PROCEDURE FOR REPORTING UNLAWFUL ACTS AND IRREGULARITIES
Tecma Solutions S.p.A., headquartered at Via Privata Roberto Bracco No. 6, Miano, Tax Code and VAT Number IT07840930965 (hereinafter "Tecma" or "Company"), aims to promote a corporate culture characterized by proper behavior and a robust corporate governance system. Recognizing the importance of having internal regulations governing the reporting of illegitimate behaviors (as defined below) through appropriate communication channels for submission, reception, analysis, and treatment, the Board of Directors of Tecma has adopted and implemented this procedure (the "Whistleblowing Policy" or "Policy"). This procedure has regulatory content and serves as an operational tool.
1.1 The current legislation has provided measures, also for the private sector, to encourage the reporting of unlawful acts and irregularities through 'whistleblowing', as known in Anglo-Saxon countries. In Italy, various regulations govern such 'reports' (e.g., in the financial products and markets sector, for anti-money laundering or terrorism prevention purposes, concerning transport safety, or environmental protection). This discipline was recently integrated and modified by Legislative Decree 24/2023 (the "Decree") transposing Directive (EU) 2019/1937 concerning the protection of persons reporting violations of Union and national law (the "Directive"; together with the national laws transposing it and sectoral laws governing or, in any case, concerning reports, the "Whistleblowing Regulation").
1.2 The Whistleblowing Policy uses the terms with the same meaning attributed to them by the Decree, which has specifically defined them, including: reporting, violation, reporting person, involved person, etc.
1.3 For clarity, the term 'violations' is understood here in the meaning defined by the Decree but is not limited to the sole objective scope of the same, also applying to violations that are outside that material scope but are nevertheless regulated by the Whistleblowing Regulation, such as violations of Regulation (EU) No. 596/2014 on market abuse ("MAR"), which qualify as predicate offenses under Legislative Decree 231. In the latter case, external reports are regulated by the Commission Implementing Directive 2015/2392 concerning MAR and the reporting to competent authorities of actual or potential violations of that regulation (the "MAR Implementing Directive"), and the Whistleblowing Policy applies in the ways better specified in paragraph 5. In the event of a violation of the MAR discipline, it is specified, for clarity, that the discipline referred to in the "Procedure for the management, treatment, and communication of privileged information" adopted by Tecma will in any case apply, as it is compatible.
1.4 The Whistleblowing Policy is periodically updated to incorporate the regulatory innovations gradually applicable in the whistleblowing field and is made known to the recipients by publishing it on the Company's Intranet network, easily accessible through the link transmitted by the Company to all employees via a dedicated email. The Whistleblowing Policy will also be published on the Company's website https://www.tecmasolutions.com.
1.5 This Whistleblowing Policy has been communicated to the union representatives.
2.1 Tecma is committed to promoting and maintaining an adequate internal control system, understood as the set of all useful and necessary tools to direct, manage, and verify business activities, with the aim of ensuring compliance with laws and corporate regulatory instruments, protecting corporate assets, managing activities optimally and efficiently, and providing accurate and complete accounting and financial data.
2.2 The responsibility for establishing an effective internal control system is common at every level of the organizational structure of the Company. Consequently, all personnel and bodies and entities of Tecma, within the assigned functions and responsibilities, are committed to defining and actively participating in the correct functioning of the internal control system.
2.3 Tecma promotes the dissemination at all levels of a culture and rules characterized by awareness of the existence of controls and the assumption of a mindset oriented towards the conscious and voluntary exercise of controls. Consequently, management primarily and all Tecma personnel in any case are required to contribute and actively participate in the Company's internal control system and, with a positive attitude, involve their colleagues and collaborators in it.
2.4 Tecma hopes that its personnel will collaborate in maintaining a climate of mutual respect for the dignity, honor, and reputation of each individual in the company. The Company will intervene to prevent insulting, discriminatory, or defamatory interpersonal attitudes. Tecma thus guarantees adequate protection against reports made in bad faith or with willful misconduct or gross negligence, censuring such conduct and applying, in accordance with the law, what is provided for in this regard by the disciplinary system adopted by the Company.
3.1 The following individuals are recipients of the protections provided by this Whistleblowing Policy for reporting persons or those filing a complaint with the competent judicial, administrative, or accounting authority ("Authority") and/or making a public disclosure:
a) Employees of the Company or contractors or suppliers of the Company, under any type of contract;
b) Temporary workers;
c) Candidates for positions at the Company, for information on alleged violations acquired during the selection process or in other pre-contractual phases;
d) Self-employed workers and/or consultants and/or suppliers and/or collaborators providing their services to the Company;
e) Volunteers and/or interns at the Company;f) Shareholders and individuals with administrative, managerial, control, supervision, or representation functions at the Company; and
g) Former employees of the Company, if information about alleged violations was acquired during the employment relationship; as well as
h) All functions, personnel, collaborators, and/or suppliers of the Company, in any capacity involved as responsible for the legal, technical, and/or organizational management of the Whistleblowing Policy.
3.2 The following individuals are equated with the aforementioned subjects, for the purposes of the protections provided by this Whistleblowing Policy:
a) "Facilitators," or individuals operating in the same work context as the reporting person;
b) Individuals related to reporting individuals or the person who filed a complaint with the Authority and/or made a public disclosure through a stable emotional or familial bond up to the fourth degree and who operate in the same work context;
c) Colleagues of the reporting person and/or the person who filed a complaint with the Authority and/or made a public disclosure, working in the same work context as the reporting person and having a regular and current relationship with that person;
d) Entities owned by the reporting person or the person who filed a complaint with the Authority or made a public disclosure or for which these individuals work, as well as entities operating in the same work context as the aforementioned individuals.
3.3 Everyone is required to ensure the absolute confidentiality of the reporting person, using the criteria and communication methods for internal reports adopted by the Company and better described in the following paragraphs, suitable for protecting the honor of the reporting person and all parties involved in the reports.
3.4 Individuals who violate the rules established by this Whistleblowing Policy will be subject to the sanctions contained in the disciplinary system adopted by the Company, as provided by law. The disciplinary system, the code of ethics, as well as the individual internal procedures, policies, and regulations of the Company, are published on the Company's Intranet network, easily accessible through the link transmitted by the Company to all employees via a dedicated email. They will also be published – where this is deemed necessary or appropriate – on the Company's website https://www.tecmasolutions.com.
4.1 In accordance with the provisions of applicable regulations, Tecma appoints a responsible for internal reporting systems, tasked with ensuring the proper functioning of the violation reporting system and the activities of receiving, examining, and evaluating reports (the "WB Responsible").
It is the responsibility of Tecma's administrative body to ensure the assignment of the WB Responsible role for a maximum period of three years, choosing between one of the following solutions:
Tecma ensures the communication of the person periodically entrusted with the role of WB Responsible and ensures that internal reporting channels are suitable for directing reports to them.
In managing the report, the WB Responsible ensures:
The WB Responsible is not obliged to guarantee appointments/meetings with the reporting person/facilitator or involved person outside working hours or on days of legitimate absence from the workplace (e.g., during leave or vacation) or in places inadequate to ensure the safety and confidentiality of the interaction, if outside the workplace.
In carrying out their functions, the WB Responsible reports directly and promptly to the Board of Directors and the Board of Statutory Auditors about the findings, if relevant.
The WB Responsible also prepares a quarterly report on the proper functioning of the internal reporting system, providing aggregated information on the results of the activity following the received reports. The report is submitted to the attention of the Board of Directors and the Board of Statutory Auditors, subsequently made available to Tecma employees.
5.1 To facilitate the receipt of internal reports, Tecma identifies the following communication channels ("Reporting Channels"):
(a) Whistleblowing Portal
The reporting person can use the dedicated portal (the "Portal") established by the Company and reachable at the following address tecmasolutions.integrityline.com. Reports will be managed by the WB Responsible, the individual responsible for receiving internal reports. The preparation and maintenance of this Reporting Channel are guaranteed by the WB Responsible. The Company recommends that the reporting person who intends to keep their identity confidential indicate this through the appropriate function of the Portal.
(b) Postal Channel
If the reporting person does not intend or cannot use the electronic channel, which remains, in the Company's opinion, the channel to be preferably used, the reporting person can still use the following postal address: Tecma Solutions S.p.A., Via Privata Roberto Bracco No. 6, 20159, Milan, addressing the communication exclusively to the attention of the WB Responsible.
(c) Oral Channel
In addition to the aforementioned Reporting Channels, the reporting person can also make internal reports orally through a direct meeting with the WB Responsible, upon request of the reporting person, to be organized within a reasonable timeframe. If the internal report is made orally during a meeting with the assigned personnel, it, with the reporting person's consent, is documented by the assigned personnel through recording on a device suitable for preservation and listening or through minutes. In the case of minutes, the reporting person can verify, rectify, and confirm the minutes of the meeting by signing them. Regardless of the chosen reporting channel, the Company ensures, also through the use of encryption tools, the confidentiality of the identity of the reporting person, the involved person, and anyone mentioned in the internal report, as well as the content of the internal report and related documentation.
5.2 The WB Responsible (or the Board of Statutory Auditors, see paragraph 6 below in case of conflicts of interest) must be provided, for competent evaluations, with any documentation regarding the reported facts, as well as the results of any investigations already carried out.
5.3 All information regarding Reporting Channels, procedures, and prerequisites for making reports is made easily visible in the workplace and accessible on the Company's website https://www.tecmasolutions.com.
5.4 In addition to the above, the reporting person can also make an external report through the reporting channel activated and prepared, through a specific telematic platform, by the National Anti-Corruption Authority (ANAC), in the presence of one of the following conditions:
More details on the methods of communication, reception, and management of reports transmitted through the external reporting channel are available in the dedicated section on the ANAC website, at https://www.anticorruzione.it/-/whistleblowing.
5.5 Reports concerning conduct related to market abuses prohibited by MAR (i.e., market manipulation, insider trading, unlawful disclosure of privileged information) can be made through the Company's internal channels as offenses under Legislative Decree 231; however, public disclosures should not be made. Additionally, reports can be made externally directly to Consob (not ANAC) through the channel established at the following address https://www.consob.it/web/area-pubblica/whistleblowing. In such cases, the reporting person will be subject to both the protections provided by the MAR Implementing Directive and those provided by the Decree and the Whistleblowing Policy.
6.1 In the event that the report concerns the WB Responsible, the reporting person should not use the postal channel addressed to the WB Responsible.
6.2 In such cases, the report must be made through the Portal, indicating through the appropriate channel functionalities that the potential violator is the WB Responsible, in order to direct the management of the report directly to the Board of Statutory Auditors.
6.3 Anyone receiving an internal report outside the Reporting Channels must transmit it to the WB Responsible (or the Board of Statutory Auditors in the case of reports concerning the WB Responsible) within three days of its receipt. The WB Responsible (or the Board of Statutory Auditors) must notify the reporting person of the transmission within seven days from the date of receipt of the internal report. The management of the report outside the Reporting Channels must, however, take place by adopting criteria of utmost confidentiality, suitable to protect the honorability of the reporting person, the involved person, or any other person mentioned in the report, and the effectiveness of the investigations.
7.1 Reports must be based on precise and concordant factual elements and concern current, attempted, or potential violations. Among other cases provided for in the Whistleblowing Regulations, violations include conduct consisting of:
a) Violations of the ethical code or internal regulations, procedures, or policies mentioned therein (including the Whistleblowing Policy);
b) Insofar as mentioned in the Decree, offenses in the following areas: public procurement; services, products, and financial markets and prevention of money laundering and terrorist financing; product safety and compliance; environmental protection; radioprotection and nuclear safety; consumer protection; public health; protection of privacy and personal data and security of networks and information systems; discipline of the European internal market, in particular with reference to competition rules, state aid, corporate taxes, as well as the protection of the financial interests of the State and/or the European Union.
7.2 All those who detect or become aware of possible violations by individuals who have relationships with Tecma are required to act in accordance with the Whistleblowing Policy, reporting promptly through the Reporting Channels the facts, events, and circumstances that they believe, in good faith and based on reasonable evidence, have determined such violations.
7.3 The internal report must allow for the necessary and appropriate verifications regarding the validity of the circumstances reported, responsibilities, as well as all other elements, including documentary evidence, in possession of the reporting person. To this end, the internal report, in addition to being timely, must have the highest possible degree of completeness and exhaustiveness and preferably contain the following elements:
a) A clear and complete description of the behavior, including omissions, being reported;
b) The time and place circumstances in which the facts were committed or omissions occurred;
c) The name(s) or other elements (such as the position and the relationship, contractual or otherwise, with Tecma) that allow the identification of the person(s) who committed the reported facts or omissions;
d) The indication of any other individuals who can report on the facts reported;
e) The indication of any documents that can confirm the validity of such facts;
f) The indication of the quantification of any damages, pecuniary or non-pecuniary (e.g., reputational) suffered by the Company or, if such damages cannot be precisely determined in their amount, the data based on which the existence (or the risk of occurrence) of the same emerges, although their quantification is uncertain;
g) Any other information that can provide useful corroboration about the existence of the reported facts.
(a) Preliminary Analysis
8.1 As part of the management of Reporting Channels, the WB Responsible (or the Board of Statutory Auditors) issues an acknowledgment of receipt of the internal report to the reporting person within seven days of receiving it.
8.2 All internal reports undergo a preliminary analysis conducted by the WB Responsible (or the Board of Statutory Auditors) to verify the presence of data and information useful for an initial assessment of the validity of the report.
8.3 During the aforementioned analysis, and in compliance with the law, including applicable privacy regulations, the WB Responsible (or the Board of Statutory Auditors) may seek the support of relevant company functions and, if deemed appropriate, external specialized consultants, ensuring confidentiality and, where possible, anonymization of personal data in the internal report.
8.4 If, at the conclusion of the preliminary analysis, there is a lack of sufficiently detailed elements or the invalidity of the facts referred to in the report is established, the report is archived by the WB Responsible (or the Board of Statutory Auditors), with accompanying justifications.
8.5 The reporting person is informed by the WB Responsible (or the Board of Statutory Auditors) about the archiving within three months from the date of the acknowledgment of receipt or, in the absence of such notice, within three months from the expiration of the seven-day period from the submission of the report.
(b) Specific Investigations
8.6Where, following preliminary analyses, elements useful and sufficient for an evaluation of the validity of the internal report emerge or are otherwise deducible, while respecting the right to defense of the involved person, the WB Responsible (or the Board of Statutory Auditors) takes the following actions:
a) Initiates specific analyses, involving relevant company functions, if necessary, in compliance with the law, including applicable privacy regulations.
b) Concludes the investigation at any time if the invalidity of the report is established (in this case, the archiving rules mentioned above apply).
c) Engages external experts or consultants not affiliated with the Company (in compliance with the rules mentioned above).
d) Maintains communication with the reporting person and requests, if necessary, additional information.
e) Coordinates with the head of the company function concerned by the report and senior management to determine any necessary corrective actions to address identified control weaknesses, ensuring monitoring of their implementation.
f) Provides feedback to the reporting person within three months from the date of the acknowledgment of receipt or, in the absence of such notice, within three months from the expiration of the seven-day period from the submission of the report.
g) Coordinates with the head of the company function concerned by the report on any initiatives to be taken to protect the interests of the Company (e.g., legal actions) to propose to senior management.
h) Provides all relevant information for the head of the company function, equipped with the appropriate powers, to assess the initiation of a disciplinary proceeding against the reporting person if bad faith or merely defamatory intent is established in the reports, possibly confirmed by the invalidity of the report.
i) Submits to senior management and the Board of Directors the results of the investigation into the report if it relates to employees and is found to be valid, for the appropriate measures to be taken against the reported employees.
(a) Confidentiality Obligations Regarding the Reporting Person's Identity
9.1 In compliance with the confidentiality obligation that the Company ensures throughout the proceedings initiated due to the internal report, the identity of the reporting person and/or any other information from which the identity can be directly or indirectly inferred cannot be disclosed without the express consent of the reporting person to individuals other than those authorized to receive or follow up on the reports, expressly authorized to process such data under Article 29 of the General Regulation (EU) 2016/679 ("GDPR") and Article 2-quaterdecies of the Personal Data Protection Code pursuant to Legislative Decree 30 June 2003, No. 196 ("Privacy Code").
9.2 The data of the involved person and other individuals mentioned in the report or internal investigations are processed in accordance with the privacy policy, GDPR, and the Privacy Code.
9.3 In the context of the disciplinary proceeding, the identity of the reporting person cannot be disclosed if the disciplinary charge is based on separate and additional findings from the internal report, even if arising from it. If the charge is based, in whole or in part, on the internal report, and knowledge of the reporting person's identity is essential for the defense of the involved person, the internal report can only be used for disciplinary proceedings with the express consent of the reporting person to disclose their identity.
9.4 The reporting person is notified in writing of the reasons for revealing reserved data in the event of revealing the identity of the reporting person, as well as within the framework of reporting procedures transmitted through Reporting Channels and/or through the external reporting channel when revealing the identity of the reporting person and/or other information is essential for the defense of the involved person.
9.5 Tecma ensures adequate protection of the confidentiality of the reporting person's identity by censoring any conduct that violates measures in place to protect the reporting person, applying the provisions of the disciplinary system adopted by the Company. In addition to the above, the Company ensures that the identity of individuals mentioned in the report is also protected until the conclusion of the relevant proceedings.
(b) Prohibition of Discrimination Against the Reporting Person
9.6 Any form of retaliation or discriminatory measure, whether direct or indirect, affecting working conditions for reasons directly or indirectly related to the report, is prohibited against the reporting person (and individuals equated with the reporting person under the previous provisions). Acts taken in violation of this prohibition are null and void.
9.7 Protective measures apply under the following conditions:
a) At the time of the internal or external report or public disclosure, the reporting person has reasonable grounds to believe that the information on the reported violations is true and falls within the scope of this Whistleblowing Policy.
b) External reporting has been made only where permitted by law.
c) The report has been publicly disclosed only if the reporting person has:i. Previously made an internal report through the Reporting Channels established by Tecma and/or through the external reporting channel mentioned in the Whistleblowing Policy, and the reporting person has not received any feedback;ii. Reasonable grounds to believe that the violation may constitute an imminent and/or obvious danger to public interest;iii. Reasonable grounds to believe that the internal or external report may carry the risk of retaliation and/or may not be effectively pursued due to specific circumstances, such as those in which evidence may be concealed or destroyed, or there is a reasonable fear that the recipient of the report may be colluding with the violator or involved in the violation.
9.8 Discriminatory measures against the reporting person can be reported to the ANAC for actions within its jurisdiction.
(c) Reservations and Relevant Facts on a Disciplinary Level
9.9 Protective measures are not guaranteed to the reporting person who is subject to a disciplinary sanction when their criminal liability is established, even at first instance, for the offenses of defamation or slander, or in any case for the same offenses connected with the report to the judicial or accounting authority, or their civil liability for the same reasons, in cases of fraud or gross negligence.
9.10 The Company reserves the right to take appropriate actions provided in the disciplinary system against anyone who engages in or threatens to engage in retaliatory acts against those who have submitted reports in accordance with the Whistleblowing Policy, subject to the right of those affected to protect themselves legally if the reporting person is found to have criminal or civil liability related to the falsity of the statements or reports.
9.11 In addition to what is indicated in the two preceding paragraphs and the following one, disciplinary violations also include: (1) violations of the Whistleblowing Policy, (2) obstruction or attempted obstruction of the report contrary to the law, (3) violations of confidentiality obligations, and (4) failure to verify and analyze reports.
9.12 It is understood that the Company may take appropriate disciplinary and/or legal measures to protect its rights, assets, and image against anyone who, in bad faith, has made false, unfounded, or opportunistic reports and/or with the sole purpose of slandering, defaming, or causing harm to the involved person or other individuals mentioned in the report. Any other misuse or intentional exploitation of the institution subject to this procedure also constitutes a source of liability in disciplinary and other competent proceedings.
(d) Protection of the Involved Person
9.13 The involved person must be informed as soon as possible of the charges brought against them, whether or not based on the internal report, respecting the principles of adversarial proceedings and defense applicable generally to disciplinary and/or sanctioning procedures. The involved person may be heard, or, at their request, is heard, also through a written procedure by acquiring written observations and documents.
9.14 Information about the proceedings initiated against the involved person (or other individuals mentioned in the report) may be delayed or excluded if there is a substantial risk that such communication compromises the Company's ability to effectively investigate the involved person and/or collect the necessary evidence until such risks cease to exist, always in compliance with applicable legal provisions.
10.1 The data controller for personal data related to the Whistleblowing Policy (the "Controller") is identified as the Company that will process the personal data of all individuals involved in the reporting in accordance with the principles set by the GDPR. The Controller provides suitable information to the data subjects as per Articles 13 and 14 of the GDPR and adopts appropriate measures to protect the rights and freedoms of the data subjects. The WB Responsible takes on the role of "data processor" (or "controller" if the role is assumed by an external party), expressly authorized by the Controller to process the personal data of the reporting person, any other individuals covered by protection under the Decree, as well as the personal data of the individuals involved. In the management of reports and the related procedure, the Controller is assisted by the WB Responsible (or the Board of Statutory Auditors) and auxiliary personnel, expressly authorized to process personal data under Article 29 of the GDPR and Article 2-quaterdecies of the Privacy Code.
10.2 In addition to the above, the Controller may seek the collaboration of external expert consultants, authorized to process personal data, upon appointment as "data processor" under Article 28 of the GDPR.
10.3 The Controller ensures that any third party possibly involved in the management of the reporting procedure (e.g., personnel responsible for areas of the company affected by the report) processes personal data only if expressly authorized, in compliance with the instructions given by the Controller.
10.4 In the context of a report, the involved person, presumed perpetrator of the wrongdoing, with reference to their personal data processed by the Company, in accordance with the legislator under Article 2-undecies of the Privacy Code, may face limitations (e.g., delays) and/or preclusions (non-acceptance by the Controller) in exercising the rights provided by Articles 15-22 of the GDPR if the exercise of these rights could result in an actual and concrete prejudice to the confidentiality of the reporting person and individuals equated with them, and/or to the conduct of investigations or the exercise of a right in a judicial proceeding by the Company. The involved person still has the possibility to exercise their rights by seeking the intervention of the Italian Data Protection Authority (Garante per la protezione dei dati personali), as provided by Article 160 of the Privacy Code.
10.5 For further information on the processing of personal data, please refer to the whistleblowing information, available at the following link: tecmasolutions.integrityline.com.
11.1 The WB Responsible (or the Board of Statutory Auditors) and all functions possibly involved in activities governed by the Whistleblowing Policy ensure, within their respective competencies and through the information systems used, the traceability of data and information. They also take care of the preservation and archiving of the produced documentation, whether in paper and/or electronic form, to allow the reconstruction of the different phases of the process.
11.2 The preservation of the original documentation of reports is guaranteed in dedicated paper/electronic archives with the highest standards of security and confidentiality.
11.3 The original documentation, whether in paper and/or electronic form, must be kept for the time necessary for the processing of the report and in any case, not exceeding five years from the date of communication of the final outcome of the reporting procedure, in compliance with the confidentiality and minimization obligations under Article 5 of the GDPR.
11.4 Documentation related to each report may be subject to longer retention periods (i) in compliance with legal obligations and current provisions, (ii) for administrative purposes, and/or (iii) to assert and/or defend the rights and/or legitimate interests of the Company or third parties, even in the case of claims, disputes, or pre-litigation.
11.5 Reports made in bad faith are archived with care to delete names and elements that may allow the identification of the reporting person and individuals involved.
11.6 Unfounded reports, subject to archiving, are kept in the archive until the prescription period for the hypothetically unlawful act or the right to compensation arising from it, depending on the longer term, accompanied by an explanatory note of the reason for the exclusion.
