whistleblowing
Regulations for the Management of Reports of Unlawful Conduct and Violations (Whistleblowing) and the Protection of the Whistleblower
For information and reports, please write to violazioni@renatocorti.it
Version 1.1 dated: 30/11/2023
Approved by: Sole Administrator on: 06/12/2023
1. Introduction
The whistleblowing system allows employees and collaborators to report unlawful acts and irregular conduct potentially harmful to the integrity of the organization they work for. It aims to promote a culture of ethics in compliance with the principles of legality.
This regulation aims to govern the procedure for managing reports of unlawful acts within the company and to publicize how the company guarantees protection for whistleblowers.
This regulation is based on recent legislation (Legislative Decree of March 10, 2023, No. 24) and is drafted in accordance with the “Guidelines on the protection of persons reporting breaches of Union law and the protection of persons reporting breaches of national legal provisions” issued by the National Anti-Corruption Authority (ANAC), as well as the “Operational Guide for Private Entities” issued by Confindustria in October 2023.
Legislative Decree No. 24 of March 10, 2023 implements in Italy the EU Directive 2019/1937 of the European Parliament and of the Council of October 23, 2019, concerning the protection of persons who report breaches of Union law.
The new rules aim, on the one hand, to guarantee freedom of expression and information, which includes the right to receive and communicate information, as well as the freedom and pluralism of the media. On the other hand, they are a tool to counter (and prevent) corruption and poor governance in the public and private sectors.
The whistleblower provides information that may lead to the investigation, detection, and prosecution of breaches, thereby strengthening the principles of transparency and accountability of democratic institutions. Therefore, ensuring the protection—both in terms of confidentiality and protection against retaliation—of those who report or denounce violations contributes to uncovering and preventing risks and harmful situations for the entity itself and, by extension, for the public interest.
2. Who Can Report a Violation
The whistleblower is a natural person who witnesses a violation or irregularity discovered while carrying out their professional activity at or in relation to the company and decides to report it.
The following individuals within the organizational structure may report violations:
- Company employees, in a broad sense, including all individuals with an employment relationship with the company, even temporarily (e.g., agency workers, volunteers, interns and trainees, whether paid or unpaid, or those hired on a trial basis).
- Individuals who do not yet have or no longer have a legal relationship with the company, if the information was acquired during the selection process or other pre-contractual phases, or during the employment relationship.
- Workers and collaborators of companies providing goods and services or executing works on behalf of the company.
- Freelancers and consultants providing services to the company.
- Individuals in administrative, management, supervisory, monitoring, or representative roles within the company.
3. Subject and Requirements of Reports
Legislative Decree No. 24/2023 states that the subject of a report (or subsequent public disclosure or complaint) may include information about violations—also based on reasonable suspicion—of national and EU legislation that harm the public interest or the integrity of the public administration or private entity, committed within the organization with which the whistleblower has a qualified legal relationship (see point 2). Information may also concern violations not yet committed if the whistleblower reasonably believes they may occur based on concrete elements. These may include irregularities and anomalies (warning signs) that the whistleblower believes could lead to a violation under the decree.
Violations subject to reporting, complaint, or public disclosure (Art. 2, Para. 1, Legislative Decree 24/2023):
- Administrative, accounting, civil, or criminal offenses
- Unlawful conduct and violations of organizational and management models (Legislative Decree 231/2001)
- Violations falling within the scope of application of EU or national acts
- Acts or omissions harming the EU’s financial interests
- Acts or omissions concerning the EU internal market, affecting the free movement of goods
Reports may also concern conduct intended to conceal violations, such as hiding or destroying evidence.
Reports concerning exclusively private life matters without any direct or indirect connection to professional activity are not permitted.
The following are also excluded from reportable information: clearly unfounded allegations, information already in the public domain, and rumors lacking reliability (so-called “hallway gossip”). Reports must not include defamatory or offensive content or moral judgments aimed at offending the dignity or reputation of the persons involved.
Furthermore, the following cannot be the subject of a report:
- Complaints, claims, or requests related to personal interests of the whistleblower or those who have submitted a complaint to judicial authorities, concerning their individual employment relationships or relationships with hierarchical superiors
- Immediate threats to life or property, for which local authorities should be contacted directly
- Disagreements about applicable laws
The motives behind the report are irrelevant for the purpose of processing the report and granting protection against retaliatory measures. However, reports based solely on personal interest are not considered whistleblowing.
4. Elements and Characteristics of Reports
Reports should clearly indicate:
- The time and place of the reported incident
- A description of the incident
- Names or identifying elements of the persons allegedly involved
It is also helpful to attach documents supporting the report, as well as identify other individuals who may have knowledge of the facts.
If the report is not sufficiently detailed, the person handling it may request additional information via the dedicated channel or in person, if the whistleblower has requested a direct meeting.
Proper documentation, complete descriptions, and attached evidence can allow anonymous reports to be processed in the same way as named reports.
5. Channels and Methods of Reporting
The internal reporting system uses specific, autonomous, and independent communication channels available to staff.
The following technical methods are available:
- Ordinary mail: confidential letter addressed to the designated persons responsible for managing reports (hereinafter the “Responsible Parties”)
- Email address accessible only by the Responsible Parties: violazioni@renatocorti.it
- In-person meeting with the Responsible Parties
Anyone receiving a report outside the designated channels must promptly forward the original to the Responsible Parties, destroy any copies, and maintain confidentiality over any acquired information.
6. Protections and Guarantees Provided by the Internal Reporting System
With the aim of encouraging the development and use of an effective internal reporting system for violations, proportionate to its size and complexity, the company ensures the following protections and guarantees for all parties involved.
a. Protection and Rights of the Reporting Person. The internal reporting system adopted by the company ensures the confidentiality of the reporting person’s identity, which cannot under any circumstances be disclosed (especially in relation to the reported party and hierarchical superiors) without their explicit consent, subject to the following exceptions required by law:
- Anonymity cannot be invoked under the law (e.g., in criminal investigations)
- Elements of the report require mandatory notification to Judicial Authorities
With respect to the employee who submits a report under this Regulation, the internal reporting system provides measures to prevent and repress any form of retaliation, discrimination, or intimidation that affects working conditions due to the report. Discriminatory measures include, by way of example: dismissal, unjustified disciplinary actions, denial of company bonuses, unjustified transfer, workplace harassment of any kind, and any other retaliatory action creating intolerable working conditions. The reporting person may at any time request the application of the protections under this Regulation, including the right to request a transfer to another office and, where necessary, independent psychological assistance in case of stress resulting from the report.
The company guarantees, where reasonably possible, compliance with such requests. Furthermore, no form of retaliation or discrimination affecting working conditions shall be tolerated against those cooperating in the investigation of the report’s validity.
b. Identifiability of Reports. Although permitted by law, the company does not encourage anonymous reports as a standard means to report violations. Therefore, the internal reporting system provides that reports must be named, and anonymous reporters will be asked at the first contact to provide identifying information to enable follow-up communication.
c. Protection and Rights of the Reported Person. The internal reporting system ensures the confidentiality of the reported person’s identity. If someone is investigated following a report submitted through the internal reporting system, they will be informed within a reasonable timeframe, depending on the specific circumstances and, in any case, before the conclusion of the investigative phase. Where information must be collected for investigation, the need for confidentiality takes precedence over the reported person’s right to information (privacy notice), and therefore over the need to obtain their prior consent to process their personal data. Once the investigation is complete—and the temporary suspension of some privacy rights ends—the reported person may access the report’s data (excluding the identity of the reporter), request the correction of inaccurate, incomplete, or outdated data, and request deletion of data no longer needed for retention purposes.
d. Confidentiality and Information Protection. The company’s internal reporting system guarantees, as a key operating condition, the protection of information (identity of the reporter, report content, identity of the reported person) through the technical and IT processes and solutions it adopts. In particular, to avoid unauthorized disclosure of information related to reports (e.g., due to unauthorized access, accidental loss, or accidental disclosure), strict cybersecurity measures are implemented, including:
- adoption of appropriate access security policies
- adoption of appropriate data access policies
- proper data retention methods
- secure and confidential management of report content
All individuals involved in the reporting management process—from receipt to archiving—are required to maintain discretion and complete confidentiality, particularly regarding the identity of the reporter. Staff responsible for handling such information are clearly identified, specifically trained, and bound by confidentiality obligations related to their role.
e. Handling of Reports Made in Bad Faith or Malice. Reports submitted under the internal reporting system do not imply any liability for the reporter, except in cases of bad faith or malice. If, during the examination and evaluation phases, it is found that the report was made with the intent to harm or damage the reported person (i.e., malicious or false reporting), such behavior may be considered defamation or slander under applicable law. The company will consider whether to apply disciplinary action. In any case, to protect everyone’s dignity and reputation, the company provides its staff protection against defamatory reports, censoring them and, if deemed necessary, informing those falsely cited.
f. Processing of Personal Data. The information and any other personal data collected under this Regulation are processed in accordance with current data protection laws.
7. Duties of Those Managing Reports
Those managing reports must comply with the requirements set by legislation to ensure both efficient and timely handling of reports and the protection of whistleblowers.
Those managing reports must:
- Issue an acknowledgment of receipt to the reporting person within seven days of receiving the report
- Maintain communication with the reporting person
- Properly follow up on received reports
- Provide a response to the reporting person within a maximum period of three months from the report’s receipt
8. Roles and Responsibilities
The individuals responsible for managing reports are the Chief Executive, the Director of Finance and Administration, and the Human Resources Manager. They collectively manage reports, except when a report specifically concerns one of them. In such cases, the reported individual must recuse themselves, and the remaining members will handle the report.
The responsibilities include:
- Approving this regulation and any necessary amendments to the system
- Promoting initiatives to ensure understanding and dissemination of the Regulation’s content among stakeholders
- Upon examining and thoroughly processing reports, assessing the adoption of appropriate actions, including disciplinary measures, to stop or prevent the reported behavior
9. Process for Managing Violation Reports
The process of managing violation reports is divided into the following phases:
- Receipt and admissibility verification
- Investigative phase
- Archiving, traceability, and retention of the report
The entire process must ensure the confidentiality and protection of the personal data of both the reporting and the reported persons.
9.1 Receipt and Admissibility Verification
This phase involves collecting all information provided by the reporting person and supplementing it, if needed, to verify whether the report is admissible.
This phase includes verifying subjective, objective, and completeness aspects. The Responsible Parties will verify:
- the inclusion of the reporter’s identity
- whether the reporter falls within the defined scope (see point 2)
- whether the report fits the defined objective scope of the internal reporting system (see point 3)
- whether the report includes sufficient details of a possible violation to justify further investigation
- whether the report contains the essential elements:
  - date of the report
  - statement of any personal interest related to the report
  - statement of any shared responsibility in the reported violation
  - reference period of the act/fact
  - individuals or company departments involved
  - detailed description of acts or facts
  - preferred method of communicating the investigation outcome to the reporter, or an explicit statement that they do not wish to be contacted (unless required for legal proceedings)
In this phase, the Responsible Parties may request additional necessary information from the reporter, while safeguarding the confidentiality of their identity.
Reports made in person must be documented by the Responsible Parties and shared with the reporter.
Once admissibility is confirmed, the Responsible Parties register the report in a dedicated log, assigning a progressive number based on the date received.
The following must be logged:
- Progressive ID code
- Date of receipt
- Reporter’s personal data
- Submission method
- Case status (received, under review, under evaluation, archived)
The Responsible Parties will also open a case file using the progressive ID from the log and gather all related information.
At the end of this phase, the Responsible Parties will decide whether to:
- Archive the report, if it is clearly unfounded or outside the scope of the internal system
- Proceed to the investigative phase
In the case of archived reports, the Responsible Parties will inform the reporter, including a brief explanation for the decision.
9.2 Investigative Phase
The Responsible Parties initiate the investigation in accordance with principles of timeliness, independence, fairness, and confidentiality. They may request support from relevant organizational units or external consultants specialized in the subject matter, ensuring confidentiality and anonymization of personal data.
The investigation methodology will be determined case-by-case, using the most effective approach depending on the nature and circumstances of the violation. Verification methods may include, for example: interviews, document analysis, database research, and company asset checks, in compliance with data protection regulations.
Under no circumstances are investigations allowed that compromise the dignity or confidentiality of the employee, or that are arbitrary, biased, or unfair, discrediting the employee or damaging their reputation among colleagues.
Within three months of receiving the report, the Responsible Parties must decide whether to:
- Archive the report, providing a reasoned response to the reporter
- Or consider the report as significant and evaluate appropriate actions, including disciplinary measures, to stop or correct the reported behavior
9.3 Archiving, Traceability, and Retention of the Report
The Responsible Parties ensure traceability of reports and their related assessments, allowing the process to be auditable ex post.
At the end of the investigation—or after any resulting legal or disciplinary proceedings—the data will be processed and retained only for as long as necessary for the intended purposes, and in any case, no longer than five years.
If legal or disciplinary action is taken against the reported person or against the reporter (in the case of false or defamatory claims), personal data must be retained until the end of the proceeding and until the expiration of appeal terms.
Personal data related to unfounded reports must be deleted immediately.
All report files are stored securely in a protected location to ensure confidentiality and data protection according to privacy regulations. Retention must not exceed the period necessary for the data processing purposes, must always comply with the company’s privacy procedures, and in any case must not exceed five years.
10. Final Provisions
This Regulation, approved as indicated on the cover page, will be revised in the event of significant external or internal changes.