Whistleblowing policy

General principles for the management of reports

1. SUMMARY AND PURPOSE
The purpose of this Policy (the “Policy“) is to describe and regulate the organizational aspects and operational processes related to reports of misconducts and violations, as more fully described below, of which Business Integration Partners S.p.A. or other Group Companies (hereinafter also only “BIP” or the “Group“) whistleblowers become aware.

2. SCOPE OF APPLICATION
The procedure is issued by Business Integration Partners S.p.A., which, as the Parent Company, promotes its adoption by its Subsidiaries, which shall: (i) adopt the procedure, including through the drafting of a local version, taking into account applicable regulations, laws and, in general, local regulations, its own operations and organizational structure, and (ii) promote its adoption, if necessary, also by its own Subsidiaries.

3. REFERENCES
The following are the main references relevant to the Policy:

Group Code of Ethics (the “Code of Ethics“)
Organizational Models (e.g., for Italy, Model of Organization, Management and Control pursuant to Legislative Decree 231/2001 – hereinafter also “Model 231”), Guidelines, Company Policies and Procedures (from time to time applicable to individual Group companies)
EU Directive 1937/201
UNI ISO 37002:2021
Existing local regulations/laws on reporting/whistleblowing and as applicable from time to time

For Italy:

Law No. 179 of November 30, 2017
Legislative Decree No. 24 of March 10, 2023

4. DEFINITIONS
Business Integration Partners S.p.A. – Parent Company.
Bip Services S.r.l. – subsidiary Company of Business Integration Partners S.p.A.
Subjects related to the whistleblower – all subjects under the same protection regime as the whistleblower, such as facilitators, those who help the whistleblower during the reporting process and whose activities must remain confidential, third parties connected with the whistleblower (such as colleagues and/or family members), and finally to legal subjects related to the whistleblower.
BIP Group – all subsidiaries of Business Integration Partners S.p.A. and other Group Companies.
Platform – computerized tool used as a reporting channel capable of guaranteeing the confidentiality of the identity of whistleblowers.
Receiver – a person who receives the report and designated to handle it.

Whistleblower – subject who may proceed with a report by virtue of his / her relationship (present or past) with the Company or the BIP Group.
Reported person – subject of the report and whose conduct/act is being challenged.
Report – communication concerning facts related to illegal conduct or irregularities, violations of the Company’s Control System, corrupt actions, circumstances or conduct, violations of national and international laws or regulations, violations of company procedures and provisions in general.
Subsidiaries – companies in which Business Integration Partners S.p.A. has control (for Italy, pursuant to Article 2359, paragraphs 1 and 2 of the Civil Code).

For companies located on the Italian territory:
Supervisory Board – independent supervisory and control body established pursuant to Legislative Decree 231/2001 (applicable only to Italian companies which approved a Model 231) (hereinafter also only “SB“).
ANAC – National Anticorruption Authority (located in Italy), i.e., independent administrative authority for the prevention of corruption in all areas of administrative activity.

5. GENERAL PRINCIPLES
The recipients of this document (Whistleblowers, facilitators, reporting recipients, other parties involved in the management of reports, or any party who receives a report even through other channels not provided for in this document), depending on (and within the scope of) the specific competencies assigned by the Policy, must:

foster and promote a culture of transparency and legality and of “zero tolerance” towards any act and phenomenon of corruption in all company areas and in relations with third parties.
make reports in good faith, circumstantiated and based on precise and concordant factual elements.
refrain from making unfounded or unsubstantiated reports, based on unconfirmed rumors or hearsay, or reports that do not fall within the object identified in this Policy.
not use reports as tools to resolve mere personal issues or for the sole purpose of harming the reported person or for opportunistic reasons.
encourage and protect the positive behavior, physical integrity and moral character of employees or collaborators who report illegal acts or illegitimate behavior of which they become aware.
take the reports received seriously and evaluate them scrupulously and carefully.
to ensure the confidentiality of the identity and personal data of the Whistleblower and any individuals related to the Whistleblower in the activities of handling the report.
avoid direct or indirect acts of retaliation or discrimination against the person making the report (and/or any persons connected to him/her) and affecting his/her working conditions, even if the report turns out to be unfounded.
ensure the traceability of the process relating to the evaluation of the report and the adoption of any consequent measures.

6. MODES OF OPERATION

6.1 Reports

6.1.1 Object of Reports
Reports may concern:

unlawful conduct or irregularities (committed or those not yet committed but which are believed to be likely to be committed based on concrete elements).
violations of the Group’s Code of Ethics.
other illegal conducts of which the Whistleblower has become aware by reason of his/her relationship with BIP.
other corrupt actions, circumstances or conducts.
violations of national laws or regulations that occurred in the business environment and that harm the public interest or integrity of BIP.
violations of organizational models, procedures or company regulations.
violations of EU law (such as offenses committed in violation of EU law and national provisions implementing it, acts or omissions that harm the EU’s financial interests or the internal market, acts or conduct that frustrate the object or purpose of EU provisions).
Reports may not relate to information already in the public domain, or to the Whistleblower’s personal complaints or grievances related to the employment relationship.

Reports may relate to:

individuals linked to BIP and its Subsidiaries by an employment or collaboration relationship (employees, self-employed workers and collaborators, volunteers and trainees, paid and unpaid, who work at BIP).
members of corporate bodies (e.g., Board of Directors, Independent Auditors, control/supervisory bodies/committees, etc.).
third parties linked to the Group by a contractual relationship (e.g., business partners, customers, suppliers, contractors, subcontractors, etc.).

6.1.2 Whistleblowers
Whistleblowers may be:

individuals linked to BIP and its Subsidiaries by an employment or collaboration relationship (employees, self-employed workers and collaborators, candidates, volunteers and trainees, paid and unpaid, who work at BIP).
members of corporate bodies (e.g., Board of Directors, Independent Auditors, control/supervisory bodies/committees, etc.).
third parties linked to the Group by a contractual relationship (e.g., business partners, customers, suppliers, contractors, subcontractors, etc.).

6.1.3 Reporting characteristics
The report must contain elements that are useful to enable the persons in charge of their examination and evaluation to carry out the appropriate checks and verifications as to the merits of the facts and circumstances that are the subject of the report.
The report must substantiate the facts reported, indicating the time and place of commission/omission, the author or, if more than one, the authors of the facts themselves as well as any documents proving the same.
The Whistleblower may at any time supplement, rectify or complete the report made or add further evidence, including documentary evidence, in the same manner in which he/she made the report.

6.1.4 Mode of reporting
Reporting can be done anonymously or non-anonymously through the channels described below.
NB: Please note that the reporting channel must be identified by considering the company to which the reported person belongs, to identify the correct Receiver who will have to handle the report.

a. Reporting via Platform
Digitally (both written and oral) through a dedicated Platform, which the Whistleblower can access through the following links:

NB: To optimize and specialize the work on the reports under review, as required by local regulations, the Italian companies Bip Services S.r.l., Vidiemme Consulting S.r.l., Sketchin Italia S.r.l. Openknowledge S.r.l. and Cogea S.r.l. share the reporting channel. By using a single platform and common IT systems for the management of reports, the companies involved act as Co-Processors of the Processing of Personal Data and therefore agree to draft a “Co- Processing Agreement” that will be made available on the intranet and website. In particular, the agreement identifies and details their respective responsibilities regarding compliance with their obligations under current legislation regarding the processing of personal data, with specific reference to the provisions of Article 26 of the GDPR.
The companies involved guarantee that each company, by means of its Receiver, will be able to access only the reports pertaining to it taking also into account the allocation of the relevant responsibility. Therefore, technical and organizational measures have been taken to ensure that each Receiver has access only to the reports for which it is responsible. In fact, each company involved is individually responsible for prosecuting and sanctioning violations committed by employees of that company.

Depending on the reporting company, the Receivers are specified below:

Business Integration Partners S.p.A. > Supervisory Board of Business Integration Partners S.p.A.
Bip Services S.r.l. > Supervisory Board of Bip Services S.r.l.
Vidiemme Consulting S.r.l. > Supervisory Board of Vidiemme Consulting S.r.l.
Sketchin Italia S.r.l. > Supervisory Board of Sketchin Italia S.r.l.
Openknowledge S.r.l. > Supervisory Board of Openknowledge S.r.l.
Cogea S.r.l. > Supervisory Board of Cogea S.r.l.
Bip Consulting Iberia, S.L. > HR Director
Other Group companies > Internal Audit Director

While entering the report data, the Whistleblower must specify whether the report concerns facts or actions carried out by the Receiver of the chosen channel. If the report concerns the Receivers indicated above, the report will be automatically routed through the platform to the Group General Counsel (except for Bip Consulting Iberia for which the report will be automatically routed to the CEO).

In the case of reports concerning Italian companies, if the Whistleblower believes that this modality may result in possible retaliation, he/she could refer to external sources, as indicated in the following point.

The Receivers:

if internal, are authorized to process personal data by the Company and therefore are the recipients of specific privacy training.
if external, are responsible for processing under an agreement specifically made with the Company.
ensure independence and impartiality.
receive adequate professional training on the discipline of whistleblowing, also with reference to concrete cases.

NB: Please note that it is important to verify the composition of the bodies/functions receiving the report from time to time in force, so as not to direct the report to the Reported person.

b. Reports to ANAC, public disclosure or judicial authority
If the reported Company is based in Italy, it is envisaged, under certain conditions, that the Whistleblower may make reports (excluding those pertaining to violations of Model 231) through “external” channels, such as:

ANAC website, if:

when there is no obligation, in the work context in which the Whistleblower operates, to activate the internal reporting channel, or if, if mandatory, it has not been activated or, if present, is not compliant.
when an internal report has already been submitted that has not been processed or has a negative final decision.
when the Whistleblower has reasonable grounds to believe that if he/she made the report he/she would run the risk of possible retaliation.
when the Whistleblower has reasonable grounds to believe that the violation may pose imminent or obvious danger to the public interest.

Public disclosure (via press, media or social media), if;

an internal report, to which the administration/entity has not provided feedback on the measures planned or taken to follow up the report within the prescribed timeframe or has been followed up by an external report to ANAC, which, in turn, has not provided feedback to the Whistleblower within a reasonable timeframe.
the person has already directly made an external disclosure to ANAC which, however, has not provided feedback to the Whistleblower on the measures planned or taken to follow up the report within reasonable timeframes.
the person directly makes a public disclosure because based on reasonable grounds grounded in the light of the circumstances of the case, he/she believes that the violation may pose an imminent or obvious danger to the public interest.
or the person directly makes a public disclosure because, based on reasonable and well-founded grounds in light of the circumstances of the case, he/she believes that the external report may pose a risk of retaliation or may not be effectively followed up because, for example, he/she fears that evidence may be concealed or destroyed or that the person who received the report may be colluding with or involved in the violation.

Competent national authorities (judicial and accounting), in cases where Union or national law requires reporting persons to address the competent national authorities, for example as part of their professional duties and responsibilities or because the violation constitutes a crime.

The Whistleblower, or any related person, may also report to ANAC any retaliation they believe they have suffered as a result of the report, whistleblowing or public disclosure made.

6.2 Report Management

6.2.1 Receiving the report
Once received, the report is accepted by the Receiver who takes it in and initiates the preliminary evaluation.

6.2.2 Preliminary evaluation
Upon receipt of the report, the Receiver performs a preliminary evaluation of the report by checking:

its completeness.
compliance with the criteria and requirements established in the Policy.
the existence of the legal and/or factual prerequisites for initiating the next phase of analysis.
the possible seriousness of the reported facts and urgency.

Once the preliminary evaluation has been completed:

if the report is found to be unrelated to the subject matter of the Policy or lacks the requirements set forth therein, the Receiver shall proceed to dismiss the report by informing the Whistleblower.
if the report is excessively general or incomplete, the Receiver contacts the Whistleblower through the Platform or summons him/her in person – if the report is not received anonymously – to ask for further elements useful for the preliminary evaluation.
if it detects a possible violation or misconduct relevant under the Procedure, the Receiver proceeds with the next phase of analysis by informing the Whistleblower.

This phase shall be completed within 7 (seven) days of receipt of the report and an acknowledgement of receipt of the report shall be issued to the Whistleblower. Upon completion of the preliminary phase, the Receiver shall prepare a report (the “Preliminary Report“) indicating the type of report, the date of receipt, the date of completion of the preliminary evaluation, and the related outcome (dismissal or continuation of analysis), with the reasons for it.

6.2.3 Analysis
At this stage, taking care not to disclose the identity of the Whistleblower, that of the persons involved in the report and the subject of the report, the Receiver may (i) interface with other functions in the Group to request their cooperation, through the provision of data, documents or information useful for the analysis itself and (ii) request further elements or insights from the Whistleblower, leaving evidence of the relevant interview.
The Receiver carries out any activity deemed useful or necessary, including the hearing of the Whistleblower and/or any other individuals who may report on the facts reported, in compliance with the principles of confidentiality and impartiality of judgment, the legislation on the protection of personal data and the relevant applicable labor contracts.
Initial feedback on the status of the procedure (with an obligation, if necessary, to speak with the Whistleblower) must be provided to the Whistleblower within 3 (three) months of receipt of the report.

6.2.4 Conclusion and Final Report

At the end of the analysis phase, the Receiver:

Informs the Whistleblower of the outcome of the analysis, specifying whether the report was rejected or accepted.

Prepares the “Final Report”, showing:

the data of the report (name of the Whistleblower – if there is consent of the Whistleblower
and the Reported person(s), place and date of occurrence of the facts, evidence or documentary evidence).
the verifications carried out, their outcomes and corporate or third parties involved in the analysis phase.
a summary evaluation of the analysis process with an indication of the established facts and the reasons for them.
the outcome and conclusion of the analysis (filing or substantiation of the report).

The Final Report is transmitted:

to the Chief Executive Officer (hereinafter also “CEO”) of the Company involved in the report or, if the report concerns the latter or the analysis is carried out by the Group General Counsel, to the CEO and the Chairman of the Board of Directors of Business Integration Partners S.p.A.
only in cases where the analysis is conducted by the Head of Internal Audit and/or (for Italian companies) is also relevant for the purposes of Legislative Decree 231/2001 (for violation of Model 231) or the Group Code of Ethics, to the Supervisory Board of the company involved in the report (if the company has a 231 Model and the Supervisory Board is not the Reported person); if the report concerns a company other than the Parent Company, the Final Report will also be sent to the Supervisory Board of Business Integration Partners S.p.A.

6.3 Decision Making Measures

6.3.1 Disciplinary measures against employees
Upon receipt of the Final Report, the Chief Executive Officer of the Company involved and/or the CEO and the Chairman of the Board of Directors of Business Integration Partners S.p.A., having consulted with the relevant Human Resources Department, shall decide whether to initiate disciplinary proceedings against the Reported person if he/she is deemed responsible for the violation or unlawful behavior and held accountable as a result of the analysis performed and the assessment made.
If the Whistleblower is co-responsible for the fact that is the subject of the report, he/she may be given more favorable treatment than the other co-responsible persons, provided that he/she complies with the applicable regulations and labor contract.
In addition, the Managing Director of the Company involved, i.e., the CEO and/or the Chairman of the Board of Directors of Business Integration Partners S.p.A, shall also assess, with the assistance of the Human Resources Department of the Company involved, whether to initiate disciplinary proceedings: (i) against the Whistleblower who has acted with proven willful misconduct or gross misconduct; (ii) against any perpetrators of retaliatory/discriminatory conduct against the Whistleblower; (iii) against any individuals involved in the process of evaluating and analyzing the report who have breached confidentiality obligations or have failed to consider the report received.
Disciplinary proceedings will be taken in accordance with the corporate disciplinary system, where it exists.

In addition to disciplinary sanctions, any power of attorney granted to the employee may also be revoked. The Whistleblower is not required to know the measures taken.

6.3.2 Measures against corporate bodies
If the violation or illegitimate behavior concerns a member of the Corporate Bodies, the Board of Directors and/or the control body/committee, according to their respective competencies, will proceed to take the most appropriate and adequate initiatives in view of the seriousness of the violation and in compliance with the law and the Articles of Association.
In the most serious cases, the Board of Directors, having heard the local control body/committee, may propose to the Shareholders’ Meeting to also proceed to remove the director concerned from office. In the case of a violation by a member of the local control body/committee, the Board of Directors may propose that the Shareholders’ Meeting also proceed to remove the person concerned from office.
In the case of violations or illegitimate conduct by a director who is also an employee of the Group, the applicability of the various disciplinary actions under the employment relationship will in any case be without prejudice.
In the case of Italian companies, if the violation or illegitimate behavior concerns a member of the Supervisory Board, the Board of Directors will proceed to take the most appropriate and adequate initiatives considering the seriousness of the violation and in compliance with the Organization, Management and Control Model pursuant to Legislative Decree 231/2001.

6.3.3 Measures towards third parties
In the event of violation or unlawful behavior by third parties linked to BIP by a contractual relationship, the Group will consider taking appropriate remedies under the contract and/or law.

6.3.4 Consequential and additional measures
The Receiver may inform the Judicial Authority and/or the local Supervisory Authorities of the facts that are the subject of the report if he/she detects that such facts have the characteristics of a crime or a civil or administrative offence.
The Receiver may indicate to the Chief Executive Officer of the Company involved (if it is not the Parent Company, also informing the CEO and/or the Chairman of the Board of Directors of Business Integration Partners S.p.A.) the implementation, in consultation with the Departments concerned, of any preventive measures that may be necessary to foster the promotion of the culture of legality and transparency within BIP and promotes the adoption of any amendments and additions to this policy and control systems in the light of constant monitoring of its application of the results obtained.

7. DOCUMENTATION STORAGE AND REPORTING
All documentation relating to this Policy shall be archived by the Receiver for a period of 5 years or otherwise for a period not exceeding that necessary for the purposes for which it was processed, in an appropriate manner to ensure its confidentiality.

On a quarterly basis, the Receiver shall send to the Group General Counsel (lodovico.bianchidigiulio@bip- group.com) (if the Receiver is obviously different from the same) and, if the Receiver is not the Head of Internal Audit, to the Head of Internal Audit (veronica.molaschi@bip-group.com) a synthesis on the reports received during the period, specifying, for each report received, the following information:

date of the report.
date of the reported fact.
brief description of the subject of the report.
status of progress (e.g., preliminary analysis, investigation, etc.).
manner of resolution/closure (if a Final Report has already been issued).
other information deemed useful by the Receiver.

Annually, the Receiver shall prepare a summary report regarding the reports received, the analyses performed, and the outcome of those analyses.
The report shall contain at least: (i) an indication of all reports received, those under analysis and the outcome (dismissal, in-depth assessment); (ii) the assessment of accepted reports and their outcomes (dismissal, initiation of disciplinary proceedings, sanctions applied); and (iii) the proposal of any corrective or supplementary criteria to the Policy.
The above report is kept available to the corporate and supervisory bodies of each Group company.

8. PROTECTIVE MEASURES
Business Integration Partners S.p.A. guarantees the confidentiality of the Whistleblower, related parties and persons mentioned in the report, as well as the data/information transmitted, to protect the Whistleblower or related parties from any form of retaliation or discrimination, regardless of the chosen internal channel (written or oral).
The identity of the Whistleblower may not be disclosed without the Whistleblower’s express consent (except when requested by judicial or administrative authorities).
In order to guarantee the right to protection of personal data to the reporting or whistleblowing persons, the acquisition and management of reports is carried out in accordance with the legislation on the protection of personal data. All parties involved in this Policy are required to maintain such confidentiality or anonymity of the Whistleblower, except in cases where (in Italy): (i) the Whistleblower incurs a claim for slander or defamation under the Criminal Code; (ii) the Whistleblower performs an act that constitutes an extra- contractual tort, pursuant to Article 2043 of the Civil Code.
About the processing of personal data, please refer to the privacy notice attached in the Platform.

The Whistleblower is also recognized as having a limitation of liability with respect to the disclosure and dissemination of certain categories of information that could result in liability for the same. This is done in cases where two conditions are met:

at the time of disclosure or dissemination there are reasonable grounds for believing that the information is necessary for the breach to be discovered. The Whistleblower, therefore, must reasonably believe, and not on the basis of mere inferences, that the information must disclose because it is indispensable to bring out the violation, to the exclusion of superfluous information, and not for any additional and different reasons.
the reporting, public disclosure, or whistleblowing was done in compliance with the conditions set forth in the regulations to benefit from the protections.

Both conditions must be met to exclude liability. If met, the Whistleblower will not incur any kind of civil, criminal, administrative, or disciplinary liability.