0. INTRODUCTION
This procedure and the related operating instructions are an integral part of and directly implement the provisions of the Organization, Management, and Control Model pursuant to Legislative Decree 231/2001. Failure to comply with them may therefore result in the application of sanctions pursuant to the provisions thereof.
Any violation of the procedure and the Model must be reported to the Supervisory Board.
1. PURPOSE
This procedure illustrates the methods by which the recipient of the Organization, Management, and Control Model (hereinafter “Model” or “MOGC231”) can report events that could give rise to liability pursuant to Legislative Decree 231/2001 or that otherwise constitute a report of infractions/violations, as further detailed below.
1.1 Recipients
The recipients of this procedure are:
• Recipients of the Model: any recipient of the MOGC231 may act as a whistleblower.
• Supervisory Body: recipient of reports, responsible for managing the report itself.
2. REFERENCES
This procedure meets the requirements specified in the relevant standards (both mandatory and voluntary) that the organization has adopted and incorporated (see PQDRM02 – List of Standards & Laws), with particular reference to:
• Legislative Decree 231/01 and subsequent amendments (hereinafter also “Decree 231”);
• Law 179/17 of 30/11/2017: Protection of employees or collaborators who report wrongdoing in the private sector;
• GDPR – Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
• Legislative Decree No. 196 of 30 June 2003 (Personal Data Protection Code) and subsequent amendments and additions, including Legislative Decree No. 101 of 10 August 2018, as well as related legislative provisions;
• Directive 2019/1937/EU of the European Parliament and of the Council on the “protection of persons reporting breaches of Union law”;
• Legislative Decree 24/23 implementing Directive 2019/1937/EU of the European Parliament and of the Council on the “protection of persons reporting breaches of Union law”.
It also refers to the internal rules and regulations contained in the following documents, available online at \\Datastoresrv\Sistema_Qualita’:
• Organizational, Management and Control Model pursuant to Legislative Decree 231/01 [“MOGC231”, General and Special Section]
• Company Management Manual (MGA) and related annexes, including:
• Code of Ethics (Annex 2a to the MGA)
• Powers and Delegations Framework (Annex 3c to the MGA)
• Conduct Policies (Annex 2b to the MGA)
• IOQ&S02 – Security Policies
2.1. Registration Documents
The reference models/templates, published in \\Datastoresrv\Sistema_Qualita’\Modelli_new or in specific folders, are detailed in the reference IOs and listed here:
• Form for reporting misconduct
As specified in §4.1.2, the form is not strictly necessary to submit a report.
3. TERMS AND DEFINITIONS
COMPANY MANAGEMENT SYSTEM DOCUMENTS:
SGA – Company Management System
MGA – Company Management Manual
PQ – Company Management System Procedure
IO – Operating Instruction
MOD – Form/Template
FUNCTIONALITY:
The acronyms for company functions are those defined in the company organizational chart.
SPECIFIC DEFINITIONS:
Please refer to the definitions in Legislative Decree 24/23, art. 2, of which the most significant are listed below:
Whistleblowing. Whistleblowing derives from the phrase “to blow the whistle,” referring to the action of a referee in reporting a foul or that of a police officer attempting to stop an illegal action.
Law 179/17 of November 30, 2017, inserted paragraph 2-bis into Article 6 of Legislative Decree 231/01, which provides the provisions for “Protection of employees or collaborators who report wrongdoing in the private sector.”
According to this legislation, recipients of the MOGC231 who become aware of any unlawful conduct relevant to Legislative Decree 231/01 or violations as indicated in §4.1 are encouraged to submit detailed reports based on precise and consistent facts.
Whistleblower (or reporting person): Pursuant to Articles 1 and 2 of Legislative Decree 24/23, a whistleblower is anyone who reports, publicly discloses, or denounces to the judicial or accounting authorities violations of national or European Union regulations that harm the public interest or the integrity of the public administration or private entity, of which they have become aware in a public or private work context.
Persons working in the public or private sector are entitled to report violations, whether as:
• employees
• subordinate workers
• self-employed workers/collaborators
• freelance professionals
• volunteers and interns
• third parties such as suppliers, consultants, and stakeholders in general
• shareholders and persons with administrative, management, control, supervisory, or representation roles
Reporting: Communication, in writing or orally, of information relating to a potential violation (as further specified in §4.1). Reports concern all situations in which the whistleblower is acting to protect a non-personal interest, as the reported event usually concerns dangers or risks that threaten the organization as a whole, its staff, third parties, or even, more generally, the community.
Facilitator: A natural person who assists a whistleblower in the reporting process, operating within the same work context and whose assistance must be kept confidential.
TFEU (Treaty on the Functioning of the European Union): describes the functioning of the EU and determines the areas, methods, and limits of the exercise of its competences.
Criminal Code
4. PROCESS
The following paragraphs illustrate the “Whistleblowing scheme” adopted by Area, i.e., the procedure to follow for submitting reports.
4.1 Scope of the Report
4.1.1 Subject of the Report
This reporting system was established by Area in response to the specific regulatory requirement set forth in Legislative Decree 231/01 and subsequent amendments, Article 6, paragraph 2-bis, and therefore has the primary objective of managing reports of irregularities and/or offenses (occurring or likely to occur) in accordance with the provisions of Legislative Decree 231/01 and/or the MOGC231.
Furthermore, Legislative Decree 24/23 establishes that information on violations, including well-founded suspicions, of national and European Union regulations that harm the public interest or the integrity of public administration or private entities, committed within the organization of the entity with which the reporting person has legal relationships, is subject to reporting (see the definition of “Whistleblower”).
Information on violations may also concern violations not yet committed that the whistleblower reasonably believes could be committed based on concrete evidence. Such evidence may also include irregularities and anomalies (symptomatic indicators) that the whistleblower believes could give rise to one of the violations covered by the decree.
The violations identified by the legislator, and categorized below, may concern:
• Criminal offenses;
• Administrative offenses;
• Accounting offenses;
• Civil offenses;
• Violations of unlawful conduct relevant pursuant to Legislative Decree 231/01 and the provisions of the related MOGC231 implemented in AREA;
• Offenses committed in violation of the EU legislation listed in Annex 1 to Legislative Decree 24/23 and all national provisions implementing it, with reference to the following sectors: public contracts; financial services, products, and markets, and the prevention of money laundering and terrorist financing; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety and animal health and welfare; public health; consumer protection; privacy and personal data protection; and security of network and information systems;
• Acts or omissions affecting the financial interests of the European Union (TFEU, Art. 325) as identified in EU regulations, directives, decisions, recommendations, and opinions aimed at combating fraud and illegal activities affecting the EU’s financial interests;
• Acts or omissions affecting the EU internal market, which affect the free movement of goods, persons, services, and capital (TFEU, Art. 26, paragraph 2); this includes violations of EU rules on competition and state aid, corporate tax, and/or activities aimed at obtaining a tax advantage that defeats the purpose or object of applicable corporate tax legislation;
• Acts or behaviors that defeat the purpose or object of European Union provisions in the areas listed above.
From an operational perspective, this requires the involvement of the functions responsible for ensuring compliance with the regulations in the various areas, which will be responsible for contributing to the reporting system.
By way of example, but not limited to, the following events may be reported:
• Theft of organizational property;
• Forgery or alteration of documents;
• Forgery or manipulation of accounts and intentional omission of records, events, or data;
• Destruction, concealment, or inappropriate use of company documents, files, archives, equipment, and tools;
• Embezzlement of money, valuables, supplies, or other assets belonging to the organization or third parties;
• Giving a sum of money or other benefit to a public official in exchange for a function performed or for the omission of an official act (e.g., failure to file a report for tax irregularities);
• Acceptance of money, goods, services, or other benefits as incentives to favor suppliers/companies;
• Falsification of expense reports (e.g., “inflated” reimbursements or for false travel);
• Falsification of attendance records;
• Disclosure of confidential and proprietary information of the organization to external parties, including competitors;
• Use of company resources and assets for personal use without authorization;
• Presence of anomalies in equipment, substances, materials, and devices;
• Actions or omissions likely to cause financial damage to the organization;
• Actions or omissions likely to cause damage to the organization’s image;
• Presence of serious and imminent danger to the health and safety of workers (the worker, in addition to reporting, must also take action to eliminate the danger, consistent with his or her capabilities and skills).
It should be noted that whistleblowing does not concern personal grievances of the reporting party, as the reports, even when anonymous, must affect the public interest or the integrity of the organization.
Anonymity may in no way be used as a means to vent disagreements or conflicts between employees/collaborators.
Likewise, the following are prohibited:
• Use of abusive language;
• Submitting reports for purely defamatory or libelous purposes;
• Submitting reports that concern exclusively aspects of the reporting party’s private life, with no direct or indirect connection to company activities. Such reports will be considered even more serious when they relate to sexual, religious, political, or philosophical habits and orientations.
4.1.2. Report Requirements and Content
Reports, as required by law (Legislative Decree 231/01, art. 6, paragraph 2-bis), must be:
• detailed;
• based on precise and consistent facts.
In this regard, it is important to clarify that “it is not necessary for the reporting person to be certain of the actual occurrence of the reported events or of their perpetrator. However, it is considered sufficient that the reporting person, based on his or her knowledge, considers it highly probable that an unlawful act has occurred.” [ANAC Guidelines].
Reports based on mere suspicions or rumors will not be considered.
Each report must include the following information:
• the period in which the event occurred and the physical location where it occurred;
• the nature of the actions/omissions committed or attempted;
• a description of the irregularity/violation or the alleged offense;
• the possible causes and purposes of the act contrary to the MOGC231;
• the individuals or corporate structures involved as perpetrators of the act;
• any other parties with knowledge of the act.
Please provide all information and data necessary to ensure a thorough processing of the report.
If it is impossible to verify the veracity of the report and/or analyze its content, it will be automatically archived.
4.1.3. Parties who can report a violation
A whistleblower is someone who, having witnessed a violation or irregularity in the workplace, decides to report it. Anyone who performs a specific task or function within the organization can report a violation, for example: employees, managers, shareholders, directors, those performing control and supervisory functions, collaborators, consultants, volunteers, interns, third parties such as suppliers, and, in general, stakeholders.
Therefore, reports can be made when:
• The legal relationship is ongoing,
• The legal relationship has not yet begun if information about the violations was acquired during the selection process or other pre-contractual phases,
• The legal relationship has been terminated, if information about the violations was acquired before the termination of the relationship (e.g., retirees).
4.1.4. Parties who may be reported
Anyone whom the whistleblower holds responsible for an irregularity and/or violation may be reported.
The reported party is informed as soon as possible after their data is recorded. Under no circumstances may the reported party be permitted to exercise their right of access to obtain information on the whistleblower’s identity.
4.1.5. Reporting Channels
With the entry into force of Legislative Decree 24/23, the legislator has provided several possible reporting channels for whistleblowers. The following is a summary of the reporting methods available in the Area, in compliance with current legislation:
• The internal reporting channel in the Area is entrusted to the Supervisory Body, which manages the reports received, guaranteeing the confidentiality and anonymity of the whistleblower;
• The external reporting channel is entrusted to the ANAC (as required by Legislative Decree 24/23, art. 7); this channel may be used, for example, if:
• the whistleblower has already filed an internal report without receiving any response;
• the whistleblower has reasonable grounds to believe that the violation may constitute an imminent or manifest danger to the public interest.
Also within the scope of the “external” channel, Legislative Decree 24/23 provides the whistleblower with the option to proceed through:
• Public disclosure: this allows the whistleblower to make information about violations publicly available through the press or electronic media, or in any case through means capable of reaching a large number of people. This is only permitted if the whistleblower has used the internal and external channels mentioned above but no appropriate action has been taken, if the violation may constitute an imminent or manifest danger to the public interest, or if the whistleblower has reasonable grounds to believe that reporting through the “ANAC” channel may entail the risk of retaliation or may not be effectively followed up;
• Reporting to the Judicial Authorities: the decree, in accordance with previous regulations, also grants protected individuals the right to contact the judicial authorities to file a report of unlawful conduct of which they have become aware in a public or private workplace.
As required by current legislation, the reporting procedures are also published in a dedicated section of the company website (https://www.area.it/codice-etico/).
4.2. Recipient of the Report
4.2.1. Competent Body of the Internal Channel (and Protection)
Responsibility for collecting and managing reports submitted through the internal channel lies with the Supervisory Body (OdV) appointed pursuant to Legislative Decree 231/01.
The OdV is also the body already responsible for receiving information flows regarding the periodic findings of the monitoring activity on the effective implementation of the MOGC231.
If deemed appropriate, the Supervisory Body may avail itself of the collaboration of the relevant company representatives or, in the case of reports requiring specific expertise, of external professionals, while still preserving the confidentiality of the whistleblower.
4.2.3. Escalation
If the report directly concerns one of the members of the Supervisory Body, it must be addressed to the Board of Directors, which will be responsible for managing the specific report.
4.2.4. Powers of the Receiving Body
Within the scope of its autonomy, the Supervisory Body has the right to proceed with any further investigations it deems appropriate to effectively verify the validity of the report, without prejudice to the provisions on controls and investigations set forth in Title I of the Workers’ Statute (“The Freedom and Dignity of the Worker”), concerning the monitoring of workers, and the constraints established by other mandatory regulations (e.g., GDPR, see §4.6).
4.2.5. Competent Body for the External Channel (and Protection)
The ANAC is responsible for collecting and managing reports submitted through the external channel, as established by Legislative Decree 24/23.
However, ANAC is not considered the recipient of reports communicated via “Public Disclosure” and “Report to the Authority.”
4.3. Internal Reporting Procedure
4.3.2. Procedure Manager
The Whistleblowing Scheme requires the appointment of a Manager for internal reporting systems, who:
• ensures the proper execution of the procedure,
• promptly reports the information received directly to the corporate bodies, where relevant,
• draws up an annual report on the proper functioning of the internal alert procedure.
The Procedure Manager, within the Area, is identified within the Supervisory Body, which is also responsible for receiving and managing the reports themselves.
In light of this, the Supervisory Body must also:
• inform the reported party as soon as possible after the data concerning them is recorded;
• draw up an annual summary report on the reports received and their follow-up.
The organization is obligated to protect the person responsible for the whistleblowing procedure from pressure and discrimination exerted by or on behalf of the reported individual.
4.3.3. Reporting Procedure
Verbal Reporting
The whistleblower may request a meeting with the Supervisory Body to explain the content of the report. Written minutes of the report are required.
Paper Reporting
The whistleblower may submit the report in a sealed envelope marked “confidential/personal” on the outside to: AREA S.p.A. – Supervisory Body, Via Gabriele D’Annunzio, 2, Vizzola Ticino (VA).
Alternatively, the same envelope may be placed in the mailbox located on Floor 3 of Area’s corporate headquarters, c/o Building MXP (Via Gabriele D’Annunzio, 2, Vizzola Ticino), which is designated for the collection of confidential documents intended for the HR office.
Paper reports, if anonymous, will be considered only if adequately detailed, setting out specific and precise facts and situations.
If the report does not contain any identifying information about the reporting person and a communication channel cannot be established, even if the report itself is accompanied by the information necessary to investigate the matter in depth, it cannot be handled in compliance with the reporting person’s protection guarantees, nor within the timeframes required by law for providing appropriate feedback.
Reporting via electronic means
The reporting person, notwithstanding the provisions of the Security Policies (IOQ&S02, §§ 5.4.11 and 5.4.19), may also use personal/private email accounts, possibly without identifying the sender, to send the report to the dedicated address segnalazioni@legalmail.it, which is accessible exclusively by the Supervisory Body.
In this case, even if the report is anonymous, it will be processed in accordance with the timeframes and guarantees described in Legislative Decree 24/23.
The recommended method of sending the report, which guarantees encryption of the content and full confidentiality, consists of attaching the explanatory documentation to the email as a password-protected 7-Zip (.7z) archive and leaving no unencrypted text in the body of the email.
The password must not be communicated in the email but sent to the Supervisory Body via other means of contact (e.g., verbally or in another email).
4.3.4. Report Management Methods
The Supervisory Body, the body responsible for managing the report, analyzes its content upon receipt, identifying and analyzing:
• The date of receipt;
• The relevance of the report;
• Whether it concerns a committed or attempted action;
• The nature of the incident: irregularity or violation of the model, type of violation;
• The relevant process (and protocol), if applicable;
• Any individuals and/or offices responsible for the specific issue;
• The need for further investigation and any involvement of third parties to carry it out (in the case of external consultants, the signing of a specific NDA).
Subsequently, the Supervisory Body proceeds to manage the report with the following steps:
• Conducting further investigations in compliance with the principles of impartiality and confidentiality, carrying out any activities deemed appropriate, including any personal interviews with the reporting party and any other individuals who may be able to provide information on the reported incidents.
If, following the investigation, the report is found to be well-founded, given the nature of the violation, the following steps will be taken:
• Communicating the outcome of the investigation to the HR Manager and the Head of the department to which the perpetrator of the confirmed violation belongs, so that they can take appropriate management measures, including, where applicable, disciplinary action;
• Communicating the outcome of the investigation to the Board of Directors for any further action deemed necessary to protect the Company;
• Filing a complaint, as required by law, with the competent judicial authority.
• Reporting: The Supervisory Body prepares a report of the investigation conducted and shares it with the person responsible for the investigation, if any, and with the Board of Directors. This document is complete with the details and information necessary to define any necessary measures, including those aimed at preventing the recurrence of the reported events.
Subsequently, improvement measures will be identified to reduce the risk of crimes and/or violations being committed.
Following this report, the need to update any documents used by the organization will also be assessed and appropriate training provided to employees/collaborators to share the changes that have emerged.
4.3.5. Feedback to the Reporter
The Supervisory Body must inform the reporting party of receipt of the report within 7 days; it then has 3 months from the date of receipt to provide feedback (acceptance or archiving of the report). If the process has not yet been completed, the Supervisory Body is still required to inform the reporting party, who will be updated on subsequent developments.
The reporting party has the right to feedback, the nature of which will be decided by the Supervisory Body case by case, respecting the privacy of the reported party.
4.4. External Reporting Procedure
4.4.1 Procedure Manager
The management of external reports is governed by Articles 6, 7, and 8 of Legislative Decree 24/23, which designate ANAC as the reporting system manager.
ANAC has activated an external reporting channel that guarantees, through the use of encryption tools, the confidentiality of the identity of the reporting person, the person involved, and any persons mentioned in the report, as well as the content of the report and related documentation.
4.4.2. Reporting Methods
An external report is received by ANAC through:
• IT platform
• Telephone reporting
• In-person meeting
Reporting on the IT platform
The ANAC platform allows for the electronic completion, sending, and receipt of the reporting form, the management of the investigation, and any forwarding to other competent authorities.
On the ANAC institutional website, by clicking the link to the dedicated page, you can access the dedicated Whistleblowing service – Form for reporting unlawful conduct pursuant to Legislative Decree No. 24/2023 (https://whistleblowing.anticorruzione.it/#/).
Telephone Reporting
ANAC has set up a telephone operator service that allows oral reports to be collected, after a spoken presentation of the personal data processing policy and the instructions needed to find the full text of this policy online. The operator is a member of the competent ANAC Office. They collect the report by telephone and upload it to the ANAC platform along with the audio recording of the call.
The operator will then provide the reporting party with a unique 16-digit code that will allow them to log in to the platform for the first time, where they will be provided with a new code.
Reports Collected Through Face-to-Face Meetings
ANAC also offers the option of submitting reports through a face-to-face meeting, after presentation of the personal data processing policy. The reporting party will submit their report to an operator who will upload it to the IT platform, similar to the procedures for telephone reports described above.
4.4.3. Report Management Procedures
After receiving the report, ANAC analyzes its content, determining its jurisdiction and legitimacy.
• Investigation: The received report and the attached documentation are forwarded to the competent supervisory offices for the specific case, which conduct the necessary investigation to follow up on the report, including through hearings and the acquisition of documents.
The communication must indicate, under penalty of inadmissibility:
• the full name and contact details of the interested party and, if available, the certified email address that the Authority will use for any communications;
• the perpetrator of the alleged violation;
• the facts underlying the communication;
• the documents supporting the communication.
Where it is necessary to obtain information, clarifications, or documents in addition to those contained in the communication, the Office may summon the parties in possession of such information to a hearing or send them a request for additional documentation, assigning a deadline, not exceeding 30 days, within which they must provide a response.
• Reporting: Once the investigation phase is completed, ANAC shall notify the reporting party of the final outcome of the investigation, conducted by the competent Supervisory Office. This outcome may include the filing or forwarding of the documents to the competent authorities, a recommendation, or an administrative sanction.
4.4.4. Feedback to the reporting party
ANAC must notify the reporting party of receipt of the report within 7 days of its receipt, unless the reporting party specifically requests otherwise, or unless ANAC believes that notification would compromise the confidentiality of the reporting party’s identity.
Following the investigation phase, the Supervisory Office must respond to the reporting party within 3 months or, where justified and reasoned, 6 months from the date of acknowledgement of receipt of the external report, communicating the final outcome of the report.
4.5. Protection of the Reporting Party
4.5.1. Obligation to Maintain Confidentiality of Identity
The confidentiality of the reporting party’s identity must be guaranteed throughout the reporting process, starting from its receipt and at every subsequent stage.
Confidentiality must be guaranteed not only for the reporting party’s identity, but also for any other information or element of the report whose disclosure could directly or indirectly lead to the reporting party’s identity.
Violation of the obligation of confidentiality is grounds for disciplinary action, without prejudice to other forms of liability provided for by law.
Therefore, the reporting party’s identity cannot be revealed without their express written consent, in response to a written communication stating the reasons for disclosing their identity. This protection must also be applied by the organization’s top management, who cannot request further investigation or information in order to identify the whistleblower. The obligation to maintain the utmost confidentiality regarding the whistleblower’s identity and not to conduct further investigation or request the aforementioned information applies to all those who, for any reason, become aware of the report or are involved in the investigation process. This obligation may also be reaffirmed by requesting the signing of a formal undertaking to this effect.
If disciplinary proceedings are initiated as a result of the facts reported, the whistleblower’s identity may be revealed, with their prior consent, if:
• the disciplinary charge is based, in whole or in part, on the report; and
• knowledge of the whistleblower’s identity is absolutely essential to the accused’s defense, provided that this circumstance is presented and substantiated by the latter during the hearing or through the submission of defense briefs.
Such protective measures apply exclusively to those who report in good faith, i.e., those who report the issue believing it highly probable, based on their knowledge, that an unlawful act or irregularity has occurred.
No protection is provided if the whistleblower, through his or her own report, incurs criminal liability for slander (Article 368 of the Criminal Code) or defamation (Article 595 of the Criminal Code), or compensation for unlawful acts (Article 2043 of the Civil Code), and if anonymity is not applicable by law (e.g., criminal, tax, or administrative investigations, inspections by supervisory bodies).
With the entry into force of Legislative Decree 24/23, the legislator extended the protection afforded to the whistleblower to all individuals whose work assists the whistleblower in providing his or her statements, such as:
• facilitators, i.e., natural persons who assist the whistleblower in the reporting process, operating within the same work context and whose assistance must be kept confidential;
• people in the same work context as the whistleblower who are linked to him or her by a stable emotional bond or family relationship within the fourth degree;
• co-workers of the reporting person who have a habitual and ongoing relationship with the reporting person;
• entities owned by the reporting person for which the reporting person works, as well as entities operating in the same work context as the reporting person.
4.5.2. Prohibition of Retaliation
Any form of retaliation or discriminatory measure, whether direct, indirect, or attempted, affecting working conditions for reasons directly or indirectly related to the report, such as to cause unfair harm to the reporting person (dismissal, demotion, unjustified transfer, or behavior classified as mobbing, negative performance reviews, and other conditions set forth in Article 17 of Legislative Decree 24/23), is not permitted or tolerated against a recipient of the Model who makes a report pursuant to this procedure. A whistleblower who believes they have suffered discrimination as a result of filing a report of wrongdoing must provide detailed information about the discrimination to the Supervisory Body, with reference to the previous report. The Supervisory Body, having assessed the existence of the relevant evidence, reports the alleged discrimination:
• to the manager of the department to which the employee/collaborator who allegedly discriminated belongs;
• to the HR Manager;
• to another appropriate department, if the discrimination was committed jointly by the HR Manager and the department manager.
The department manager, in collaboration with the HR Manager, promptly assesses whether steps or measures are appropriate or necessary to restore the situation and/or to remedy the negative effects of the discrimination through administrative channels, and whether there are grounds for initiating disciplinary proceedings against the person who committed the discrimination.
The employee retains the right to directly contact the labor inspectorate or their trade union.
4.6. Documentation and IT System
4.6.1. Compliance with the Principles of Privacy by Design and Privacy by Default
Within the reporting system, a specific form has been defined to guide the whistleblower in completing a report.
The form (Form for Reporting Unlawful Conduct) streamlines the compilation process, encouraging the whistleblower to provide only the information required for the report, without exceeding the limits (Privacy by default).
Completing the form is not mandatory; however, it is extremely useful for providing only the data essential for analyzing the incident. It is therefore recommended to complete and submit it or, alternatively, to submit a complete report containing the requested information.
• Reports received verbally during a meeting and subsequently minuted, and reports received in paper format, are not duplicated and are stored in the Supervisory Body’s archive; the Supervisory Body, as the recipient of the reports, is the only body with access to the form.
The data contained in reports received through internal channels is protected only to the extent of the security policies applied by the mail server operator. For this reason, it is advisable to always send reports as a password-protected .7z archive, which, by default, encrypts the file’s contents so that they are inaccessible to anyone without the appropriate decryption key.
The report is sent to the Supervisory Body, which is obligated not to disclose the personal data contained therein and to process it only if strictly necessary for the specific purpose of analyzing and evaluating the report (Privacy by design).
4.6.2. Information Obligations Pursuant to Article 13 of the GDPR
The following information is provided by the Data Controller to the reporting party in accordance with Article 13 of Regulation (EU) 2016/679, summarizing it also on the Reporting of Unlawful Conduct Form, regarding data processing in the event of a report made through an internal channel.
Nature of the data processed
This information refers to the personal data of the reporting party, which they voluntarily provide when submitting a report.
Data Controller
• The data controller is Area S.p.A., a single-member company, with registered office at Via Gabriele D’Annunzio 2, Vizzola Ticino – Varese, Milan Malpensa, email address: privacy@area.it.
• The contact details of the company’s Data Protection Officer (DPO) are: dpo@area.it.
Purpose of the processing
The data collected will be used for purposes related and/or instrumental to the in-depth analysis of the report received.
Processing Methods
In relation to the above-mentioned purposes, personal data is processed using manual, computerized, and electronic tools designed to store, manage, and transmit the data, solely for the purposes for which it was collected and, in any case, in a manner that guarantees its security and confidentiality. Furthermore, the organization processes the personal data acquired in full compliance with the principles of fairness, lawfulness, and transparency, as well as in compliance with applicable data protection legislation.
To protect the confidentiality of the reporting party’s identity, where possible, the content of the report will be immediately separated from the reporting party’s identifying information, while maintaining a correspondence known only to the Supervisory Body.
Nature of the Data Provision and Effects of Refusal
The provision of data for purposes related and/or instrumental to the analysis of the report is optional and is at the discretion of the reporting party when submitting the report. Please note that if the reporting party does not wish to provide personal data that is clearly essential to a thorough processing of the report, the report will be automatically archived.
Scope of data disclosure
The data provided is disclosed and processed by members of the Supervisory Body for the purposes indicated above. These individuals are authorized to process the data within the limits of their responsibilities and in accordance with the instructions given to them by the Data Controller.
Data Retention
The company retains the personal data acquired in a form that allows the identification of data subjects for a period of no more than 5 years after the purposes for which they were processed have been achieved. In any case, data processing will cease following the data subject’s request for deletion.
The Supervisory Body retains a copy of the report and the documents relating to the investigation conducted, appropriately anonymized, for a period of 10 years.
Communication and Dissemination of Personal Data
The personal data provided will not be disseminated, i.e., it will not be disclosed to unspecified parties, in any form, including making it available or simply consulting it.
Should it be necessary to disclose the personal data provided to third parties, this will only be done with the data subject’s prior written consent.
Information to the Reported Person
When the Supervisory Body informs the reported person that their data has been recorded, the Supervisory Body also informs them of:
• the nature of the data processed;
• the name of the Data Controller;
• the purposes and methods of processing;
• any methods of transfer to third parties;
• the scope of disclosure and dissemination;
• the methods of storage.
Rights of the Data Subject
In relation to the aforementioned processing, the data subject may exercise the rights set forth in Articles 15-21 of the GDPR by contacting the Data Controller, such as:
• Right of access: the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and further information regarding the source, purpose, category of data processed, recipients of disclosure and/or transfer of data, etc.;
• Right to rectification: the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data, as well as the completion of incomplete personal data, including by means of providing a supplementary statement;
• Right to erasure: the right to obtain from the Data Controller the erasure of personal data without undue delay where:
  • the personal data are no longer necessary in relation to the purposes of the processing;
  • the consent on which the processing is based is withdrawn and there is no other legal basis for the processing;
  • the personal data have been unlawfully processed;
  • the personal data must be erased for compliance with a legal obligation;
• Right to object to processing: the right to object at any time to processing of personal data based on the legitimate interest of the Data Controller;
• Right to restriction of processing: the right to obtain from the Data Controller restriction of processing where the accuracy of the personal data is contested (for a period enabling the Data Controller to verify the accuracy of the personal data), the processing is unlawful, and/or the data subject has objected to the processing;
• Right to data portability: the right to receive personal data in a structured, commonly used, and machine-readable format and to transmit those data to another controller, only where the processing is based on consent and only for data processed by electronic means;
• Right to lodge a complaint with a supervisory authority: without prejudice to any other administrative or judicial remedy, a data subject who considers that the processing of his or her personal data violates the GDPR has the right to lodge a complaint with a supervisory authority in the Member State in which he or she habitually resides or works, or in the State in which the alleged infringement occurred.
4.6.3. Data archiving and retention methods
Personal data submitted by the reporting party on paper is separated from the content of the report and is not duplicated; only a copy is stored in the Supervisory Body’s physical archive, which is locked and accessible only to the Supervisory Body itself.
Even if the report is submitted electronically, archiving is the sole responsibility of the Supervisory Body, which will store the data in its certified email inbox or, alternatively, after printing the documentation, in the Supervisory Body’s physical archive.
Personal data must NOT be stored unencrypted on the company network unless it is essential for the reporting process aimed at verifying its veracity.
The content of the report, appropriately anonymized, may be stored online.
4.6.4. Secure Data Access Policies
The company intranet is built according to specific security policies, in accordance with the international standard ISO/IEC 27001, and technical and organizational access control measures are therefore in place, including:
• Path-specific read and/or write access credentials;
• Credential assignment process through formal request and verification by Compliance and HR Managers;
• Network access restricted to domain-joined machines and/or remote access via VPN;
• Periodic expiration of individual machine (and therefore intranet) access passwords.
4.6.5. Transparent Report Management
Each report is handled in accordance with this procedure.
The Compliance Unit has the right to conduct audits to verify that one or more reports, selected at random, are handled in accordance with the defined procedures. In conducting audits, the confidentiality of both the whistleblower and the person reported is protected, as the audits themselves are conducted in accordance with the “Whistleblowing” process and are not expected to address the merits of assessments regarding the content of the reports.
4.7. Sanctions
The Disciplinary System described in MOGC231 – General Section (§3.2.3) also provides for sanctions for violations of the reporting procedure described in this document.
By way of example, sanctions are provided for:
• Against the reported person, if he or she is held responsible for the incident following the in-depth investigation conducted by the body receiving the report;
• In the event of abusive behavior by the whistleblower;
• In the event of retaliatory or discriminatory behavior by workers – managers and subordinates – towards the whistleblower;
• Against the Supervisory Body if, after receiving the report, it fails to verify the information provided by the whistleblower;
• In the event of a violation of confidentiality obligations associated with the management of reports.
Penalties are applied as provided for by the current MOGC231 and based on the Workers’ Statute (Law No. 300/1970) and individual National Collective Bargaining Agreements.