Procedure and Privacy Whistleblowing nimax

seo Whistleblowing policy
Download the procedure in PDF format
Privacy policy in PDF format

1. PREMISES

Legislative Decree No. 24 of 10 March 2023, implementing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019, concerning the protection of persons who report breaches of Union law and laying down provisions regarding the protection of persons who report violations of national regulatory provisions, has significantly reorganised the framework governing the management of reports of unlawful conduct (so-called whistleblowing), introducing a comprehensive and uniform regulatory system.

The recently introduced provisions, in particular, impose on companies/entities the obligation to adopt a structured and adequately formalised whistleblowing system. Essential elements of such system include the implementation of internal reporting channels – managed internally by offices or personnel belonging to the organisation who have been specifically trained, or by external third parties – through which individuals who become aware of unlawful conduct may submit a report (see paragraph 5.2 of this Procedure), as well as a specific internal procedure regulating organisational and process-related aspects for the proper management of reports falling within the scope of the new whistleblowing regulations.

In general, reports may be submitted through the internal channel either in written form, including by electronic means, or orally (e.g. dedicated telephone lines or voice messaging systems).

At the request of the reporting person, a face-to-face meeting must also be arranged with the individuals responsible for handling the reports.

In addition to internal reporting, and only where the specific conditions set out in Articles 6 and 15 of Legislative Decree 24/2023 are met (reference is made thereto), the reporting person has the option to use an external reporting channel established at ANAC or to make a public disclosure – that is, to make the information concerning the aforementioned violations publicly available through the press or electronic means that enable dissemination to multiple persons.

This Procedure, updated in accordance with the currently applicable regulatory framework, forms an integral part of the Code of Ethics adopted by NIMAX S.P.A. and is consistent with the company’s compliance policy. 

2. PURPOSE AND SCOPE OF THE PROCEDURE

In order to effectively prevent and counter fraudulent behaviour and unlawful or irregular conduct, an internal system for reporting violations (so-called “Whistleblowing” system) is established in compliance with the provisions of Legislative Decree 24/2023.

For this purpose, the Procedure defines:

  • the subjective scope of application, namely the individuals who may submit a report;
  • the objective scope of application, namely the violations that may be reported;
  • the methods for submitting reports;
  • the role of the parties responsible for receiving reports;
  • the process for evaluating reports;
  • the forms of protection for reporting persons and reported persons.

It is specified that the individuals authorised to receive and manage reports pursuant to Article 4 of Legislative Decree 24/2023 are exclusively: the HR departmen

3. DEFINITIONS AND ACRONYMS

  • Nimax S.p.A or Company: with registered office in Bologna, Via dell’Arcoveggio 59/2
  • Code of Ethics: the document that defines the set of ethical and behavioural principles which the corporate bodies, employees, collaborators and, in general, all third parties having legal relationships with NIMAX S.P.A are required to comply with
  • Recipients: the personnel of NIMAX S.P.A and any other third party, natural or legal person, such as suppliers, consultants, customers or other entities having contractual relationships with the Company, such as collaborators, consultants, business partners and, in general, all subjects referred to in Article 3 of Legislative Decree 24/2023 (Personal scope of application)
  • Internal Procedures: all procedures, protocols, company regulations and/or operating instructions, as well as all other documents forming part of the company’s regulatory system
  • Violations: behaviours, acts or omissions that harm the public interest or the integrity of the public administration or private entity and which consist of unlawful conduct relevant under Article 2 of Legislative Decree 24/2023 (see paragraph 5.2)
  • Information on Violations (or “related to violations” or “concerning violations”): information, including well-founded suspicions, regarding violations that have been committed or that, based on concrete elements, could be committed within the organisation with which the reporting person has a legal relationship, as well as elements relating to conduct aimed at concealing such violations
  • Retaliation: any behaviour, act or omission, even if only attempted or threatened, carried out as a result of the report and which causes or may cause unjust harm, directly or indirectly, to the reporting person
  • Report: the communication (written or oral) of information relating to a violation submitted through the internal reporting channels adopted by the Company
  • Reporting Person (or “Whistleblower”): the natural person who submits a report of information relating to a violation acquired within their work-related context
  • Person Concerned (or “Reported Person”): the natural or legal person mentioned in the internal report as the person to whom the violation is attributed or as a person otherwise involved in the reported violation
  • Facilitator: a natural person who assists the reporting person in the reporting process, operating within the same work-related context, whose assistance must be kept confidential
  • Address for submitting Whistleblowing reports: Whistleblowing Report Management Office, at HR Department – confidential report – c/o Nimax S.p.A, Via dell’Arcoveggio 59/2 – 40129 BOLOGNA
  • Mobile number for oral reporting: 3406803219
  • Report Manager: HR Department, which is the recipient of the Reports
  • CEO: Chief Executive Officer of NIMAX S.P.A

4. REGULATORY FRAMEWORK

4.1 Mandatory Regulations

  • Civil Code
  • Criminal Code
  • Legislative Decree No. 24 of 10 March 2023 – Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019, concerning the protection of persons who report breaches of Union law and laying down provisions regarding the protection of persons who report violations of national regulatory provisions
  • Legislative Decree No. 231 of 8 June 2001 governing the administrative liability of legal entities, companies and associations, including those without legal personality
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (“GDPR”)
  • Legislative Decree No. 196 of 30 June 2003, as amended (“Privacy Code”)

4.2 Internal Regulations

  • Code of Ethics of NIMAX S.P.A
  • Internal Procedures and Regulations

For the purposes of this Procedure, other regulatory provisions may also be relevant, including those relating to employment law, as well as, where applicable, civil and criminal provisions that may apply on a case-by-case basis.

5. FORMS OF PROTECTION AND CONFIDENTIALITY GRANTED TO THE REPORTING PERSON AND THE REPORTED PERSON

5.1 Protection of the Reporting Person

In order to ensure the effectiveness of the internal reporting channel and its proper use, NIMAX S.P.A guarantees the confidentiality of the identity of the Reporting Person, also in compliance with the provisions on personal data protection set out in Regulation (EU) 2016/679 and Legislative Decree 196/2003 (“Privacy Code”), and implements all necessary measures to prevent any form of retaliation directly or indirectly connected to the Report.

In particular, by way of example and not exhaustive, the following may constitute retaliation:

  • dismissal, suspension or equivalent measures
  • failure to promote or demotion
  • change of duties, change of workplace, salary reduction, modification of working hours
  • negative performance assessments or negative references
  • suspension of training or any restriction of access thereto
  • adoption of disciplinary measures or other sanctions, including financial ones
  • coercion, intimidation, harassment or ostracism
  • discrimination or otherwise unfavourable treatment
  • failure to convert a fixed-term employment contract into a permanent one, where the employee has a legitimate expectation of such conversion
  • non-renewal or early termination of a fixed-term employment contract
  • damages, including to the person’s reputation, particularly on social media, or economic or financial losses, including loss of economic opportunities and loss of incomeinclusion in improper lists on the basis of a formal or informal sectoral or industry agreement, which may result in the person being unable to find employment in the sector or industry in the futureearly termination or cancellation of contracts for the supply of goods or servicesrevocation of a licence or permitrequest to undergo psychiatric or medical examinations
  • The Reported Person who believes they have suffered an act of retaliation connected to the Report may submit a communication to the National Labour Inspectorate or to ANAC, so that the most appropriate measures within their competence may be adopted.
  • Retaliatory or discriminatory measures arising from the Report (including dismissal and/or change of duties pursuant to Article 2103 of the Civil Code) are null and void pursuant to Articles 6, paragraph 2-quater of Legislative Decree 231/2001 and 19, paragraph 3 of Legislative Decree 24/2023. In the event of dismissal, the person who submitted the Report is entitled to reinstatement in their job position pursuant to Article 18 of Law No. 300/1970 (“Workers’ Statute”) or Article 2 of Legislative Decree 23/2015, depending on the specific applicable employment regulation.
  • The protection measures provided for by Legislative Decree 24/2023 also apply to:
  • Facilitators
  • persons within the same work-related context as the Reporting Person who are linked to them by a stable emotional relationship or kinship up to the fourth degree
  • colleagues of the Reporting Person who work in the same work-related context and who have an ongoing and regular relationship with the Reporting Person, meaning not sporadic or occasional, but continuous and lasting over time
  • legal entities owned by the Reporting Person, for which they work or with which they are otherwise connected in a work-related context (e.g. partnerships between companies)

5.2 Protection of the Reported Person

In order to prevent any abuse of the reporting system and to avoid defamatory or slanderous conduct that could harm the reputation of the person involved in a Report, or cause them discrimination, retaliation or other disadvantages, this Procedure provides measures to protect the Reported Person.

In particular:

  • Reports made with intent or gross negligence that are manifestly unfounded are prohibited
  • Reports made in bad faith are prohibited
  • Reports submitted for personal reasons are prohibited
  • Reports submitted solely for the purpose of obtaining advantages or causing harm to the Reported Person and/or the Company are prohibited

In the event of a reckless Report as described above:

  • the Reporting Person may be subject to disciplinary sanctions provided for by the Company’s Disciplinary System
  • if an employee, sanctions provided for by the applicable National Collective Labour Agreement may apply
  • administrative monetary sanctions within the competence of ANAC may be imposed

The person to whom the violation is attributed may:

  • request to be heard by the Report Manager
  • submit written statements
  • submit other documentation in their defence

A record of the meeting with the Reported Person shall be drawn up, dated and signed by the Reported Person, and kept at the HR offices.

5.3 Confidentiality and Privacy

In managing Reports, NIMAX S.P.A guarantees the confidentiality of:

  • the identity of the Reporting Person
  • any information from which such identity may be inferred, directly or indirectly

 

The identity of the Reporting Person may not be disclosed, without their express consent, to persons other than those competent to receive or follow up on the Reports.

Likewise, the following identities are protected:

  • Reported Persons
  • persons mentioned in the Report

This protection applies until the conclusion of the proceedings initiated as a result of the Report and in compliance with the same safeguards granted to the Reporting Person.

The obligation of confidentiality does not apply in the following cases:

  • when the Reporting Person gives express consent to disclose their identity
  • within criminal proceedings, after the closure of preliminary investigations, unless otherwise ordered by the public prosecutor pursuant to Article 329 of the Italian Code of Criminal Procedure
  • within proceedings before the Court of Auditors, after the closure of the investigative phase
  • within disciplinary proceedings, only with the express consent of the Reporting Person, when knowledge of their identity is indispensable for the defence of the Reported Person

In the absence of such consent:

  • the information contained in the Report may not be used for disciplinary purposes

The Reporting Person is always informed in writing of the reasons underlying the disclosure of confidential data.

5.4 Processing of Personal Data

The personal data of the following subjects are processed in compliance with applicable legislation:

  • Reporting Persons
  • Reported Persons
  • all individuals involved in the Report

Processing is carried out in accordance with Regulation (EU) 2016/679 and Legislative Decree 196/2003, as amended by Legislative Decree 101/2018.

NIMAX S.P.A:

  • does not process personal data that are not clearly necessary for managing a Report
  • deletes any such data immediately if collected accidentally

In particular:

  • the Reporting Person and the person involved receive a privacy notice pursuant to Articles 13 and 14 of the GDPR
  • only strictly necessary and relevant personal data are processed
  • appropriate technical and organisational measures are implemented to ensure adequate data security
  • authorised personnel are formally appointed pursuant to Articles 29 and 32(4) GDPR and Article 2-quaterdecies of the Privacy Code

The exercise of rights under Articles 15–22 GDPR by the Reported Person may be limited:

  • where this could prejudice the confidentiality of the Reporting Person’s identity
  • where necessary to protect investigations related to the Report
  • where necessary for the exercise of legal rights by the Data Controller

Such limitations apply only for the period strictly necessary and in accordance with:

  • Article 2-undecies, paragraph 1, letter f) of the Privacy Code
  • Article 2-undecies, paragraph 1, letter e) of the Privacy Code

6. SCOPE OF APPLICATION

6.1 Subjective Scope of Application

This Procedure applies to all personnel of NIMAX S.P.A, namely to workers operating on the basis of relationships that determine their integration into the company organisation, including in forms other than employment relationships, as specified in more detail below.

The provisions of this Procedure also apply to external parties who submit Reports, as specified in paragraph 7.1, as well as, with regard to protection measures, to the subjects indicated in paragraph 5.1.

Only Reports concerning facts directly observed by the Reporting Person are taken into consideration and must not in any way represent personal claims or grievances.

6.2 Objective Scope of Application

For the purposes of this Procedure, by way of example and not exhaustive, the following may be subject to reporting:

  • unlawful conduct relevant pursuant to Legislative Decree 231/2001 – namely the so-called predicate offences
  • violations concerning acts of the European Union or national acts relating, by way of example and not exhaustive, to the following sectors: public procurement, financial services, products and markets, prevention of money laundering and terrorist financing, transport safety, environmental protection, public health, privacy, network and information systems security, etc.
  • acts or omissions that harm the financial interests of the European Union referred to in Article 325 of the TFEU (Treaty on the Functioning of the European Union)
  • acts or omissions concerning the internal market referred to in Article 25 of the TFEU, including violations of EU rules on competition and State aid, as well as violations relating to the internal market connected to acts that breach corporate tax regulations or aimed at obtaining a tax advantage in order to circumvent corporate tax laws

The following Reports are not permitted:

  • reports characterised by a clear lack of interest in protecting the integrity of the Company or aimed exclusively at protecting individual interests (e.g. personal complaints against colleagues, supervisors, etc.)
  • reports submitted for clearly emulative purposes (e.g. reports made in bad faith or with the intent to harm or harass the Reported Person)
  • reports containing unfounded information or based solely on rumours (i.e. information lacking supporting evidence)

Such reports do not fall within the scope of whistleblowing regulations and will therefore be archived following appropriate verification.

In the cases specified above, NIMAX S.P.A reserves the right to take the actions deemed most appropriate to protect its interests and those of the Reported Person, including in relation to any liability of the Reporting Person, where their identity is known.

7. REPORTING SYSTEM

7.1 Reporting Subjects

Reports may be submitted both by internal personnel of NIMAX S.P.A and by external parties.

In particular, pursuant to Legislative Decree 24/2023, Reporting Persons include workers operating on the basis of relationships that determine their integration into the company organisation, including forms other than employment relationships, such as intermittent workers, apprentices, temporary agency workers and occasional workers.

The provisions of this Procedure also apply to the following subjects:

  • self-employed workers, as well as collaborators referred to in Article 409 of the Italian Code of Civil Procedure and Article 2 of Legislative Decree No. 81/2015
  • freelancers and consultants
  • volunteers and trainees (paid and unpaid)
  • shareholders, directors (including de facto), general managers, persons with powers of attorney, members of the Board of Statutory Auditors
  • candidates for a job position who become aware of a violation during the selection process or in pre-contractual phases
  • workers during probation periods
  • former workers, if the information relating to the violation was acquired during the employment relationship

7.2 Reported Subjects

The conduct subject to a Report may concern:

  • the Legal Representative
  • members of the Board of Directors
  • members of the Board of Statutory Auditors
  • employees (including managers)
  • external collaborators of the Company
  • third parties (e.g. agents, suppliers, consultants, customers, etc.) contractually linked to the Company

7.3 Reporting Channels

NIMAX S.P.A has established an internal reporting channel in accordance with Article 4 of Legislative Decree 24/2023, ensuring the confidentiality of:

  • the Reporting Person
  • the Reported Person
  • persons mentioned in the Report
  • the content of the Report
  • any attached documentation

The management of the internal reporting channel is entrusted to the HR Department.

Reports may be submitted in written form through:

  • confidential postal mail, to be sent in a sealed envelope by registered mail with return receipt, ordinary mail or hand delivery to:Whistleblowing Report Management OfficeHR Department – confidential reportc/o Nimax S.p.AVia dell’Arcoveggio 59/2 – 40129 BOLOGNA

For confidential registration purposes, it is recommended that the Report be placed in:

  • a first sealed envelope containing the Reporting Person’s identification details and a copy of their ID
  • a second sealed envelope containing the Report

Both envelopes should then be placed in:

  • a third sealed envelope bearing the wording “Whistleblowing Report”

This ensures that, if mistakenly received by an unauthorised person, the Report can be promptly forwarded to the authorised recipient.

Reports may also be submitted through:

qr code whistleblowing nimax italiaThese channels ensure that:

  • the identity of the Reporting Person is protected
  • the content of the Report is accessible only to authorised personnel

7.4 Subject Matter and Form of the Report

Reports must concern information relating to violations that have occurred or that there are well-founded and concrete suspicions may occur within the organisation with which the Reporting Person has a legal relationship.

Reporting Persons may report violations as specified in paragraph 6.2.

Reports must include the following essential elements:

  • Subject: a clear and detailed description of the facts and conduct considered to constitute a violation, including, where known, time, place and circumstances[1]
  • Reported Person and other involved subjects: any element (e.g. identity, role, function) enabling identification of the alleged perpetrator(s)

The Reporting Person should also provide:

  • identity and category of Reporting Person (e.g. employee, consultant, agent), unless anonymous
  • names of any persons able to provide useful information
  • supporting documentation
  • any other relevant information useful for evidence collection

The Report should, where possible, include supporting documents.

If additional information emerges during the investigation, the Reporting Person may:

  • supplement the Report after submission

Lack of essential elements may lead to:

  • archiving of the Report
  • The truthfulness of reported facts remains essential for the protection of all parties.

The Reporting Person may be assisted by a Facilitator, such as:

  • a colleague from another department
  • a trade union representative (acting personally, not on behalf of the union)

Before submitting a Report:

  • the Reporting Person must acknowledge a privacy notice pursuant to Article 13 GDPR

At all stages, the Company ensures:

  • confidentiality
  • personal data protection

7.5 Prohibited Reports

Reports must not contain offensive expressions or moral judgments that damage the dignity or reputation of the Reported Person.

In particular, it is prohibited to:

  • use offensive or defamatory language
  • submit slanderous Reports
  • report private matters unrelated to work
  • submit discriminatory Reports (e.g. based on religion, politics, ethnicity, sexual orientation)
  • submit clearly unfounded Reports made in bad faith

Where violations occur:

  • disciplinary sanctions may be applied

This does not apply where:

  • the disclosure is true and necessary to reveal the violation

7.6 Anonymous Reports

Reports that do not allow identification of the Reporting Person are considered anonymous.

Such Reports:

  • are treated as ordinary Reports
  • are processed only if sufficiently detailed

Anonymous Reporting Persons later identified:

  • may benefit from whistleblowing protections if retaliation occurs

8. MANAGEMENT OF REPORTS

The management of Reports is the responsibility of the HR Department of NIMAX S.P.A.

The process includes:

  • access to the Report (written or oral)
  • preliminary assessment
  • internal investigations
  • conclusion and reporting to management
  • archiving and document retention

8.1 Submission and Receipt of a Report

  • Submission of the Report: upon receipt, the Report Manager acknowledges receipt to the Reporting Person and records it in a dedicated register
  • Monitoring the status of the Report:
  1. Acknowledgement of receipt:confirmation must be provided within 7 days
  2. Feedback on the Report:within 3 months from acknowledgement (or from expiry of the 7-day period), the Reporting Person must be informed of actions taken
  3. Closure of the Report:after investigation, final feedback is provided and the Report is closed

8.2 Preliminary Assessment of the Report

The Report Manager acknowledges receipt of the Report within 7 (seven) days from the date of its receipt.

The Report Manager then performs a preliminary analysis of the Report in order to assess its validity and subject matter.

If necessary, the Report Manager may:

  • request additional information or documentation from the Reporting Person to conduct a complete assessment

The Report Manager ensures:

  • continuous monitoring of the Report management process in all its phases

Reports are handled:

  • in chronological order of receipt
  • unless specific circumstances require prioritisation (e.g. seriousness, urgency, potential impact on the Company, risk of recurrence)

In managing Reports, the Report Manager:

  • acts with professionalism and diligence
  • carries out all activities deemed appropriate in compliance with this Procedure and applicable regulations

Where necessary, the Report Manager may:

  • involve other company functions
  • engage external consultants

provided that:

  • confidentiality is always guaranteed
  • only strictly necessary information is shared

Following the preliminary assessment, the Report is classified into one of the following categories:

 

  • Non-relevant Report:the Report concerns facts that do not constitute:predicate offences under Legislative Decree 231/2001violations of the Code of Ethicsviolations under Legislative Decree 24/2023

In such cases, if the Report still contains relevant elements (e.g. labour law issues), the Report Manager:

  • forwards the Report to the competent company function

The Report Manager must:

  • notify the Reporting Person of the archiving within 3 months

 

  • Relevant but not actionable Report:this occurs when:
  • the Report falls within scope
  • but lacks sufficient elements for further investigation

In this case, the Report Manager:

  • archives the Report with justification
  • informs the Reporting Person within 3 months

 

  • Prohibited Report:in cases under paragraph 7.5, the Report Manager:
  • informs the CEO for potential disciplinary action
  • evaluates whether to inform the Reported Person

If submitted by external parties:

  • the CEO is informed for contractual actions (e.g. termination)

It remains possible to:

  • refer the matter to judicial authoritiespursue civil, administrative or criminal liability
  • Relevant Report:
  • in the case of sufficiently detailed Reports:
  • the investigation phase is initiated

The process is normally concluded within:

  • 3 months

The Reporting Person is:

  • informed of the status

8.3 Internal Checks and Investigations

Where a Report is classified as relevant, the Report Manager:

  • initiates internal investigations
  • collects further evidence

The Report Manager may:

  • request additional information from the Reporting Person

The Report Manager ensures:

  • ongoing communication with the Reporting Person

During investigations, the Report Manager may involve:

  • internal departments
  • external consultants (e.g. lawyers, accountants)

All involved parties must:

comply with this Procedure
maintain confidentiality

In case of violations:

disciplinary measures may be applied

8.4 Conclusion of the Process and Reporting to Management

At the end of the investigation, the Report Manager prepares a report including:

  • description of reported facts
  • activities carried out
  • evidence collecte
  • outcome of the investigation
  • assessment of whether violations occurred
  • recommended actions

If the Report is unfounded:

  • it is archivedthe Reporting Person is informed
  • If the Report is founded and concerns employees:
  • the CEO is informeddisciplinary proceedings may be initiatedcompetent authorities may be notified
  • If it concerns third parties:
  • contractual measures may be applied (e.g. termination)authorities may be notified
  • The Report Manager is informed of:
  • decisions taken by the Company
  • For disciplinary details, reference is made to:
  • the Disciplinary System of the MOGC
  • The Report Manager submits annually to the CEO:
  • a summary report of all Reportsstatus and actions taken

All communications must:

  • ensure confidentiality of the Reporting Person

8.5 Reports Concerning Corporate Bodies

If the Report concerns:

  • the CEO → the Board of Statutory Auditors is informed
  • the Chairman of the Board → the Board and Statutory Auditors are informed
  • another Board member → the Chairman and Statutory Auditors are informed
  • a Statutory Auditor or external auditor → the CEO is informed

8.6 Archiving and Retention of Documentation

Reports and documentation are:

  • stored by the Report Manager
  • in digital and/or paper format
  • in restricted-access folders

Retention period:

  • only as long as necessary
  • maximum 5 years from final outcome

The same applies to:

  • anonymous Reports

Oral Reports made during meetings are:

  • recorded (with consent)
  • or documented in minutes

In case of minutes:

the Reporting Person verifies, corrects and signs

9. VIOLATIONS OF THE WHISTLEBLOWING PROCEDURE

Any violation of this Procedure constitutes:

  • a disciplinary offence

In particular, sanctions apply to:

  • retaliation or discrimination against the Reporting Person
  • breaches of confidentiality obligations

False Reports made with:

  • intent or gross negligence

may also constitute:

  • disciplinary offences

[1] In the description of the violation committed, a legal classification of the same is not required, as such activity presupposes specific technical and legal knowledge and is entrusted solely to the individuals authorized to conduct the investigation and, where applicable, to the judicial or administrative authority subsequently involved.