Legal & Corporate

Whistleblowing

Enterprise-grade whistleblowing policy for reporting relevant breaches, with confidentiality safeguards, anti-retaliation protection, investigation governance and coordination with the compliance framework.

1. Purpose and regulatory framework

This section sets out the principles, safeguards and handling rules applicable to reports concerning relevant breaches connected with UESE ITALIA S.p.A., in line with Italian Legislative Decree No. 24 of 10 March 2023, implementing Directive (EU) 2019/1937, as well as with the applicable principles on personal data protection, confidentiality, procedural fairness, proportionality and non-retaliation.

The whistleblowing system is intended to support the timely disclosure of breaches of EU law or national law, unlawful conduct, material irregularities, misconduct, internal control failures or behaviour contrary to the integrity, legality, security and compliance principles adopted by or applicable to UESE.

This page is of an informational and general policy nature. The operational procedures for submitting reports, the active channels, the response timeframes and any procedural annexes must be read together with the internal instructions and the reporting tools actually made available by the organisation.

2. Persons entitled to report

Subject to the conditions and limits laid down by applicable law, reports may be submitted by employees, managers, contractors, self-employed workers, consultants, professionals, business partners, suppliers, subcontractors, candidates, interns, trainees, volunteers, shareholders, members of corporate bodies and any other person who has obtained information about a breach in a work-related, professional or pre-contractual context connected with UESE.

Where provided by law, protection may also extend to facilitators, colleagues or persons operating in the same work-related context, as well as legal entities connected with the reporting person that may suffer retaliation because of the report.

3. Reportable matters

Reports may concern, where relevant and based on sufficiently detailed elements, conduct or omissions affecting the public interest, the integrity of the organisation or compliance with applicable legal and organisational obligations, including for example:

  • breaches of laws, regulations, administrative measures or applicable EU obligations;
  • corruption, fraud, misappropriation, false statements, accounting or documentary irregularities;
  • breaches relating to privacy, cybersecurity, information security, data protection, business continuity and risk management;
  • conduct contrary to the Code of Ethics, compliance policies, internal controls or anti-corruption and anti-fraud safeguards;
  • breaches concerning health and safety, environment, products, services, competition, consumer protection, procurement, financial markets or other areas covered by applicable whistleblowing rules;
  • acts or omissions aimed at concealing a breach or obstructing internal checks, controls or investigations.

4. Excluded matters

As a general rule, whistleblowing does not cover complaints, grievances or requests linked to the reporting person’s strictly personal interest and relating exclusively to their individual employment or collaboration relationship, unless such matters also involve misconduct or systemic risk that is relevant under applicable law.

Reports that are manifestly unfounded, generic, unverifiable, defamatory, retaliatory or abusive may also fall outside the protected scope, as may matters that must be handled exclusively through sector-specific mandatory channels where the law so requires.

5. Reporting requirements

A report should be as clear, complete and detailed as possible. Where known and available, it is advisable to indicate the relevant facts, context, timeframe, persons or functions involved, possible witnesses, supporting documents and any other information useful for a reliable preliminary assessment.

Reports may concern past, ongoing or reasonably likely breaches, provided that the reporting person had reasonable grounds to believe, at the time of reporting, that the information was true and fell within the scope of the applicable regime.

6. Reporting channels

As a general rule, UESE encourages the use of the internal reporting channel, where available and appropriate in light of the nature of the reported matter. This is without prejudice, in the cases and under the conditions provided by law, to the possibility of using the external reporting channel before the competent authority, making a public disclosure or reporting to judicial or accounting authorities.

The choice of channel must be made responsibly and proportionately, taking into account the applicable legal framework, the actual availability of channels, the nature of the breach, the risk of retaliation and the need to ensure effective and confidential handling of the report.

7. Receipt, assessment and follow-up

Reports are received and handled by authorised, independent and appropriately trained persons or functions, in accordance with principles of impartiality, confidentiality, traceability, proportionality and segregation of duties. Upon receipt, a preliminary review may be carried out to assess admissibility, completeness and relevance.

Where a report is deemed admissible, an internal investigation may be opened, possibly involving competent internal functions, qualified advisers or third parties bound by confidentiality obligations. Where legally permitted and appropriate, the reporting person may receive an acknowledgement of receipt and feedback on the follow-up given to the report within the deadlines required by applicable law and compatible with investigative needs.

8. Confidentiality and protection of identity

The identity of the reporting person, the persons concerned and the individuals mentioned in the report is protected within the limits and under the conditions laid down by applicable law. Information is accessible only to authorised persons who need to know it for the purpose of handling the report or complying with legal obligations.

The disclosure of the reporting person’s identity, or of information likely to enable indirect identification, is permitted only in the cases and with the safeguards expressly provided by law, including situations in which such knowledge is indispensable for the defence of the person concerned in disciplinary or judicial proceedings, where applicable.

9. Personal data protection

Personal data related to reports are processed in accordance with Regulation (EU) 2016/679, Italian Legislative Decree No. 196/2003 as amended, and the principles of data minimisation, purpose limitation, accuracy, security, confidentiality and storage limitation. Only data that are relevant and necessary for the management of the report are processed.

Appropriate technical and organisational measures may be adopted to ensure channel security, segregated access, encryption or pseudonymisation where appropriate, controlled retention of evidence, access logging and documented management of investigative steps.

10. Prohibition of retaliation and protective measures

UESE does not tolerate any form of retaliation, discrimination, disadvantage, intimidation or unjustified detriment against the reporting person or other protected persons where the report has been made under the conditions required by the applicable regime. Examples of retaliation include dismissal, suspension, demotion, non-renewal, unjustified transfer, disproportionate disciplinary action, mobbing, professional isolation or induced reputational harm.

Persons who believe they have suffered retaliation may seek the remedies and channels provided by applicable law, including those before the competent authorities. Any support measures provided by the legal framework remain available where applicable.

11. Bad-faith reports and liability

Whistleblowing protection does not cover reports made with wilful misconduct or gross negligence, nor manifestly false, defamatory or malicious statements. The civil, disciplinary, administrative or criminal liability of anyone who abuses the reporting channel or knowingly submits false allegations remains unaffected.

At the same time, the mere fact that a report is not confirmed following an investigation does not automatically imply bad faith, provided that the reporting person acted on reasonable grounds to believe the information was true and within the intended scope of the regime.

12. Retention, documentation and audit trail

Reports and related documentation are retained for no longer than necessary for managing the procedure and, in any event, within the time limits laid down by law, taking into account defence needs, legal obligations, disputes, inspections or requests from competent authorities.

Receipt, analysis, classification, investigation, escalation, outcome and closure activities may be logged so as to ensure accountability, auditability, operational continuity and proper documentation of the process followed.

13. Coordination with the compliance framework

The whistleblowing system is coordinated with the Code of Ethics, anti-corruption, privacy, cybersecurity, health and safety policies, internal controls, disciplinary procedures and, where applicable, with the organisation, management and control model adopted pursuant to Italian Legislative Decree No. 231/2001 or with other equivalent governance and risk management arrangements.

Where a report reveals disciplinary, contractual, regulatory, reputational or criminal relevance, UESE may adopt any necessary and proportionate measure, including further investigations, remediation, corrective actions, interim safeguards, notifications to competent authorities or updates to internal controls.

14. Policy updates and contacts

This policy may be updated, amended or supplemented at any time for regulatory, organisational, technological or compliance-improvement reasons. The version published on the website supersedes, from its update date, any previous version.

For clarifications on the operation of the whistleblowing system or information on the available channels, UESE may be contacted through the institutional contacts published on the website. Reports must in any case be submitted exclusively through the dedicated channels, where activated.