The purpose of this Policy, implemented by Peck S.p.A., is to regulate the process of transmitting, receiving, analyzing and managing reports, adequately motivated, on breaches of laws and regulations (as identified below) by Staff (so-called Whistleblowing).
The purpose of the Policy is to implement Legislative Decree No. 24/2023, published in the O.G. on 15.3.2023, transposing Directive (EU) 2019/1937 concerning the “protection of persons who report breaches of Union law (so-called Whistleblowing discipline).”
For matters not expressly indicated by this Policy, the provisions of Legislative Decree No. 24/2023 referred to above remain fully applicable.
In a nutshell, the purpose of the Policy is to:
For the purposes of this Policy, the following expressions have the meanings indicated:
All employees of Peck S.p.A. (executives, middle managers, white collars, blue collars), directors, members of corporate bodies and supervisory bodies, as well as all those who, for various reasons, have employment, collaboration or business relations with the Company, including collaborators, trainees, temporary workers, consultants, agents, suppliers and business partners, even before the legal relationship with the Company began or after it was terminated.
4.1 The following may be the subject of the Report
4.2 Reports concerning the following are excluded from the scope of application of the Policy:
Addressees of this Policy who become aware of Breaches are required to make a Report through the internal reporting channels described below, which allow for the submission of such Reports in writing or orally.
The Report:
At the request of the Whistleblower, a face-to-face meeting with the Whistleblowing Manager may be arranged; the Whistleblowing Manager shall inform the Whistleblower in writing of the date of the meeting, which shall be set no later than 15 days after receipt of the request. In this case, subject to the consent of the person making the report, the meeting shall be documented by the staff member in charge by means of a recording on a device suitable for storage and listening, or by means of minutes, which the Whistleblower may verify, correct and confirm by signing.
Anyone who receives a Report outside the channels indicated above shall promptly forward the original and any attachments to the Whistleblowing Manager.
The Whistleblower may submit its Report to ANAC, through the external reporting channel provided by ANAC, only if:
The Whistleblower may proceed by public disclosure only if:
Anonymous Reports may also be taken into consideration, provided they are adequately substantiated and detailed. Anonymous Reports limit the possibility for Peck S.p.A. to investigate effectively, since it is impossible to establish an easy information channel with the Whistleblower. Peck S.p.A. considers, among the relevant factors for assessing an anonymous Report, the seriousness of the reported Breach, the credibility of the facts represented and the possibility of verifying the truthfulness of the Breach from reliable sources.
In any case, the protections referred to in paragraph 9 below shall be ensured only if the Whistleblower is subsequently identified or his identity emerges at a later stage.
6.1 The Reports must be, in any case and regardless of the channel used for their submission, circumstantiated and well-founded, so as to allow the necessary measures to be taken and the appropriate checks and investigations to be carried out, also by carrying out investigations and formulating requests for clarifications to the Whistleblower, where identified.
In particular, the Report should have the following minimum content and therefore indicate:
6.2 The Whistleblower may allow his/her own identification, by indicating the contact details where he/she can be contacted (by way of example only: name and surname, e-mail address, telephone number), possibly different from the professional ones. If such information are not provided, and therefore the Whistleblowing Manager is not in the position of interacting with the Whistleblower for the management of the Report, the Report may be considered as unmanageable under the whistleblowing rules and will eventually be treated as an ordinary Report.
After having made a Report, the Whistleblower that detects any errors may immediately inform the Whistleblowing Manager through the same channel by which the Report was made.
6.3 Reports are to be considered irrelevant if they prove to be intentionally futile, false or unfounded, with purely defamatory content or in any case concerning deliberately erroneous or misleading information, for the sole purpose of damaging the Company, the Reported Person or other persons concerned by the Report, as well as Reports of a discriminatory nature, insofar as they refer to sexual, religious or political orientation or to the Reported Person’s racial or ethnic origin.
In such a case, the Company reserves the right to take appropriate action – including through the adoption of suitable disciplinary sanctions – against the Whistleblower, without prejudice to his/her possible criminal liability and/or liability pursuant to Article 2043 of the Civil Code.
7.1 The procedures for handling internal Reports are as follows:
If a direct meeting is requested, the same shall be scheduled within 10 days from the date of receipt of the request, or, in the event of proven urgency, within 5 days from the same date.
7.2 During preliminary investigation phase, targeted checks on the Report shall be carried out, in order to identify, analyze and assess the elements confirming the truthfulness of the reported facts, also by requesting integrations to the Whistleblower, if identified and if necessary. The Whistleblowing Manager may avail himself of the assistance of internal functions of Peck S.p.A. as well as of the support of external professionals and/or technical consultants, depending on the subject of the Report. The Whistleblowing Manager shall ensure that the preliminary investigation is carried out in a fair and impartial way; each person involved in the investigation shall be informed – once the preliminary investigation is completed – about the statements made and the evidence found against him/her and shall be granted to reply to them.
7.3 If during the investigation objective elements emerge proving the lack of good faith on the Whistleblower, Peck S.p.A. shall be immediately informed in order to assess the activation of possible sanctioning procedures against the Whistleblower; the Report shall be archived. The Report shall also be archived when the investigation reveals that it is unfounded.
7.4 If, at the end of the investigation, the Report is assessed as well-founded, a report summarizing the checks carried out and the evidence emerged is drawn up, in order to share with the administrative body the adoption of sanctions and/or the preparation of corrective actions. The administrative body also assesses the adoption of actions to protect the Company, including before courts.
7.5 The Manager is required to document the entire process of its management, by means of digital and/or hardcopy archive, and to keep all the relevant documentation, in order to ensure the complete traceability of the actions undertaken for the fulfilment of its institutional functions. All the documentation must be kept for as long as necessary for the management of the Report and, in any case, no longer than 5 years from the closure of the Reporting procedure.
In the event that the Whistleblowing Manager coincides with the Whistleblower, or with the Reported Person, the Report shall be handled by another person designated by the firm so that it can be handled effectively, independently and autonomously, in compliance with the confidentiality obligation provided for by the law.
9.1 The protections afforded to the Whistleblower may be guaranteed by the Company only if the indications provided by the Policy are complied with.
No protection is granted to the Whistleblower in case he/she contributed to the commission of the unlawful conduct. The protections afforded to the Whistleblower are also extended to:
9.2 The Company, in setting up and implementing its internal reporting channels, guarantees the confidentiality of the identity of the Whistleblower, of the Reported Person and of any other persons involved, as well as the content of the Report and of the relevant documentation. Reports cannot be used beyond what is necessary to adequately follow them up. The identity of the Whistleblower and any information from which it may be inferred, directly or indirectly, cannot be disclosed, without the Whistleblower’s express consent, to persons other than those competent to receive or follow up the Reports and expressly authorised to process such data.
In addition:
9.3 The Company shall not tolerate any kind of threat, retaliation, unjustified sanction or discrimination against the Whistleblower, the Reported Person and any person who has cooperated in the activities of investigating the merits of the Report. The adoption of discriminatory or retaliatory measures against the Whistleblower may give rise to disciplinary proceedings against the person responsible.
In the light of the provisions of Article 19(1) of Legislative Decree no. 24/2023, this does not affect the possibility for the Whistleblower to communicate to the ANAC any retaliation that he/she believes he/she has suffered in his/her work context.
Appropriate protection measures are also in place for the benefit of the Reported Person, in order to prevent any discrimination. The submission and receipt of a Report is not sufficient to initiate any disciplinary proceedings against the Reported Person. If it is decided to proceed with the investigation, the Whistleblower may be contacted and will be given the opportunity to provide any necessary clarification.
The receipt and management of Reports determine the processing of the data of the Whistleblowers.
Any personal data processing under this Policy must be carried out in compliance with the provisions of Regulation (EU) 2016/679 (GDPR) and Legislative Decree no. 196/2003, the so-called Privacy Code.
Personal data that are manifestly not useful for the processing of a specific Report shall not be collected or, if accidentally collected, shall be deleted immediately. The rights referred to in Articles 15 to 22 of the GDPR may be exercised within the limits of Article 23 of the GDPR and 2-undecies of Legislative Decree No. 196/2003.
Personal data processing that relates to the receipt and management of Reports is carried out by the Company in its capacity as Data Controller, in compliance with the principles set out in Articles 5 and 25 of the GDPR, providing appropriate information to the Whistleblower and the persons involved pursuant to Articles 13 and 14 of the GDPR, as well as adopting appropriate measures to protect the rights of the persons concerned. To this end, the Company provides specific information on the processing of personal data carried out in connection with the acquisition and management of the Reports governed by this Policy.
In addition, the Company, in compliance with the provisions of Article 13 of Legislative Decree No. 24/2023 and Articles 24 and 32 of the GDPR, identifies technical and organizational measures suitable for guaranteeing a level of security appropriate to the specific risks arising from the processing operations performed, on the basis of a data protection impact assessment (DPIA), regulating by contract or other legal act pursuant to Article 28 of the GDPR the relationship with any external suppliers that process personal data on its behalf with the status of data controller.
The Whistleblowing Manager periodically reviews, and if necessary updates, the Policy, to ensure its constant alignment with company practice and regulations.
The Policy is communicated by uploading it on the corporate website, displaying it on company notice boards and any other tool deemed appropriate in order to ensure a conscious, accurate and professional handling of Reports. The Company promotes communication, information and training activity on the Policy, to ensure the most effective application of the same and the widest knowledge of the rules on Whistleblowing, of the functioning of and access to the channels and tools made available to make Reports and of the measures applicable in the event of Breaches. This, in particular, in order to fulfil the training and information obligations referred to in Articles 4(2) and 5(1)(e) of the Decree.
1) Categories of Personal Data
a) Whistleblower’s Personal Data referred to in Article 4, point 1, of the GDPR (in the case of non-anonymous Reports) as well as of any Persons involved in or mentioned in the Report and Facilitators, as defined by the Whistleblowing Policy (hereinafter “Data Subjects”), such as: personal data (e.g. name, surname, date and place of birth), contact data e.g. landline and/or mobile telephone number, postal/e-mail address).
(b) Special categories of data referred to in Article 9 of the GDPR (by way of example but not limited to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data relating to a person’s health or sexual life or sexual orientation and judicial data, such as criminal convictions and offences), if included in the report.
c) Data relating to criminal convictions and offences or related security measures, as referred to in Article 10 of the GDPR, if included in the alert..
2) Purposes of the processing and related legal basis
The aforementioned Personal Data are processed by the Data Controller for the following purposes
(a) correct and complete management of the investigative activities necessary to assess the merits of reports of offences or irregularities of which the Whistleblower has become aware in the context of the employment relationship with the Controller or in the performance of administrative, control, supervisory or representative functions pursuant to Legislative Decree No. 24/2023;
b) fulfilment of obligations provided for by law or EU regulations;
c) defence or ascertainment of a right in civil, administrative or criminal litigation;
d) (processing which only concerns whistleblowers and, in particular, data allowing, directly or indirectly, their identity to be inferred) disclosure of the identity of the whistleblower for the purposes of defending the reported person or the person involved in any disciplinary proceedings based on the whistleblower’s report.
(e) (processing affecting only the Whistleblower during an oral meeting, in particular concerning all the information transmitted during the course of the report, including data allowing the identity of the Whistleblower to be inferred, directly or indirectly) transcription or recording on a device suitable for recording and listening. In the case of written minutes, the Whistleblower may in any case verify, rectify or confirm the minutes of the meeting by signing them;
The legal basis for the processing is:
The provision of data is necessary for the achievement of the above purposes; failure to provide such data, in part or inexactly, may result in the impossibility of handling the report..
Peck S.p.A. shall retain personal data according to the terms provided for in Article 14 of Legislative Decree no. 24/2023, i.e. for the time necessary to process the report and in any case for no longer than 5 years from the date of communication of the final outcome of the reporting procedure. Personal data that are clearly not useful for the processing of a specific report are not collected or, if accidentally collected, are promptly deleted. This is without prejudice to cases where processing is authorised by law or by a provision of the Italian Data Protection Authority (hereinafter, the ‘Garante’) or in any case by order of the Public Authority.
4) Modalities and logic of the processing
Data processing is carried out manually and/or by means of computerised and telematic automated tools with logics related to the above-mentioned purposes and, in any case, in such a way as to guarantee security and confidentiality.
The Whistleblowing management system guarantees, at every stage, the confidentiality of the identity of the Whistleblower, of the Persons involved and/or in any case mentioned in the Whistleblowing, of the content of the Whistleblowing and of the relevant documentation, without prejudice to the provisions of Article 12 of Legislative Decree no. 24/2023.
The personal data of the persons concerned will not be transferred outside the European Union..
The Data Controller of personal data processing is Peck S.p.A., with registered office in via Spadari 9 – 20123 Milan.
The Data Controller has appointed a Data Protection Officer, who can be contacted at the following address: privacy@peck.it.
Some processing operations may be carried out by other third parties, to whom Peck S.p.A. entrusts certain activities (or part of them) for the purposes referred to in point 2); these subjects will operate as autonomous Data Controllers or will be designated Data Processors and are essentially included in the following categories
a) Whistleblowing Manager
b) Consultants (Organisation, Litigation, Law firms, etc.)
c) Companies in charge of personnel administration and management
d) Auditing companies
e) Investigation Agencies
f) Public Institutions and/or Authorities, Judicial Authorities, Police Bodies.
The data subject, in the persons of the Reporting Party or the Facilitator, has the right to access at any time the data concerning him/her and to exercise the rights provided for in Articles 15 to 22 of the GDPR, insofar as applicable (right of access to personal data, right to rectify them, right to obtain their deletion or so-called right to be forgotten, right to restriction of processing, right to portability of personal data or right to object to processing), by sending an e-mail to the address: privacy@peck.it
In addition, should he consider that the processing concerning him violates the Regulation, the data subject has the right to lodge a complaint with the Garante per la Protezione dei dati Personali, with offices in Piazza Venezia n. 11, 00187 – Rome (http://www.garanteprivacy.it/).
The aforementioned rights may not be exercised by the person concerned or by the person mentioned in the report, for as long as and to the extent that this constitutes a necessary and proportionate measure, pursuant to Article 2-undecies of Legislative Decree No. 196/2003 as amended (hereinafter, Privacy Code), as the exercise of such rights could result in actual and concrete prejudice to the protection of the confidentiality of the identity of the person reporting the matter.
In cases where it is not possible to exercise such rights directly, data subjects may still exercise them through the Garante, in the manner set out in Article 160 of the Privacy Code. In such cases, the Garante shall inform the person concerned that it has carried out all the necessary checks or that it has conducted a review, as well as of the right of the person concerned to lodge a judicial appeal.