WHISTLEBLOWING PROCEDURE


1. PREAMBLE AND PURPOSE


On March 15, 2023, Legislative Decree no. 24/2023 (hereinafter also referred to as the "Whistleblowing Decree" or simply the "Decree") was published in the Official Gazette, implementing EU Directive 2019/1937 concerning the protection of individuals (Whistleblowers) reporting violations of European Union law or national regulations.

The purpose of the following procedure is to describe the system for collecting and managing reports of improper conduct or suspicions of wrongdoing that harm public or societal interests, offenses falling within the scope of Legislative Decree no. 231/2001, or aspects related to the company's social responsibility in order to:

  • Protect the Reporting Party
  • Encourage a culture of good communication and Corporate Social Responsibility
  • Contribute to the improvement of the organization by promoting trust and transparency.

Reports must be made in the public interest or in the interest of the integrity of the company.


2. DEFINITIONS


REPORTER: The individual who reports information on violations acquired within their current or past work context. This includes permanent and temporary employees, administrators, members of social and supervisory bodies, as well as anyone else who, in various capacities, has working relationships with the company (freelancers, consultants, interns, contractors, suppliers, customers, individuals with administrative, managerial, supervisory, or representative functions).

REPORTED: The person mentioned in the report implicated in the reported violation.

REPORT: Any communication regarding behaviors and/or information that may constitute criminal offenses or inappropriate, incorrect, or alleged violations of ethical principles, legal norms, company policies, and procedures.

MALICIOUS REPORT: Any communication that proves unfounded based on objective elements. Reports that are deliberately false or unfounded, with defamatory content solely for the purpose of harming the subjects mentioned in the report, are considered made in bad faith. In such cases, the company reserves the right to initiate necessary disciplinary/legal actions.

IRRELEVANT REPORT: Any received communication regarding behaviors that do not constitute violations. Personal matters (complaints or personal claims) are specifically considered irrelevant reports. Also considered irrelevant are communications that, based on the generality of their content, do not allow for adequate verification.

VIOLATIONS: Behaviors, acts, or omissions that harm public interest or the integrity of the company.


3. CONTENT OF THE REPORT


Reports must be made in good faith, be detailed, and well-founded. They should include all relevant elements for conducting necessary checks and investigations to assess their validity and objectivity, allowing for appropriate measures, including investigations. It is necessary to attach, where available, appropriate documentation supporting the report, including the indication of witnesses or individuals who can provide information on the reported facts. Examples of reportable conduct include corruption and fraud, embezzlement and theft, health, safety, and environmental violations, money laundering, discrimination, harassment, mobbing, violations of tax regulations and competition law, and disclosure of trade secrets.


4. REPORTING CHANNEL


As an employee or collaborator (customer, supplier, etc.), you can report misconduct (or claim to have reasonable suspicion) Directly to the company or through external channels.


INTERNAL REPORTING OF OFFENSES:


Through the following link, you have the opportunity to send information about improper behavior or report actions that you consider immoral, illegal, or in violation of internal regulations and company policies. The purpose of this platform is to bring to light issues that would otherwise not have been revealed. Those who intend to report violations (administrative, accounting, civil, or criminal) of which they are aware must use this computer application, which protects the confidentiality of the reporter's identity. Reports are confidential in the computer system, and reporters, using a unique identification code generated by the system, can "communicate" with those managing the report anonymously and depersonalized through the computer platform. The identity of the reporter will be protected in any context following the report. Confidentiality extends to the names of individuals involved and mentioned in the report until the conclusion of proceedings initiated due to the report, respecting the same guarantees provided to the reporting person. Anonymous reports will be considered only if adequately detailed and provided with all the necessary information to verify them.

Through this page, you can:

  1. Create a new report
  2. Stay updated on an existing report:
  3. Receive notice of "receipt" or "rejection" of the report after 7 days from submission
  4. If the report is taken into account, receive corrective/improvement actions that the company takes within 90 days from the submission of the report to prevent the offense from recurring.
  5. Receive requests for clarification/additional information regarding the report from the REPORT MANAGER if necessary

ACCESS TO THE PLATFORM

Enter the address https://wb-hs.mc3-innovation.it/ARXivarNextWebPortal from any browser. On the first access, use USER: segnalatore_thy and PASSWORD: segnalatore_thy. The system will provide a NICKNAME to be used for subsequent accesses when the reporter wants to check for updates on the report.


5. PROTECTIONS FOR THE REPORTER AND REPORTED


The company ensures the confidentiality of the reporter's identity and the confidentiality of information throughout the case management process, unless there is an obligation to disclose in the context of investigations by National Authorities or judicial proceedings.

The company undertakes to protect the good-faith reporter and those who participated in the investigation against any form of retaliation, discrimination, or penalization directly or indirectly related to the report.

The company adopts the same forms of protection provided to guarantee the confidentiality of the reported individual's identity.


6. PRIVACY POLICY


Pursuant to Art. 13 European Regulation 679/2016 (Concerning personal data necessary for the management of reports of unlawful conduct ex EU Reg. 2019/1937 - legislative decree 24/2023)

Data Controller:

The data controller is Thytronic SpA, located in Milan, Piazza Mistral 7. Any requests for information and/or clarifications regarding data processing can be made by sending an email to the following address: privacy@thytronic.it.

Processing and Purposes:

The controller wishes to inform you that, if you make a report not in ANONYMOUS format but by providing your details, your personal data (identifying and contact information such as name, surname, phone number, email address, qualification, or professional position) will be collected and processed to comply with the regulations of EU Regulation 2019/1937 and Legislative Decree 24/2023. This is done to carry out necessary investigative activities to verify the validity of the reported incident and to take the appropriate measures.

Legal Basis for Processing:

The processing is carried out to fulfil legal obligations as per EU Regulation 2019/1937 and 24/2023.

Data Provision:

Providing data is optional since reports can also be anonymous.

Data Communication and Scope of Dissemination:

Data will only be processed by individuals expressly authorized by the Controller and may be transmitted to the judicial authority while respecting the confidentiality of the reporter. Data will not be subject to dissemination or transfer to third countries

Retention Period:

The reporter's data will be kept for the time strictly necessary to achieve the purposes outlined in this information. The data will be deleted within 12 months if the whistleblowing process concludes with the archiving of the report. In all other cases, the maximum retention period is proportional to the duration of any criminal or disciplinary proceedings, etc.

Rights of the Data Subject:

You are granted the full right to request access to personal data from the data controller, as well as rectification or erasure of such data (right to be forgotten - Article 17) or restriction of processing concerning you, or to object to their processing, in addition to the right to data portability. This right can be exercised by sending an email to privacy@thytronic.it. Furthermore, the Controller will cease processing upon receipt of such a request.

Complaint to the Supervisory Authority:

The data subject has the right to lodge a complaint with the Supervisory Authority if their requests for information addressed to the Controller have not resulted in satisfactory responses. The relevant authority is the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali): http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524