Information Notice

This information notice is intended to communicate to all company stakeholders the contents, methods, and guarantees for the confidential submission of reports of violations and offenses pursuant to Legislative Decree No. 24 of March 10, 2023, implementing “Directive (EU) 2019/1937 of the European Parliament and of the Council of October 29, 2019, on the protection of persons who report violations of Union law and containing provisions regarding the protection of persons who report violations of national regulatory provisions.”

Recipient of the Report

The management of the internal reporting channel is entrusted to the Reporting Manager appointed by resolution of the Board of Directors. It is also possible to submit the report to the National Anti-Corruption Authority (ANAC) through the external channel (Article 7 of Legislative Decree 24/2023) or through public disclosure via the press or electronic means.

Content of the Report

The whistleblower is required to provide all elements useful to allow a diligent and appropriate verification, particularly:

• Their personal details (name, surname, place and date of birth) or other information from which the identity of the whistleblower can be directly or indirectly inferred, indicating the position or function held within the organization of the entity, except in cases of anonymous reporting;
• A contact to which subsequent updates can be communicated;
• A clear and complete presentation of the facts subject to reporting, with a statement of well-founded suspicions regarding violations committed or which, based on concrete elements, could be committed within the Company’s organization, as well as elements regarding conduct aimed at concealing such violations;
• The personal details of the subjects involved, to whom the violation is attributed, or other elements that enable their identification;
• The provisions, procedures, protocols, and/or company operating instructions that are assumed to be violated;
• Any documents that may confirm or support the validity of the report;
• The desire to benefit from the confidentiality protections provided by Legislative Decree 24/2023 on whistleblowing.

Any anonymous reports may be considered for further verification only when the information contained therein allows for an adequate investigation in compliance with the provisions of this procedure and Articles 4, 5, and 12 of Legislative Decree 24/2023.

Methods of Submission and Management of the Report

Reports are made in written or oral form using the following methods:

• In written form, through IT methods, via an online platform available at the URL https://wb.genya.it/05051750635;
• In written form, through regular mail or express courier, by sending a registered letter to the address of the Reporting Manager. It is necessary that the report be inserted in two sealed envelopes: the first with the identifying data of the whistleblower together with a photocopy of their identification document; the second with the report, in order to separate the whistleblower’s identifying data from the report. Both should then be inserted into a third sealed envelope that bears the external label “Reserved for the reporting manager.” The report is then subject to confidential registration, including through an autonomous register, by the manager.
• In oral form by requesting a direct meeting with the Reporting Manager, scheduled within a reasonable timeframe. In such cases, with the consent of the reporting person, the internal report may be documented by the Reporting Manager through recording on a device suitable for storage and playback or by drafting a specific transcript. In case of drafting the minutes, the reporting person may verify, rectify, and confirm them by signing.

In the case of a report made orally, with the consent of the reporting person, it is documented by recording on a device or by minutes, which the reporting person can verify, rectify, and confirm the minutes of the meeting by signing.

An internal report presented to a subject other than the Reporting Manager is transmitted by the recipient, respecting the guarantees of confidentiality, to the latter within seven days of its receipt, simultaneously notifying the reporting person of the transmission.

The Reporting Manager issues an acknowledgment of receipt of the report to the reporting person within seven days of the date of receipt, and may request any useful or necessary integration. They proceed to hear the person involved, even if requested, also through a paper-based procedure, through the acquisition of written observations and documents. The Manager provides feedback on the report within three months from the date of the acknowledgment of receipt or, in the absence of such notice, within three months from the expiry of the seven-day period from the submission of the report. At any time, the whistleblower may request information from the Reporting Manager on the progress of the procedure by sending a specific request, using the same methods used for transmitting the report.

Obligation of Confidentiality

The content and identity of the reporting person and any other information from which they can be directly or indirectly inferred may not be disclosed, without the consent of the reporting person, to persons other than those competent to receive or follow up on reports and expressly authorized to process such data.

Protection Measures

The protection measures provided by Chapter III of Legislative Decree 24/2023 apply to the whistleblower, in particular:

• Prohibition of Retaliation – the whistleblower may not be the target of retaliation due to the report made, including: dismissal, suspension, or equivalent measures; demotion or lack of promotion; change of functions, change of workplace, reduction of salary, change of working hours; suspension of training or any restriction of access to it; negative merit notes or negative references; adoption of disciplinary measures or other sanctions, including pecuniary ones; coercion, intimidation, harassment, ostracism; discrimination or otherwise unfavorable treatment; failure to convert a fixed-term employment contract into a permanent employment contract, where the worker had a legitimate expectation of such conversion; non-renewal or early termination of a fixed-term contract; damage, including to the person’s reputation, especially on social media, or economic or financial prejudices, including loss of economic opportunities and loss of income; inclusion in improper lists based on a formal or informal sectoral or industrial agreement, which may result in the person being unable to find employment in the sector or industry in the future; early termination or cancellation of a contract for the supply of goods or services; cancellation of a license or permit; request for psychiatric or medical examinations.

Acts taken in violation of the prohibition of retaliation are null and void. People who have been dismissed because of the report have the right to be reinstated in the workplace, pursuant to Article 18 of Law 300/1970 or Article 2 of Legislative Decree 23/2015, according to the specific discipline applicable to the worker. The whistleblower who is the recipient of discriminatory acts also has the right to appeal to the judicial authority so that it may adopt all measures, including provisional ones, to ensure protection of the subjective legal situation asserted, including compensation for damages, reinstatement in the workplace, the order to cease the violation of the prohibition of discrimination, and the declaration of nullity of the acts thus adopted.

• Limitation of Liability – an entity or person who reveals or disseminates information on violations covered by the obligation of secrecy or relating to the protection of copyright or the protection of personal data, or reveals or disseminates information on violations that offend the reputation of the person involved or reported, is not punishable when, at the time of the revelation or dissemination, there were well-founded reasons to believe that the revelation or dissemination of the same information was necessary to reveal the violation and the report was made.
• Waivers and Settlements – waivers and settlements, total or partial, that have as their object the rights and protections provided by Legislative Decree 24/2023 are not valid, unless they are made in the forms and manner referred to in Article 2113, paragraph 4 of the Civil Code.

Information Note

• With this communication, it is also noted that:
• Reports cannot be used beyond what is necessary to adequately follow up on them.
• In the context of any disciplinary proceeding, the identity of the reporting person cannot be revealed, where the disciplinary charge is based on separate and additional findings compared to the report, even if consequent to it. If the dispute is based, in whole or in part, on the report and knowledge of the identity of the reporting person is essential for the defense of the accused, the report will be usable for the purposes of the disciplinary proceeding only with the express consent of the reporting person to the disclosure of their identity.
• The reporting person must be notified in writing of the reasons for the disclosure of confidential data, in the hypothesis mentioned above, as well as in internal and external reporting procedures when the disclosure of the identity of the reporting person and information relating to them is also essential for the defense of the person involved.
• Where the criminal liability of the reporting person is established, even with a first-degree judgment, for the crimes of defamation or calumny or in any case for the same crimes committed with the complaint to the judicial or accounting authority, or their civil liability, for the same title, in cases of intent or gross negligence, the protections referred to in Chapter III of Legislative Decree 24/2023 are not guaranteed and a disciplinary sanction is imposed on the reporting or complaining person. The provision also applies in cases of anonymous reporting or complaint to the judicial or accounting authority or public disclosure, if the reporting person was subsequently identified and has suffered retaliation, as well as in cases of reporting submitted to the institutions, bodies, and organizations of the European Union.

Privacy and Processing of Personal Data – Information Pursuant to Article 13 of EU Regulation 679/16

The Data Controller is AET SRL with registered office in Via Marcello Chiatante, 72/74 73100 LECCE (LE) VAT 05051750635, in the person of the legal representative, who operates through the Reporting Manager appointed by the Board of Directors.

Categories of Personal Data

In principle, the system for reporting offenses can be used by the whistleblower even while maintaining anonymity and therefore without providing personal data, particularly their identity. The provision of personal data is optional, and therefore any failure to provide data will not prejudice the right to receive a response to the report and to enjoy the protections provided by law.

Personal data may be acquired by the Company as contained in the report or in the acts and documents attached to these, or through specific investigative inquiries. The people to whom the processed personal data refer are, among others, i) people aware of the reported facts, or who in any case are requested to provide information in response to a report, ii) “involved subjects” (i.e., accused of the violation subject of the report), iii) “protected subjects” (i.e., who enjoy the mandatory protections provided by the regulations in response to a report), iv) other people who for various reasons may be made aware of the report.

Transfer and Recipients of Personal Data

The Data Controller, respecting the protection of the confidentiality of the whistleblower’s identity, may share the data, in accordance with the principle of strict necessity, proportionality, and minimization, with:

• Third parties expressly designated as External Data Processors;
• Competent external authorities (e.g., judicial or administrative authorities, police bodies, financial police, ANAC – National Anti-Corruption Authority, etc.) only in the context of a criminal, administrative, or civil investigation or judgment;
• Legal firms and/or consultants, corporate compliance consultants, and/or other subjects necessarily involved in the report management process.

Processing Methods and Security Measures

The Company adopts adequate technical and organizational measures to guarantee data protection and confidentiality, without prejudice to the provisions of Article 12 of Legislative Decree No. 24/2023 – with particular reference to the identity of the whistleblower, the persons involved and/or otherwise mentioned in the reports, the content of the same, and related documentation.

Data processing is carried out using paper and electronic methods by formally appointed subjects. The processing does not include automated decision-making processes, including profiling, falling within the scope of application of Article 22 of EU Regulation 2016/679.

Personal data is stored on a server located within the European Union. The controller has carried out an impact assessment and prepared adequate security measures to protect personal data.

Legal Basis and Purposes of Processing

The data will be processed for the following purposes: i) to evaluate the admissibility and validity of the reported violations, ii) to apply the protection and support measures for subjects protected by the regulations, iii) to follow up on the report and, if possible, response measures to the results of a report, iv) to apply any disciplinary measures or other sanctions against those who report with intent or gross negligence, or against any involved subjects to whom the reported violation is attributable, v) defense or ascertainment of our rights in the context of judicial, administrative, or extrajudicial proceedings and in the context of civil, administrative, or criminal disputes arising in relation to the report made, vi) to fulfill any obligation provided by a law, a regulation, or another applicable regulation.

Given the reference legislation, the processing of data is based on the legal obligation to which the Company is subject as the Data Controller (Article 6, paragraph 1, letter c) of the GDPR) for the purposes of complying with the requirements of Legislative Decree 24/2023, and, as regards any special categories of data voluntarily reported by the Whistleblower, the enabling condition is to be found in the reasons of substantial public interest based on Union law and Member States’ law in relation to the motivation for which the whistleblowing legislation was established (Article 9, paragraph 2, letter g) of the GDPR and Article 2 sexies paragraph 1 of Legislative Decree 196/03), as well as, in relation to special categories of data, in the fulfillment of obligations and on the exercise of specific rights of the Data Controller and the Data Subject in the field of labor law (Article 9, paragraph 2, letter b), GDPR).

The prior consent of the Whistleblower (Article 6 paragraph 1 letter a) of the GDPR) will be requested, case by case, pursuant to Legislative Decree 24/2023, in particular:

• in the event that following up on the Report involves, by the Company, the adoption of disciplinary proceedings and if the dispute is based, in whole or in part, on the report received and knowledge of the identity of the reporting person is essential for the defense of the accused, said Report will be usable for the purposes of the disciplinary proceeding only in the presence of the express consent of the reporting person to the revelation of their identity;
• when the Report is made via a recorded voice messaging system (as provided in the Procedure), to allow, by the assigned personnel, the relative documentation by recording on a device suitable for storage and playback or by full transcription. In case of transcription, the reporting person can verify, rectify, or confirm the content of the transcription by their signature;
• when, at the request of the reporting person, the report is made orally during a meeting with the assigned personnel, for which, with the consent of the reporting person, the report is documented by the assigned personnel by recording on a device suitable for storage and playback or by minutes (as provided in the Procedure). In case of minutes, the reporting person can verify, rectify, and confirm the minutes of the meeting by their signature.

The legal basis for processing for the purposes under i), ii), and iii) (in relation to the purposes of implementing response measures to the results of a report, strictly necessary to remove the consequences of the reported Violation) is the need to fulfill the obligations provided for the Data Controller by law, regulation, or other regulations.

In relation to the purposes of implementing response measures to the results of a report, possibly different from those strictly necessary to remove the consequences of the reported Violation, the legal basis is the legitimate interest of the Data Controller to improve the organization’s structure.

In relation to disciplinary or sanctioning purposes, the legal basis is the legitimate interest of the Data Controller to pursue in a disciplinary or sanctioning venue any non-compliance with the Data Controller’s Whistleblowing Procedure and/or, more generally, the whistleblowing regulations.

In relation to the purposes of defense or ascertainment of our rights in the context of judicial, administrative, or extrajudicial proceedings and in the context of civil, administrative, or criminal disputes arising in relation to the report made, the legal basis is the legitimate interest of the Data Controller to exercise the defense of their rights.

Personal data that appear not reasonably pertinent and useful for the processing of a specific Report are not collected or, if accidentally received or collected, must be promptly deleted by the Report Managers competent with respect to the Violation.

Similarly, personal data eventually reported and referring to behaviors not included in the scope of application of the law and/or the Data Controller’s Whistleblowing Procedure will be deleted. If the information received contains special categories of personal data as per Article 9 of the GDPR, it will be deleted immediately, without being recorded and processed. If it is established that the information provided or part of it is not truthful, it must be immediately deleted as soon as such circumstance emerges, unless the lack of truthfulness may constitute a crime, in which case the information will be kept for the time necessary during the legal proceeding.

Retention of Personal Data

The reporting data and related documentation will be kept for the time necessary for the processing of the report and in any case no later than 5 (five) years (in Italy) from the date of communication of the final outcome of the reporting procedure (in compliance with the obligations of confidentiality of information as well as limitation of storage, provided by the applicable regulations on the matter). After this period, the reports will be deleted from the system, or kept in anonymized form, without prejudice to the possible need for retention for all the additional time necessary for the completion of an administrative or judicial proceeding already initiated or for investigative proceedings under the Code of Criminal Procedure.