Whistleblowing

Provisions on whistleblowing were introduced into the Italian legal system with the publication of Legislative Decree 24/2023  in the Official Gazette,  which transposes the  provisions of  (EU) Directive 2019/1937 of the European Union Parliament and the Council on the protection of persons who report breaches of Union law and breaches of national legislative provisions. The decree came into force on 30 March 2023 and the provisions set out therein take effect on 17 December 2023.

To guarantee protection for whistleblowers, i.e. those people who - subject to various conditions - report a breach, legislation provides for the obligation to set up reporting channels for companies that have employed an average of at least 50 employees during the previous year or have adopted the organisational and management model envisaged by Italian legislative decree n.  231/2001. It is possible to report conduct, acts, or omissions that are detrimental to the public interest or the integrity of a private-sector company, which constitute one of the predicate offences provided for by the aforesaid legislative decree n. 231/2001 or breaches any EU legislation, as specified in Annex 1 to Italian legislative decree n. 24 dated 10/03/2023.

The aforesaid legislative decree 24/2023 provides for a series of safeguards and protection measures for whistleblowers, in particular, the duty of confidentiality, the prohibition of retaliation, support for whistleblowers and facilitators, and limitations of liability.

DEPECHE SRL Unipersonale has adopted the following whistleblowing procedure.

GENERAL INFORMATION ON THE PROCESSING OF PERSONAL DATA RELATING TO ANY PERSON WHO REPORTS MISCONDUCT WITHIN THE SCOPE OF THE MECHANISM KNOWN AS “WHISTLEBLOWING”
(art. 13 of Reg. EU 679/2016)

1. WHO WILL PROCESSES MY DATA?

Your personal  data will be process by the Data Controller, namely DEPECHE S.R.L. with registered premises at Via dell'Agricoltura 47/49 – 41012 Carpi (MO)

You can email the Data Controller at: [email protected]

2. FOR WHAT PURPOSES IS MY DATA PROCESSED AND WHY IS THE PROCESSING LAWFUL?

Your data is processed to carry out investigations to establish the validity of the misconduct report you have made, as well as, if necessary, to take appropriate corrective measures and appropriate disciplinary and/or legal action against those responsible for the misconduct.

The processing of your data is lawful without your consent because it is necessary to fulfil a legal obligation imposed on the Data Controller (art. 6.1.c) of the GDPR) and, with regards to special categories of data (art. 9.2.b of the Regulation and art. 54-bis of Italian legislative decree n. 165/2001) or to data concerning criminal convictions and offences, it may also be considered necessary in order to fulfil a duty in the public interest provided for by law (art. 6.1.e, art. 9.2.g, and art. 10 of the GDPR).

3. WHO CAN ACCESS MY DATA?

Your identity or information from which it can be inferred will not be revealed, without your express consent, to any parties other than those tasked with its processing and authorised by law. Furthermore, the report is excluded from rights available to citizens to access documents made available by public administration authorities.

Therefore:

  • Your data is disclosed the legal person tasked with managing your report, i.e. the Supervisory Body.

  • Furthermore, your data may be disclosed to judicial authorities for the matters respectively within their scope of competence.

As regards any proceedings that may be brought:

  • In criminal proceedings, the identity of the reporting person is covered by the duty of confidentiality in the ways and within the limits established by art. 329 of the Italian Code of Criminal Procedure. This provision provides for the duty of confidentiality in relation to activities carried out during preliminary investigations "for as long as the accused has no knowledge thereof and, in any case, not beyond closure of the preliminary investigations" (notice of which is served in accordance with the provisions of art. 415-bis of the Italian Code of Criminal Procedure).

  • In proceedings before the Court of Auditors, the duty of confidentiality during investigations is required by law until completion of preliminary investigations. Subsequently, the identity of the reporting person may be revealed by the audit authority for use in the said proceedings (art. 67, Italian legislative decree n. 174 dated 26 August 2016).

  • In disciplinary proceedings initiated against the alleged perpetrator of the reported misconduct, the identity of the reporting party may only be disclosed with the consent of the latter. In the event that the identity of the reporting person is indispensable for the defence of the person liable for disciplinary action, the organisation will not be able to proceed with the disciplinary proceedings if the person making the report does not expressly consent to the disclosure of their identity.

You can request the list of recipients or categories of recipients to whom your personal data has been or will be disclosed by emailing us at: [email protected]

4. WILL MY DATA BE TRANSFERRED OUTSIDE THE EUROPEAN UNION?

Your data will not be transferred abroad.

5. HOW LONG WILL MY DATA BE RETAINED?

The Data Controller will retain your personal data for no longer than is necessary to achieve the purposes for which it is processing it. More specifically, the reports and the related documentation will be kept for as long as is necessary to process them and in any case no longer than five years as of the date of notification of the final outcome of the procedure.

6. WILL I BE PROFILED?

In no event will your data will be used to obtain information about your preferences or conduct, nor will you be subjected to any automated decision-making based solely on the processing of your personal data.

7. WHAT RIGHTS DO I HAVE?

You have the following data rights:

  • Right of access: you have the right to obtain confirmation from the Data Controller as to whether or not personal data concerning you is being processed and, in the event, to have access to your personal data - and a copy thereof - and to receive information relating to its processing;

  • Right to rectification: you have the right to obtain from the Data Controller rectification of inaccurate personal data concerning you without undue delay and to supplement incomplete personal data, which may be achieved by providing a supplementary statement.

  • Right to erasure: you have the right to obtain from the Data Controller the erasure of personal data concerning you without undue delay in any of the following events:

    • your personal data is no longer required for the purposes for which it was collected or otherwise processed;

    • you object to the processing and there is no overriding lawful reason to proceed with the processing;

    • your personal data has been processed unlawfully;

    • your personal data must be erased to comply with a legal obligation imposed on the Data Controller.

  • Right to restriction of processing: you have the right to obtain from the Data Controller restriction of processing where one of the following applies:

    • if you contest the accuracy of the personal data, the processing can be restricted for as long as is necessary for the Data Controller to verify the accuracy of such personal data;

    • if the processing is unlawful and you object to the erasure of your personal data and request, instead, that restrictions be placed on the use thereof;

    • if, although the Data Controller no longer needs the personal data for processing purposes, you require the said data in order to establish, exercise, or defend a right in court;

    • you have objected to the processing while it is established whether there is a lawful reason why the data controller's legitimate interests override those of the data subject.

Right to object to the processing: right to object to processing carried out in order to fulfil a duty in the public interest or connected to the exercise of public authority or on the basis of the lawful interest of the data controller or third parties, as well as the right to object to the processing of personal data concerning you carried out for direct marketing purposes, including profiling when connected to such direct marketing.

  • Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you

You can exercise your rights by sending a request to the Data Controller's email address:[email protected]. The Data Controller will reply to you as soon as possible and, in any case, within no more  than 30 days of receiving your request.

8. AM I REQUIRED TO PROVIDE MY DATA?

In order to classify the report as whistleblowing, your identification details (first name, surname) must be provided as, as provided for by ANAC (the Italian national anti-corruption authority) in its Resolution n. 6 dated 28 April 2015, anonymous reports "by express legislation intention, do not fall directly within the scope of art. 54-bis of Italian legislative decree 165/2001”. In the event that the reporting person still wishes to proceed with an anonymous report, the report will be managed differently and must be sent by ordinary mail and addressed to the Supervisory Body; a report of this kind will only be taken into consideration if suitably specific, i.e. rendered with such a level of  detail that the  events and situations are clearly related to specific contexts.

9. HOW CAN I FILE A COMPLAINT?

If you wish to file a complaint regarding the processing of your data or regarding the management of a complaint  you have already lodged, you may submit a request directly to the Supervisory Authority, following the procedures  stated on the website of the Italian data protection authority: www.garanteprivacy.it.

PROCEDURE PS-01
WHISTLEBLOWING REPORTING

1. Purpose
2. Scope
3. Duties and responsibilities
4. Documents, applicable legislation
5. Terms and definitions
6. Reporting methods
6.1. Whistleblowing
6.2. Who can make a report
6.3. When can a report be made
6.4. What can be reported
6.5. Contents of the report
6.6. How to make a report
6.7. Management of internal reporting
7. Protection for the reporting party
7.1 Protection of confidentiality
7.2 Anonymous reports
7.3 Protection against retaliation
7.4 Loss of protection
8. Training and information

1. PURPOSE

The aim of legislation for whistleblowing is to  provide for the protection of people who report breaches (of national and European Union legislative provisions that are detrimental to the public interest, or the integrity of a public administration authority or a private-sector entity, in this case DEPECHE s.r.l.) which come to their attention within a work-related context.

The protection provided by Italian whistleblowing legislation (Italian Legislative Decree n. 24 dated 10 March 2023) does not apply in the event of reports concerning disputes, claims, or applications in which the reporting person has a personal interest relating exclusively to their individual employment relationships or to their relationships with  superiors in their place of employment.

The purpose of this procedure is to:

• Fulfil legislative obligations established by Italian Legislative Decree n. 24 dated 10 March 2023, which is the consolidated law on whistleblowing;

• Manage reports made within the company;

• Set out the persons, roles, and responsibilities involved in the reporting (whistleblowing) system;

• Ensure all employees, self-employed workers, independent contractors and consultants, volunteers, trainees, shareholders, directors, and audit and supervisory bodies, are informed of and involved in the adoption of the reporting (whistleblowing) system;

• Foster and spread a culture of corporate transparency by raising awareness of the issue of misconduct.

2. SCOPE

The Italian consolidated law on whistleblowing (Italian Legislative Decree n. 24 dated 10 March 2023) applies to all private-sector entities that

1. have hired, in the last year, an average of at least fifty employees  under permanent or fixed-term employment agreements;

2. fall within the scope of the Union acts applicable to sectors defined as sensitive, even if, over the last year, they have NOT reached the average of at least 50 employees;

3. fall within the scope of Italian Legislative Decree n. 231 dated 8 June 2001 and adopt the organisation and management models envisaged therein, EVEN if, over the last year, they have not reached an average of 50 employees.

Private limited company DEPECHE SRL adopts this procedure as it falls within the scope set out above in section 1.

Within the company, this procedure applies internally to all

• employees;

• self-employed workers;

• independent contractors and consultants;

• volunteers and trainees;

• shareholders;

• people with administrative, management, control, supervisory or representation duties (board of directors and board of auditors and to all company processes).

3. DUTIES AND RESPONSIBILITIES

The company management draws up this procedure and checks that it is implemented properly.

The external entity that receives reports pursuant to Italian Legislative Decree n. 24 dated 10 March 2023 audits this reporting procedure.

Lawyer Giuseppe Meconi is the external entity appointed by board of directors'  resolution to receive reports.

All employees, self-employed workers, independent contractors and consultants, trainees, interns, and person assigned company administration, management, control, supervision or representation duties have the duty to report any misconduct.

4. DOCUMENTS, APPLICABLE LEGISLATION.

This procedure is governed by the following legislation:

• Italian Legislative Decree n. 24 dated 10 March 2023;

• European directive  n. 2019/1937;

• Italian law n.179 dated 30 November 2017;

• Italian Legislative Decree n. 231 dated 8 June 2001.

5. TERMS AND DEFINITIONS

Whistleblower: a whistleblower is a person who reports, publicly discloses or makes a complaint to the judiciary or audit authority concerning breaches of national or European Union legislative provisions which are detrimental to the public interest or the integrity of a public administration authority or private-sector entity, which comes to their attention in a work-related context in the public or private sphere.

Information on breaches: information, including well-founded suspicions, regarding breaches committed or which, on the basis of certain actual conditions,  might be committed within the organisation with which the reporting person or the person making a complaint to the judiciary or audit authority has a legal relationship (employment agreement, or a management or supervisory position), as well as details of conduct to conceal such breaches;

Report: a concern raised in writing or orally providing information on breaches;

Internal report: the written or oral provision of information on breaches submitted through the internal reporting channel;

External report: the written or oral provision of information on breaches submitted through the external reporting channel; (ANAC)

External entity appointed to receive internal reporting: the external professional tasked with receiving reports from the internal reporting channel established in compliance with the provisions of Italian Legislative Decree n. 24/23;

Public disclosure: the publication of information on breaches either through the press or online or, in any case, using means of dissemination with the potential to reach a wide audience;

Reporting person: a natural person who reports or publicly discloses information on breaches, acquired in a work-related context.

Facilitator: an individual who assists a reporting person during the reporting process, who works within the same work-related context and whose assistance must be kept confidential;

Work-related context: work or professional activities carried out in the past or present as part of legal relationships with the company through which (regardless of the nature of such activities) a person acquires information on breaches and within which context they could suffer retaliation in the event of reports, public disclosure, or complaints to the judiciary or audit authority;

Person concerned: the natural or legal person who is referred to in the report  (made either internally or externally  or in the public disclosure) as a person to whom the breach is attributed or who is otherwise implicated in the breach (whether reported or disclosed publicly);

Retaliation: any conduct, or act or omission (even if only attempted or threatened) put in practice as a result of the report, the complaint to the judiciary or audit authority, or the public disclosure, which constitutes - or may constitute - either directly or indirectly, a tort against the reporting person or the person who made the complaint or public disclosure;

Follow-up: the action undertaken by the personnel tasked with managing the reporting channel to assess the  events reported, the findings of the investigations, and any measures adopted;

Anonymous reports: reports without information that allow identification of the reporting person.

Feedback: information provided to the reporting person about the follow-up that has been given or will be given to the report;

Public-sector entities: the public administration authorities stated in art. 1.2 of Italian Legislative Decree n. 165 dated 30 March 2001; independent administrative authorities for protection, supervision, or regulation; public utility companies; state-controlled companies pursuant to art. 2359 of the Italian Civil Code, including listed companies; in-house companies, including listed companies; the entities established under public law stated in art. 3.1.d) of Italian Legislative Decree n. 50 dated 18 April 2016; private-sector service providers in public-private partnerships.

Private-sector entities: Entities, other than those falling within the definition of public-sector entities.

6. REPORTING METHODS

6.1. WHISTLEBLOWING

Private limited company DEPECHE SRL has decided to establish an internal reporting system in accordance with the provisions of Italian Legislative Decree n. 24/2023.

Italian Legislative Decree n. 24/2023 brings together, within a single legislative act, the entire set of provisions governing reporting channels and the protection measures afforded to reporting persons in both the public and private sectors. The resulting organic, standardised legislation provides for greater protection of the whistleblower, so that the latter is more incentivised  to report offences according to the limits and methods stated in the decree.

6.2. WHO CAN MAKE A REPORT

For DEPECHE SRL, the following people are qualified to make reports:

• employees of DEPECHE SRL;
• self-employed workers working for DEPECHE SRL;
• independent contractors, self-employed professionals, and external consultants who provide their services to DEPECHE SRL;
• volunteers and paid and unpaid trainees;
• shareholders and persons performing administrative, management, control, supervisory, or representation roles (board of directors, managers, board of auditors), even if these roles are performed  within DEPECHE SRL on a purely de facto basis;

6.3. WHEN CAN A REPORT BE MADE

Reports can be made:

a) during an existing  legal relationship;
b) during a trial period;
c) prior to a legal relationship if the information on the breaches was acquired during a selection process or other pre-contractual activities;
d) after termination of a legal relationship if the information on the breaches was acquired prior to the termination of the said relationship (for example, for retirement).

6.4. WHAT CAN BE REPORTED

Reports can disclose conduct, acts or omissions that are detrimental to the public interest or the integrity of a public administration authority or private-sector entity consisting of:

• Breach of national legislative provisions

- material misconduct pursuant to Italian Legislative Decree n. 231 dated 8 June 2001  (predicate offences such as, for example: breaches concerning workers' health and safety or the environment, corporate crimes, undue receipt of funds, fraud against the State, a public authority, or the European Union with the intention of obtaining public funds, computer fraud against the State or a public authority and fraud in public procurement contexts), or breaches of the organisation and management models envisaged therein;

• Breaches of European legislative provisions

- offences falling within the scope of Union acts relating to the following sectors: public procurement; financial services, products, and markets and prevention of money laundering and the financing of terrorism; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety and animal health and welfare; public health; consumer protection; protection of privacy and of personal data and security of networks and information systems;

- acts or omissions which are detrimental to the financial interests of the Union;

- acts or omissions concerning the domestic market (for example: breaches concerning competition and State aid);

- acts or conduct which defeat the object or purpose of the provisions of Union acts.

Reports can disclose:

- information relating to conduct aimed at concealing the aforesaid breaches;
- unlawful activities which have not yet taken place but which the reporting person reasonably believes could occur in the event of certain actual conditions;
- well-founded suspicions;

The breaches reported must be those specified as qualifying breaches and must affect the interest of the entity.

The present provisions do not apply to disputes, claims, or application in which the reporting party has a personal interest relating exclusively to their individual employment relationships.

6.5. CONTENTS OF THE REPORT

The reporting person must provide all the  information which may be  useful to allow the necessary and appropriate checks and investigations to establish whether the matter reported is founded.

To this end, the report should contain the following information:

- The personal details of the reporting person and specification of the role held and duties performed (unless the report is anonymous)

- A clear, complete description of the matter reported;

- If known, the time and place of the events reported;

- The personal details or other information (duties, position) that allow identification of the perpetrator (if known) of the misconduct reported;

- The details of any other parties who could provide information on the matter reported;

- Specification of any supporting documents which could confirm the matter reported;

- Any other information that can confirm the validity of the matter reported.

Anonymous reports, i.e. those made without providing any information allowing identification of the reporting person, will only be taken into consideration if suitably specific, i.e. rendered with such a level of  detail that the  events and situations are clearly related to specific contexts  (e.g. including precise names and positions, specific duties or tasks, particular procedures or events, etc.)

6.6. HOW TO MAKE A REPORT

The following reporting methods can be used:

- internal reporting channel;
- external channel (managed by ANAC);
- public disclosure;

The choice of reporting channel is no longer left to the discretion of the reporting person as the internal channel should now always be the first line of action; only if one of the conditions stated in section b) of this section is met can an external report be made.

a) Internal channel

After sending this information notice to the local trade unions stated in art. 51 of Italian Legislative Decree n. 81/2015, DEPECHE SRL established its own reporting channel, which functions as follows:

REPORTS MADE IN WRITING

- written reports, which may also be made anonymously, must be sent in a sealed envelope to the following address: to the law firm of Giuseppe Meconi, for the attention of the said lawyer, at Strada Scaglia Est 31/A – 41126, Modena, specifying that the contents of the said envelope are personal and confidential. In this case, in order to ensure confidentiality of the report, it must be contained within two sealed envelopes: the first containing the reporting person's identification details and a photocopy of their identity document; the second containing the report, in order to separate the reporting person's identification details from the report. Both of these envelops must then be inserted into a third envelope which must be sealed, marked as confidential on the outside  (e.g. using the words "private" or "confidential") and addressed, also on the outside, to the party  appointed to manage the report.  The report will then be filed confidentially, and may be recorded  in a separate register by the said party tasked with its management (SB).

REPORTS MADE ORALLY

- Dedicated telephone and voice messaging line available at the following mobile telephone number +393494639584, which is registered to the receiving entity. The call or voice message must include the company's name and the description of the matter reported, as specified in section 5.5 of this procedure.

- Oral communication with the external receiving entity, through a direct meeting arranged, within a reasonable length of time, with the aforesaid lawyer, namely  Giuseppe Meconi, whose law firm is located at Strada Scaglia Est 31/A – 41126 Modena.

The reporting methods guarantee confidentiality of the identity of the reporting person, of the person concerned, and of any person mentioned in the report, as well as the contents of the report and the related documentation.

The management of the internal reporting channel is assigned to a receiving entity outside the company, as it is external and independent, which is specifically appointed to manage reports.

Reports may be  made in writing, sent by recorded delivery mail, or orally. Internal reports made orally are carried out, at the request of the reporting person, by arranging a direct meeting with the external receiving entity  within a reasonable length of time.

Confidentiality of the report is also guaranteed by the expressly accepted confidentiality clause and by the professional duties of confidentiality imposed upon the lawyer assigned to this role of receiving entity.

Internal reports and the related documentation are kept by the external receiving entity for as long as is necessary to process the report and in any case no later than 5 years as of the date of notification of the final outcome of the reporting procedure, in compliance with confidentiality obligations envisaged in European and national legislation on the protection of personal data.

The reporting person must specify whether they intend to keep their identity confidential and therefore benefit from the protection envisaged in the event of retaliation.

If the report is received by any party other than the entity tasked with receiving the reports, i.e. the external receiving entity pursuant to art. 6 of Italian Legislative Decree n. 231, the same report must be immediately transmitted to the external  receiving entity for the ensuing activities deemed appropriate.

EXTERNAL RECEIVING ENTITY ASSIGNED TO RECEIVE REPORTS MADE VIA THE INTERNAL CHANNEL

By board of director's resolution, the company decided to appoint the role of external receiving entity for internal reports to lawyer Giuseppe Meconi, born in Recanati (MC), on 9 August 1973, tax identification number MCNGPP73M09H211G, who meets the provisions of  Italian Legislative Decree n. 24 dated 10/03/2023 concerning the independence and professional qualification to perform the role.

b) External channel (managed by ANAC)

ANAC is the competent authority for external reporting, including reports from the private sector. To make a report directly to ANAC, at least one of the following conditions must be met:

• within the work-related context, no internal reporting channel is envisaged or if it is envisaged, it has not been put into practice or does not comply with applicable legislation;

• the reporting person has already made an internal report and it has not been followed up;

• the reporting person has reasonable grounds to believe that, if they were to make an internal report, it would not be followed up effectively or the report could prompt  retaliation;

• the reporting person has reasonable grounds to believe that the breach may constitute an imminent or obvious risk to the public interest.

www.anac.it

c) Public Disclosure

Public disclosure means the publication of information on breaches either through the press or online or, in any case, using means of dissemination with the potential to reach a wide audience.

A reporting person who makes a public disclosure benefits from the protection provided for by this procedure and by applicable legislation (Italian Legislative Decree 24/2023) provided that, at the time of the public disclosure, any of the following conditions are met:

• the reporting person has already made an internal and external report or has made an external report directly and has received no response, within the envisaged deadlines, concerning the measures provided for or adopted to follow up the reports;

• the reporting person has reasonable grounds to believe that the breach may constitute an imminent or obvious risk to the public interest;

• the reporting person has reasonable grounds to believe that the external report may prompt  retaliation or may not be effectively followed up due to the specific circumstances of the actual case, such as the risk of evidence being hidden or destroyed or if there is well-founded fear that the person receiving the report may be colluding with the perpetrator of the breach or involved in the breach itself.

6.7. MANAGEMENT OF INTERNAL REPORTING

As part of the management of the internal reporting channel, the external  receiving entity (pursuant to art. 6 of Italian Legislative Decree n. 231/2001) assigned to manage  the internal reporting channel, carries out the following activities:

• issues notice of receipt of the report to the reporting person within seven days of the date the report was received;

• maintains dialogue with the reporting person and may, if necessary, seek further information from them;

• follow up received reports with the due diligence;

• provides feedback on the report within three months of the date of advice of receipt or, in the event that such advice is not provided, within three months of the expiry of the seven-day period starting upon submission of the report;

• this procedure is posted and made clearly visible in the workplace and is accessible to people who, although not frequenting the workplace, have a legal relationship with the company. This procedure is sent by email to all persons outside the company who are entitled to send reports.

7. PROTECTION FOR THE REPORTING PARTY

The legislation dedicated to whistleblowing protects the good faith of the reporting party at the time they make a report. This legislation stipulates that the reporting person will only benefit from the protection measures provided for by law if, at the time of reporting, they had reasonable grounds to believe that the information on the breaches contained in the report, publicly disclosure, or complaint was true.

7.1 PROTECTION OF CONFIDENTIALITY

Reports cannot be used in any way other than to follow up the concerns raised in them.

The identity of the reporting party cannot be revealed to people other than those tasked with receiving or following up the reports.

The ban on revealing the identity of the reporting person applies not only to their name but also to all the information in the report which could be used, even indirectly, to identify them.

The protection of the reporting person's identity is also guaranteed in the event of legal proceedings concerning criminal or accounting offences and in disciplinary proceedings.

The identity(ies) of the person(s) concerned and/or mentioned in the report is protected until completion of the proceedings begun as a result of the report, maintaining the same guarantees  as envisaged for reporting persons.

This does not affect the application of national or European Union provisions regarding: legal professional privilege, medical secrecy, and the confidentiality of rulings by competent authorities.

In the internal reporting procedures, the reported party may also be heard, at their request or if requested by other parties, through paper-based proceedings involving the acquisition of written comments and documents.

7.2 ANONYMOUS REPORTS

This reporting system provides the possibility for the reporting party to make reports anonymously; it is also envisaged however, that the reporting party may allow their identity to be disclosed to the external receiving entity in a subsequent phase of the investigations.

In the event of an anonymous report, the reporting person cannot be contacted by the external receiving entity responsible for receiving the report except unless the  reporting party themself has provided contact details for this purpose.

7.3 PROTECTION AGAINST RETALIATION

Any form of retaliation, even if only attempted or threatened, is prohibited. The matter disclosed in the report, complaint, or public disclosure are irrelevant for the purposes of the protection from which a reporting person benefits.

Retaliation means: "any conduct, or act or omission (even if only attempted or threatened) put in practice as a result of the report, the complaint to the judiciary or audit authority, or the public disclosure, which constitutes - or may constitute - either directly or indirectly, a tort against  the reporting person or the person who made the complaint or public disclosure".

Retaliation can take the following forms:

• dismissal, suspension, or equivalent measures;

• demotion or failure to promote;

• change of duties, change of place of work, reduction in pay, change of working hours;

• suspension of training or restriction of access to training;

• negative comments or references;

• imposition of disciplinary measures or other penalties, including pecuniary penalties;

• coercion, intimidation, harassment, or ostracism;

• discrimination or otherwise unfavourable treatment;

• failure to convert a temporary employment agreement into a permanent employment agreement where the worker had a legitimate expectation of such conversion;

• failure to renew or early termination of a temporary employment agreement;

• injury, including injury to reputation, in particular on social media, or financial damage, including loss of income and loss of earning potential;

• wrongful inclusion in lists, on the basis of a formal or informal sectoral or industry agreements, which may prevent the person finding employment in the sector or industry in the future;

• early termination or cancellation of an agreement for the supply of goods or services;

• cancellation of a licence or permit;

• being requested to undergo psychiatric or medical tests.

Entities and individuals can notify ANAC of any retaliation they feel they have suffered.

Protection measures also apply:

• to the facilitator  (individual who assists a reporting person during the reporting process, who works within the same work-related context and whose assistance must be kept confidential);

• to people from the same work-related context as the reporting person, to the party who made a complaint or public disclosure,  and to any people  linked to these people by a long-term emotional bond or a kinship relationship within the fourth degree;

• to the co-workers of the reporting person, or the party who has made a complaint or public disclosure, or people from the same work-related context as them who have a current habitual relationship with that person.

• to entities owned by the reporting person or for which the said people work, as well as to entities that operate in the same work-related context as the aforesaid people.

Anyone who discloses or disseminates information on breaches is not liable if the information:

• is covered by duties of confidentiality;

• is covered by protection relating to copyright;

• is covered by protection relating to personal data;

• or if they disclose or disseminate information about breaches that are detrimental to the reputation of the person concerned or reported.

There is no criminal liability when "at the time of disclosure or dissemination, there were reasonable reasons to believe that the disclosure or dissemination of the information in question was necessary in order to reveal the breach and the report, public disclosure, or complaint to the judiciary or audit authority was made in the required manner".

In the case just stated, there is also no further liability of a civil or administrative law nature.

Unless the events constitute an offence, there is no liability (including civil or administrative law liability) for the acquisition of information on breaches or for access to such information.

Support provided

ANAC has drawn up a list of tertiary sector entities that provide support to reporting persons. The list is published by ANAC on its website. This support includes free information, assistance, and advice on reporting methods and on the protection against retaliation offered by national and European Union legislative provisions, on the rights of persons concerned, as well as on the methods and conditions for accessing free legal aid provided by the State.

7.4 LOSS OF PROTECTION

If the reporting person is found liable according to criminal law for libel, slander,  or defamation or in the event that such offences are committed in the complaint made to the judiciary or audit authority or if the reporting person is found liable according to civil law for the same offences due to wilful misconduct or gross negligence, protection is not guaranteed and a disciplinary sanction is imposed on the reporting person.

8. TRAINING AND INFORMATION

This procedure is published on the company notice boards used for communications with employees,  who will also be notified of this procedure by means of a specific message included with their pay slip.

Training sessions will also be organised every two years for external workers, to inform them of offences and conduct that can be reported.

A specific email will be sent to advise all independent contractors, self-employed professionals, and external consultants who provide their services to DEPECHE SRL.