Organizational, Management and Control Model pursuant to Legislative Decree No. 231/2001
Our company has implemented the Organizational, Management and Control Model in compliance with Legislative Decree 231/2001, reaffirming our commitment to a transparent, responsible management system that complies with the highest ethical and regulatory standards. The 231 Model serves as a key tool in preventing unlawful conduct and ensuring a safe, legally compliant working environment.
By adopting this Model, we have integrated into our business processes an organizational structure capable of identifying, assessing, and managing risks related to corporate activities, while promoting a culture of compliance. In this section, you can view and download the General Section of our 231 Model, as a testament to our ongoing commitment to ethical and responsible corporate governance.
for the management of reports concerning whistleblowing
Rev.: 00
Date: October 22, 2025
Drafted: Legal Dep. negg Group
Reviewed: negg Group's General Director and Supervisory Body (ex Legislative Decree 231/2001)
Approved: BoD negg Group
INDEX
1. Legislative framework on whistleblowing
2. Definitions, Purpose and scope of application of the Procedure
3. Recipients and functions
4. Obligations of the Company
5. Reporting through internal channels
5.1. Subject of the report
5.2. Prohibited reports
5.3. Operating procedures for submitting reports
6. Obligations of the Person Responsible for internal reporting channels
6.1. Management of the Report
6.2. Retention of reports and related documentation
7. Protection of the reporting person
7.1. Protection of the confidentiality of the reporting person
7.2. Protection of Privacy and processing of personal data
7.3. Protection against retaliation
8. Protection of the reported person against false, defamatory, or slanderous reports
9. Final provisions
1. Legislative framework on Whistleblowing
The term whistleblowing refers to the possibility, granted to employees and third parties who interact with the company (for example suppliers, consultants or clients), of reporting, in a confidential and protected manner, any unlawful or irregular conduct that they become aware of in the course of their activity.
This system of safeguards was introduced for public employees by Law No. 190/2012 and, subsequently, with Law No. 179/2017, it was updated and extended also to the private sector, within the framework of Legislative Decree No. 231/2001. The described legislation has recently been supplemented and amended by Legislative Decree No. 24/2023, implementing European Directive No. 2019/1937, concerning the protection of persons who report breaches of Union law and containing provisions regarding the protection of persons who report breaches of national legal provisions.
In particular, the legislation has broadened the scope of recipients, including not only public bodies (including publicly controlled companies and in-house companies), but also private sector entities that meet at least one of the following characteristics:
Companies that have employed, over the past year, an average of at least fifty employees under permanent or fixed-term employment contracts;
Companies operating in the field of financial services, products, and markets, as well as in the prevention of money laundering and the financing of terrorist activities;
Companies that have adopted specific organisation and management models pursuant to Legislative Decree No. 231/2001, even if in the past year they have not reached an average of fifty employees.
Furthermore, Legislative Decree No. 24/2023, by introducing a common framework for public and private entities, has clearly outlined the obligations to be implemented in order to comply with the aforementioned legislation.
In particular, these consist of:
activating specific internal reporting channels;
assigning the management of such channels to an individual or to an independent internal office dedicated to this purpose, or to an external entity, which, in private companies equipped with Organisation Models pursuant to Legislative Decree 231, is the relevant Supervisory Body;
disseminating clear information on the channels available for internal reports and on the conditions for making external reports to the National Anti-Corruption Authority (ANAC).
The legislative amendment also expressly provides for a composite set of protections for the so-called whistleblower; in particular, private and public entities covered by the legislation are prohibited from:
disclosing the identity of the reporting person and any other information from which that identity may be directly or indirectly deduced, without their express consent, to persons other than those authorised to receive or follow up on the reports;
carrying out retaliatory actions against reporting persons, such as, by way of mere example: dismissal, suspension, demotion or failure to promote, change of duties, change of workplace, reduction of salary, modification of working hours, etc.
It is expressly provided that, in judicial or administrative proceedings, or in out-of-court disputes concerning the verification of any retaliatory conduct suffered by reporting persons, it is presumed that such acts were carried out because of the report, with the consequence that the person responsible must prove that they were motivated by reasons unrelated to the report (the so-called reversal of the burden of proof).
Furthermore, it is provided not only that the whistleblower may directly report to ANAC any retaliations they believe they have suffered, but also that they are entitled to reinstatement in their job if they have been dismissed as a result of the report made.
It should also be noted that Legislative Decree No. 24/2023, for the greater protection of the whistleblower, establishes in Article 20 that no punishment applies to a person who discloses or disseminates information on violations:
covered by an obligation of secrecy, other than professional legal or medical privilege,
relating to the protection of copyright,
relating to the protection of personal data,
which offend the reputation of the person involved or reported,
if, at the time of disclosure or dissemination, the reporting person had reasonable grounds to believe that the disclosure or dissemination of the information was necessary to reveal the violation and the report was made in accordance with the procedures required by law.
Finally, it should be specified that the legislation, with the aim of balancing the right of the whistleblower to adequate protection against possible retaliation with the interest of the entity in receiving only well-founded and truthful reports, provides certain provisions against false, defamatory or slanderous reports. In particular, Article 16 of Legislative Decree No. 24/2023 provides that protection is not guaranteed when it is established, even by a first-instance judgment, that the reporting person is criminally liable for the offences of defamation or slander, or for the same offences committed through the report to the judicial or accounting authority, or is civilly liable, for the same cause, in cases of wilful misconduct or gross negligence; in such cases, the reporting or denouncing person may be subject to a disciplinary sanction.
2. Definitions and Purpose of the Procedure
The following definitions are provided for certain terms frequently used in this Procedure and which have a precise meaning.
Whistleblowing: an instrument that allows employees and third parties to report, in a confidential and protected manner, unlawful or irregular conduct identified within the company’s activity.
Reporting person, or Whistleblower: the individual (employee or third party) who, in good faith and with the intention of protecting the public interest or the integrity of the company, reports in a confidential and protected manner unlawful or irregular conduct of which he/she has become aware.
Company: negg Group S.r.l., which has adopted this whistleblowing procedure and ensures its application within its organisation.
Model 231: the organisation, management and control system adopted by the company to prevent the commission of the offences provided for by Legislative Decree No. 231/2001 and to protect the integrity of the entity.
Supervisory Body, hereinafter also ODV: an independent body endowed with autonomy, entrusted with supervising the effective implementation and updating of Model 231, as well as compliance with the related rules by the organisation.
Person Responsible for Whistleblowing: the individual, internal or external to the Company, entrusted with the management of the internal reporting channels. negg, which has adopted the Organisational Model pursuant to Legislative Decree No. 231/2001, has assigned this sensitive role to the Supervisory Body (“ODV”), an external entity consisting of a Sole Member – Manager of Studio Associato Consulenza Legale e Tributaria (“KPMG”), appointed within the adoption of the Organisation and Control Model pursuant to Legislative Decree No. 231/2001, who is therefore the recipient and person responsible for the reports.
Reported person: the individual to whom the presumed and possible unlawful conduct is attributed and who must likewise be guaranteed the right of defence against unjust, unsubstantiated or uncorroborated accusations.
The purpose of this Procedure is to provide all the necessary guidance to ensure that the management of whistleblowing is carried out correctly, in full compliance with the provisions of Legislative Decree No. 24/2023.
3. Recipients
This Procedure is addressed to all persons who, having become aware of unlawful conduct, acts or omissions, intend to report them through the internal reporting channels implemented by the Company. Therefore, the recipients of this Procedure are to be found among the following persons:
employees who carry out their work in negg;
self-employed workers who perform their professional activity for negg;
collaborators, freelancers and consultants;
volunteers and interns, whether paid or unpaid;
shareholders and persons with functions of administration, management, control, supervision or representation, even where such functions are exercised de facto.
4. Obligations of the Company
This paragraph outlines the operational methods through which the Company intends to fulfil the obligations identified in Articles 4 et seq. of Legislative Decree No. 24/2023. In particular, in order to enable and facilitate the reporting of unlawful or irregular conduct, while ensuring the confidentiality of the reporting person, the person involved, any persons mentioned in the report, as well as the content of the report and its related attachments, the Company has activated two specific internal reporting channels, the management of which is expressly entrusted to the Person Responsible for whistleblowing, who, as previously mentioned, has been identified as the Supervisory Body.
Persons wishing to report an offence may either submit the report through the dedicated Platform available on the official website of negg, or send a registered letter with return receipt; both methods are explained in detail in paragraph 5.3.
Furthermore, the Company posts on its notice boards the information notice containing clear information regarding:
the internal reporting channels, the procedures to be followed and the conditions for making an internal report; as well as
the channel, the procedures and the conditions for making any external reports using the tools made available by the National Anti-Corruption Authority (ANAC).
This Procedure shall be made available within a dedicated section on the Company’s website, in order to make the information accessible also to those persons who, although not attending the workplace, have a legal relationship with the Company itself.
5. Reporting through internal channels
5.1. Subject of the Report
Through the use of internal reporting channels, the reporting person may make detailed reports concerning:
(a) unlawful conduct relevant pursuant to Legislative Decree No. 231/2001, that is, potentially constituting the so-called predicate offences, of which he/she has become aware by reason of the functions performed within the Company or of any type of relationship with the same;
(b) behaviours and/or practices that violate the provisions of Model 231, the related Protocols, Internal Procedures, or the Code of Ethics adopted by the Company;
(c) unlawful acts falling within the scope of application of the European Union or national acts listed in the Annex to Legislative Decree No. 24/2023, or of national acts implementing the European Union acts listed in the Annex to Directive (EU) 2019/1937, in any case relating to the following sectors: public procurement; financial services, products and markets and prevention of money laundering and financing of terrorism; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety and animal health and welfare; public health; consumer protection; protection of privacy and personal data and security of networks and information systems;
(d) acts or omissions that harm the financial interests of the European Union;
(e) acts or omissions relating to the internal market, including infringements of European Union rules on competition and State aid, as well as infringements of rules on corporate taxation;
(f) acts or behaviours which, although not expressly included in the preceding points, may potentially frustrate the purpose or the objective of the provisions laid down in the European Union acts regulating the sectors referred to in points c, d and e of this paragraph.
In order to facilitate the identification of facts that may be the subject of a report, an illustrative and non-exhaustive list of relevant conduct and behaviours is provided below:
violation of codes of conduct;
accounting and administrative irregularities and irregularities in accounting and tax compliance or in the preparation of the annual financial statements;
false declarations and false certifications;
violation of environmental, occupational safety and control regulations;
non-transparent recruitment;
behaviours aimed at obstructing the supervisory activities of the Supervisory Authorities (e.g. failure to provide documentation, presentation of false or misleading information);
offering or giving money, goods or services or other benefits intended to bribe suppliers, customers or public officials;
actions likely to damage the Company’s reputation.
The category of unlawful acts that may be reported also includes, at least for certain types of criminal offences, the attempt to commit such offences.
5.2. Prohibited Reports
Conversely, it is strictly forbidden to make reports that:
concern violations, conduct or omissions that the reporting person has no reasonable grounds to believe are true;
are pretextual, defamatory or slanderous;
constitute personal grievances, complaints, suspicions or rumours;
are of a discriminatory nature, as they relate to the sexual, religious or political orientation, or to the racial or ethnic origin of the reported person;
are aimed solely at damaging the reported person;
ultimately, constitute forms of abuse and/or misuse of this Procedure and of the whistleblowing system.
Furthermore, it is hereby specified that reports shall not be taken into consideration if they concern exclusively:
disputes, claims or requests connected to a personal interest of the reporting person;
individual employment or collaboration relationships between the reporting person and the Company, or with hierarchically superior figures;
aspects of the private life of the reported person, without any direct or indirect connection with the company and/or professional activity.
5.3. Operating procedures for submitting reports
The reporting person who intends to report an allegedly unlawful act must follow the operational instructions below.
In particular, the report:
must be made in good faith and must not be based on mere suspicions or rumours;
must be as detailed as possible and provide the greatest number of elements to allow the Person Responsible for the report to carry out the necessary verifications and investigative activities;
must not contain offensive language or personal insults or moral judgments aimed at offending or harming the honour and/or the personal and/or professional decorum of the person or persons to whom the reported facts refer.
Specifically, for the purposes of this paragraph, the reporting person may proceed with the report by means of:
Priority reporting channel:
The use of the Platform dedicated to Whistleblowing, available in the “Ethics” – “Model 231 & Whistleblowing” Section of the official website of negg Group: https://negg.group/
The GlobaLeaks platform is a software product developed by Whistleblowing Solutions Impresa Sociale S.r.l. (WBS), VAT No. IT09495830961. The IT Department of negg Group has analysed the measures adopted to ensure anonymity on GlobaLeaks in a specific technical report. The Legal Department has, in turn, carried out the impact assessment pursuant to Article 35 of the GDPR and has not identified any significant critical issues.
The Platform is not accessible either from the company network or through the internal VPN, in order to guarantee the anonymity of the reporting person; indeed, this measure prevents company firewall logs, centralised on the SIEM, from containing information that could be used to trace the identity of the whistleblowers.
Alternative channel:
The sending of the report by registered letter with return receipt, to the attention of the Person Responsible for Whistleblowing at the following address:
negg Group S.r.l. – Piazza del Popolo No. 18 – 00187 Rome (RM)
In this case, the reporting person shall place the report in two sealed envelopes: the first – optional, if he/she wishes to reveal his/her identity to the ODV – containing his/her identification details together with a photocopy of his/her identity document; the second containing the subject matter of the report, so as to separate his/her identification details from the report itself. Both envelopes shall then be placed in a third sealed envelope bearing on the outside the wording “Confidential – to the attention of the Person Responsible for Whistleblowing – Supervisory Body of negg Group.”
Furthermore, in the report, whatever the method chosen for its submission, the reporting person must describe in detail the facts that he/she intends to report, clearly indicating:
the name and surname, qualification and function/role of the person responsible (the so-called reported person);
the name of the company where the alleged offence occurred, in order to allow the related investigative activities to be carried out;
the circumstances of time and place of the event, together with any other element considered relevant for the purposes of the report;
any persons present at the place of the violation, who may potentially testify about the facts;
any supporting documentation attached, which may confirm the validity of the reported fact;
any private interests connected to the report;
any other information that may facilitate the collection of evidence regarding the report.
To facilitate reporting, negg’s Whistleblowing Platform asks the following questions in order to narrow down the circumstances:
Are you internal or external to the organisation?
Briefly describe your report.
Describe your report in detail.
Where did the facts occur?
When did the facts occur?
How are you involved in the reported fact?
Do you have any evidence to support your report? [It is possible to attach any supporting evidence.]
Describe the evidence in detail.
Have you reported the facts to other organisations or individuals?
What outcome would you like to achieve with our support?
Would you like to disclose your identity to the Supervisory Body? [The reporting person decides at his/her own discretion whether to include within the communication his/her name and surname, as well as elements useful to identify his/her role within the Company, or the relationships maintained with it, or whether to make an anonymous report.]
The reporting person is aware that reports made anonymously may be taken into consideration only if sufficiently detailed and provided with an adequate level of detail.
The reporting person is also aware that reports which are not formalised in the manner and with the contents indicated in this Procedure may not be taken into consideration.
For completeness, it should be noted that reporting persons may also:
Use the external channel set up by the National Anti-Corruption Authority (“ANAC”), available on the official ANAC website, when:
the activation of the internal reporting channel is not required within the working context, or such channel, even if mandatory, is not active, or, although active, does not comply with the requirements of the law;
the reporting person has already made an internal report and it has not been followed up;
the reporting person has reasonable grounds to believe that, if he/she were to make an internal report, it would not be effectively followed up or that such report could lead to a risk of retaliation;
the reporting person has reasonable grounds to believe that the violation may constitute an imminent or manifest danger to the public interest.
Make a public disclosure directly when:
the reporting person has previously made an internal and external report, or has made an external report directly, and no feedback has been received within the time limits established regarding the measures envisaged or adopted to follow up the reports;
the reporting person has reasonable grounds to believe that the violation may constitute an imminent or manifest danger to the public interest;
the reporting person has reasonable grounds to believe that the external report may entail a risk of retaliation or may not be effectively followed up due to the specific circumstances of the case, such as where evidence may be concealed or destroyed, or where there are well-founded fears that the person receiving the report may be colluding with the perpetrator of the violation or involved in the violation itself.
6. Obligations of the Person Responsible for the Report
6.1. Management of the Report
The following activities are envisaged:
upon receipt of a report, the ODV proceeds to analyse it;
it then sends – within seven days from receipt of the report – a specific notice confirming receipt to the reporting person via the Platform;
subsequently, within twenty days from receipt of the report, its admissibility is assessed, taking into consideration the following criteria:
(a) manifest absence of the objective and subjective legal requirements for exercising investigative powers (e.g. report made by a person not entitled to do so; report concerning breaches of legal provisions not included within the scope of Legislative Decree No. 24/2023, etc.);
(b) manifest absence of the essential elements of the report (e.g. description of the facts, indication of the time and place of the violation, identification of the person responsible);
(c) manifest groundlessness of the report due to the absence of factual elements justifying further investigation;
(d) report with generic content, preventing proper understanding of the facts;
(e) report concerning claims linked to a personal interest of the reporting person, without any direct and/or indirect connection to the interests of the Company.
Where a report is found to be manifestly inadmissible, the ODV proceeds with its filing, providing appropriate notification to the reporting person;
where the report is found to be admissible, further investigation is initiated to assess its validity and – if appropriate – additional parties, internal or external to the Company, may be involved, insofar as they are informed of the reported facts;
within a maximum period of ninety days from the date of the acknowledgment of receipt or, in the absence thereof, within ninety days from the expiry of the seven-day period following submission of the report, appropriate feedback is provided to the reporting person, indicating whether the report has been deemed unfounded. Two different scenarios may therefore occur:
(a) At the conclusion of the investigations, if the report is unfounded, it is filed; if, however, it has been made in bad faith by the reporting person, the report shall be transmitted to the Board of Directors and the corporate ODV;
(b) At the conclusion of the investigations, if the report is well-founded, a report on the unlawful aspects identified shall be transmitted to the Board of Directors. It is specified that, where the report concerns the unlawful conduct of one or more members of the Company’s Board of Directors, the investigation findings shall be transmitted to the Chairperson of the Board of Directors for the relevant assessments and actions. Conversely, where the report concerns the unlawful conduct of the Chairperson of the Board of Directors, the findings shall be transmitted to the Board of Auditors. Where the report concerns the possible commission of any of the predicate offences referred to in Legislative Decree No. 231/2001, or violations relating to Model 231, to the related Procedures and Operating Instructions, or to the Company’s Code of Ethics, the findings of the investigation shall be assessed directly by the ODV, for the activities within its competence, ensuring in all cases that the documentation transmitted contains no explicit or implicit references to the identity of the reporting person.
In case (b), where the report concerns the unlawful conduct of an employee and/or collaborator of the Company, an appropriate disciplinary procedure shall follow, pursuant to Article 7 of the Workers’ Statute, in full compliance with the principle of adversarial proceedings between the parties, taking into account the specific legal status of the person concerned (executive, subordinate, collaborator).
6.2. Retention of Reports and Related Documentation
The retention of received reports and the related documentation is handled as follows:
the ODV compiles and updates the Register of Reports, indicating: the reported fact, the name and surname of the reporting person and any contact details, the date the acknowledgment of receipt was sent, any requests for additional information, the investigative activities carried out, the date of feedback on the report, the outcome of the report (founded/unfounded), notes on the consequences of the report;
all reports are collected in a dedicated database, in electronic and/or paper format, ensuring that they are kept for the time necessary to process each report and, in any case, no longer than five years from the date of communication of the final outcome of the reporting procedure;
the data and information stored in the database are made available to the requesting parties, where disclosure is mandatorily required by law.
In any case, action is taken to protect the authors of reports from any form of retaliation, discrimination or penalisation and, more generally, from any negative consequences arising from such reports, ensuring maximum confidentiality regarding the identity of the reporting person.
7. Protection of Whistleblowers
The Company intends to ensure the highest level of protection and safeguarding for the whistleblower, with particular regard to confidentiality as well as the right not to suffer any form of discrimination or retaliation as a result of reporting an unlawful act.
7.1. Protection of the Confidentiality of the Reporting Person
The internal reporting channels made available by the Company ensure the confidentiality of the identity of the reporting person and of all other elements of the report (including the documentation attached to it, insofar as its disclosure, even indirectly, could allow identification of the reporting person), as detailed in the preceding paragraphs.
It is specified that the identity of the reporting person and any other information from which such identity may be directly or indirectly deduced cannot be disclosed, without the express consent of the reporting person, to persons other than those authorised to receive or follow up on the reports.
In the context of disciplinary proceedings, the identity of the reporting person cannot be disclosed where the disciplinary charge is based on findings that are distinct and additional to the report, even if resulting from it.
Where the charge is based, in whole or in part, on the report, and knowledge of the identity of the reporting person is essential for the defence of the accused, the report may be used for disciplinary purposes only with the express consent of the reporting person to the disclosure of his/her identity.
In this case, the Person Responsible for the Report must inform the reporting person of the reasons for the disclosure of confidential data. It is specified that the report is excluded from access under Articles 22 et seq. of Law No. 241 of 7 August 1990, as well as Articles 5 et seq. of Legislative Decree No. 33 of 14 March 2013.
Finally, it is in any case forbidden for the Company and the other competent bodies to use the reports beyond what is necessary to follow them up.
7.2. Protection of Privacy and Processing of Personal Data
It is further specified that the personal data of the reporting person, the reported person, and all individuals involved in the report are processed in compliance with the applicable legislation on the protection of personal data pursuant to Regulation (EU) No. 679/2016 (GDPR) and Legislative Decree No. 196/2003, as amended by Legislative Decree No. 101/2018. In particular, the data subject may consult the information notice on the processing of personal data posted on company notice boards and published on the Company’s website, at the following link: https://negg.group/legal/privacy-policy.
Furthermore, the information notice on the processing of personal data relating to the priority reporting channel – the Platform – can be consulted in the “Ethics” – “Model 231 & Whistleblowing” section, where the said Platform is accessible.
In any case, it is specified that the Data Controller processes the personal data collected only for the time necessary for the management and completion of the report, and in any event no longer than five years from the date of communication of the final outcome of the reporting procedure. The data subject is guaranteed the exercise of the rights provided for in Articles 15 et seq. of Regulation (EU) No. 679/2016, in accordance with the procedures indicated in the relevant information notice.
In this context, in accordance with Article 35 of Regulation (EU) No. 679/2016, an impact assessment (the so-called “DPIA”) has been carried out on the Platform, and no critical issues have been identified.
7.3. Protection against Retaliation
The reporting person cannot be sanctioned, demoted, dismissed, transferred, or subjected to any other organisational measure having direct or indirect negative effects on working conditions, as a consequence of his/her report. Retaliatory and/or discriminatory measures include not only acts and decisions, but also any conduct or omission directed at the reporting person, aimed at limiting and/or restricting the exercise of the worker’s functions in a manner that reveals a vexatious intent or otherwise worsens his/her working conditions.
Protection of the Reported Person against False, Defamatory, or Slanderous Reports
The person who makes prohibited reports, and in particular reports that are false, defamatory, or slanderous, with the sole purpose of damaging the reported person, is aware that the protection measures described in the previous paragraph cannot be applied in his/her favour, pursuant to and for the purposes of Article 16 of Legislative Decree No. 24/2023.
Furthermore, when it is established, even by a first-instance judgment, that the reporting person is criminally liable for the offences of defamation or slander, or civilly liable, for the same reason, in cases of wilful misconduct or gross negligence, an appropriate disciplinary sanction shall be imposed on the reporting person.
In this context, the reported person, who is informed of a report of unlawful conduct against him/her and considers it unfounded, false, slanderous or defamatory, may submit a specific request to the Person Responsible for the Report to learn the identity of the reporting person, in order to initiate appropriate civil and/or criminal proceedings for the protection of his/her interests.
The reported person is hereby made aware that the identity of the reporting person may be disclosed only with his/her express consent and that, in any case, retaliatory and discriminatory acts, as listed and described in the previous paragraph, are prohibited.
Final Provisions
All company functions involved are responsible for complying with and ensuring compliance with the content of this procedure.
Each Recipient is required to notify the ODV, in addition to what is expressly provided for by this procedure, of any possible anomaly detected in relation to the provisions of this procedure.
This procedure shall be subject to annual review in order to adapt to any regulatory, legal, or corporate changes. In the event of significant amendments, the new version shall be communicated to all parties involved.
Privacy Notice pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 as amended (the “GDPR”) and of the applicable Italian and European laws that supplement it (the “Applicable Privacy Law”) (the “Notice”) – concerning
The Processing of Personal Data related to Reports
pursuant to Legislative Decree No. 24 of 10 March 2023, implementing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and containing provisions regarding the protection of persons who report breaches of national laws (hereinafter, the “Whistleblowing Decree”), within the framework of managing reports as set out in the document titled “Procedure for the Management of Reports concerning Whistleblowing” (hereinafter also the “Procedure”), available on the website www.negg.group under the “Ethics” section, in “Model 231 & Whistleblowing”.
The Procedure describes the process for managing reports, including anonymous ones, made by anyone who becomes aware of actual or potential violations (unlawful acts, behaviors, or omissions) of laws or internal procedures of negg Group S.r.l.
negg Group S.r.l. (hereinafter, the “Company”, “negg”, or the “Data Controller”), in its capacity as data controller when the report exclusively concerns the Company itself, provides the following information.
1. Data Controller and Report Manager
1.1 The Data Controller of personal data acquired through reports relating exclusively to the Company is negg Group S.r.l., with registered office at Piazza del Popolo No. 18, 00187 Rome, Italy, telephone: +39 06 211 26804, PEC address: negg.group@legalmail.it.
1.2 negg Group has established a Priority Internal Reporting Channel for the receipt and management of reports (hereinafter, the “Whistleblowing Platform” or simply the “Platform”).
1.3 The Report Manager, who receives reports submitted via the Platform, is the Supervisory Body (“ODV”), an external entity consisting of a Sole Member – a Manager from Studio Associato Consulenza Legale e Tributaria (KPMG), appointed in the context of the adoption of the Organization, Management and Control Model pursuant to Legislative Decree 231/2001 (hereinafter, the “Model 231”).
1.4 The Company’s Legal Department is responsible for monitoring, oversight, and providing specialist advice on privacy matters and can be contacted at: privacy@negg.group.
1.5 A list of any data processors appointed pursuant to and for the purposes of Article 28 of the GDPR can be requested at the following address: privacy@negg.group.
2. Categories of Data Subjects
2.1 By way of example, data subjects include:
Employees of the Company, and in general any natural person who submits a report concerning violations identified within their work context, including individuals who have or have had temporary working relationships with negg (such as volunteers and interns, whether paid or unpaid, and probationary employees), as well as individuals whose relationship with the Company has not yet begun or has ceased, provided that the information on violations was obtained during the selection process, other pre-contractual stages, or the course of employment;
Members of corporate bodies; and
Third parties such as suppliers, consultants, collaborators, clients, and intermediaries.
2.2 In accordance with the Whistleblowing Decree, additional categories of data subjects benefiting from specific protections also include:
Reported persons (or persons involved) and other individuals mentioned in the report;
Facilitators (i.e., individuals assisting the whistleblower within the same work context, whose support must remain confidential);
Persons within the same work environment as the whistleblower who have a close personal or family relationship (up to the fourth degree of kinship) with the whistleblower;
Colleagues who work in the same environment and maintain a regular and ongoing working relationship with the whistleblower.
3. Categories of Data Processed
3.1 The processing concerns personal data acquired through the receipt of reports submitted via the Whistleblowing Platform. Such data may include, among others: (i) Identification data (e.g., first and last name) of reported persons, involved persons, and facilitators, as well as any additional personal data contained in the report referring to such subjects; (ii) In the case of identified reports, where the whistleblower provides their personal details, either at the time of submission or subsequently, the relevant data, such as name, surname, contact information, and any other personal data contained in the report referring to such individual.
3.2 No processing of special categories of data under Article 9 of the GDPR will take place. Should the Controller receive such data, it will be immediately deleted.
4. Legal Basis and Purpose of Processing
4.1 Personal data of data subjects will be processed in compliance with the Applicable Privacy Law for the purpose of managing reports received pursuant to the Whistleblowing Decree, and for all purposes connected with the management process described in the Procedure, including, without limitation, purposes related to defense, internal control, and corporate risk monitoring, as provided in the Procedure, employment contracts, the Code of Ethics, relevant corporate protocols, and applicable laws.
4.2 The processing is based on specific legal obligations deriving from Article 6 of Legislative Decree No. 231/2001 (as amended by Law No. 179/2017) and the Whistleblowing Decree, as well as on the legitimate interest of the Company in pursuing defensive, internal control, and risk-monitoring purposes arising from the receipt of reports.
5. Processing Methods and Description
5.1 The processing of personal data will be carried out in accordance with the methods and safeguards established by the Applicable Privacy Law, using automated and/or manual means that ensure data security, including encryption technologies.
5.2 Personal data will be processed by the Data Controller and the Supervisory Body, ensuring confidentiality and secrecy.
5.3 Processing will always be guided by the principles of proportionality, necessity, purpose limitation, and data minimization. No unnecessary personal data will be collected or processed. Processing will also comply with fairness, transparency, and the adequacy of security measures, taking into account negg Group’s Privacy Policy.
5.4 The data flow may be summarized as follows:
Reporting: The whistleblower accesses the Platform and submits a report;
Receipt: The report is received by the Supervisory Body;
Management: The report is analyzed and handled in accordance with the Whistleblowing Procedure.
6. Scope of Disclosure and Dissemination
6.1 For the purposes described in Section 4.1 above, data may be disclosed to the Company’s corporate bodies, internal personnel, and external consultants, including for the purpose of initiating judicial and/or disciplinary proceedings related to the report. Data may also be disclosed to judicial authorities, the National Anti-Corruption Authority, and law enforcement authorities.
6.2 Data will not be disseminated or transferred outside the European Union or to international organizations.
7. Data Subjects’ Rights
7.1 With respect to the personal data processed by the Controller, data subjects, other than the reported persons or those mentioned in reports, may exercise all rights granted by the Applicable Privacy Law, including the right to:
a) obtain confirmation of the existence of their personal data, the origin of such data, the logic and purposes of processing, the categories of recipients, and the identification details of the Controller and processors;
b) request access, rectification, updating, integration, erasure, anonymization, or restriction of processing;
c) object to processing for reasons related to their particular situation, within the limits set by the Applicable Privacy Law;
d) exercise the right to data portability, within the limits of Article 20 GDPR;
e) withdraw consent at any time, where applicable, without affecting the lawfulness of processing based on consent before its withdrawal;
f) lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), following the procedures available on its official website (garanteprivacy.it).
7.2 Any modification, deletion, or restriction of processing carried out upon request, unless impossible or requiring disproportionate effort, will be communicated by the Controller to each recipient to whom personal data have been disclosed.
7.3 The aforementioned rights may be restricted pursuant to Article 2-undecies, paragraph 1, letter f) of the Italian Privacy Code, where their exercise could result in actual and concrete prejudice to the confidentiality of the identity of a person who has reported violations that came to their knowledge in the course of their employment or duties, in accordance with the Whistleblowing Decree. In such cases, the rights of the data subject may be exercised through the Data Protection Authority, in accordance with Article 160 of the Privacy Code. The Authority will inform the data subject that the necessary verifications or reviews have been carried out and of the right to seek judicial remedy.
7.4 Any request to exercise rights by a data subject shall be managed by the Supervisory Body (ODV), reachable at odv@negg.group. The ODV will assess whether the request can be granted without compromising the whistleblower’s anonymity or the outcome of the investigation. If approved, the ODV will forward the request to negg’s Legal Department in charge of privacy matters (privacy@negg.group). This process ensures a balance between the protection of individual rights and the public interest in preventing misconduct.
8. Data Retention
Personal data processed by the Controller will be retained for the period strictly necessary to achieve the purposes described in Section 4.1 and, in any case, no longer than five (5) years from the date on which the final outcome of the reporting procedure is communicated.
Reports and related attachments are stored in a restricted and protected area, accessible only to authorized personnel, namely the Supervisory Body. The system is configured to ensure that data are neither disclosed nor lost. Regarding data storage, GlobaLeaks uses a hardened local SQLite database, which does not expose network ports and can only be accessed by the GlobaLeaks software. It restricts potentially dangerous functions and operates within a sandbox environment (specifically AppArmor) that minimizes the risk of unauthorized database access even in case of software compromise.