals, the measures and procedures set in the Organizational Model.
With reference to the above, examples of possible reports may include among others:
- conflicts of interest the Company may not be aware of.
- manager or employee attempts/acts of corruption towards third parties (public officials or private individuals).
- fraud committed in the interest of the company.
- intentional communication of false information to Public Administrations.
- company or business operations that may expose the Company to sanctions pursuant to Leg. D. 231/01.
The following should not be the subject of reports:
- rumours or things heard on the grapevine.
- personal grievances, demands or claims.
Reports must be made in good faith, responsibly, for common interests, and to report the nonconforming conducts for which the system was implemented.
4. Content of the Report
Reports must not contain an excess of data and only include the details necessary to demonstrate the substance of the report. Therefore, normally reports will not include specific data* or personal details that reveal health conditions or judicial situations. If a report includes any of these categories of personal data, reported by the whistleblower or by a third party, and such data are found to be unnecessary for the purposes mentioned above, the Company will destroy them or, if this is not possible, redact them out, except in cases authorised by law or by a decision from the Data Protection Authority.
If a report is outside the sphere of competence of the SB as just defined above, the Body will encourage the whistleblower to forward it to the company department/competent body and/or to the competent Authorities. In any case, these reports are “protected”. This means that the prescribed body will not reveal the identity or any personal data of the whistleblower without their prior explicit consent – as long as the disclosure is not required by law, inquires, or subsequent judiciary procedures.
In all the cases of disclosure mentioned above, the Data Controller ensures that all necessary measures are adopted to prevent the information from circulating and guarantee confidentiality in view of the special purposes of the processing.
5. Recipients of the Procedure (Whistleblowers)
Specifically, this procedure applies to:
- top-level management and members of management bodies.
- employees, customers, suppliers, consultants, collaborators, and in general any stakeholder in the above-mentioned companies.
Recipients potentially aware of reportable conducts are required to make a report providing any elements useful for the assessment and verification of the allegations and must include at least the following elements:
- unless the report is made anonymously, the personal details of the whistleblower, including their role or position within the company.
- description of the alleged facts and the circumstances in which they occurred (how, when, and where).
- all information or evidence that may be useful to prove the solidity of the allegations, especially the existence of any witnesses who may be able to provide information regarding the facts in the report.
- confirmation of the absence of private interests in connection with the report and declaration of good faith.
- identification details of the suspect.
- any other information deemed useful to support of the report.
6. Recipient of the Report
The Supervisory Body pursuant to Leg. D. 231/2001 is the recipient of crime and misconduct reports.
The Body ensures the correct functioning of the whistleblowing procedure and, if the violations are confirmed, immediately refers the information contained in the report to the Administrative Body.
As the Recipient of the Report, the Supervisory Body:
- is autonomous and independent from Company functions, as it does not report to any of them.
- ensures a fair and impartial assessment of the reports received.
- respects the right to confidentiality of the whistleblower and the suspect.
7. Reporting Methods
Whistleblowers who have reason to suspect that one of the above-mentioned violations has taken place or may take place, can submit a report to the SB (Supervisory Body) using one of the following channels:
- Post, by sending the Whistleblowing Reporting Form (Annex 1) in a registered letter addressed to the SB Avv. Vincenzo Adinolfi, Via Roma, Parco Europa n. 11, 81100, Caserta, Italy .
- Via the Whistleblowing Reporting Platform (the “Platform”), as explained below.
7.1 Whistleblowing Reporting Platform
Whistleblowers may access the Platform from the website:
https://interkomspa.whistlelink.com
The Platform allows anyone (employees and collaborators, suppliers and anyone who had or intends to have a business relationship with the Company) to make an anonymous report simply following the guided process online; the systems allows to submit a report without registering or providing any personal details. If the whistleblower decides to provide their personal details, such details are treated as confidential.
The Platform guarantees the confidentiality of all communications between the whistleblower and the recipient of the report, excluding the possibility for the recipient or any other subject to trace the origin of the report.
Access to the Platform is based on a “no-log” policy, to prevent the identification of whistleblowers who prefer to remain anonymous: this means that the company’s IT systems are not able to identify the point of access (IP address) even if the Platform is accessed from a computer on the Company’s network.
Reports sent via the Platform are received exclusively by the members of the Supervisory Body. The direct association between the whistleblower and the report can be made only by the prescribed body (SB – Supervisory Body).
The data included in the report will be processed using organization logic and methods conceived to ensure the security, integrity, and confidentiality of the data, in compliance with the organizational and physical measures and with the logic prescribed by the applicable regulations.
In the case of reports sent via the Platform, data are transferred using the HTTPS communication protocol. Data are also encrypted, ensuring the confidentiality of all information transferred.
Anonymous reports, in which senders do not reveal their identity, will be taken into consideration if adequately supported by sufficient details, i.e. if they reveal facts and situations that make solid reference to specific contexts.
After accessing the Platform, the whistleblower will be guided through the questionnaire process that includes open questions to allow them to provide any specific elements (facts, dates, sums involved, etc.)
After filling in the form, the whistleblower will have the option to reveal their identity by entering their personal details in the relevant box. In any case, whistleblowers may reveal their identity at a later stage, through the messaging service provided on the Platform.
When a report is submitted, the Platform issues the whistleblower a unique ID Code (Ticket). If the number – known only to the whistleblower – is lost, it cannot be retrieved in any way. The Ticket can be used to access the report via the Platform in order to: monitor progress, enter further information regarding the report, provide personal details, and answer any questions or requests for further information.
8. Report Management
Reports received by the Supervisory Body are subject to the following process.
Any report too generic to even start an assessment process that may lead to tangible progress, will not be taken into consideration and archived.
Reports and supporting documents will be the object of a preliminary assessment by the Supervisory Body, in order to determine if there are sufficient details and information to establish the solidity of the report and carry out further inquiries.
Once the preliminary assessment is complete, even if the SB finds that the report has no bearing in relation to Leg. D. 231/01, it may be relevant to the Company who will encourage the whistleblower to forward it to the competent body.
However, if the Supervisory Body finds reasons to believe that the report is sound/reliable, the process will move to the next step consisting in a thorough inquiry to confirm its solidity. During the preliminary assessment, the Supervisory Body may avail itself – in relation to specific aspects of the report and where deemed necessary – of the support of other company functions, each within their area of competence, and request further information and/or documentation from the whistleblower, directly via the Platform.
If at the end of the preliminary assessment it finds insufficient elements or finds that the allegations are groundless, the report is archived together with the motivation of the decision. In this case, the Supervisory Body informs the whistleblower of the results of the inquiry and its dismissal.
If at the end of the preliminary assessment useful and sufficient elements to support the report can be found or deduced, the process will move to the next step consisting in a thorough inquiry.
The Supervisory Body will:
- start specific inquiries availing itself, if deemed necessary, of the support of the competent Company structures.
- agree on an action plan with the management of the relevant Company function in order to remove the weaknesses identified in the control system.
- agree with the CEO and the relevant functions on any initiatives to undertake to protect the interests of the Company.
- request, if possible, the initiation of a disciplinary procedure against the whistleblower if the report is found to have been made with malice and/or for defamatory purposes, potentially also confirmed by the groundlessness of the report itself.
- after the inquiry is completed, present the assessment to the CEO or the Board of Statutory Auditors, depending on the conducts reported, to allow for the necessary measures to be taken.
- put an end to the inquiry at any time, if during the inquiry the report is found to be groundless.
The steps above may not necessarily be taken sequentially.
9. Whistleblower Protection and Responsibilities
The Company guarantees the protection of the identity of the whistleblower from the moment the report is received, in compliance with the applicable law. To this end, the identifying data of the whistleblower are stored with methods that make them accessible only to the body prescribed to manage the reports (SB – Supervisory Body). The Company adopts all the measures prescribed by the law to protect the identity of the whistleblower and ensure it is not disclosed without the whistleblower’s express consent, except in the case of defamatory allegations or reports sent with malice.
No direct or indirect retaliatory or discriminatory act can be applied against a whistleblower who has made a report in good faith, whether or not the facts in the report are confirmed.
Sanctions apply against anyone who violates the confidentiality and measures of protection for the whistleblower.
The protection of the whistleblower is not guaranteed if the report is sent with malice or grave negligence or if the allegations therein are found to be false, unfounded, defamatory or made for the sole purpose of damaging the Company, the suspect, or other subjects involved in the report.
In the event of a disciplinary procedure, the identity of the whistleblower cannot be revealed if the disciplinary charge is based on additional inquiries separate from the report, albeit consequential. The identity of the whistleblower may be revealed only if:
- the allegations are founded entirely or partially on the report and the identity of the whistleblower is absolutely essential to the defence of the suspect; and
- the whistleblower has agreed thereto.
Sanctions apply against the whistleblower if the report is sent with malice or grave negligence or if the allegations therein are found to be false, unfounded, defamatory or made for the sole purpose of damaging the Company, the suspect, or other subjects involved in the report.
In this case the Company may also take any legal action it deems appropriate.
10. Suspect Protection
The Company guarantees adequate protection to any individuals directly or indirectly involved in the report.
A report is not sufficient to start a disciplinary procedure against a suspect.
Therefore, a suspect cannot be subject to disciplinary sanctions on the basis of the information in the report if this is not confirmed by objective findings and if no inquiry into the facts alleged in the report has taken place.
This may happen based on other assessed and confirmed evidence emerged as a consequence of the report.
If the Supervisory Body, after finding tangible evidence in support of the report, decides to proceed with a thorough inquiry, the suspect may be contacted and granted the chance to provide clarifications, where necessary.
11. Data Retention and Privacy Policy
Personal data provided by the whistleblower at the time the “Whistleblowing Reporting Form” was submitted and the information contained in the form and in any documents attached, as well as any data acquired during the inquiry led by the prescribed body, will be processed in compliance with the Company Privacy Policy, fairly, lawfully, transparently, and respecting the privacy and the rights of all involved (whistleblower, suspect, and any third party), in compliance with the applicable privacy regulation and law N. 179 of 30 November 2017 – “Provisions for the protection of whistleblowers who report crimes or misconduct of which they become aware in the context of private or public employment”.
The Supervisory Body saves and archived all supporting documents pertaining to the report. Personal data pertaining to reports can be saved and retained for the time necessary to complete the assessment of the facts included in the report and for 5 years after the report is archived, unless additional procedures (disciplinary, criminal, financial) stemming from the report are brought against the suspect or the whistleblower (in the case of false or defamatory allegations, or reports filed with malice). In this case, data will be retained until the procedure has come to a conclusion and until the deadline to appeal the decision expires.
Personal data included in reports may also be communicated to the competent Company offices, to trigger any judiciary and/or disciplinary measures in connection with the report, or to the relevant Authorities, in the case of violations of applicable laws and regulations.
All details pertaining to the processing of the personal data of the individuals involved in the report are outlined in the Privacy Policy drawn in compliance with article 13 of the GDPR and provided at the time the report is filed through the Whistleblowing Platform and attached herein.
12. Sanctions
Any violation of the provisions herein will be duly and timely prosecuted.
Interkom S.p.A. reserves the right to take disciplinary action against abusers of the whistleblowing channels. For example, in the case of obviously opportunistic reports and/or reports filed with the only purpose of causing damage to the suspect or to anyone involved in the report and in any case of improper use or exploitation of the procedure herein.
Sanctions will be applied in compliance with Law N. 300/1970 – Workers’ Statute and the individual National Collective Contracts.
13. Policy Reviews
This Procedure and the Platform will be regularly reviewed to ensure constant alignment with the applicable legislation and in light of the circumstances and experience gained.
14. Awareness
The Company actively raises awareness and promotes the procedure herein through the website and through training initiatives involving all personnel, explaining the purposes, methods, and correct use of the whistleblowing tool, providing informing about rights, obligations, the consequences of its misuse, and the results obtained from its application.