CNCCS – Nazionale Composti Chimici e Centro Screening” S.c.a.r.l. (hereinafter referred as “CNCCS”) - acknowledges the importance of having a transparent process that offers all stakeholders operating within its business environment the opportunity to report actions and behaviors that are not compliant with current regulations, with its own Code of Ethics, as well as with its internal policies and procedures.

CNCCS considers the respect for the principles outlined in the Code of Ethics as a shared responsibility by all: by those working within CNCCS, on behalf of CNCCS, and more broadly, by all those who collaborate or come into contact with CNCCS.

CNCCS enforces compliance with both internal regulations (including, but not limited to, Policies, Procedures, Model 231) and external regulations (national and European Union laws). For this reason, it supports and promotes the safeguarding of the principles, rights, and duties outlined in its own Code of Ethics, encouraging anyone who identifies possible inappropriate, non-compliant, or suspicious conduct in violation of internal or external regulations to report it to the appropriate authorities.

CNCCS encourages maximum collaboration in reporting incorrect or unacceptable behaviors in order to promptly prevent their spread and take necessary measures against those responsible.

1. PURPOSE

The presence of a dedicated reporting channel, in addition to complying with specific regulations, contributes to strengthening the principles of legality, transparency, and accountability of CNCCS.

In particular, the present Whistleblowing Procedure aims to establish and regulate internal reporting channels in accordance with EU Directive 2019/1937 and Legislative Decree 24/2023, ensuring the expression of freedom of speech and information while simultaneously protecting the identity and confidentiality of the Reporting Person, the Reported Person, and any individuals mentioned in the Report, as well as the content of the Report and related documentation.

The objective is not only to prevent non-compliance or irregularities within the organization but also to involve all employees and third parties in the activity of combating illegality through active and responsible participation.

This document aims, among other things, to regulate the procedural management of the Report (acknowledgment, verification, and analysis), ensuring that it occurs in the manners and timelines stipulated by the relevant legislation.

 

To this end, the following are defined:

a. The scope of application of the Whistleblowing Procedure;

b. The management procedures of the Reports;

c. The governance model through which such Reports are managed and the guarantees of protection of the whistleblower's confidentiality put in place to prevent any discriminatory measures and/or retaliatory acts against them.

 

The principles underlying this Procedure are:

Legality: the principle that implies the importance of disclosing illicit behaviors;

Confidentiality: Reports can only be used by those managing the channel to follow up on them, with an explicit prohibition on disclosing the Reporting Person's identity. The identity of the Reporting Person and any other information from which their identity can be directly or indirectly inferred cannot be disclosed without the express consent of the Reporting Person to persons other than those competent to receive and/or follow up on the Reports. The identity of individuals involved and mentioned in the Report is also subject to the same protections; therefore, the same confidentiality guarantees are recognized.

Protection of the whistleblower: the whistleblower cannot suffer any retaliation (e.g., dismissal, suspension, failure to promote, demotion, etc.) and is protected by specific legal provisions, including, for example, the nullity regime of retaliatory acts suffered in violation of this prohibition.

Truth and transparency: promoting the principles of truth and transparency to prevent the commission of illicit acts, as well as to counteract misconduct and the risks of crimes or irregularities, even if only attempted;

Responsibility and accountability of organizations and individuals: reports of wrongdoing can induce positive changes in ethics and business practices.

 

2. APPLICATION FIELD

This Procedure applies to companies within the CNCCS S.c.a.r.l.

 

3. TERMS, DEFINITIONS, AND ACRONYMS

• "CNCCS": Collezione Nazionale Composti Chimici e Centro Screening Scarl;

• "Reporting Person" (hereinafter referred as “whistleblower”): the individual who makes the Report or publicly discloses information about violations acquired within their work context;

• "Reported Person" or "Involved Person": the individual mentioned in the whistleblowing Report as the person to whom the violation is attributed or as a person otherwise implicated in the reported violation;

• "Facilitator": an individual who assists the Reporting Person in the reporting process, operating within the same work context, and whose assistance must be kept confidential;

• "Reports Manager": the competent body for managing Reports in the Whistleblowing context;

• "Supervisory Body": the corporate body appointed pursuant to Legislative Decree no. 231 of June 8, 2001;

• "Report": the communication, written or oral, of information about violations;

• "Work Context": the work or professional activities, present or past, through which, regardless of the nature of such activities, an individual acquires information about violations and within which they may risk retaliation in the event of Reporting or public disclosure or reporting to the competent Judicial Authority;

• "Public Disclosure" or "Publicly Disclose": making information about violations public through the press, electronic means, or in any case through means of dissemination capable of reaching a large number of people;

• "Retaliation": any behavior, act, or omission, including threats of acts, connected to or resulting from the Report, which causes or may cause unfair harm to the Reporting Person;

• "Violations": behaviors, acts, or omissions related to CNCCS’ activities that harm the public interest or the integrity of the CNCCS itself;

• "Offenses": the term offenses refers to civil, administrative, and criminal offenses.

 

4. LEGAL REFERENCES

This Procedure has been drafted taking into account the following regulatory sources:

 

a. Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of European Union law;

b. Legislative Decree no. 24/2023 implementing Directive (EU) 2019/1937 on the protection of persons entitled to report breaches of European Union law and containing provisions concerning the protection of persons equally entitled to report breaches of national legislation (hereinafter "Whistleblowing Decree");

c. Legislative Decree no. 231/2001, concerning the discipline of the administrative liability of legal entities, companies, and associations, even without legal personality;

d. Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (hereinafter "GDPR");

e. Legislative Decree no. 196/2003, Personal Data Protection Code (hereinafter "Privacy Code").

 

Furthermore, the "Guidelines on the protection of persons who report breaches of European Union law and protection of persons who report breaches of national legislative provisions - procedures for the submission and management of external reports" issued by the National Anti-Corruption Authority ("ANAC"), Resolution no. 301 of July 12, 2023 (hereinafter also "ANAC Guidelines") as well as the "Operational Guide for private entities" disseminated by Confindustria on Whistleblowing matters have been taken into consideration.

 

5. CONTENTS OF THE REPORT

The purpose of the Report is to investigate potential unlawful and unethical conduct, to identify risks promptly, and to prevent damage to the reputation of the CNCCS. In this way, the Report can contribute to minimizing risks for the company, the work environment, and all collaborators. Each Report contributes to the success of CNCCS and to the promotion of an ethical, healthy, and sustainable culture, offering an important contribution to the internal compliance control system.

The scope of application of the Whistleblowing Decree includes reports of information on violations integrated by behaviors, acts, or omissions that harm the public interest or the integrity of CNCCS, which the Reporting Person becomes aware of in a work context and which consist of:

• relevant unlawful conduct under Legislative Decree no. 231/2001, such as, for example, fraud, third-party corruption acts towards employees or by them towards third parties, conflict of interest situations deemed unknown to the company;
• violations of the Model 231, including violations of rules related to the Model 231 such as the Code of Ethics and internal procedures, such as, for example, behaviors that constitute workplace harassment or violation of Equal Opportunity principles;
• offenses falling within the scope of application of EU or national acts indicated in the specific annex to Legislative Decree no. 24/2023, belonging to the following sectors: public procurement, services, financial products and markets, prevention of money laundering and terrorism financing, product safety and compliance, transport safety, environmental protection, radiation protection and nuclear safety, food and feed safety, and animal health and welfare, public health, consumer protection, privacy protection and personal data protection, and network and information system security;
• acts or omissions that harm the financial interests of the European Union, including, for example, violations in the field of VAT and customs law;
• violations in competition law and/or State aid;
• acts or behaviors that frustrate the purpose or objectives of EU acts, including, for example, the use of abusive market practices.

Regarding this, it is highlighted that the Whistleblowing Decree provides that in companies that have not reached the average of 50 workers and have adopted the Organizational Model 231 - such as Ad CNCCS - reports may only concern relevant unlawful conduct for discipline 231 or violations of Model 231 and can only be made through the internal channel.

The information may concern both committed violations and those not yet committed but that the Reporting Person reasonably believes could be committed based on concrete elements.

The provisions of the Whistleblowing Decree do not apply to:

• Reports made in bad faith;
• Disputes, claims, or requests related to a personal interest of the Reporting Person that concern exclusively their individual employment relationships, even with hierarchically superior figures;
• Information blatantly unfounded;
• Information that is already entirely public knowledge;
• Information acquired only on the basis of poorly reliable rumors (so-called hearsay).

It is the responsibility of the Reporting Person to make reports in good faith, i.e., based on the belief that what is stated is true (regardless of whether what is reported is subsequently confirmed in the investigations that follow), and in line with the spirit of this Procedure: manifestly unfounded, opportunistic, and/or made solely for the purpose of harming the Reported Person or subjects otherwise involved in the Report will not be considered and may be subject to sanctions and/or actions before the competent Judicial Authority.

 

6. SUBJECTS AUTHORIZED TO REPORT

Recipients of this Procedure include:

• Corporate executives and members of the corporate bodies of CNCCS;
• Employees of CNCCS;
• Partners, clients, suppliers, consultants, collaborators, shareholders, and anyone else with a business relationship with the CNCCS ("Third Parties").

In particular, Reports can be made by anyone who, in any capacity, provides their work activity in favor of a company within the CNCCS, including: employees, freelancers, holders of collaboration agreements, even occasional ones, temporary workers, interns, trainees, and volunteers, freelance professionals, consultants, workers, or collaborators who perform activities at suppliers of goods or services or at entities that provide works and/or services to the respective company within the CNCCS (e.g., suppliers or contractors), individuals performing administrative, managerial, supervisory, oversight, or representative functions, even de facto, within CNCCS.

All the aforementioned subjects are covered by the protective measures guaranteed by the Whistleblowing Decree not only if the Report is made during the course of the employment relationship or other type of legal relationship but also during the probationary period and before or after the establishment and/or termination of the legal relationship.

 

7. REPORTING THROUGH INTERNAL CHANNEL

Regarding the type of reporting channel, it is highlighted that - as the CNCCS falls among private entities that have adopted an organizational and management model 231 but have not reached an average of 50 subordinate workers - in accordance with the regulatory provisions of the Whistleblowing Decree, only an internal reporting channel has been activated for such entities.

The management of the Report through the internal company channel proceeds according to the following stages:

1. Submission of the Report;
2. Receipt and acknowledgment of receipt;
3. Initial assessment regarding the admissibility and procedural of the Report;
4. Investigation and verification of the Report;
5. Feedback to the Reporting Person;
6. Outcome of the investigation and Closure of the Report;
7. Subsequent actions.

 

1. 1. Submission of the Report

CNCCS has its own internal reporting channel which - through the use of a computer platform implemented with every appropriate security measure, including encryption - ensures the confidentiality of the Reporting Person, Reported Person, and Involved Person's identities, as well as the content of the Report and related documentation, as documented analytically in the impact assessment, pursuant to Article 35 of the GDPR.

To submit a Report, the following steps are required:

• Access the computer platform through the link:  https://cnccs.segnalazioni.net, accessible from the intranet as well as the company website;
• Accept the terms and conditions, including the privacy policy, displayed on the page;
• Register and Log In;
• Once logged into the platform, select the company to which the Report should be addressed;
• Fill in the fields in the Report form, providing information about the violation;
• Upload any relevant documents in your possession (including evidence of the violation);
• Indicate any other individuals who may be aware of the facts;
• Once the message is sent, you can access the platform to check the status of your Report;

 

Reports can be submitted through the platform in written form or via voice messaging. The Reporting Person's data is separated from the Report, so the Report is sent to the Manager via the platform while hiding the Reporting Person's identity. For technical information, refer to the instructions provided on the platform.

The platform ensures compliance with accessibility criteria required by the Whistleblowing Decree and allows for the uploading of files of any type, including audio files. A digital folder is created for each Report, containing the information submitted with the initial Report, message exchanges, and documents collected during the investigation.

Upon completion of data upload, the platform generates a code that becomes the practice ID, i.e., the unique key with which the Reporting Person can communicate with the Manager. The Reporting Person is also granted the option to request a direct meeting with the Manager.

The progress of the practice, along with relevant information and attached documents, as well as corresponding feedback, is tracked on the platform.

 

7.2 Report Recipient

Recipient and Manager of the Report for CNCCS is the President of the Supervisory Body or the Supervisory Body itself if acting in a monocratic capacity (hereinafter referred to as the "Manager") of CNCCS, who is responsible for managing the internal reporting channel as they possess suitable autonomy and competence.

If the Manager coincides with the Reporting Person, Reported Person, or is otherwise involved or affected by the Report, the management of the reporting channel will be entrusted to another member of the Supervisory Body (hereinafter referred to as the "Deputy"), who can ensure effective, independent, and autonomous management of the Report, always respecting the confidentiality obligations imposed by the regulations and with the obligation for the Manager to refrain from conducting the investigative activity.

In the event of prolonged and unforeseeable absences of the Manager, the company's management identifies a new Manager of the Reports for the relevant period, in compliance with the subjective requirements provided by the Whistleblowing Decree.

The Manager:

a. Has suitable professional training on whistleblowing, including reference to concrete cases, as provided for in Article 4 of the Whistleblowing Decree;

b. Ensures impartiality and independence in managing the reporting channel;

c. Is appointed as the data controller, in accordance with Article 28 of the GDPR.

 

7.3 Receipt of the Report and Acknowledgment of Receipt

Once the Report is submitted, the Manager proceeds to take it into consideration. If deemed necessary, the Manager may view the identity of the Reporting Person, who is automatically notified through the platform.

Upon taking the Report into consideration, the Manager, through the designated computer platform, issues an acknowledgment of receipt to the Reporting Person within 7 (seven) days from the date of receiving the Report. It should be noted that this timeframe is subject to suspension during the periods from August 1st to August 31st and from December 24th to January 6th.

7.4 Admissibility and Procedurability of the Report

 

Upon completion of the phase related to the transmission of the acknowledgment of receipt, the Manager proceeds to the preliminary examination of the Report. Specifically, during this phase, the Manager assesses its procedurability and subsequently its admissibility.

To proceed with the procedure, the Reporting Manager must verify the procedurability in light of the subjective and objective scope of the Whistleblowing Decree, specifically:

• That the Reporting Person is authorized to make the Report.
• That the subject matter of the Report falls within the scope of the discipline.

 

To process the Report, the Manager may request clarification from the Reporting Person, who will receive a notification on the reporting platform.

If the Report concerns a matter excluded from the objective scope of Whistleblowing application, it will be treated as ordinary and/or archived, with communication to the Reporting Person.

Once it is verified that the Report meets the subjective and objective requirements defined by the legislator and is thus procedurable, the Manager evaluates its admissibility as a Whistleblowing Report.

For admissibility, it is necessary that the Report clearly includes:

• The circumstances of time and place in which the reported incident occurred and, therefore, a description of the reported facts, including details relating to circumstantial information, and, if applicable, the means by which the Reporting Person became aware of the facts.
• The particulars or other elements that allow the identification of the subject to whom the reported facts are attributed.

The Report may be considered inadmissible if:

• It lacks essential data;
• The factual elements related to the violations typified by the legislator are manifestly unfounded;
• The facts reported are of a generic nature, making them incomprehensible to the designated person;
• Only documentation is provided without the actual reporting of violations;
• There is a lack of identifying information about the Reporting Person and contact information.

If the Report is found to be unprocedural or inadmissible, the Reporting Manager proceeds with archiving. Furthermore, even during the preliminary verification, if necessary, the Manager can request further information from the Reporting Person, initiating a dialogue with them.

The platform tracks the various steps described, whether the Report continues with the process outlined in this Procedure or is closed because it is not relevant.

 

7.5 Investigation and Assessment of the Report

Once the admissibility and feasibility of the Report have been verified, the Manager initiates an internal investigation into the reported facts and conduct to assess their validity. To protect the Reported Person, a mere Report is not sufficient to initiate disciplinary proceedings against them; instead, a thorough investigation following this Procedure is required.

The Manager of the Report ensures that all appropriate checks on the reported facts are conducted, ensuring promptness and adherence to the principles of objectivity, competence, and professional diligence.

Specifically, they proceed with specific verifications, analyses, and evaluations regarding the validity of the reported facts by:

• Gathering the necessary informational elements for assessments through the analysis of received documentation/information;
• Involving other company departments or specialized external entities;
• Considering the specific technical and professional competencies required;
• Conducting hearings with any internal/external individuals, etc.

These investigation and verification activities are exclusively the responsibility of the designated Manager handling the Reports, including all activities necessary to follow up on the Report (such as hearings or document acquisitions). Furthermore, these activities are always carried out in compliance with the principles of impartiality and confidentiality.

During the investigation phase, the Manager interacts with the Reporter, requesting further information if necessary to diligently pursue the Reports received. Any additional information and/or documents requested from the Reporter must be transmitted through the platform.

Any involvement of other individuals, employees, or collaborators of the Company, or third parties who can provide information about the reported facts to help verify the validity of the Report, must ensure the confidentiality of the Reporter and the case, i.e., the Report, the entire investigation, and the related acquired and/or produced documentation.

If it becomes necessary to disclose the identity of the Reporter, the authorization of the Reporter themselves is required. During the investigation, the Reported Person may be heard or, upon their request, heard, including through observations and written documents.

The Report is exempt from the right of access to administrative acts provided for in other cases by law.

 

7.6 Feedback to the Reporter, investigation outcome, and procedure closure

Once the investigation process is complete, the Reporting Officer can:

• Archive the report if it is deemed unfounded, providing reasons for the decision:
• Declare the report as founded and refer it to the relevant internal organs/functions for subsequent measures or proceedings.

The Reporting Officer must provide feedback to the Reporter within three months from the date of the acknowledgment of receipt. This feedback can be final if the investigation is completed or interim in nature, providing updates on the progress of the investigation, which is not yet finalized.

Therefore, upon the expiration of the three-month period, the Reporting Officer can communicate to the Reporter:

• The archival of the report;
• The confirmation of the report's validity and its referral to the competent internal bodies;
• Updates regarding the progress of the investigation and the planned closing timelines.

In the latter case, the Reporting Officer also informs the Reporter about the final outcome of the investigation (archival or confirmation of the report's validity).

 

7.7 Specific investigations and consequent actions

Following the verification, the Manager, depending on the nature of the violation, also takes the following actions:

• Communicates the outcome of the investigation to the President and the Board of Directors and/or the relevant oversight bodies;
• Agrees with the Management and/or other relevant functions on any initiatives to be taken to protect the interests of CNCCS (e.g., legal actions, suspension/removal of suppliers from CNCCS’ Supplier Register);
• Notifies the outcome of the investigation to the Head of the department to which the violator belongs, so that appropriate management measures can be taken, including, if necessary, disciplinary action in accordance with applicable regulations;
• Collaborates with the responsible management of the function affected by the report to develop any necessary action plans for addressing identified control weaknesses, implementing corrective actions, and/or improvement plans;
• Takes any additional measures and/or actions deemed necessary and appropriate in the specific case.

 

8. PROTECTION OF REPORTS

The IT platform adopted by CNCCS is equipped with all appropriate security measures, including encryption.

Confidentiality of sources and information obtained is ensured, subject to legal obligations.

Furthermore, CNCCS will not take retaliatory actions (disciplinary sanctions, demotion, suspension, termination) or discriminate in any way in the workplace against employees who have acted in good faith to report events or situations related to compliance with the Code of Ethics, Model 231, company procedures, or any legal regulations.

This protection is also extended to Facilitators; individuals within the same work context as the Reporter and those with stable emotional or familial ties; coworkers who have a habitual and current relationship with the Reporter; entities owned by or employing the Reporter, as well as entities operating within the same work context, and all individuals identified in Article 3 of Legislative Decree 24/2023.

Individuals involved in the activities governed by this Procedure are required to act in accordance with legal regulations and applicable regulations, and in compliance with the principles outlined below.

Confidentiality

Anyone receiving, analyzing, or evaluating a report is required to ensure the confidentiality of the information processed and the confidentiality of the identity of the Reporter, Facilitator, third parties connected to the Reporter, and the Reported Person.

CNCCS therefore commits to ensuring maximum confidentiality regarding the subjects and facts reported, as well as the identity of the Reporter. However, a derogation is permitted in cases where there is a necessary and proportionate obligation imposed by Union law or national law in the context of investigations by national authorities or judicial proceedings, also in order to safeguard the defense rights of the interested party.

Restricted Sharing

Access to Reports and/or the information contained therein is only permitted to those who have a genuine need to know for the performance of their duties and in accordance with the "need-to-know" principle.

Objectivity and Impartiality

Any action taken against the Reported Person must be based on objective evidence and following an investigation and verification of the reported facts.

Data Minimization

Information for the management of Reports is collected and processed only to the extent necessary and relevant for the purposes of the investigations. If the collected data is not relevant or of interest for the investigation of the Report, it will not be considered, processed, or stored.

Processing of Personal Data

Within the framework of the Report management procedure, especially during the conduct of preliminary analysis and investigations, the information and personal data acquired will be processed in accordance with the principles of the GDPR and applicable regulations.

To this end:

1. The companies of CNCCS, as Data Controllers, guarantee:

• to process data lawfully, fairly, and transparently;
• to collect data only for the purpose of managing and following up on Reports in accordance with the principle of purpose limitation;
• the adequacy, relevance, accuracy, and limitation of the processed data in accordance with the principles of minimization and accuracy;
• to retain data in a form that allows identification of the data subjects for the time necessary for the processing of the specific Report and in any case not beyond 5 (five) years from the date of communication of the final outcome of the Reporting procedure;
• to process data in a manner that ensures adequate security of personal data, including protection through appropriate technical and organizational measures, against unauthorized or unlawful processing and accidental loss, destruction, or damage. For these reasons, the platform uses encryption tools. In any case, the security measures adopted are periodically reviewed and updated;
• to have updated the register of processing activities;
• to comply with the prohibition of tracking the reporting channel, even if mediated by firewall or proxy devices, both on the computer platform and on the network devices potentially involved in the transmission or monitoring of communications.

 

2. The Manager has been duly appointed as the Data Processing Manager, pursuant to Article 28 of the GDPR;
3. The company providing the Reporting management platform has been appointed as the Data Processing Manager, pursuant to Article 28 of the GDPR;
4. An impact assessment on the processing of personal data carried out through the reporting channel has been conducted, pursuant to Article 35 of the GDPR;
5. Those who use the reporting channel are promptly informed, directly on the platform, of the processing methods of personal data, pursuant to Articles 13 and 14 of the GDPR.

It is specified that the Reported Person or the person mentioned in the Report, with reference to their personal data processed within the framework of the Report, cannot exercise the rights that the GDPR normally grants to data subjects (the right of access to personal data, the right to rectify them, the right to obtain their erasure or the so-called right to be forgotten, the right to restrict processing, the right to data portability, and the right to object to processing). This is because the exercise of these rights could result in a concrete and effective prejudice to the protection of the confidentiality of the Reporter's identity.

 

9. PROTECTION AGAINST RETALIATORY ACTS

Threats, retaliation, and discrimination against anyone reporting in good faith are not tolerated. Employees making reports will not face dismissal, threats, harassment, discrimination, or any other form of retaliation. Any individual engaging in retaliatory actions against a reporter will be subject to disciplinary measures, including the possibility of dismissal.

Measures to protect reporters also apply, where relevant, to facilitators, third parties connected to reporters, and those at risk of retaliation in a work context, as well as to legal entities connected or controlled by reporters or for whom they work.

To enjoy protection, it is necessary that:

1. The reporter has reported based on a reasonable belief that the information on the reported violations disclosed or reported is true and falls within the objective scope of application of the Whistleblowing Decree;
2. The report is made in accordance with the Whistleblowing Decree and this Procedure;

c. There is a causal relationship between the report and the retaliatory measures suffered.

In any case, the protection provided in the event of retaliation is not guaranteed when the reporter's criminal liability is established, even by first-instance judgment, for the crimes of defamation or slander, or for the same crimes committed with the report to the competent Authority, or their civil liability, for the same reasons, in cases of intent or gross negligence. If liability is established, the reporter or complainant may be subject to the appropriate disciplinary sanction.

 

10. WHISTLERBLOWER’S RESPONSIBILITY

The whistleblower remains subject to criminal and disciplinary liability in the event of false, defamatory, or slanderous reporting according to the criminal code.

Any abuse of this procedure, such as opportunistic or malicious reporting, or intentional misuse or manipulation of the procedure, also constitutes grounds for disciplinary action and liability in other competent forums.

 

11. REPORTING OF COMPLAINTS TO AUTHORITIES

The Manager prepares a report semi-annually, ensuring confidentiality as outlined in this Procedure, regarding the received complaints and the activities carried out, which is then submitted to the Board of Directors and the oversight bodies.

 

12. DOCUMENTATIONS STORAGE

The information and documentation related to the complaint, as well as the flow of information with the entities involved in the verification, are managed and stored exclusively within the platform, in order to ensure the highest level of security and confidentiality and in compliance with the Whistleblowing Decree. The complaints and related documentation are retained for the time necessary for processing the complaint, and in any case not exceeding five years from the date of communication of the final outcome of the complaint procedure.

 

13. DISTRIBUTION AND ADOPTION

The procedure is aimed at ensuring maximum dissemination and is published on CNCCS , within a dedicated Whistleblowing page that provides access to the internal reporting channel. Additionally, it is made available through publication on the company's intranet.

Furthermore, CNCCS conducts communication and training initiatives for employees regarding the Procedure, including activities aimed at promoting awareness of whistleblowing principles.

Regular reviews are conducted to update the Policy and Portal, ensuring alignment with relevant regulations and incorporating operational and experiential feedback.