Send a report with the utmost confidentiality.

WHISTLEBLOWING POLICY

PROCEDURE FOR THE REPORTING OF ALLEGED OFFENCES AND IRREGULARITIES

(whistleblowing)

 

Legislative measures on reporting irregularities or violations of regulations, designed to encourage ethical conduct in the workplace and improve compliance with legal and corporate governance structures, have expressed the need to adopt a system for reporting violations ("whistleblowing") and to govern the related organisational and procedural aspects.

 

Law No. 179 of November 30, 2017 is entitled “Provisions for the protection of whistleblowers reporting offences or irregularities that come to their attention within the bounds of a private or public employment contract” (Whistleblowing Law) and came into effect on December 29, 2017. The adoption of the legislation in question sought to identify tools to protect workers reporting crimes or irregularities of which they have become aware during their work. In accordance with this legislation, BasicNet has set up whistleblowing channels to ensure the reporting of irregularities or violations of BasicNet S.p.A.’s Ethics Code and the Organisation, Management and Control Model pursuant to Legislative Decree No. 231/2001.

 

Legislative Decree No. 24/2023 transposed into Italian law Directive (EU) 2019/1937 concerning the protection of persons reporting violations of Union law of which they become aware in the course of public or private employment (the “Whistleblowing Directive”).

The decree repealed and amended the previous national regulations (Article 6, paragraphs 2-ter and 2-quater of Legislative Decree No. 231/2001 and Article 3 of Law No. 179/2017 were repealed and Article 6, paragraph 2-bis of Legislative Decree No. 231/01 was amended), creating a single regulatory text for the public and private sectors that set out the regime in question. This regime protects individuals who report unlawful conduct of which they have become aware in the course of their work, which violates not only European but also national provisions and the Organisation, Management and Control Model adopted pursuant to Legislative Decree No. 231/2001, provided that the report is well founded and the violation is detrimental to the public interest or the integrity of the entity. Legislative Decree No. 24/2023 took effect on July 15, 2023, with the exception of the broader deadline of December 17, 2023 for private sector entities employing up to 249 workers in the last year.

The procedure below is designed to implement Legislative Decree No. 24 of March 10, 2023 for BasicNet and the Group companies (hereinafter the “BasicNet Group”).

 

1 – Purpose

 

The purpose of this document (hereinafter the “Procedure”) is to govern the process for receiving, analysing and handling Reports sent or transmitted by anyone to the Supervisory Board or - in the absence of such a Board - to the body in charge of handling them.

These Reports relate particularly to the following areas of the control system:

a) alleged violations, requests or inducements to violate national or EU laws or regulations, the provisions of the Ethics Code or internal procedures, with reference to activities and services of interest to the Group (e.g. failure to comply with contractual clauses, defamation, threats, privacy violations, fraud, improper use of company equipment);

b) alleged violations of the 231 Organisational Model (where adopted), including as a result of potentially criminal conduct and/or the commission of an offence set out in the 231 Organisational Model.

 

This procedure is designed to a) guarantee the confidentiality of the personal data of the reporter and of the alleged perpetrator of the violation, without prejudice to the rules governing judicial investigations or proceedings initiated in relation to the events described in the report; b) adequately protect the reporter against retaliatory and/or discriminatory conduct deriving from the report; c) ensure a dedicated, independent and autonomous channel for the Report.

 

2 - Definitions

 

Group Ethics Code

The Group Ethics Code sets out the principles of conduct with which the Group considers it essential to comply when operating in pursuit of its objectives.

 

It comprises a set of values and rules, the respect and observance of which constitute essential and non-negotiable elements in guiding the Company's activity. It is designed to imprint transparency, fairness, loyalty, integrity and credibility on the relationships that the BasicNet Group maintains, whether permanently or for a limited time, with stakeholders and with any other public or private third party in order to promote ethics in business processes.

 

Organisation, Management and Control Model

Legislative Decree No. 231 of June 8, 2001, containing "Regulations governing the administrative liability of legal entities, companies and associations, including those without legal personality, pursuant to Article 11 of Law No. 300 of September 29, 2000", introduced a system of administrative liability for companies regarding certain types of offences.

 

Reporting

For the purposes of this document, “Report” means any information obtained in the course of work concerning possible violations, behaviour or practices that do not comply with the provisions of the Model, the corporate procedures that guarantee its implementation, or the BasicNet Group’s Ethics Code, or violations of national or European Union regulatory provisions, which harm the public interest or the integrity of the entity.

Reports must be circumstantiated and based on grounds that are sufficiently reasonable to believe that information regarding violations is true.

 

Reporting in "bad faith"

“Bad faith reporting” refers to reports without sufficient grounds to believe that the information given in them is true, made in order to damage or otherwise cause harm to employees, members of corporate bodies (the Board of Directors, Board of Statutory Auditors), independent auditors and third parties (e.g. customers, suppliers, consultants, collaborators) in a business relationship with the Company.

 

3 - Reporting

 

This procedure is designed for use by:

  • employees
  • collaborators and consultants, engaged with any type of contract or appointment and for any reason
  • collaborators in any capacity of companies supplying goods or services or carrying out work on behalf of the Company
  • shareholders and members of corporate bodies

who intend to report behaviour or events that may result in a violation of the Ethics Code or the organisation Model, and more generally any violations of national or European Union regulatory provisions that harm the public interest or integrity of the entity.

Reports must be made in good faith and may not be anonymous.

The person responsible for receiving and handling reports (the receiving party) is the Internal Audit function of the parent company and - where appointed - the Supervisory Board of each company. These individuals are specifically trained to handle reports.

After an analysis of the reports, the receiving party may - where appropriate - forward them to the manager of the Dot.com involved in the report (if he or she is not the person involved in the report), or alternatively to the Group’s human resources manager.

The receiving party must protect the confidentiality of the reporter, the persons involved and/or otherwise mentioned in the report, the content of the report and the related documentation.

Failure to disclose a report received, or violation of the confidentiality obligation, constitutes a violation of the Procedure and may lead to disciplinary action.

In order to diligently manage the internal reports received, BasicNet and its subsidiaries have provided an IT Portal, accessible from the “Whistleblowing” page both on the website of BasicNet.com and the subsidiaries’ respective sites.

This channel is accessible:

through the Legality Whistleblowing web platform, where a report can be made in writing or orally (by recording an audio message to which voice distortion will be applied), which is accessible at:

https://basicnet.segnalazioni.net/

 

Reports may also be sent:

- by regular mail, addressed to the receiving party for each company, at their registered office.

 

An oral report can also be made by requesting a face-to-face meeting with the receiving party.

In the event that a report is not sufficiently substantiated, the receiving party may request that the reporter provide further details to analyse the case in depth.

As required by law, the BasicNet Group has set up systems to protect the reporter’s confidentiality. Specifically, the following measures are in place to protect the identity of the reporter:

  • the reporter’s identity may not be disclosed, without his or her explicit consent, to persons other than the person receiving the report;
  • in disciplinary proceedings, the reporter’s identity may not be disclosed if the accusation of the disciplinary charge is based on separate and additional investigations other than the report, including where these are based on the report, or without their explicit consent if the accusation of the disciplinary charge is based in whole or in part on the report and knowledge of the reporter’s identity is essential for the defence of the accused. In the cases above, prior written notice will be given to the reporter of the reasons why the disclosure of his or her identity is necessary. Without such consent the report will not produce any effect and will be stored for the time prescribed by law, after which it will be deleted;
  • the BasicNet Group also applies “by design” the principle of data minimisation and processing: where the merits of the report are independently established, following the investigation, the receiving party will ensure that the reporter’s identifying data cannot be acquired and the reporter’s identity cannot be searched for or investigated;
  • any reporter who believes that s/he has suffered retaliation because of the report may communicate these facts to the person responsible for receiving and handling reports.

The Report received is logged and stored using technical means that ensure maximum security.

 

4 - Investigation

 

4.1 Preliminary verification

Following receipt of the reports, the receiving party acknowledges to the reporter that their report has been received, carries out the appropriate preliminary checks, and decides whether or not to conduct further checks and whether or not to begin the next phase of investigation.

On conclusion of the preliminary verification phase, the receiving party - should it decide not to proceed - files the report and retains the relative motivations.

 

4.2 Assessment of the Report

Assessment activities are performed by the Group Internal Audit function and take priority over the ordinary activities planned during the year.

For the assessment to be successful, the Group Internal Audit function may request documents and/or conduct audits at its own discretion.

 

4.3 Bad faith

If the preliminary verification or assessment reveals objective elements proving "bad faith" on the part of the reporting party, the Group Internal Audit function shall inform the Chairperson of the Company for appropriate measures.

 

4.4 Follow-up

The receiving party shall provide feedback on the report within three months of the date on which receipt was acknowledged.

The receiving party ensures that the progress of the action plan is monitored for each audit finding.

The reporter shall receive periodic updates on the progress of the investigation and any action taken. Upon completion of the investigation, the reporter will receive a final report as required by Legislative Decree No. 24/2023 or corresponding legislation.

 

 

5 - Recording and archiving

Any information or report sent by digital means shall be kept by the receiving party in a special (computer) file protected from unauthorised access for as long as necessary to allow the report to be processed, but for no longer than five years following the date on which the final outcome of the reporting procedure is announced. After that time, the data will be deleted.

 

6 - Annual report

The Supervisory Board reports to the competent bodies (corporate bodies and the Control and Risks Committee, where appointed) once a year on the number of reports received, the number of reports filed, and the number and outcome of those it has decided to investigate and forward.

This report enables the identification of interventions to verify and correct the issues that have emerged and monitor the evolution of the Reports forwarded.

 

7 - Processing of personal data and conservation of documentation

All personal data processing, including through the Portal, is carried out in compliance with the confidentiality obligations under Article 12 of Legislative Decree No. 24/2023 and in accordance with the legislation on the protection of personal data set out in Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR), Legislative Decree No. 196 of June 30, 2003 and Legislative Decree No. 51 of May 18, 2018.

Personal data protection is guaranteed for the Reporter, the Facilitator and the Person involved or mentioned in the report.

Prospective data subjects are given information on the processing of personal data in the section of the BasicNet website that contains the link to the platform.

In compliance with Article 13, paragraph 6, of Legislative Decree No. 24/2023, a Privacy Impact Assessment (PIA), prepared pursuant to Article 35 of Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR), has been conducted to define the technical and organisational measures required to reduce the risk to the rights of data subjects, including the security measures necessary to prevent unauthorised or unlawful processing.

To ensure the management and traceability of reports and consequent activities, the Internal Audit Function oversees the preparation and updating of all information regarding Reports. It also ensures, using the Portal, that all related supporting documentation is retained for the time strictly necessary for reports to be defined, and in any case for no more than 5 years, starting from the date that the final outcome of the Report is communicated to the receiving party. After this time the data will be deleted.

Personal data that are manifestly not useful in processing a specific report may not be collected and, if they are accidentally collected, must be promptly deleted.

Originals of reports received on paper are kept in a special protected room.