REPORT MANAGEMENT PROCEDURE COMPLIANT WITH THE PROVISIONS OF THE LEGISLATIVE DECREE. March 10 2023, no. 24 (WHISTLEBLOWING)
Regulatory Source
Legislative Decree no. 24/2023 constitutes the latest legislation to come into force (implementing in Italy «European Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019).
This concerns the protection of people who report violations of European Union and containing provisions regarding the protection of people who report violations of national regulatory provisions” (the “Legislative Decree no. 24/23”).
The regulatory system had previously seen the entry into force of law no. 179/2017, whose art. 2 had inserted, in the art. 6 of Legislative Decree 231/2001 — a specific provision regarding measures related to the presentation and management of reports.
The legislation — on the subject of «Whistleblowing», literally translated as «report» which means that set of rules aimed — on the one hand, at regulating the methods of reporting illicit conduct within a specific context (such as the workplace) and — on the other, to protect the so-called «Whistleblower» reporting party from possible retaliation resulting from this.
Reference context
The Legislator, in Legislative Decree 24/2023 (so-called «Whistleblowing Law«), defined, inter alia:
The objective scope of application (art. 1) — which specifies that the legislation is aimed at protecting people who report violations of national or community regulatory provisions — which harm the public interest, the integrity of the public administration, or of the private entity — of which they became aware in a public or private working context.
Claims or requests originating in a personal and/or individual interest are excluded from the scope of application of the decree in question.
The subjective scope of application (art. 3) of the law, identifying the subjects protected in the public and private spheres;
- The obligations of organisations and companies in terms of the prohibition of retaliatory acts, non-discrimination of whistleblowers and protection of their confidentiality.
- The obligation for the company to identify and manage one or more channels — also through IT methods, which allow the reporting subjects to expose the facts that are considered violative, selling the confidentiality of their identity — as well as that of the person, protected reported and any other person involved in any capacity. In addition, the content of the report and any related documentation that is/or has been Personal data must however be processed in accordance with EU Regulation 2016/679.
- The need to provide information (and carry out consultation — upon request) towards the trade union representatives or organisations referred to in Article 51 of Legislative Decree no. 81 of 2015, before activating the aforementioned reporting channels.
- The conditions for making an external report (art. 6) and the prohibition of retaliatory or discriminatory acts against the reporter for reasons connected to the report.
- The need to provide — in the disciplinary system adopted pursuant to article 6, para 2, letter e), of decree no. 231 of 2001, sanctions against those who are found to be responsible for the offences referred to in paragraph 1 of the art. 21 of the Whistleblowing Law.
Introduction to Whistleblowing
«Whistleblowing» is the report made by a person — so-called «whistleblower», who — in the workplace, believes that the danger of a current or potential offence has occurred/exists — which could cause damage to the company/entity for which he works, to customers, suppliers, colleagues, citizens, and any other category of subject — as well as to the public interest.
The Company — which has always been sensitive to ethical issues and correct conduct, has implemented the legislation in question.
This activates internal systems for reporting violations, to allow the subjects identified by law to report infringements of National or European Union regulations that harm the public interest or the integrity of the public administration or private entity — of which they have become aware in a public or private working context.
These include violations of the Code of Ethics or of the Organisation, Management and Control Model pursuant to Legislative Decree 231/01.
Persons who can make reports
Reports can be made by the following people:
- Fibet Spa employees — even during the trial period;
- Self-employed workers, individual entrepreneurs, collaborators with whom Fibet Spa have relationships for the provision of services and the supply of goods;
- Holders of an agency or commercial representation relationship;
- Workers or collaborators who carry out their work for legal entities, who supply goods or services or who carry out works in favour of Fibet Spa;
- Freelancers and consultants who provide their services to Fibet Spa;
- Volunteers and paid (or unpaid) interns who work at Fibet Spa;
- The Directors, Auditors, Auditing firms of Fibet Spa, or any person with administration, management, control and supervision functions carried out, (even on a simplistic basis), at Fibet Spa.
Object and reporting prohibited
The purpose of this document is to inform about the operational methods for managing reports — and any consequent investigation activities that may be useful/necessary. The procedure is not applicable to cases expressly excluded by Legislative Decree 24/23, including:
- disputes, claims or requests linked to a personal interest of the whistleblower, which relate exclusively to individual working relationships and relationships with hierarchically superior figures. For example, personal grievances of the whistleblower, a disagreement between two employees or relationships with the hierarchical superior or with colleagues;
- reports of violations — already regulated on a mandatory basis by European Union or national acts, or by national ones that constitute the implementation of European Union acts;
- reports of breaches relating to national security, as well as procurement relating to defence or national security aspects — unless such aspects fall under relevant secondary law of the European Union.
The reports — even when anonymous, must always have content from which emerges a loyal spirit of participation in the control and prevention of facts harmful to the general interests.
Anonymity cannot in any way represent the tool to vent disagreements or conflicts between employees. It is similarly prohibited to
- use abusive expressions;
- forward reports with purely defamatory and slanderous purposes;
- forward reports that concern exclusively aspects of private life — without any direct or indirect connection with FIBET’s activity.
Any such reports will be considered even more serious — if they refer to sexual, religious, political or opinion habits and orientations in a broad sense.
The prohibited reports in question may be destroyed (and therefore not archived); such destruction must be mentioned in writing, indicating the identifying elements of the report or anonymous writing.
Finally, reports that prove to be unfounded and clearly defamatory and slanderous will be destroyed after any hearing of the reported subject, who must be given the right to report such crimes or not.
In this case, the report or anonymous writing will assume the nature of a material object of the crime and will not be destroyed.
Objectives
The purpose of this document is to allow the possible emergence of illegal and/or irregular conduct and/or situations within the Company.
It is intended to clarify — and make it easier for the whistleblower to resort to reporting — whilst removing any factors that may hinder or discourage the use of the institution.
The objective of the procedure is therefore, on the one hand to provide the reporting party with clear operational indications regarding the subject, contents, recipients and methods of transmission of the reports and on the other, to inform them about the forms of protection and confidentiality that are recognised, assured and guaranteed.
It is intended to promote the sharing, respect and application of the Companys’ values in the working lives of its interlocutors.
Departments and subjects involved
The offices and functions involved in the activities envisaged by this procedure are:
- Sole Director;
- Those in charge of the Human Resources Office;
- Those responsible for the processing of personal data;
- All subjects who can — pursuant to Legislative Decree 24/2023, make reports consistent with the provisions of this regulation;
- The subjects whose conduct/behaviour has possibly been reported;
- Any third parties appointed — in compliance with the legislation on the protection of privacy, to carry out in-depth investigations, where this occurs;
- The members of the SB established pursuant to Legislative Decree 231/2001 on the occasion of the periodic audit, or in any other case provided for by law.
Procedures and other related documents
- Organization, Management and Control Model ex. Legislative Decree 231/2001 adopted by the Company;
- Company’s ethical and disciplinary code.
Reporting channels, forwarding methods and formal information thereof
In order to facilitate and anonymise internal reports, the following transmission channels have been defined:
- the online portal “My Whistleblowing”
This is software from the broader «My Governance» family, programmed and marketed by Zucchetti, available online at;https://areariservata.mygovernance.it/#!/WB/fibet
This is a written reporting channel suitable for guaranteeing — using IT methods, the receipt and management of reports while maintaining maximum confidentiality on the identity of the reporting party in compliance with the provisions of the law (hereinafter the «Software»).The portal — it should be noted, is managed by a third party — independent of the Company, but who are bound to confidentiality and compliance with privacy legislation.The procedures for entering the data that the reporting party intends to provide will be indicated by the portal manager during the first communication phase — together with the access credentials and each employee will receive a specific handbook
- mailbox
as a written reporting channel in paper form which must be sent via registered mail to the following address:Fibet S.p.a., Via Alba 12/06 10024 Moncalieri (To)
In view of the confidential logging of the report by the Channel Manager, it is necessary that the report is inserted in two closed envelopes:
- the first with the reporting person’s identification data — together with a photocopy of the identification document
- the second with the report, in order to separate the reporting person’s identification data from the report.
Both must then be inserted into a third closed envelope bearing the words on the outside — both on the front and back, in order to guarantee maximum confidentiality: «Strictly Confidential Reserved for the Whistleblowing Manager — Whistleblowing»
If using this channel, the reporting party must indicate in the communication a physical address, or email to which the Channel Manager can prove receipt of the report and provide the relevant feedback.
If no address /email is indicated, the Channel Manager (in the presence of the conditions), will examine the report — without any obligation to prove receipt and/or feedback required by the Law on whistleblowing.
The reports will then be taken care of by the Channel Manager — who will take care of registering and storing the report as indicated in Point Management of reports of this procedure.
The Company may also take into consideration anonymous reports — where these are adequately detailed: i.e. such as to bring out facts and situations by relating them to specific contexts (i.e. documentary evidence, indication of particular names or qualifications, mention of specific offices, procedures or particular events, etc.).
The report — even non-anonymous ones, must be detailed and have the widest possible degree of completeness and exhaustiveness, and in any case — such as to make it credible.
The reporting party is required to provide all available and useful elements to allow the competent parties to carry out the necessary and appropriate checks and investigations to confirm the validity of the facts being reported, such as:
- a clear and complete description of the facts covered by the report;
- the circumstances, time and place in which the reported facts were committed;
- the personal details or other elements that allow the identification of the person(s) who has/have carried out the reported facts (e.g. qualification, place of employment in which he/she carried out the activity);
- any documents supporting the report;
- the indication of any other subjects who can report on the facts being reported;
- any other information that can provide useful feedback regarding the existence and truthfulness of the facts reported.
In order for a report to be detailed, these requirements do not necessarily have to be respected at the same time — considering the fact that the reporting party may not be fully available with all the requested/useful information.
Therefore, through the IT channel (and resultantly through the Software indicated above), the reporting party will be guided through every phase of the report.
They will be asked — in order to improve the detail, to complete a series of fields with respect to the requisite requirements.
The whistleblower can make an external report (benefiting from the protections provided by law) if, at the time of its submission, one of the following conditions occurs:
- an internal channel is missing or is not compliant;
- the reporting party has already made an internal report and it has not been followed up;
- the whistleblower has a well-founded fear that internal reporting is not effective or could expose themselves to the risk of retaliation;
- the reporting party has reasonable grounds to believe that the violation may constitute an imminent or obvious danger to the public interest.
The recipient of the external reporting is ANAC.
To carry out the external report, the reporting party can acquire information on the methods of execution from the internet address www.anticorruzione.it
It is essential — whatever the channel used, that the elements indicated are known directly by the reporting party and not reported or reported by other parties.
The Organization, Management and Control Model pursuant to Legislative Decree 231/01 of the Company, integrated by this Procedure, also involves the methods for transmitting to the Supervisory Body — Reports regarding conduct that may constitute the possible commission of significant offences pursuant to decree 231/2001 or in any case violations of the Model.
Management of reports
Once the report has been received through the channels provided for in this procedure, its management is divided into three phases:
- registration and custody;
- investigation (if any) and communication of the outcome;
- storage
1. Registration and custody
If the report is made via the Software, the Software itself will provide complete and confidential reporting in compliance with the relevant legislation.
In the case of communications on paper — or by other means, upon receipt of the report, the Channel Manager assigns a specific alphanumeric ID to the reporting party, and proceeds to record it in an IT and/or paper register — to which no parties — other than those with the contact details, have access to the report, in particular:
-
- day and time;
- reporting party;
- subject of the report;
- notes;
- status of the report to be filled in at each stage of the process, i.e. preliminary investigation, investigation, communication of the evidence that emerged and archiving.
The paper register is kept inside a closed – locked cabinet accessible only to authorized personnel, including the Report Managers.
2. Investigation (if any) and communication of the outcome
The preliminary investigation aims to verify the validity of the report received.
To this end, the Channel Managers meet to evaluate the contents by carrying out an initial screening and:
-
- where it is immediately discovered that the same is clearly unfounded — it is immediately archived, highlighting the reason in the register, even in summary form;
- where the report is not well-substantiated, further information is requested from the reporter where possible. In the event that it is not possible to collect sufficient information to substantiate the report and start the investigation — it is archived, always highlighting the motivation in the register, even in summary form;
- if the report appears detailed — with precise and consistent factual elements, we proceed with the investigation phases.
The investigation is the set of activities aimed at verifying the content of the reports received and acquiring useful elements for the subsequent evaluation phase, whilst guaranteeing maximum confidentiality regarding the identity of the reporter and the subject of the report.
The investigation has the main purpose of verifying the veracity of the information subjected to investigation and providing a precise description of the facts ascertained through audit procedures and objective investigative techniques.
The person in charge of the investigation is the Channel Manager — and any external consultants appointed ad-hoc.
It is everyone’s duty to cooperate with the person in charge of the investigation in full.
For each investigation, the person in charge of the investigation prepares a final report containing:
-
- the description of the ascertained facts;
- the evidence collected to demonstrate the same;
- the causes and shortcomings — where immediately deducible from the context gathered, which allowed the reported situation to occur;
- any further data and/or information deemed useful for the overall evaluation of the report.
At the end of the investigations — when it is found that the report received is unfounded, the Channel Manager proceeds to archive the report — and, where possible, communicates this to the reporter.
However, if the report is found to be well founded, the Channel Manager activates the Company Managers (Sole Director, Administrative Director) to undertake the necessary and most appropriate mitigative and/or corrective actions.
It also transmits the outcome of the investigation to the HR function for the possible initiation of disciplinary proceedings aimed at imposing — if necessary, disciplinary sanctions in line with the provisions of the applicable legislation and the relevant collective labour agreements.
The Supervisory order must also be notified of any positive outcome of the report.
3. Storage
In order to assure the traceability, confidentiality, conservation and availability of data throughout the procedure, the documents are stored and archived both in digital format (via the Software), through password-protected network folders and in paper format, in a special locked cabinet located in the Canal Manager’s office, accessible only to specifically authorized and trained persons.
All documentation will be kept — without prejudice to further legal terms in the cases expressly provided, for 10 years from the date of closure of the activities.
In accordance with current law and company procedures regarding privacy, the processing of personal data of all people involved and/or mentioned in the reports is protected.
Protection of the whistleblower
The entire process must however guarantee the confidentiality of the identity of the whistleblower from the moment the report is received — and at every subsequent stage.
To this end — in compliance with current legislation, the Company has established a series of mechanisms aimed at protecting the originator, providing:
- the protection of the confidentiality of the whistleblower;
- the prohibition of discrimination against the whistleblower.
1. Protection of the confidentiality of the whistleblowers
The Software guarantees complete confidentiality of the originator, as only the Channel Manager can access the report.
In the case of reports made through any other methods, the recipients — once the report has been received and registered, assign the reporting party a specific anonymized ID.
To protect the confidentiality of the whistleblower, the ID will be used in all official documents and communications during the investigation.
In the context of any disciplinary proceedings instituted against the reported person:
-
- if the alleged facts were based on investigations distinct and additional to the report — even if consequent thereto, the identity of the reporting party cannot be revealed;
- if the alleged facts were based in whole or in part on the report, the identity of the originator may be revealed to the person(s) involved in the report itself, where two requirements are met simultaneously:
- the consent of the reporting party;
- the proven need on the part of the reported party to know the name of the whistleblower for the purposes of full exercise of the right of defence.
2. The prohibition of discrimination against the whistleblower
The reporting party cannot be sanctioned, fired or subjected to any discriminatory measure — direct or indirect, having effects on working conditions for reasons directly or indirectly linked to the report.
Of course, this exclusion in principle does not extend to reports identified as «confidential», where the content of the same — in itself, constitutes illicit conduct from a contractual and/or regulatory perspective.
By discriminatory measures we mean:
-
- unjustified disciplinary actions;
- harassment in the workplace;
- any worsening changes in duties or place of work and, in general, any other change in a broad sense — worsening the conditions of the employment relationship which can be classified as motivated by retaliatory intent following the report.
The reporting party — who believes he or she has suffered discrimination for having made a report must provide detailed information to the Manager of the Companys’ channel.
The reporting person — who believes he or she has suffered discrimination can take legal action against the perpetrator of the discrimination — and also against the Company — if the Company actively participated in the discrimination.
In this case, the law provides for a reversal of the burden of proof, and it will therefore be the Company that will have to demonstrate that the deteriorating change in the reporting person’s working conditions, or other behaviours identified in the previous paragraph, does not originate from the report.
There is a duty of confidentiality on the part of all the subjects involved, without prejudice to their right of defence and investigation, also towards any subjects reported; a duty that is all the more relevant until the outcome of the procedure itself (which, it should be remembered, can also end with a negative outcome).
Breach of procedure
Failure to comply with this procedure entails the possibility for the Companys’ employees to apply the Company’s Disciplinary System — in line with the provisions of the applicable legislation and the relevant collective labour agreements.
Update of the procedure
This procedure is approved by the Sole Director and is subject to periodic updating.