Whistleblowing



1 SUMMARY AND PURPOSE


This procedure has the aim of regulating the methods of reporting crimes or irregularities within the company with the aim of protecting the person making the aforementioned reports.

Further objectives of this "Whistleblowing" Procedure can be summarized as follows:


- define and formalize the reporting procedure by establishing terms and responsibilities in the process of reporting offenses;

- define the rules that must be observed in order to guarantee the confidentiality of the reporter, the other subjects involved and the report itself;

- define the role of the recipient of the reports;

- promote, within the Company, a culture based on responsibility and ethics, in the belief that the active participation and involvement of

all employees/collaborators are a fundamental part of the Company's development process;

- allow the Company to be promptly informed of facts or conduct contrary to the ethical principles pursued, for the purpose of prompt intervention, as well as

identify and manage possible deficiencies in the internal control and risk management system.


1.1 Reference legislation


This procedure refers to the new Legislative Decree. n.24 of 10/03/2023 implementing EU Directive 2019/1937, concerning the protection of people who report violations of Union law.

For the purposes of drafting this document, the ANAC Guidelines, approved with resolution no. 311, regarding the protection of people who report violations of Union law and the protection of people who report violations of national regulatory provisions, were also considered. Procedures for the presentation and management of external reports.


2 FIELD OF APPLICATION / RECIPIENTS


The procedure applies exclusively to Sysdat.it SRL (hereinafter also "Sysdat" or "the Company") and relates to reports relating to the field of application provided for by the law. Please note that Legislative Decree 24/2023 provides that the violations subject to reporting, denunciation or public disclosure must concern:

  • The offenses that fall within the scope of application of the European Union or national acts indicated in the annex to the Legislative Decree. 24/2023 (public procurement, prevention of money laundering and terrorist financing, product safety and conformity, consumer protection, protection of privacy and protection of personal data and security of networks and information systems, etc.); The documents acts or omissions constituting fraud, or other illegal activity, which harms the financial interests of the European Union; acts or omissions concerning the internal market of the European Union (eg violations of competition and state aid, etc.); acts or behaviors which, in any case, frustrate the object or purpose of the European Union acts in the above sectors.


This procedure does not apply, however, to disputes, claims or requests linked to a personal interest of the reporting party which relate exclusively to their individual working relationships, or inherent to their working relationships with hierarchically superior figures.


On the subjective side, by way of example, this procedure applies to:


- Employed workers;

- Self-employed workers who carry out their work in private sector entities;

- Freelance professionals and consultants who work for private sector entities;

- Volunteers and interns, paid and unpaid, who work for private sector entities;

- Shareholders and people with administration, management, control, supervision and representation functions;

- Facilitators;

- Other subjects provided for by Legislative Decree 24/2023.


For all the aforementioned subjects, the protection also applies during the probationary period and before or after the establishment of the employment relationship or other legal relationship.

Considering the purposes of this procedure, the confidentiality of the identity of the reporter and all the subjects involved is guaranteed from the moment of receipt and in every subsequent phase of the related management. For further details on the topic of privacy protection, please refer to Annex 1.


3 DEFINITIONS


a) Reporting procedure (Whistleblowing)

Report management procedure as defined below.


b) Internal Channel

Internal reporting channel set up by the Company, suitable for guaranteeing the confidentiality of the identity of the reporter and the person reported, as well as the content of the report and the related documentation, also through the use of encryption.


c) Whistleblower

The natural person who reports information on violations acquired within his/her working context: therefore all subjects who are even only temporarily in working relationships with the Company are included in the definition, even if they do not have the status of employees (such as volunteers, interns, paid or unpaid) and, albeit under certain conditions, those who do not yet have a legal relationship with the Company (in the pre-contractual negotiations phase) as well as those whose relationship has ended or who are in a probationary period.


d) Facilitator

The natural person who assists the reporting party in the reporting process, operating within the same working context and whose assistance must be kept confidential (for example: the colleague from an office other than that of the reporting party who assists the latter in the reporting process on a confidential basis, i.e. without disclosing the information learned; or a colleague who also holds the qualification of a trade unionist if he assists the reporter in his name and on his behalf, without using the union symbol).


e) Reported/person involved

The natural or legal person mentioned in the internal report either as the person to whom the violation is attributed or as the person involved in the reported violation.


f) Reporting Management Structure (SGS)

Independent internal person or office dedicated to the management of reports, or external entity also autonomous.


g) Reporting

Based on the provisions of the art. 2 of Legislative Decree 24/2023, a report means the written or oral communication containing information on the reported violation.


h) External channel at ANAC (only for reports of offenses relating to Legislative Decree 24/2023)

Those who intend to make a report may use, as an alternative to the internal channel established, the external channel managed by ANAC, if the following conditions are met:

  • when the internal channel, despite being mandatory, is not active or, even if activated, does not comply with the provisions of Legislative Decree 24/2023 with reference to the subjects and methods of submitting internal reports that must be able to guarantee the confidentiality of the identity of the reporting person and other protected subjects; when the reporting person has already made an internal report and it has not been followed up by the designated person or office; when the reporting person has reasonable grounds to believe on the basis of concrete circumstances attached and information that can actually be acquired and, therefore, not on simple inferences, that if an internal report were to be made: a) it would not be effectively followed up; b) this could entail the risk of retaliation; when the reporting person has reasonable grounds to believe that the violation could constitute an imminent or obvious danger to the public interest.


i) Public disclosure (only for reports of offenses relating to Legislative Decree 24/2023)

Further reporting method introduced with Legislative Decree 24/2023, through which information on violations is made public through the press or electronic means or in any case through means of dissemination capable of reaching a large number of people (social networks , web, television, radio, etc.).

 

l) Conflict of interest

The term "conflict of interest" means any situation in which the functions involved in the management of the reports (Head of the investigation) have personal or professional interests in conflict with the impartiality required for their responsibility, such as not to allow the evaluation objective reporting.


m) Confidentiality regarding the content of the report and the identity of the person reported and the other subjects involved

Sysdat guarantees the confidentiality, not only of the identity of the reporter and of all the subjects who enjoy the same protections, but also of any other information or element of the report from the disclosure of which the identity of the reporter can be deduced directly or indirectly.


n) Protection of privacy

This reporting management procedure was created with the objective of protecting the privacy of the subjects involved in the reporting, in compliance with the principles established by the GDPR.



4 OPERATING MODES


4.1 Introduction

The Company has adopted this procedure in order to ensure compliance with legality and the principles of correctness and transparency, as well as the confidentiality of the subjects and the content of the report.


5 PRELIMINARY OPERATIONAL ACTIVITIES


5.1 Identification of the Report Management Structure

In light of the art. 4, paragraph 2 of Legislative Decree 24/2023, Sysdat has chosen to entrust the management of reports to a specifically identified and appointed external entity, which in this procedure is qualified as a Report Management Structure (hereinafter also SGS ).


5.2 Definition of the methods for managing anonymous reports

Reports from which it is not possible to deduce the identity of the reporter are considered anonymous.

These reports are equivalent to ordinary ones, if detailed. If the Report Management Structure receives anonymous reports through the established channels, they will be considered as ordinary reports.

In cases of anonymous reporting, if the reporting person has subsequently been identified and has suffered retaliation, the protection measures for retaliation still apply.


5.3 Description of the reporting methods adopted by the Company


(a) Written channel

The reporting party can send the report by traditional mail; so that SGS can ensure correct management, the reporter must use in closed envelopes:

  • the first with the identification data of the reporting person together with the photocopy of the identification document; the second with the report, in order to separate the reporting person's identification data from the report; the third which must contain the first two envelopes and must contain the following address:


Via Enrico Fermi 6, Vicopisano

 

“SYSDAT.IT SRL REPORT – CONFIDENTIAL”


(b) Oral canal

The reporting person will be able to make internal reports also in oral form by requesting a direct meeting with the SGS, to be requested by writing to m.santoni@siquam.it, indicating SYSDAT REPORTING in the subject.

If the internal report is made orally during a meeting with the SGS, it, subject to the consent of the reporting person, is documented by the SGS or by the support staff identified and trained for this purpose, by recording on a device suitable for conservation. and listening or verbally. In the latter case, the reporting person can verify, rectify and confirm the minutes of the meeting by signing.

Whatever reporting channel is chosen by the reporting person, the Company guarantees, also through the use of encryption tools, the confidentiality of the identity of the reporting person, of the person involved and of the person mentioned in the internal report, as well as of the content of the report. internal and related documentation.

The Company, regardless of the type of report sent, undertakes to protect the confidentiality of the reporter even when the report is made through methods other than those established in accordance with Legislative Decree 24/2023 or reaches subjects other than SGS.


5.4 The report sent to an incompetent person

In the event that the report is submitted to a person other than SGS, the report must be transmitted, within seven calendar days of its receipt, to SGS via the channels provided for in paragraph 5.3, giving simultaneous notice of the transmission to the reporting person.


5.5 Conflict of Interest

Regardless of the type of report received, the SGS will conduct the investigation relating to the report making use of the collaboration of the Secretariat function; in the event that SGS recognizes a possible situation of conflict of interest of this function, it will be its responsibility to interface with the subjects who are not involved in the facts being reported.


6 PROCEDURAL FLOW


6.1 Assumptions

This procedure assumes that:

  • The reporter acts in good faith. The whistleblower who voluntarily makes a report in bad faith may be subject to disciplinary measures by way of example: conservative sanctions (verbal warning, written warning, fine, suspension from work and pay, disciplinary transfer), dismissal, withdrawal from the contractual relationship, actions of compensation for damages, etc.; The reporting management structure manages the reports received in an objective, impartial and confidential manner both against the reporting party and the reported party, involving exclusively the figures identified in this procedure.


6.2 Submitting and Tracking a Report

For the purposes of sending reports, the reporter uses the forms and tools provided by the internal channel set up by the Company. In this phase the reporter can be helped by the facilitator, where this has been identified.

Reports must be:

- in good faith: the reporting party has reasonable certainty of the truthfulness of what he reports, that is, he does not have prejudices and/or the aim of causing harm to anyone and/or obtaining personal benefits.

- detailed: they must allow the identification of objective elements reasonably sufficient to start an investigation; by way of example, they must contain:

- the description of the fact;

- the personal details or other elements that allow the identification of the person to whom the reported facts can be attributed;

- the circumstances of time and place in which the reported event occurred.

It is also useful to attach documents that can provide elements of substantiation of the facts being reported, as well as the indication of other subjects potentially aware of the facts.


6.3 Management of reports received

The reporting management phase is supervised by the SGS and is divided into four sub-phases:

  • Pre-analysis; Investigation; Evaluation and final outcome; Archiving.


6.4 Pre-analysis of reports

When the Report Management Structure receives a report to the dedicated address, it evaluates its contents by carrying out an initial screening and immediately detecting those that are clearly unfounded, unsubstantiated, concerning an object that is not relevant, slanderous and/or insulting . In any case, within the seventh day of receiving the report, SGS will notify the reporting party of receipt of the report.

For the management of all reports of violations, falling within Legislative Decree 24/2023 and relevant to Sysdat, the Report Management Structure will be able to interface with the Secretariat, identified as the internal contact person of the SGS itself. In the event that the latter evaluates the presence of any conflicts, it will contact the company structures it deems suitable, also based on the topics being reported, guaranteeing in any case the confidentiality of the reporter and the other parties involved.


6.5 Investigation of reports

The investigation is the set of activities aimed at verifying the content of the reports received and acquiring useful elements for the subsequent evaluation phase, guaranteeing maximum confidentiality on the identity of the person reported and the other subjects involved, and on the subject of the report. If the Report Management Structure deems it necessary, while still guaranteeing the confidentiality of the reporter and the other parties involved, it can avail itself of the collaboration of company functions (referred to in paragraph 6.4) and external figures competent based on the topic of the report . On this point it is specified that since SGS does not have autonomous spending powers, the task of any identified external party will be conferred by company figures with adequate powers in this regard.

The Whistleblowing Management Structure, in carrying out the investigation, can:

  • contact the reporting party in confidence, and request any documents and/or additional information; interrupt the investigation if the report is found to be unfounded.

It is specified that SGS will be responsible for eliminating any data that is not relevant to the report or necessary for the purposes of managing the investigation.



6.6 Evaluation and final outcome of reports

The Whistleblower Management Structure carries out its own assessments of the outcome of the investigation and provides feedback to the reporting party no later than three months after taking charge of the report. SGS summarizes the results of its investigation in a specific report which is sent to the Board of Directors. Alternatively, in the event that a possible conflict of interest situation arises, the report produced will be shared with the Sole Auditor to evaluate the possible actions to be taken.

If the report is found to be well-founded, the competent corporate entities will be able to decide on the application of disciplinary measures provided for by the Sanctioning System of the relevant CCNL and/or evaluate the possible communication of the events to the competent authorities.

In the event that the report is found to be unfounded, the competent corporate entities will be able to evaluate the possibility of applying the Sanction System to the person making the report in bad faith.

If, following a report, gaps emerge in the risk control and management system, it will be the responsibility of the competent business units to define the appropriate improvement actions.


This procedure is represented schematically in the "Flow" attached (Annex 2).


7 DEFINITION OF THE METHODS OF MANAGEMENT OF PERSONAL DATA PROTECTION


The data controller of the personal data relating to the Whistleblowing Procedure is identified as the Sysdat Company which will process the personal data of all the subjects involved in the report in compliance with the principles established by the GDPR, providing suitable information to the interested parties pursuant to the articles. 13 and 14 of the GDPR, as well as adopting appropriate measures to protect the rights and freedoms of the interested parties.

The Data Controller has entrusted the management of the reports to SGS, which may possibly avail itself of the support of any specifically authorized internal parties. Specifically, SGS, as an external entity, has received a specific appointment as "data controller", pursuant to art. 28 of the GDPR; the internal subjects involved in the investigation operate subject to specific authorization from the Data Controller and on the basis of the instructions given by the latter. The processing of personal data relating to the receipt and management of reports is carried out in compliance with the principles set out in articles 5 and 25 of Regulation (EU) 2016/679, providing appropriate information to the reporting persons and to the persons involved pursuant to articles 13 and 14 of the same regulation (EU) 2016/679, as well as adopting appropriate measures to protect the rights and freedoms of the interested parties

The company ensures that the management of reports and the related processing of data for privacy purposes is therefore carried out in compliance with the applicable legal provisions, taking into account the principles of the European Regulation 2016/679 on privacy (GDPR). Specifically, Sysdat guarantees in carrying out the entire procedure:

- provide the reporting party and the other parties involved with all adequate information on the processing of personal data;

- process personal data in full compliance with the GDPR;

- carry out a specific impact assessment (Privacy Impact Assessment) on the processing in question;

- identify the technical and organizational measures suitable to guarantee an adequate level of safety;

- regulate relationships with external parties involved in the processing of personal data;

- do not process and/or store personal data that is manifestly not useful for processing the report.

With regard to the management of the exercise of the rights of interested parties, European legislation on the protection of personal data provides that, in some specific cases, national law may limit the scope of the obligations of the data controller and the rights generally recognized to interested parties in reference to your personal data provided for in CHAPTER III of Regulation (EU) 2016/679 (art. 23 Regulation (EU) 2016/679).

As established by the art. 13 paragraph 3 of the Legislative Decree. 24/2023, within the scope of the reports, a limitation of the rights of the interested parties is foreseen pursuant to art. 2-undecies of the legislative decree of 30 June 2003, n. 196; this limitation applies because the exercise of these rights could result in an effective and concrete prejudice to the confidentiality of the identity of the reporter and of any persons involved/mentioned in the report itself.

Therefore, the reporting party can exercise the right to access their data, to rectify or integrate it, to cancel it and to limit its processing in the same way in which they made the report.

The reporting party, pursuant to art. 77 of Regulation (EU) 2016/679, you also have the right to lodge a complaint with the Data Protection Authority, if you believe that the processing violates the aforementioned Regulation.

The exercise of the rights referred to in CHAPTER III of Regulation (EU) 2016/679 by other interested parties, such as the reported party or other persons involved, may be delayed, limited or excluded if such exercise could lead to actual and concrete prejudice to the confidentiality of the identity of the reporter as provided for by article 2-undecies, letter. f of the legislative decree 30 June 2003, n. 196 (implementing article 23 of Regulation (EU) 2016/679).

In such cases, these subjects can exercise the aforementioned rights through the Guarantor for the Protection of Personal Data in the manner referred to in Article 160 of Legislative Decree 30 June 2003, n. 196.

For further information on the processing of personal data, please read the whistleblowing information (Annex 3).


8 PROHIBITION OF RETALIATION, SANCTIONS AND LIABILITY REGIME


Whistleblowing is a measure that allows us to strengthen the diffusion of a culture of ethics, transparency and legality within Sysdat. This important objective can only be achieved if the reporting subject, in addition to having the tools available to make reports, also has, and above all, the certainty that he will be protected in order not to suffer retaliation from colleagues or superiors or to risk that your report remains unheard.

For these reasons, the Legislative Decree. 24/2023 and the Company explicitly provide for a ban on retaliation to protect the whistleblower and other subjects envisaged by the law, even if it involves merely attempted or threatened retaliation, which causes or may cause to the person/entity, directly or indirectly. , an unjust damage.

However, in order for retaliation to take place and, consequently, for the subject to benefit from protection, a close connection between the contents of the report and the retaliatory action suffered is necessary.

For the purposes of protection, however, the personal and specific reasons that led people to make the report, public disclosure or complaint have no relevance. In the absence of compliance with these general conditions, protection cannot be guaranteed even to subjects other than the one who reports, denounces and carries out the public disclosure if, due to the role assumed within the reporting/denunciation process and/or the particular relationship that binds them to the whistleblower or the complainant, are indirectly subjected to retaliation.

The Company, in adopting this procedure, is aware of the administrative sanctions applicable by the ANAC pursuant to art. 21 of Legislative Decree 24/2023.

Disciplinary sanctions are also applicable to the whistleblower in the event of reports found to be unfounded, made with malice or gross negligence, or those that are manifestly opportunistic and/or made for the sole purpose of harming the reported person or other subjects.

The disciplinary sanctions will be proportionate to the extent and severity of the illegal conduct ascertained and may also lead to the termination of the relationship, in compliance with the provisions of the law and the applicable CCNL regulations.

The Report Management Structure may also be subject to a contractual sanction if there has been a deficiency in the application of confidentiality measures or failure to evaluate the report.

All confirmed violations of the measures put in place to protect the whistleblower are also similarly sanctioned.


9 TRAINING


The Sysdat Report Management Structure has been adequately trained to manage reports according to the principles and methods established by this procedure.

By virtue of the circumstance according to which the protection of the whistleblower is fully included among the general corruption prevention measures, the Company undertakes to guarantee annually or in any case in the event of significant regulatory updates, the carrying out of awareness and training initiatives regarding:

- The first levels of the company, who must be adequately informed both on the content of the standard and on how it is implemented in their company (procedure),

and on how to handle the information they may have to manage in relation to a report;

- Employees and collaborators, who must be trained and informed on how to activate the internal reporting channel and on how and when they can

possibly activate external reporting and/or public disclosure channels. Furthermore, these subjects must be informed about the protections activated

by the company, and on how to be updated on the progress of the reports made.


10 ADVERTISING

This procedure adopted by Sysdat is made available to all workers and external parties indicated by the standard, through publication on the company website (www.sysdat.it).


11 ARCHIVING OF REPORTS

The Report Management Structure ensures that, at its registered office, all documentation is archived in specific dedicated folders, managed according to strict confidentiality criteria.

After five years from the date of communication of the final outcome of the reporting procedure, SGS will wait to receive instructions from the Company regarding the methods of returning and/or deleting the data. It is understood that in the event of a return, SGS will be responsible for transmitting only the strictly necessary information regarding the report (for example subject, outcome, dates of response to the reporting party, etc.).

The Report Management Structure is also required to keep the register of reports received updated, taking care to indicate each time the outcome it has reached.

If the investigation activity has a negative outcome, the Report Management Structure will still archive the report, adequately illustrating the reasons for the assessment.

Share by: