INTERNAL REPORTING SYSTEM
(WHISTLEBLOWING)
PREAMBLE
SOF S.p.A. (hereinafter also referred to as "SOF" or the "Company") operates within a framework of fair competition with honesty, integrity, correctness, and good faith, respecting the legitimate interests of shareholders, employees, customers, business and financial partners, as well as the local communities in which SOF is present with its activities. SOF defines the values underlying the company's activities, and integrity represents a cornerstone principle guiding the behaviors of employees and those who operate with the Company. The Group Behavioral Pact specifies concrete behaviors to be implemented in daily practice, derived from the principles outlined in the Code of Conduct and reflected in the Supplier Code of Ethics. Operational procedures are defined in the Organization, Management, and Control Model pursuant to Legislative Decree 231/01, in the Anti-Corruption Policy, and in the current company procedures.
As an ethical safeguard to maintain a high level of attention to the behaviors adopted by both employees and those who operate with the Company, SOF has established a reporting system directed to R-QHSE&C (which also covers the role of RPC), serving as a tool to report issues related to non-compliance with the Organization, Management, and Control Model pursuant to Legislative Decree 231/01, the Code of Conduct, the Anti-Corruption Policy, the Supplier Code of Ethics, and the current company procedures.
In compliance with the requirements of the Social Responsibility SA8000 ethical certification held by the Company, SOF also uses this reporting system to report cases of non-compliance with the principles (ref. SA03 - SA8000 Reports).
The purpose of this procedure is to define the content, methods of execution, and subsequent management of reports submitted, in implementation of Legislative Decree of March 10, 2023, No. 24 (hereinafter "decree"), which implements Directive (EU) 2019/1937 of the European Parliament and of the Council, of October 23, 2019, to report any behaviors not in line with the Organization, Management, and Control Model pursuant to Legislative Decree 231/01, the Code of Conduct, the Anti-Corruption Policy, the Supplier Code of Ethics, or other company policies and procedures adopted by the Company, as well as any other offenses referred to in Article 3 of the decree, by members of the Company's Organs, Function Managers, as well as by employees, external collaborators, suppliers, and clients.
1. DEFINITIONS AND ACRONYMS
- Violations: Behaviors, acts, or omissions that harm public interest or the integrity of the private entity.
- Information on Violations: Information, including well-founded suspicions, regarding violations committed or that, based on concrete elements, could be committed within the organization with which the reporting person or the one filing the report to the judicial or accounting authority has a legal relationship under Article 3, paragraph 1 or 2 of the Decree, as well as elements concerning conduct aimed at concealing such violations.
- Reporting: The written or oral communication of information on violations.
- Internal Reporting: The written or oral communication of information on violations, submitted through the internal reporting channel.
ACRONYMS
- ADE: Chief Executive Officer
- R-QHSE&C: Head of Quality Health Safety Environment & Compliance Office
- QHSE&C: Quality Health Safety Environment & Compliance Department
- RPC: Anti-Corruption Prevention Manager
- R-PER: Personnel Manager
- SPT: Social Performance Team
2. DETAILS OF ACTIVITIES
2.1. SUBJECTIVE SCOPE OF APPLICATION
The provisions of the decree and this procedure apply to the following individuals reporting information on violations that they become aware of in the course of their work:
a) Employees, including workers whose employment relationship is governed by Legislative Decree June 15, 2015, No. 81, or by Article 54-bis of Legislative Decree April 24, 2017, No. 50, converted, with amendments, by Law June 21, 2017, No. 96.
b) Freelancers, including those indicated in Chapter I of Law May 22, 2017, No. 81, as well as those with a collaboration relationship under Article 409 of the Code of Civil Procedure and Article 2 of Legislative Decree No. 81 of 2015, who carry out their work at SOF.
c) Workers or collaborators who carry out their work at the Entity providing goods or services or carrying out works on behalf of third parties.
d) Freelancers and consultants providing their services at SOF.
e) Volunteers and interns, paid and unpaid, providing their services at SOF.
f) Shareholders and individuals with functions of administration, management, control, supervision, or representation, even if such functions are exercised de facto, at SOF.
g) Protection for the above-mentioned reporting individuals also applies in the following cases:
h) When the legal relationship has not yet begun, if information on violations has been acquired during the selection process or in other pre-contractual phases.
i) During the probationary period.
j) After the termination of the legal relationship if information on violations has been acquired during the relationship itself.
k) Notwithstanding what is provided in Article 17, paragraphs 2 and 3 of the Decree, protective measures (see below) also apply to:
l) Facilitators (individuals assisting the reporter in the reporting process, operating within the same work context, and whose assistance must be kept confidential).
m) Individuals in the same work context as the reporting person, the one who filed a report with the judicial or accounting authority, or made a public disclosure, and who are bound to them by a stable emotional or family relationship within the fourth degree.
n) Colleagues of the reporting person or the person who filed a report with the judicial or accounting authority or made a public disclosure, working in the same work context and having a habitual and current relationship with that person.
o) Entities exclusively or jointly owned (majority participation by third parties) by the reporting person or the person who filed a report with the judicial or accounting authority or made a public disclosure or for which these individuals work, as well as entities operating in the same work context as the aforementioned individuals.
2.2. REPORTING SYSTEMS
Reports can be directed either to the hierarchical superior or to the function deemed competent. If, for any reason, this route is deemed impractical, and for all cases of non-compliance with SA8000 certification principles, reports can be submitted to the attention of the R-QHSE&C function using two alternative channels:
• Online Platform: Submission through the platform can be in written form or via voice messaging, with or without registration (see "Whistleblower's Manual" at the link https://manuali.digitalpa.it/whistleblowing/v4-0-0/frontend/manuale-operativo-utente-segnalatore-non-registrato.html). In both cases, the channel is suitable for ensuring the confidentiality of sources and information in possession, subject to legal obligations, and allows confidential communication between the reporter and the Oversight Body / R-QHSE&C. The platform, managed by a specialized industry provider, uses encryption systems that ensure high levels of security and guarantees for reporters. It is accessible from the Fincantieri website in the connected section, following the link https://www.fincantieri.com/it/gruppo/controllate-collegate/SOF/.
• Mailing Address: SOF S.p.A., Via Giovanni del Pian dei Carpini, 1 - 50127 Florence Confidential - "R-QHSE&C" function
The adopted system complies with the requirements of Legislative Decree March 10, 2023, No. 24, implementing Directive (EU) 2019/1937, concerning the "protection of persons reporting violations of Union law and provisions on the protection of persons reporting violations of national legal provisions."
2.3. REPORTING
Reports can be made at any time and may refer to events that have occurred or are ongoing. Some examples, not exhaustive, of possible reports include:
• Situations of conflict of interest deemed unknown to the company. • Acts of corruption by third parties towards employees or by employees towards third parties. • Frauds. • Improper use of company assets. • Intentional communication of false information to Public Administrations. • Discrimination. • Harassment. • National and European Union regulations.
Reports should always be adequately detailed to allow proper verification of the highlighted facts, regardless of the identification of the responsible party. A report is detailed when the author's narrative of facts, events, or circumstances constituting the foundational elements of the alleged wrongdoing is made with a degree of detail sufficient to identify elements useful or decisive for verifying the validity of the report (e.g., type of offense committed, reference period, value, causes and purposes of the offense, areas and individuals affected or involved). If available, the inclusion of documents/evidence to support the statements is appreciated. Reports lacking any substantial supporting elements, overly vague, or insufficiently detailed are not considered.
Below is the form to be used in the online platform for written reports:
- Nature of Offense:
- Corruption
- Incitement to corruption
- Abuse (SA8000)
- Theft
- Misconduct
- Mobbing (SA8000)
- Absenteeism (SA8000)
- Violent or harassing behavior (SA8000)
- Violation of the ethical code
- Violation of bidding procedures and other contracts
- Violation of staff selection and hiring procedures
- Conflict of interest
- Unauthorized disclosure of confidential information/violation of confidentiality obligation
- Other Model 231 violations
- Other
- Civil and criminal offenses
- Tax offenses
- Unauthorized access to IT applications
- Reporter's Relationship with the Company:
- Title:
- Perpetrators of the Offense:
- Involved Individuals:
- Organizational Unit: (specify construction site, department, etc.)
- Locations of Offenses:
- Presumed Start Date of Offenses:
- Description:
The abuse or misuse in bad faith of the tool, for example, to report events already known to be unfounded to the whistleblower, purely personal matters, or reports with an evident defamatory or calumnious content, results in the application of the Company's sanctioning system. In case of doubts about the interpretation of events or situations that could represent a corrupt act, it is possible to contact the R-QHSE&C function using the same reporting channels indicated in the section Reporting Systems.
2.4. ANONYMOUS REPORTS
Reports from which it is not possible to deduce the identity of the reporting person are considered anonymous. Anonymous reports can be considered only if adequately detailed and provided with all the informative elements necessary for verification. The reporting person, even if initially not disclosing their identity, may do so at a later time, for the purpose of acquiring eventual legal protection. In any case, the reporting person or anonymous complainant, once identified, who has reported to ANAC (National Anti-Corruption Authority) that they have suffered reprisals, may benefit from the protection that the decree provides against retaliatory measures. SOF is therefore required to record the anonymous reports received and keep the related documentation for no more than five years from the date of receiving such reports, making it possible to trace them, in case the reporting person or anyone who filed a complaint informs ANAC of having suffered retaliatory measures due to that anonymous report or complaint.
2.5. MANAGEMENT OF THE REPORT
As mentioned, the R-QHSE&C function exclusively receives reports through the two channels. The management of the report is entrusted to R-QHSE&C, which proceeds to assign:
Reports with relevance to Legislative Decree 231 to the Supervisory Body;
Reports on Anti-Corruption to the Supervisory Body and R-QHSE&C itself;
Reports on SA8000 to the Social Performance Team (SPT).
Consequently, the possible actions are:
Process the report by promoting the necessary investigations;
Forward the report to the relevant Functions, relying on the various identified collaborators each time to instruct the management process based on their skills and corporate functions, and requesting feedback on the actions taken;
Proceed with the archiving of the report (rejection), adequately justifying the choice made in line with the criteria mentioned in the "Report" paragraph.
If deemed appropriate and if the reporting method allows, it is possible to consult both the reporting person to obtain more information and the alleged author of the violation, also leading to all necessary investigations and inquiries to ascertain the validity of the report. For verifications, R-QHSE&C operationally relies on the support of the relevant company functions or external consultants. The use of the computer platform allows not only R-QHSE&C to communicate (even anonymously) with the reporting person but also allows the latter to check the status and outcome of the report at any time through login credentials.
If, from the verifications carried out, R-QHSE&C identifies a violation of the rules of conduct and relevant policies and procedures (Organization, Management and Control Model pursuant to Legislative Decree 231/01, Code of Conduct, Anti-Corruption Prevention Policy, Supplier Code of Ethics, or other company policies and procedures adopted by the Company), it reports the disciplinary offense to the Company for appropriate decisions based on what is defined in the Organizational Model, independent of the possible initiation of a criminal proceeding against individuals or an administrative proceeding against the company under Legislative Decree 231/01. The sanctions application process involves R-QHSE&C sending a report containing the personal details of the party responsible for the violation, a description of the contested conduct, the indication of the provisions that have been violated, and any supporting documents, which is sent to:
R-PER for employees and, in the case of managerial staff, also to the President of the Board of Statutory Auditors and the Chief Executive Officer;
Board of Directors and Board of Statutory Auditors for members of corporate bodies. The violation of rules of conduct and relevant policies and procedures by external collaborators, consultants, and business partners entails the sanction of contract termination in accordance with contractual clauses and legal provisions. At least annually, both the Supervisory Body and R-QHSE&C inform the Board of Directors and the Board of Statutory Auditors through a written report on the control and verification activities carried out and any initiatives following violations of rules of conduct and relevant policies and procedures. In all cases, if the verifications reveal a violation of the law, the Supervisory Body/R-QHSE&C promptly informs the Company to promote the consequent initiatives, including reporting to the competent Judicial Authority. The documentation supporting the Supervisory Body/R-QHSE&C's verification and/or supervision activities consists of:
Audit reports;
Interviews/communications made to the relevant/involved Functions;
Minutes of Supervisory Body meetings outlining the decisions made based on the acquired documents;
Documentation related to investigations carried out by the relevant function. The "R-QHSE&C" function documents and archives the reports, decisions made, and documentation supporting the verifications carried out, respecting the confidentiality principle of the data and information contained therein, as well as the regulatory provisions on the processing of personal data. The reports received cannot be deleted in any way from the platform, and any activity performed on the reports is recorded in the system and is visible to other authorized users. If a report concerns or involves R-QHSE&C, the reported party must refrain from managing it.
2.6. CONFIDENTIALITY OBLIGATION
Reports cannot be used beyond what is necessary to give adequate follow-up to them. The identity of the reporting person and any other information from which their identity can be directly or indirectly inferred cannot be disclosed without the express consent of the reporting person to individuals other than those competent to receive or follow up on the reports, expressly authorized to process such data under the rules on the protection of personal data. In the context of criminal proceedings, the identity of the reporting person is covered by confidentiality in the ways and limits provided for by Article 329 of the Code of Criminal Procedure. In the context of proceedings before the Court of Auditors, the identity of the reporting person cannot be disclosed until the conclusion of the investigative phase. In the context of disciplinary proceedings, the identity of the reporting person cannot be disclosed if the disciplinary charge is based on findings distinct and additional to the report, even if subsequent to it. If the charge is based, in whole or in part, on the report, and knowledge of the identity of the reporting person is essential for the defense of the accused, the report will be usable for disciplinary proceedings only with the express consent of the reporting person to the disclosure of their identity. The reporting person is notified in writing of the reasons for the disclosure of confidential data in the above case, as well as in internal and external reporting procedures when the disclosure of the identity of the reporting person and the information is also essential for the defense of the person involved. SOF protects the identity of the individuals involved and those mentioned in the report until the conclusion of the proceedings initiated due to the report, in compliance with the same guarantees provided in favor of the reporting person. Notwithstanding the above, in reporting procedures, the person involved may be heard, or, at their request, they are heard, also through a paper-based procedure by acquiring written observations and documents.
2.7. PROCESSING OF PERSONAL DATA
Any processing of personal data, including communication between competent authorities, provided for by this procedure, must be carried out in accordance with the rules on the protection of personal data. The communication of personal data by institutions, bodies, or organizations of the European Union is carried out in accordance with Regulation (EU) 2018/1725. Personal data that is manifestly not useful for the processing of a specific report is not collected or, if collected accidentally, is immediately deleted. The rights under Articles 15 to 22 of Regulation (EU) 2016/679 can be exercised within the limits provided for by Article 2-undecies of Legislative Decree no. 196 of June 30, 2003. Processing of personal data related to the receipt and management of reports is carried out by SOF, as the data controller, providing appropriate information to reporting persons and individuals involved under Articles 13 and 14 of Regulation (EU) 2016/679 or Article 11 of the aforementioned Legislative Decree no. 51 of 2018, and adopting appropriate measures to protect the rights and freedoms of the data subjects.
2.8. DOCUMENT RETENTION
Reports and related documentation are kept for the time necessary for the processing of the report and in any case not exceeding five years from the date of communication of the final outcome of the reporting procedure, in compliance with the above confidentiality obligations.
2.9. WHISTLEBLOWER PROTECTION FORMS - CONDITIONS
The protective measures provided for by the Decree and described in the following paragraphs apply to the whistleblower under the following conditions:
a) At the time of the report, the reporting person or complainant had reasonable grounds to believe that the information on the reported violations, publicly disclosed, or reported, was true and fell within the objective scope referred to in § 3;
b) The report was made based on what is provided in the preceding paragraphs.
Except as provided in Article 20 of the decree, when the criminal liability of the reporting person is ascertained, even by first-instance judgment, for the offenses of defamation or slander or, in any case, for the same offenses committed with the report to the judicial or accounting authority or their civil liability, for the same title, in cases of intent or gross negligence, the protections provided in this section are not guaranteed, and a disciplinary sanction is imposed on the reporting or complaining person. The protective measures also apply in cases of anonymous reporting if the reporting person has been subsequently identified and has suffered reprisals.
2.10. PROHIBITION OF RETALIATION
Reporting entities or individuals shall not undergo any retaliation. The Decree defines "retaliation" as any behavior, act, or omission, even if only attempted or threatened, carried out due to reporting, reporting to the judicial or accounting authority, or public disclosure, causing or potentially causing unjust harm to the reporting person or the person who filed the report, directly or indirectly.
In the context of judicial or administrative proceedings or any non-judicial disputes aimed at establishing prohibited behaviors, acts, or omissions under this paragraph against reporting persons, it is presumed that they were carried out due to the report. The burden of proving that such conduct or acts are motivated by reasons unrelated to the report lies with the party who carried them out.
In the case of a damages claim filed with the judicial authority by reporting persons, if these individuals demonstrate that they made a report in accordance with the Decree and this procedure and suffered harm, it is presumed, unless proven otherwise, that the damage is a consequence of that report.
Below are some cases that constitute retaliation:
a) Dismissal, suspension, or equivalent measures;
b) Demotion or failure to promote;
c) Change in duties, change of workplace, salary reduction, or modification of working hours;
d) Suspension of training or any restriction of access to it;
e) Negative performance reviews or negative references;
f) Imposition of disciplinary measures or other sanctions, including pecuniary ones;
g) Coercion, intimidation, harassment, or ostracism;
h) Discrimination or unfavorable treatment;
i) Failure to convert a fixed-term employment contract into a permanent contract, where the worker had a legitimate expectation of such conversion;
j) Non-renewal or early termination of a fixed-term employment contract;
k) Damages, including damage to the person's reputation, especially on social media, or economic or financial harm, including the loss of economic opportunities and income loss;
l) Improper inclusion in lists based on a formal or informal sectoral or industrial agreement, which may make it impossible for the person to find employment in the sector or industry in the future;
m) Early termination or cancellation of a supply contract for goods or services;
n) Revocation of a license or permit;
o) Request for psychiatric or medical examinations.
2.11. PROTECTION AGAINST RETALIATION
Reporting entities and individuals can report to ANAC any retaliation they believe to have suffered. Retaliatory acts are void. Reporting persons who have been dismissed due to the report have the right to be reinstated in the workplace, in accordance with Article 18 of Law No. 300 of May 20, 1970, or Article 2 of Legislative Decree No. 23 of March 4, 2015, depending on the specific discipline applicable to the worker. The judicial authority takes all necessary measures, including provisional ones, to ensure protection of the subjective legal situation triggered, including compensation for damages, reinstatement in the workplace, the order to cease the retaliatory conduct, and the declaration of nullity of the acts adopted.
2.12. LIMITATIONS AND RESPONSIBILITIES
Reporting entities or individuals who disclose or disseminate information about violations covered by the duty of confidentiality, other than that under Article 1, paragraph 3 of the decree, or related to the protection of copyright or the protection of personal data, or who disclose or disseminate information about violations that harm the reputation of the person involved or reported when, at the time of disclosure or dissemination, there were reasonable grounds to believe that the disclosure or dissemination of such information was necessary to reveal the violation and the report, public disclosure, or denunciation to the judicial or accounting authority was made in accordance with Article 16 of the decree. In these cases, any further liability, including civil or administrative, is also excluded. Unless the act constitutes a crime, the reporting entity or individual incurs no liability, including civil or administrative, for acquiring information about violations or accessing them. In any case, criminal liability and any other liability, including civil or administrative, is not excluded for behaviors, acts, or omissions not connected to reporting, reporting to the judicial or accounting authority, or public disclosure, or that are not strictly necessary to reveal the violation.
2.13. WAIVERS AND SETTLEMENTS
Waivers and settlements, whether full or partial, concerning the rights and protections provided by the decree, are not valid unless made in the forms and manners prescribed by Article 2113, fourth paragraph, of the Civil Code.