Send a report with the utmost confidentiality.

Privacy

INFORMATION ON THE PROCESSING OF PERSONAL DATA WITHIN THE WHISTLEBLOWING REPORTS under articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR")

The Bronzini Group is committed to protecting the privacy of its clients. This information, in compliance with the provisions of Legislative Decree of March 10, 2023, no. 24 (hereinafter the "Decree"), is intended for whistleblowers, individuals assisting the whistleblower in the reporting process (hereinafter "facilitators"), and individuals to whom the informational content of the report may refer as reported subjects or involved in various capacities in the matters reported within the whistleblowing procedure (hereinafter, the "Whistleblowing Procedure" or "Procedure").

To this end:

O.MEC. Srl, VAT number 01175100427, with registered office in Milan, via San Gregorio 55, and operational and administrative office in Ancona, Via E. Mattei n.30/A, represented by the legal representative pro tempore, Gianfranco Bronzini as data controller (hereinafter the "Company" or the "Controller")

 

  1. WHAT PERSONAL DATA MAY BE COLLECTED

If a Report is made, the Company, through the O.G.I. (hereinafter "Illicit Management Body") with reference to the following concerned parties ("Concerned Parties") as defined by the Decree:

reporting person (hereinafter also "Reporter"),

involved person, person mentioned in the report, and the facilitator, will collect and process the relevant personal data entered by the Reporter (e.g., through free text fields in the registration form) in the Report, such as:

  • Identifying and contact information such as: name, surname, email, phone number, and information on the facts and circumstances subject to the whistleblowing report.
  • Identifying data of the Reporter will not be collected if an anonymous report is made containing the essential elements required by the Procedure;
  • Employment-related data, function, corporate role;
  • Identifying data of individuals involved in the report, information and data relating to reported violations, including any personal data relating to special categories or related to criminal convictions and offenses;
  • Any other information related to the Reporter, individuals involved in the report, or any other third parties that the Reporter decides to share to better describe the suspected violation;
  • Identifying, contact, and access account data to the computer platform of the subjects responsible for managing the reports.

 

  2. PROCESSING METHODS

Personal data will primarily be processed through a dedicated computer platform "Legality Whistleblowing-Illicit reporting," which allows both written and oral reporting; in the latter case, the voice of the Reporter will be distorted to ensure security and anonymity.

Reports can also be made through direct meetings with the O.G.I. (Internal Illicit Management Body), which will document the meeting through minutes or, with the prior consent of the Reporter, record it on a device suitable for storage and listening.

The Report must not contain irrelevant facts or special categories of personal data, as defined in Article 9 of the GDPR (hereinafter also "Special Categories of Data"), i.e., those from which racial or ethnic origin, philosophical and religious beliefs, membership of parties or trade unions, as well as health status, sexual life, or sexual orientation, may be inferred, nor data relating to criminal convictions and offenses as per Article 10 of the GDPR, except where this is unavoidable and necessary for the Report itself.

Subject to the above, the Controller hereby provides the Concerned Parties with information regarding the processing of personal data concerning them, reserving the right to provide it again to the Concerned Parties at a later time after the Report, in order to ensure the effectiveness of the Whistleblowing Procedure and not to compromise any investigations initiated by the Company or the Authorities.

 

  3. PURPOSES FOR WHICH PERSONAL DATA MAY BE USED

Personal data will be processed for purposes related to the receipt and management of the Report in compliance with the Decree and the Whistleblowing Procedure. The processing is based on the fulfillment of a legal obligation to which the Controller is subject under Article 6, paragraph 1, letter c) of the GDPR as provided for by the Decree. The provision of personal data is mandatory because, otherwise, the Company would be unable to fulfill specific legal obligations related to the management of Reports and, consequently, could not guarantee the protective measures provided for by the Decree in favor of the Concerned Parties.

Personal data will be processed for purposes related to the defense of rights in the course of judicial, administrative, or extrajudicial proceedings and in the context of disputes arising in relation to the Report made. Additionally, personal data may be processed by the Company for legal action or to assert claims.

The processing is based on the legitimate interest of the Company under Article 6, paragraph 1, letter f) of the GDPR in protecting its rights. In this case, no new and specific provision is required, as the Company will pursue this additional purpose, if necessary, by processing the personal data collected for the aforementioned purposes, deemed compatible with this one (also considering the context in which the personal data were collected, the relationship between You and the Company, the nature of the data themselves, and the adequate guarantees for their processing, as well as the connection between purpose A. and this additional purpose).

As stated in the previous paragraph 2, the Report must not contain Special Categories of personal data, except where this is unavoidable and necessary for the Report itself. In this case, the lawful basis for the processing of such personal data is based on Article 9, paragraph 2, letter b) of the GDPR regarding purpose A, and Article 9, paragraph 2, letter f) of the GDPR regarding purpose B.

Regarding any data concerning criminal convictions and offenses, the legitimacy condition is to be found based on Article 2-octies of Legislative Decree no. 196/2003, as amended by Legislative Decree no. 101/2018 and by the Decree ("Privacy Code") - in fulfilling the legal obligations provided for by the Decree.

 

  4. HOW DO WE KEEP PERSONAL DATA SECURE AND FOR HOW LONG

The processing of personal data is based on the principles of fairness, lawfulness, transparency, integrity, and confidentiality. The processing is carried out with both paper and electronic support, including automated methods for storing, managing, and transmitting them. Paper documentation is kept to a minimum and archived and stored in cabinets and premises equipped with security locks.

Processing will take place using suitable tools to ensure security and confidentiality through the use of procedures to prevent the risk of loss, unauthorized access, unlawful use, and disclosure. This is done through the adoption of encryption techniques and the implementation of technical and organizational security measures defined, evaluated, and implemented also in light of an impact assessment pursuant to Article 35 of the GDPR, such as voice distortion in voice messaging.

Personal data contained in the Report will be retained for no longer than 5 years from the date of communication of the final outcome of the reporting procedure. Personal data that are manifestly not useful for the processing of a specific Report are not collected or, if collected accidentally, are immediately erased.

 

  5. WHO CAN WE SHARE PERSONAL DATA WITH

Access to personal data will be granted exclusively to the O.G.I. (employees trained, authorized, and appointed by the Controller), to assess and gather further details about the report.

Subsequently, in the phase of verifying the validity of the Report, where it becomes necessary for needs related to investigative activities, personal data may be forwarded, in accordance with the principle of confidentiality, to other functions of the Companies to which specific instructions have been provided and thus expressly authorized, such as internal sector managers.

Furthermore, personal data may be disclosed, if necessary and under the circumstances, to public authorities (including administrative, judicial, and public security authorities) and to other third parties if required to protect the rights and legitimate interests of the data controller (e.g., freelance consultants registered with a specific professional register, such as lawyers, accountants, labor consultants, etc.), service providers, and platforms for managing reports and storing data contained therein.

The computer platform for managing reports is operated by the company DigitalPA S.r.l., with registered office in Cagliari, Via S. Tommaso D’Aquino 18/A 38 10122 Turin (TO), designated as the data processor pursuant to Article 28 of Regulation (EU) 2016/679.

  6. INTERNATIONAL TRANSFER

There is no planned transfer of personal data to third countries outside the EU/EEA.

  7. RIGHTS REGARDING DATA PROTECTION AND THE RIGHT TO LODGE COMPLAINTS WITH THE SUPERVISORY AUTHORITY

Each Data Subject has the right to request from the Company, subject to the conditions set forth in the GDPR and the Privacy Code:

  • access to personal data, as provided for in Article 15 of the GDPR;
  • rectification or integration of personal data held by the Company that are considered inaccurate, as provided for in Article 16 of the GDPR;
  • erasure of personal data for which the Company no longer has any legal basis for processing, as provided for in Article 17 of the GDPR;
  • limitation of how the Company processes personal data if one of the hypotheses provided for in Article 18 of the GDPR applies;
  • a copy of the personal data provided to the Company, in a structured, commonly used, and machine-readable format, and the transmission of such personal data to another data controller (portability), as provided for in Article 20 of the GDPR;
  • to lodge a complaint with the Data Protection Authority as provided for in Article 77 of the GDPR, using the references available on the website garanteprivacy.it, or to take appropriate legal action.

Right to Object: In addition to the rights listed above, the Data Subject has the right to object at any time, for reasons related to their particular situation, to the processing of personal data concerning them by the Company for the pursuit of its legitimate interests, as provided for in Article 21 of the GDPR.

The aforementioned rights may be limited pursuant to Article 2-undecies, first paragraph, letter f) of the Privacy Code if exercising them could result in a concrete and effective prejudice to the confidentiality of the identity of the person reporting violations they became aware of in the course of their employment relationship or functions performed, pursuant to the Decree.

In such cases, the Data Subject's rights may also be exercised through the Data Protection Authority in accordance with the methods set out in Article 160 of the Privacy Code. In this case, the Data Protection Authority informs the Data Subject that all necessary checks have been carried out or a review has been conducted, as well as of the Data Subject's right to appeal to the courts.

 

  8. CONTACTS

The contact details of the Company, as Data Controller, are as follows: omec@sicurezzapostale.it; info@omec.it.

For any further information regarding the processing of personal data and to exercise rights, outside the cases mentioned above, you can contact the Company by registered letter with return receipt requested at the following address: O.MEC. Srl - Via Enrico Mattei n. 30/A - Ancona (AN).

------

COS.M.I. Srl, VAT number: 01271580423, with registered office in Ancona, via Enrico Mattei n. 30/A, represented by its legal representative Mr. Mirco Nisi, acting as data controller (hereinafter the "Company" or the "Controller").

1. WHAT PERSONAL DATA MAY BE COLLECTED

If a report is made, the Company, through the O.G.I. (hereinafter "Illicit Management Body") with reference to the following data subjects ("Data Subjects") as defined by the Decree:

reporting person (hereinafter also "Reporter"),

involved person, person mentioned in the report, and the facilitator, will collect and process the relevant personal data entered by the Reporter (e.g., through free text fields in the registration form) in the Report, such as:

- Identifying and contact details such as: name, email, phone number, and information about the facts and circumstances subject to the whistleblowing report.

- The identifying details of the Reporter will not be collected if an anonymous report is made that contains the essential elements required by the Procedure;

- Employment-related data, function, corporate role;

- Identifying details of individuals involved in the report, information and data related to the reported violations, including any personal data related to special categories or criminal convictions and offenses;

- Any other information related to the reporter, individuals involved in the report, or any other third parties that the reporter decides to share to better describe the suspected violation;

- Identifying, contact, and account data for accessing the computer platform of the subjects responsible for managing the reports.

 

2. PROCESSING METHODS

Personal data will primarily be processed through a dedicated computer platform "Legality Whistleblowing - Reporting Illicit Activities", which allows both written and oral reporting; in the latter case, the voice of the reporter will be distorted to ensure security and anonymity.

Reports can also be made through direct meetings with the O.G.I. (Internal Illicit Management Body), which will document the meeting through minutes or, with the reporter's consent, record it on a suitable device for storage and listening.

The Report should not contain irrelevant facts or special categories of personal data, as referred to in Article 9 of the GDPR (hereinafter also "Special Categories of Data", i.e., those from which, among other things, racial or ethnic origin, philosophical or religious beliefs, membership of parties or trade unions, as well as health, sex life, or sexual orientation may be inferred), or data relating to criminal convictions and offenses referred to in Article 10 of the GDPR, unless this is unavoidable and necessary for the purpose of the Report itself.

Notwithstanding the above, the Controller hereby provides the Data Subjects with information concerning the processing of their personal data, reserving the right to provide it again to the Data Subjects at a later time after the Report, in order to ensure the effectiveness of the Whistleblowing Procedure and not to compromise any investigations initiated by the Company or the Authorities.

3. FOR WHAT PURPOSES PERSONAL DATA MAY BE USED

Personal data will be processed for purposes related to the receipt and management of the Report in compliance with the Decree and the Whistleblowing Procedure. The processing is based on compliance with a legal obligation to which the Controller is subject under Article 6, paragraph 1, letter c) of the GDPR as provided by the Decree. The provision of personal data is mandatory, as otherwise, the Company would be unable to fulfill specific legal obligations related to the management of Reports and, consequently, could not guarantee the protection measures provided by the Decree for the Data Subjects.

Personal data will be processed for purposes related to the defense of rights in judicial, administrative, or extrajudicial proceedings and in disputes arising in connection with the Report made. Additionally, personal data may be processed by the Company to take legal action or assert claims.

The processing is based on the legitimate interest of the Company under Article 6, paragraph 1, letter f) of the GDPR in the protection of its rights. In this case, a new and specific provision is not required, as the Company will pursue this additional purpose, if necessary, by processing the personal data collected for the purposes mentioned above, deemed compatible with this one (also in consideration of the context in which the personal data were collected, the relationship between You and the Company, the nature of the data, and the adequate safeguards for their processing, as well as the connection between purpose A and this additional purpose).

As stated in the previous paragraph 2, the Report must not contain Special Categories of personal data unless this is unavoidable and necessary for the purpose of the Report itself. In this case, the legality of processing such personal data is based on Article 9, paragraph 2, letter b) of the GDPR concerning purpose A, and Article 9, paragraph 2, letter f) of the GDPR concerning purpose B.

With regard to any data relating to criminal convictions and offenses, the legitimacy condition is based on Article 2-octies of Legislative Decree no. 196/2003, as amended by Legislative Decree no. 101/2018 and the Decree ("Privacy Code") - in compliance with the legal obligations of the Decree.

4. HOW WE KEEP PERSONAL DATA SECURE AND FOR HOW LONG

The processing of personal data is based on the principles of fairness, lawfulness, transparency, integrity, and confidentiality. Processing is carried out using both paper-based and electronic means, including automated methods for storage, management, and transmission. Paper documentation is kept to a minimum and stored and guarded in cabinets and rooms equipped with secure locks.

Processing will be carried out using suitable tools to ensure security and confidentiality through the use of procedures designed to prevent the risk of loss, unauthorized access, unlawful use, and dissemination. This is achieved through the adoption of encryption techniques and the implementation of defined technical and organizational security measures, also evaluated and implemented in light of an impact assessment under Article 35 of the GDPR, such as voice distortion in voice messaging.

The personal data contained in the Report will be retained for no more than 5 years from the date of communication of the final outcome of the reporting procedure. Personal data that are evidently not useful for the processing of a specific Report are not collected or, if collected accidentally, are immediately deleted.

  5. WITH WHOM CAN WE SHARE PERSONAL DATA

Access to personal data will be granted exclusively to the O.G.I. (employees trained, authorized, and appointed by the Data Controller), to evaluate and gather further details about the report.

Subsequently, in the phase of assessing the validity of the Report, where necessary for investigative activities, personal data may be forwarded, respecting the principle of confidentiality, to other functions of the Companies to which specific instructions have been provided and therefore specifically authorized, such as internal sector managers.

Furthermore, personal data may be disclosed, where necessary and the conditions are met, to public authorities (including administrative, judicial, and public security authorities) and other third parties if required to protect the rights and legitimate interests of the Data Controller (e.g., freelance consultants registered in a specific register, such as lawyers, accountants, labor consultants, etc.), service providers, and platforms for managing reports and archiving the data contained therein.

The computer platform for managing reports is operated by the company DigitalPA S.r.l., headquartered in Cagliari, Via S. Tommaso D’Aquino 18/A 38 10122 Torino (TO), designated as the data processor under Article 28 of Regulation (EU) 2016/679.

  6. INTERNATIONAL TRANSFER

There is no provision for the transfer of personal data to third countries outside the EU/EEA area.

  7. DATA PROTECTION RIGHTS AND THE RIGHT TO LODGE COMPLAINTS WITH THE SUPERVISORY AUTHORITY

Each Data Subject has the right to request from the Company, subject to the conditions set forth in the GDPR and the Privacy Code:

  • access to personal data, as provided for in Article 15 of the GDPR;
  • rectification or integration of personal data held by the Company that are deemed inaccurate, as provided for in Article 16 of the GDPR;
  • erasure of personal data for which the Company no longer has any legal basis for processing as provided for in Article 17 of the GDPR;
  • restriction of how the Company processes personal data if one of the hypotheses provided for in Article 18 of the GDPR occurs;
  • a copy of the personal data provided to the Company, in a structured, commonly used, and machine-readable format and the transmission of such personal data to another data controller (the so-called portability), as provided for in Article 20 of the GDPR;
  • to lodge a complaint with the Italian Data Protection Authority as provided for in Article 77 of the GDPR, using the references available on the website garanteprivacy.it, or to resort to the appropriate judicial venues.
  • Right to object: in addition to the rights listed above, the Data Subject has the right to object at any time, for reasons related to their particular situation, to the processing of personal data concerning them by the Company for the pursuit of its legitimate interests, as provided for in Article 21 of the GDPR.

The aforementioned rights may be limited in accordance with Article 2-undecies, first paragraph, letter f) of the Privacy Code, if the exercise of such rights may result in a concrete and effective prejudice to the confidentiality of the identity of the person reporting violations that they became aware of in the course of their employment relationship or duties performed, pursuant to the Decree.

In such cases, the Data Subject's rights may also be exercised through the Privacy Guarantor in accordance with the methods set out in Article 160 of the Privacy Code. In this case, the Privacy Guarantor informs the Data Subject that all necessary checks have been carried out or a review has been conducted, as well as of the Data Subject's right to appeal to the courts.

  8. CONTACTS

The contact details of the Company, as Data Controller, are as follows: cosmisrl@sicurezzapostale.it; info@cos-mi.it.

For any further information regarding the processing of personal data and to exercise the rights, outside the cases mentioned above, you may contact the Company by registered letter with return receipt requested at the following address: COSMI Srl - Via Enrico Mattei n.30/A – Ancona (AN).