Whistleblowing Procedure Information

Articles 13 and 14 of EU Regulation dated April 27, 2016, No. 679

"General Data Protection Regulation"

Riccoplast Srl is constantly committed to protecting the privacy of individuals involved in any capacity in the management of reports concerning crimes, offenses, or irregularities and the subsequent investigations. As the Data Controller, we inform that the personal data acquired in the Whistleblowing procedure will be processed in the following ways and for the following purposes.

DATA CONTROLLER

The Data Controller is Riccoplast Srl, located at Via Gheghi, 68 – 55012 Segromigno in Monte – Capannori (LU).

Email: info@riccoplast.it

Phone Number: 0583929693

TYPES OF PROCESSED DATA

- Identifying and contact information of the whistleblower (in non-anonymous reports).

- Identifying information of the reported party and information related to the report.

- Personal data related to specific categories or referring to criminal convictions and offenses, necessary for the investigation.

- Any other information about the whistleblower, reported party, or other third parties shared to better describe the suspected violation.

AUTHORIZED DATA PROCESSORS

To protect itself, only the Reporting Manager is able to associate reports with the identities of the reporters. If instructional needs require that other individuals within the Company become aware of the content of the report or the attached documentation, the identity of the whistleblower will never be revealed, nor will elements that may indirectly allow their identification. These individuals, as they could still become aware of other personal data, are formally authorized to process and are specifically instructed and trained to maintain confidentiality about what they learn in the course of their duties, subject to reporting and reporting obligations under Article 331 of the Code of Criminal Procedure.

PURPOSES AND METHODS OF PROCESSING

Personal data will be collected and processed for purposes related to the management of reports concerning alleged crimes, offenses, or irregularities, based on the Whistleblowing procedure and in relation to the Organization and Management Model of the undersigned.

LEGAL BASIS OF PROCESSING AND NATURE OF THE PROVISION

The legal basis for the processing is the legitimate interest of the Data Controller to adopt an Organization and Management Model and provide a procedure for reporting offenses to protect the integrity of its company, as well as the need to comply with the provisions of Legislative Decree March 10, 2023, No. 24 implementing Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019, concerning the protection of persons who report violations of Union law and containing provisions on the protection of persons who report violations of national legislation.

The provision of data is necessary and functional to the management of received reports. The procedure allows both reports by providing the whistleblower's data and anonymous reports. Please note that the latter will be considered only if the reports are adequately detailed and provided with a wealth of details, that is, if they are able to bring out facts and situations by relating them to specific contexts.

DURATION OF PROCESSING

The collected personal data will be processed and stored for a period not exceeding that necessary to achieve the purposes for which they were collected, specifically:

- Within three months of receiving the report

- In cases of initiating legal and/or disciplinary action until the final conclusion of the legal and/or disciplinary proceedings. Subsequently, this data will be destroyed or kept in anonymous form for statistical or archival purposes.

RECIPIENTS OF PERSONAL DATA

Personal data will be processed by members of the Reporting Manager who, in accordance with the current legislation and the reporting management procedure adopted by the Company, are required to ensure the confidentiality of the whistleblower's identity. In the phase of ascertaining the validity of the report, if necessary for instructional activities, personal data may be processed without revealing the identity of the whistleblower by:

- Companies, entities, or associations, or controlling, controlled, or affiliated companies, limited to areas of competence (e.g., if the report also concerns their employees);

- Other functions of the Company to which specific instructions have been provided;

- Auditing/revision companies and other companies providing instrumental services for the above purposes (e.g., IT and technological services, consulting activities) or other subjects to whom the Company has given specific mandates.

Finally, the data may be transmitted, where applicable, to the Judicial Authority and/or the competent Authorities.

YOUR RIGHTS

Regarding the same data, Data Subjects can exercise, where applicable, the rights provided in CHAPTER III of EU Regulation 2016/679 (GDPR). In particular, the whistleblower can exercise the right of access to their data, rectification or integration, deletion, restriction of processing, and opposition for reasons related to their particular situation.

Under Article 2-undecies, letter f of the Privacy Code (implementing Article 23 of the GDPR), it is informed that the exercise of these rights by other data subjects, such as the reported party or other involved individuals, may be delayed, limited, or excluded if such exercise may cause an actual and concrete prejudice to the confidentiality of the whistleblower's identity. In such cases, these rights can also be exercised through the Guarantor in accordance with the methods set out in Article 160 of the Privacy Code.

The exercise of these rights can be done by writing to the following email address: info@riccoplast.it. In accordance with Article 77 of the GDPR, Data Subjects also have the right to lodge a complaint with the Data Protection Authority if they believe that the processing violates the aforementioned Regulation.

I have read and accept the information