Whistleblowing Procedure

1- PURPOSE AND SCOPE

A “breach reporting” or “reporting” system (the so-called whistleblowing system) has been established to prevent and combat fraudulent behaviour and unlawful or irregular conduct in line with measures introduced by Law No. 179 of 30 November 2017 “Provisions for the protection of whistleblowers who report offences or irregularities which have come to their attention in the context of public or private employment” and by Legislative Decree No. 24 of 10/03/2023 (implementing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and containing provisions concerning the protection of persons who report breaches of national laws).

To this end, this procedure: 

  • identifies the conduct and events that can be reported as described herein;
  • identifies the principles and rules governing the reporting process, as well as the consequences for any misuse of the channels established for reporting;
  • defines the procedure for receiving reports, preliminary enquiry, examination and verification, closing reports received from any party, including anonymous reports, and identifies roles, responsibilities, operating methods and tools used.

This procedure applies to Comec as described herein. 

 

2- REFERENCES

  • UNI ISO 37001:2016;
  • Comec Code of Ethics and Conduct;
  • Regulation (EU) 2016/679 on personal data protection (the so-called GDPR) and Legislative Decree No. 196/03 and subsequent amendments and addenda;
  • Law No. 179/2017 (the so-called Whistleblowing Law);
  • Legislative Decree No. 24/2023 (implementing Directive (EU) 2019/1937)

 

3- TERMS AND DEFINITIONS

Code of Ethics: The Comec Code of Ethics and Conduct
Reports Committee: A committee of two people who are responsible for handling reports: Sabina Bragonzo and Paola Armiraglio c/o Comec Italia srl. 
Recipients:

Confidentiality Officer

Persons linked to Comec by a contractual relationship, more specifically, Persons in the Comec company, Associated Persons and Suppliers. Any other third parties involved by Comec in checks and investigations as per this procedure are also considered Recipients, limited to the salient aspects of safeguarding and protecting the Reporting Party and the Reported Party.

The person tasked with personal data processing: Manuele Baggini

Suppliers:  Economic operators (natural person, legal person or groups) other than Associated Persons that have, or plan to have, a contractual relationship with Comec for the supply of goods, works and/or services.
Persons in the Comec Group: Directors, partners and employees (including collaborators working in the company organisation with different types of employment relationships).
WB Confidential email channel: The confidential email channel used for submitting a Report: whistleblowing@comec-italia.it.
Reporting Party: The person who makes a Report.
Reported Party: The person responsible for, or allegedly responsible for, the conduct referred to in the Report.
Report: Written communication submitted, even anonymously, by the Reporting Party through one of the reporting channels referred to in 4.2 to report fraudulent behaviour, unlawful or irregular conduct relating to work or collaboration activities with Comec that breach (or allegedly breach) Model 231, the Code of Ethics, or the Internal Control System.
Internal Control System: This means all the policies, procedures, regulations (and other similar internal regulatory documents) adopted by Comec.
Associated Persons: Any third party with which Comec has, or plans to have, any form of commercial relationship during which the said third party could act on behalf of or in the interests of Comec.
Group Management: The group of persons, such as the President, CEO, General Manager, Executive Director and Sole Administrator.

 

4- PRINCIPLES OF CONDUCT AND OPERATING METHODS


4.1.1- Principles of conduct


4.1.2 – Safeguarding the Reporting Party

Comec forbids any direct or indirect acts of retaliation or discrimination against the Reporting Party for reasons directly or indirectly linked to the Report. 

If an employee of Comec believes that they have been subjected to an act of retaliation or discrimination due to the submission of a Report, they can notify the Reports Committee. This Committee has a duty to promptly notify the Human Resources Department to examine the case and initiate any disciplinary proceedings that may be required against the person responsible for the discriminatory or retaliatory conduct.

The protection afforded to the Reporting Party can be ensured by Comec only if he or she complies with this procedure.

Any behaviours that breach safeguarding measures for the Reporting Party, and the transmission of Reports made with wilful misconduct or gross negligence, may lead to disciplinary proceedings being initiated against those responsible.


4.1.2 – Safeguarding the Reported Party

The conduct referred to in the Report may relate to employees (including managers and directors), Suppliers and/or Associated Persons

In order to avoid any improper use of the Report and prevent defamation or the disclosure of sensitive personal data of the Reported Party, which could damage his or her reputation, or cause him or her to experience discrimination, retaliation or be otherwise disadvantaged, this procedure sets out measures to safeguard the Reported Party. 

To this end, any injurious, defamatory or slanderous Reports that could give rise to civil and/or criminal liability on the part of the Reporting Party are strictly prohibited. 

Every Report received is assessed and examined by independent persons that are not directly involved in the reported event in order to avoid any conflicts of interest and ensure their impartiality. Auditing methods and tools are used during assessments and investigations that afford the strongest possible guarantees in terms of objectivity and reliability for the outcomes achieved. 

Decisions about any disciplinary measures, complaints or other measures to be taken following the outcome of the investigations will be made by the appropriate company departments and, in any event, by persons other than those that carried out the investigations in order to avoid any conflicts of interest or lack of impartiality. 


4.1.3 – Principle of non-exclusion

Comec guarantees that it will examine all the Reports that it receives in accordance with the modalities set forth in this procedure. 

The Reporting Party can receive feedback about the progress of the Report that he or she submitted by consulting the WB Confidential email channel. Please note that the feedback will not contain detailed information about the outcome of the investigations or any decisions made by Comec.


4.1.4 – Confidentiality

Comec guarantees that the Report will be confidential, as will the contents of the Report, the identities of the Reporting Party and the Reported Party, as well as documentation provided by the Reporting Party and/or subsequently gathered or processed. 

Therefore, the abovementioned information may not be disclosed to any persons not directly involved in the assessment and investigation process; all those that receive or are involved in the handling of the Reports are bound to protect their confidentiality. 

The confidentiality of the Reporting Party and the contents of the Report may not be respected solely in one of the following cases: 

  1. the Reporting Party provides his or her express consent to reveal his or her identity; 
  2. anonymity is not enforceable by law and the identity of the Reporting Party is required by the judicial authority in relation to investigations (criminal, tax or administrative investigations, inspections by regulatory bodies) or by other so entitled parties; 
  3. criminal liability has been established, even with a first-instance judgement, for crimes of slander or defamation or crimes committed with the Report, or civil liability for the same offences in cases of wilful misconduct or gross negligence;
  4. the Report is prohibited pursuant to 4.2.

4.1.5 – Personal data processing

The personal data of the Reporting Party, Reported Party and of all those involved with the Report are processed in compliance with personal data protection legislation as per Regulation (EU) 2016/679 and Legislative Decree No. 196/2003 as amended by Legislative Decree No. 101/2018 and also with all the measures adopted by the Italian Data Protection Authority.

More specifically:

  1. once the Report is submitted, the Reporting Party receives a privacy notice from the controller pursuant to Article 13 of Regulation (EU) 2016/679, which, among other things, specifies the purposes and methods for processing the party’s personal data, the persons/departments to whom/which the reported data may be disclosed with regard to the handling of the Report, and the rights of the Reporting Party with reference to their processed personal data; 
  2. only personal data that are strictly necessary and relevant to the purposes for which they have been collected are processed;
  3. technical and organisational measures that are appropriate for providing an adequate level of data protection and confidentiality for the information that has been received are implemented in compliance applicable legislation;
  4. the ability of the Reporting Party or Reported Party (“data subjects” pursuant to data protection regulations) to exercise their rights regarding any of their personal data that is processed during the reporting process may be limited, pursuant to Article 2-undecies of Legislative Decree No. 196/2003 as amended by Legislative Decree No. 101/2018, if exercising said rights could effectively and actually prejudice other interests protected by specific legislative provisions, with the clarification that under no circumstances may the Reported Party be permitted to make use of his or her rights to obtain information about the identity of the Reporting Party;
  5. access to personal data is granted solely to persons that have been appointed and authorised to receive this type of Report, limiting the transfer of confidential information and personal data to only when necessary;
  6. personal data are stored in compliance with applicable regulations.

 

4.2 – Reports


4.2.1 – The format and content of Reports

Examples of the wrongdoing or irregularities referred to in Reports may include but are not limited to the following: 

  1. the falsification, modification, destruction or concealment of documents;
  2. administrative irregularities and irregularities in compliance with accounting or tax requirements or the preparation of the company’s financial statements;
  3. fraudulent conduct designed to disclose confidential information about the know-how used in company operations;
  4. conduct designed to violate the safety regulations concerning the use of machinery and products used for printing;
  5. promising or giving a sum of money or other benefits to a public official or person charged with a public service in return for performing their duties (e.g. facilitating a case) or performing an act in breach of their official duties (e.g. failure to submit a report of tax irregularities); 
  6. promising or giving a sum of money or other benefits in order to bribe suppliers or customers; 
  7. agreements with suppliers or consultants that make inexistent services appear to have been provided;
  8. the falsification of expense reports (e.g. “inflated” reimbursements or expenses for non-existent trips); 
  9. inventing and disclosing to the public falsehoods that are about the company or may alter its market value;
  10. fraudulent conduct towards customers.

Any employee that becomes aware of any wrongdoing or irregularities (as illustrated above) is obliged to report it straightaway in accordance with the modalities described in this procedure.

Reports cannot concern mere suspicions or rumours. However, the Reporting Party does not have to be certain that the reported conduct has actually occurred or about the perpetrator of said conduct; it is enough for them to believe, based on their knowledge, that it is highly probable that there has been a breach of the Code of Ethics and/or the Internal Control System or that a wrongdoing has taken place.

In this perspective, the Reports must be adequately substantiated, namely they must contain all the evidence that will enables the facts referred to in the Report to be properly checked.

To this end, Reports must contain at least the following information:

  1. the Report must contain references that identify the person submitting the Report. Any reports submitted anonymously will be processed to the extent that they contain the information set forth in the following points;
  2. a clear description of the facts referred to in the Report, indicating (if known) the circumstances about where and when the facts were committed/omitted; 
  3. any detail (such as name and surname, position/role in the company) that enables the alleged perpetrator(s) of the conduct referred to in the Report to be easily identified.

Any Reports that do not contain the minimum information required as per this paragraph may not be taken into consideration and will not offer any protection for the Reporting Party.

Furthermore, the Reporting Party may include the following additional details: 

  1. any other individuals that know about other salient points in the Report; 
  2. any documents that can confirm the validity of the facts stated in the Report; 
  3. any other information that could facilitate the gathering of evidence for the reported facts.


4.2.2 – Prohibited reports 

The Report must not adopt an offensive tone or contain personal insults or moral judgements that could offend or harm the honour and/or personal and/or professional reputation of the person or persons to whom the reported facts are attributed. It is specifically prohibited to: 

  1. use insulting remarks; 
  2. submit Reports for purely defamatory and slanderous purposes; 
  3. submit Reports that relate solely to aspects of the Reported Party’s private life without any (direct or indirect) link to their activities in the company; 
  4. submit Reports of a discriminatory nature insofar as they refer to the sexual, religious or political orientation, or the racial or ethnic origin of the Reported Party;
  5. submit unfounded Reports for the sole purpose of damaging the Reported Party.

It should also be noted that it is prohibited to submit negligently written Reports containing statements that are clearly unfounded or whose lack of foundation can be easily substantiated by the Reporting Party. 

Please note that Prohibited Reports:

  1. will not be considered;
  2. will not offer any protection to the Reporting Party;
  3. could lead to disciplinary proceedings being initiated against the Reporting Party.

 

4.2.3  -Submitting a Report

Reports can be submitted through one of the following channels: 1) email, 2) ordinary postal service 

  1. The Report can be submitted by using the confidential email channel whistleblowing@comec-italia.it, which can be accessed by anyone that has a contractual relationship with Comec.

This email address has been designated as the primary channel for handling Reports and can ensure the strictest confidentiality and highest level of protection for the Reporting Party. 

Please note that in order to ensure the strictest confidentiality about the identity of the Reporting Party, the email channel is hosted and managed by an external provider that is outside and independent of Comec. Nobody that is employed by or collaborates with the company has access to the email channel as a system administrator.

All the information that is gathered is stored in electronic form. The said email channel also acts as an electronic register for the Reports that are received, logging the essential data and summary information for assessing validity and about the steps that have been taken. 

  1. The Report can be submitted as a written communication sealed in an envelope marked as “confidential/private” and for the attention of the Reports Committee and then sent to the company address of the Comec by ordinary postal service. 

When people in the company receive a Report by external or internal post, email or other means they are required to enter it immediately onto the email channel set up for WB Confidential reports, and forward the original complete with any enclosed documentation to the Reports Committee. The receiver must not keep a copy and must refrain from taking any independent measures or actions to examine and/or investigate it further. Failure to pass on a Report that has been received is a breach of this procedure and could lead to the appropriate steps being taken, including disciplinary measures.

In order to ensure that the contents of the Report are made available only to the persons handling the preliminary enquiry, the receiver must take appropriate steps to conceal details about the Reporting Party (where provided) on the copy of the Report that has been received. 

 

4.2.4 -Registration

All Reports, regardless of how they have been received, are logged on the WB Confidential email channel, which is the database that summarises and manages essential data from the Reports. It also ensures that all the relevant documentation produced or acquired during the performance of the actions set forth in this procedure is filed.

If a Report is not adequately substantiated, the Reports Committee can ask the Reporting Party to provide further details.

 

4.2.5 -Preliminary assessment and classification

The Reports Committee will promptly take charge of and examine any Report received so that it can conduct a preliminary enquiry for its preliminary assessment. 

The aim of the preliminary enquiry is to use all available means to conduct specific ascertainment, examinations and assessments regarding the reasonable grounds of the factual circumstances that have been reported. The goal of preliminary enquiry is to reconstruct the management and decision-making processes that had been adopted by using official information and documentation as well as any other material made available. The merits of management decisions or opportunities, discretionary or technically discretionary, taken each time by the company departments involved do not fall within the examinatory scope of the preliminary enquiry, unless they are clearly unreasonable. 

Once the preliminary enquiry is completed, the Reports Committee can come to one of the following conclusions:

  1. Non-relevant report: the Report has no relevance to the scope of this procedure, in that it refers to Reported Parties or to companies that are not within the remit of this procedure, or refer to conduct, incidents or events that cannot be reported under this procedure or do not contain the minimum level of detail required by this procedure. In these cases, a Report is filed without proceeding with further investigations, and the relevant feedback is sent to the Reporting Party through the WB Confidential email channel.
  2. Inadmissible report: if it has not been possible to gather sufficient information to be able to proceed with further investigations, the Report is filed.
  3. Prohibited report: if the Reports Committee receives a prohibited report (as described above), it will assess whether to notify the Human Resources Department that it has received a Prohibited Report so that they can potentially initiate the procedure for disclosing the identity of the Reporting Party and begin disciplinary proceedings against that person. In this case, the Reported Party could also be notified of the Report to enable them to exercise their rights of defence. 
  4. Relevant and admissible report: if Reports are confirmed to be substantiated and relevant to the scope of this procedure, the Reports Committee will initiate the verification stage as described below.

The Reports Committee can reserve the right to ask the Reporting Party for further information or documentation and also to involve them in the preliminary enquiry and give them any information about the start and progress of the preliminary enquiry. 

The preliminary enquiry shall normally be concluded within four weeks from receipt of the Report.

 

4.2.6 – Escalation if (relevant and admissible) Reports refer to senior management or the Reports Committee

If any Reports relate to the Chairman of the Board of Directors or one of the Directors, the Reports Committee shall immediately notify the other members of the Board of Directors so that they can coordinate and outline the next step in the investigations. 

If any Reports relate to a member of the Reports Committee, the other members shall ask the external provider and administrator of the WB Confidential email channel to prohibit that member of the Reports Committee from accessing the section of the platform containing the Report in question until the internal enquiries and investigations have concluded.

 

4.2.7 -Internal enquiries and investigations

Where a Report has been received and classified as relevant and admissible, the Reports Committee shall initiate the internal enquiries and investigations so that further detailed information can be gathered and it can be verified if there are any grounds to the reported facts by conducting direct enquiries or with the help of external consultants. 

Any third parties involved in the preliminary enquiry also become Recipients of this procedure and are consequently required to comply with, inter alia, confidentiality obligations. If these parties should breach the principles set out in this procedure, the company concerned can take the measures recommended in the disciplinary/sanctioning system of the Model 231 adopted by that company.

 

4.2.8 –Conclusion of the process

The stage of the internal enquiries and investigations concludes with the Reports Committee or a person appointed by the Reports Committee (external consultant) drawing up a report that formalises the contents of the Report, the checks and investigations that have been conducted and the outcomes which have been achieved. The Report shall also include any actions that need to be taken regarding each issue that has emerged. 

If Reports were submitted via the WB Confidential email channel, feedback shall also be sent to the Reporting Party notifying them that the assessment of their Report has concluded.

If the Reports Committee does not recognise that the facts stated in the Report are well founded once the internal enquiries and investigations are completed, the Report will be filed.

However, if the Report turns out to be a Prohibited Report (as described above) once the internal enquiries and investigations are completed, the consequences will be those stated in 4.2.5(c).

 

4.2.9 -Reporting to senior management

If grounds are recognised for the Report and it relates to one or more employees of Comec, the Reports Committee shall send a final report of the internal enquiries and investigations to the Human Resources Department and to the company management so that they can assess whether any measures need to be taken. 

 

4.2.10 – Procedure for disclosing the identity of the Reporting Party

Only in the cases stated in the “Confidentiality” section of 4.1 and providing that there is first evidence of the existence of cases as per the aforementioned “Confidentiality” section, Comec can formally request the external provider and administrator of the WB Confidential email channel to link the contents of the Report to the identity of the Reporting Party. 

 

5 – ARCHIVING DOCUMENTS

The information and any other personal data acquired during the implementation of this procedure are processed in compliance with Regulation (EU) 2016/679. 

In order to ensure the management and traceability of the Reports and follow-up actions, the Confidentiality Officer will be responsible for keeping the information relating to the Reports and ensure that the relevant documentation is archived and stored for the length of time stated in applicable regulations. 

Personal data shall be stored in a form that enables data subjects to be identified for no longer than is necessary for the purposes for which the data are processed and, more specifically, for a maximum of five (5) years, unless they are legally required to be kept for a longer period or for the settlement of any disputes or for the establishment, exercise or defence of legal claims.