WHISTLEBLOWING POLICY
(“Policy”)
Summary
9. WHISTLEBLOWER PROTECTION.. 8
10. REPORTED PERSON PROTECTION.. 9
11. PERSONAL DATA PROCESSING.. 9
13. COMMUNICATION AND TRAINING.. 10
1.INTRODUCTION
The purpose of this Policy, implemented by Peck S.p.A., is to regulate the process of transmitting, receiving, analyzing and managing reports, adequately motivated, on breaches of laws and regulations (as identified below) by Staff (so-called Whistleblowing).
The purpose of the Policy is to implement Legislative Decree No. 24/2023, published in the O.G. on 15.3.2023, transposing Directive (EU) 2019/1937 concerning the "protection of persons who report breaches of Union law (so-called Whistleblowing discipline)."
For matters not expressly indicated by this Policy, the provisions of Legislative Decree No. 24/2023 referred to above remain fully applicable.
In a nutshell, the purpose of the Policy is to:
- identify the persons who may make reports;
- circumscribe the perimeter of conduct, events or actions that may constitute the subject of reporting;
- identify the channels through which eligible parties may make reports;
- illustrate the operational procedures for the submission and handling of reports, as well as any subsequent investigation activities;
- inform the Whistleblower and the Reported Person about the forms of protection that are guaranteed.
2.DEFINITIONS
For the purposes of this Policy, the following expressions have the meanings indicated:
- ANAC: National Anticorruption Authority, website www.anticorruzione.it
- Anonymous report: reports without elements allowing their author to be identified;
- Breaches: behaviours, acts or omissions that harm the public interest or the integrity of Peck S.p.A. and that consist in the conduct described in paragraph 4.
- Company: Peck S.p.A., with registered office in Milan, Via Spadari 9;
- External reporting: communication, written or oral, of information on Breaches, submitted through the external reporting channel referred to in the paragraph. 5.2
- Facilitator: a person who assists the whistleblower in the reporting process, connected to the latter through a working relationship and whose assistance is kept confidential;
- Internal reporting: written or oral communication of information on Breaches, submitted via the internal reporting channel mentioned in the paragraph. 5.1
- Non-relevant report: any communication received concerning conduct that does not constitute a breach. Non-relevant reports shall also include all those communications received which, on the basis of the vagueness of their contents, do not permit adequate verification;
- Public disclosure: putting information about Breaches in the public domain through press or electronic media or otherwise through means of dissemination capable of reaching a large number of people;
- Reported Person: the person mentioned in the internal or external report or in the Public Disclosure, understood as the person to whom the breach is attributed or as the person in any way implicated in the breach reported or publicly disclosed;
- Report: written or oral communication of information on Breaches, including well-founded suspicions concerning Breaches committed or that, on the basis of concrete elements, could be committed in Peck S.p.A., as well as elements concerning conduct aimed at concealing such Breaches;
- Whistleblowing Manager: LIGHTMILL S.r.l. company between lawyers in the person of Mr. Filippo Ganci, attorney (also appointed as Data Processor) appointed by Peck S.p.A. to manage the Reports covered by this Policy;
- Whistleblower: an individual who makes an internal or external report or public disclosure of information on Breaches known in the context of his/her work;
3.RECIPIENTS
All employees of Peck S.p.A. (executives, middle managers, white collars, blue collars), directors, members of corporate bodies and supervisory bodies, as well as all those who, for various reasons, have employment, collaboration or business relations with the Company, including collaborators, trainees, temporary workers, consultants, agents, suppliers and business partners, even before the legal relationship with the Company began or after it was terminated.
4.OBJECT OF THE REPORT
4.1 The following may be the subject of the Report
- Breaches relevant under Legislative Decree No. 231 of 8 June 2001;
- Breaches of European Union law, namely:
- offences falling within the scope of European Union acts relating to the following areas:
- public procurement;
- financial services, products and markets and prevention of money laundering and terrorism financing;
- product safety and compliance;
- transport security;
- environmental protection;
- radiation protection and nuclear safety;
- food and feed safety, animal health and welfare;
- public health;
- consumer protection;
- protection of privacy and protection of personal data and security of networks and information systems.
- acts or omissions affecting the financial interests of the European Union, as well as those affecting the internal market, including Breaches of European Union competition and state aid rules
- acts or conduct that frustrate the object or purpose of the provisions of European Union acts in the aforementioned areas.
4.2 Reports concerning the following are excluded from the scope of application of the Policy:
- disputes, claims or requests linked to an interest of a personal nature of the Whistleblower, pertaining exclusively to the discipline of the employment relationship or to relations with hierarchically superior figures, unless they are connected with or refer to the Breaches of rules or internal rules/procedures;
- Breaches of national security, as well as of procurement relating to defence or national security aspects, unless such aspects are covered by secondary European Union law;
- Breaches mandatorily regulated by acts of the European Union or national laws, as indicated in Article 1, co. 2, lett. b), of Legislative Decree no. 24/2023 (concerning financial services, products and markets and prevention of money laundering and financing of terrorism, transport safety and environmental protection)
- requests to exercise personal data protection rights vis-à-vis Peck S.p.A., pursuant to Regulation (EU) No. 2016/679 (General Data Protection Regulation - GDPR) and Legislative Decree No. 196/2003 2003 (Personal Data Protection Code) and Legislative Decree No. 101/2018, as amended and supplemented, for which please refer to the contact details of the Company's DPO.
5.REPORTING OF BREACHES
Addressees of this Policy who become aware of Breaches are required to make a Report through the internal reporting channels described below, which allow for the submission of such Reports in writing or orally.
5.1 Internal Channel
The Report:
- shall be sent by registered letter with return receipt to the address via Lentasio n. 9, 20122 Milan (MI) to the Whistleblowing Manager. In order to better protect the confidentiality of the Whistleblower as well as to facilitate the process of filing the Report according to the necessary confidentiality criteria, it is advisable to prepare two sealed envelopes: the first one with the Whistleblower's identification data together with a photocopy of the ID document; the second one with the Report, so as to separate the Whistleblower’s identification data from the Report. Both should then be placed in a third sealed envelope marked "confidential - personal" on the outside to the Whistleblowing Manager;
- shall be transmitted via the dedicated telephone line at +39 0236693161.
At the request of the Whistleblower, a face-to-face meeting with the Whistleblowing Manager may be arranged; the Whistleblowing Manager shall inform the Whistleblower in writing of the date of the meeting, which shall be set no later than 15 days after receipt of the request. In this case, subject to the consent of the person making the report, the meeting shall be documented by the staff member in charge by means of a recording on a device suitable for storage and listening, or by means of minutes, which the Whistleblower may verify, correct and confirm by signing.
Anyone who receives a Report outside the channels indicated above shall promptly forward the original and any attachments to the Whistleblowing Manager.
5.2 External Report
The Whistleblower may submit its Report to ANAC, through the external reporting channel provided by ANAC, only if:
- he/she has already made an internal Report and the same has not been followed up;
- has well-founded reasons to believe that, if it made an internal Report, it would not be effectively followed up, or that the same Report might give rise to the risk of retaliation;
- has reasonable grounds to believe that the Breach may constitute an imminent or obvious danger to the public interest
5.3 Public disclosure
The Whistleblower may proceed by public disclosure only if:
- he/she has already made an internal and external Report and has not received any feedback;
- has a well-founded reason to believe that, due to the specific circumstances of the case, the external Report may entail a risk of retaliation or may not be effectively followed up.
5.4 Anonymous Report
Anonymous Reports may also be taken into consideration, provided they are adequately substantiated and detailed. Anonymous Reports limit the possibility for Peck S.p.A. to investigate effectively, since it is impossible to establish an easy information channel with the Whistleblower. Peck S.p.A. considers, among the relevant factors for assessing an anonymous Report, the seriousness of the reported Breach, the credibility of the facts represented and the possibility of verifying the truthfulness of the Breach from reliable sources.
In any case, the protections referred to in paragraph 9 below shall be ensured only if the Whistleblower is subsequently identified or his identity emerges at a later stage.
6.CONTENTS OF THE REPORT
6.1 The Reports must be, in any case and regardless of the channel used for their submission, circumstantiated and well-founded, so as to allow the necessary measures to be taken and the appropriate checks and investigations to be carried out, also by carrying out investigations and formulating requests for clarifications to the Whistleblower, where identified.
In particular, the Report should have the following minimum content and therefore indicate:
- a detailed description of the events that occurred (including date and location) and, in known, and how the Whistleblower became aware of them;
- the personal details or other elements allowing the identification of the Reported Person.
6.2 The Whistleblower may allow his/her own identification, by indicating the contact details where he/she can be contacted (by way of example only: name and surname, e-mail address, telephone number), possibly different from the professional ones. If such information are not provided, and therefore the Whistleblowing Manager is not in the position of interacting with the Whistleblower for the management of the Report, the Report may be considered as unmanageable under the whistleblowing rules and will eventually be treated as an ordinary Report.
After having made a Report, the Whistleblower that detects any errors may immediately inform the Whistleblowing Manager through the same channel by which the Report was made.
6.3 Reports are to be considered irrelevant if they prove to be intentionally futile, false or unfounded, with purely defamatory content or in any case concerning deliberately erroneous or misleading information, for the sole purpose of damaging the Company, the Reported Person or other persons concerned by the Report, as well as Reports of a discriminatory nature, insofar as they refer to sexual, religious or political orientation or to the Reported Person's racial or ethnic origin.
In such a case, the Company reserves the right to take appropriate action - including through the adoption of suitable disciplinary sanctions - against the Whistleblower, without prejudice to his/her possible criminal liability and/or liability pursuant to Article 2043 of the Civil Code.
7.REPORTS MANAGEMENT
- The procedures for handling internal Reports are as follows:
- within 7 days of receipt of the Report, the Whistleblowing Manager sends the Whistleblower a confirmation of receipt of the Report; this confirmation does not imply any assessment by the Whistleblowing Manager of the contents of the Report, but is solely aimed at informing the Whistleblower that the Report has been correctly received;
- the Manager shall verify the admissibility requirements of the Report (e.g. the details identifying the Reported Person, or whether the Whistleblower is a person entitled to make the Report and that the Report falls within the scope of application of the Policy);
- within 3 months (up to 6 months in case of justified and motivated reasons) from the date of the confirmation of receipt, the Whistleblowing Manager shall communicate the feedback on the Report.
If a direct meeting is requested, the same shall be scheduled within 10 days from the date of receipt of the request, or, in the event of proven urgency, within 5 days from the same date.
- During preliminary investigation phase, targeted checks on the Report shall be carried out, in order to identify, analyze and assess the elements confirming the truthfulness of the reported facts, also by requesting integrations to the Whistleblower, if identified and if necessary. The Whistleblowing Manager may avail himself of the assistance of internal functions of Peck S.p.A. as well as of the support of external professionals and/or technical consultants, depending on the subject of the Report. The Whistleblowing Manager shall ensure that the preliminary investigation is carried out in a fair and impartial way; each person involved in the investigation shall be informed - once the preliminary investigation is completed - about the statements made and the evidence found against him/her and shall be granted to reply to them.
- If during the investigation objective elements emerge proving the lack of good faith on the Whistleblower, Peck S.p.A. shall be immediately informed in order to assess the activation of possible sanctioning procedures against the Whistleblower; the Report shall be archived. The Report shall also be archived when the investigation reveals that it is unfounded.
- If, at the end of the investigation, the Report is assessed as well-founded, a report summarizing the checks carried out and the evidence emerged is drawn up, in order to share with the administrative body the adoption of sanctions and/or the preparation of corrective actions. The administrative body also assesses the adoption of actions to protect the Company, including before courts.
- The Manager is required to document the entire process of its management, by means of digital and/or hardcopy archive, and to keep all the relevant documentation, in order to ensure the complete traceability of the actions undertaken for the fulfilment of its institutional functions. All the documentation must be kept for as long as necessary for the management of the Report and, in any case, no longer than 5 years from the closure of the Reporting procedure.
8.CONFLICT OF INTEREST
In the event that the Whistleblowing Manager coincides with the Whistleblower, or with the Reported Person, the Report shall be handled by another person designated by the firm so that it can be handled effectively, independently and autonomously, in compliance with the confidentiality obligation provided for by the law.
9.WHISTLEBLOWER PROTECTION
- The protections afforded to the Whistleblower may be guaranteed by the Company only if the indications provided by the Policy are complied with.
No protection is granted to the Whistleblower in case he/she contributed to the commission of the unlawful conduct. The protections afforded to the Whistleblower are also extended to:
- the Facilitator;
- persons in the same work environment as the Whistleblower with a stable emotional or family link up to the fourth degree;
- co-workers of the Whistleblower with whom they have a habitual and current relationship;
- entities owned by the Whistleblower or for which the Whistleblower works, as well as entities operating in the same work context.
- The Company, in setting up and implementing its internal reporting channels, guarantees the confidentiality of the identity of the Whistleblower, of the Reported Person and of any other persons involved, as well as the content of the Report and of the relevant documentation. Reports cannot be used beyond what is necessary to adequately follow them up. The identity of the Whistleblower and any information from which it may be inferred, directly or indirectly, cannot be disclosed, without the Whistleblower's express consent, to persons other than those competent to receive or follow up the Reports and expressly authorised to process such data.
In addition:
- specific forms of protection of the Whistleblower's identity are provided for in criminal proceedings, before the Corte dei Conti, and in disciplinary proceedings (in the latter case, the Whistleblower’s identity cannot be disclosed when the disciplinary charge is based on investigations that are separate and additional to the report, even if they follow it);
- in the context of disciplinary proceedings, if the accusation is based, in whole or in part, on the Report and knowledge of the identity of the Whistleblower is indispensable for the Reported Person's defence, the Report shall be usable for the purposes of the disciplinary proceedings only if the Whistleblower gives his/her express consent to the disclosure of his/her identity. In any case, the Company shall inform the Whistleblower in writing of the reasons that make the disclosure of confidential data necessary, or when the disclosure of the identity of the Whistleblower is also indispensable for the defence of the Reported Person;
- the reporting file is exempt from the right of access referred to in Articles 22 et seq. L. 241/1990, as well as by Articles 5 et seq. of Legislative Decree 33/2013.
- The Company shall not tolerate any kind of threat, retaliation, unjustified sanction or discrimination against the Whistleblower, the Reported Person and any person who has cooperated in the activities of investigating the merits of the Report. The adoption of discriminatory or retaliatory measures against the Whistleblower may give rise to disciplinary proceedings against the person responsible.
In the light of the provisions of Article 19(1) of Legislative Decree no. 24/2023, this does not affect the possibility for the Whistleblower to communicate to the ANAC any retaliation that he/she believes he/she has suffered in his/her work context.
10.REPORTED PERSON PROTECTION
Appropriate protection measures are also in place for the benefit of the Reported Person, in order to prevent any discrimination. The submission and receipt of a Report is not sufficient to initiate any disciplinary proceedings against the Reported Person. If it is decided to proceed with the investigation, the Whistleblower may be contacted and will be given the opportunity to provide any necessary clarification.
11.PERSONAL DATA PROCESSING
The receipt and management of Reports determine the processing of the data of the Whistleblowers.
Any personal data processing under this Policy must be carried out in compliance with the provisions of Regulation (EU) 2016/679 (GDPR) and Legislative Decree no. 196/2003, the so-called Privacy Code.
Personal data that are manifestly not useful for the processing of a specific Report shall not be collected or, if accidentally collected, shall be deleted immediately. The rights referred to in Articles 15 to 22 of the GDPR may be exercised within the limits of Article 23 of the GDPR and 2-undecies of Legislative Decree No. 196/2003.
Personal data processing that relates to the receipt and management of Reports is carried out by the Company in its capacity as Data Controller, in compliance with the principles set out in Articles 5 and 25 of the GDPR, providing appropriate information to the Whistleblower and the persons involved pursuant to Articles 13 and 14 of the GDPR, as well as adopting appropriate measures to protect the rights of the persons concerned. To this end, the Company provides specific information on the processing of personal data carried out in connection with the acquisition and management of the Reports governed by this Policy.
In addition, the Company, in compliance with the provisions of Article 13 of Legislative Decree No. 24/2023 and Articles 24 and 32 of the GDPR, identifies technical and organizational measures suitable for guaranteeing a level of security appropriate to the specific risks arising from the processing operations performed, on the basis of a data protection impact assessment (DPIA), regulating by contract or other legal act pursuant to Article 28 of the GDPR the relationship with any external suppliers that process personal data on its behalf with the status of data controller.
12.UPDATE
The Whistleblowing Manager periodically reviews, and if necessary updates, the Policy, to ensure its constant alignment with company practice and regulations.
13.COMMUNICATION AND TRAINING
The Policy is communicated by uploading it on the corporate website, displaying it on company notice boards and any other tool deemed appropriate in order to ensure a conscious, accurate and professional handling of Reports. The Company promotes communication, information and training activity on the Policy, to ensure the most effective application of the same and the widest knowledge of the rules on Whistleblowing, of the functioning of and access to the channels and tools made available to make Reports and of the measures applicable in the event of Breaches. This, in particular, in order to fulfil the training and information obligations referred to in Articles 4(2) and 5(1)(e) of the Decree.