Whistleblowing

Exprivia has always paid close attention to preventing risks that could compromise responsible and sustainable business management, and it is convinced that working in compliance with ethical principles is favourable to its business. Therefore, it combats the occurrence of phenomena deriving from the violation of all regulations governing fairness, honesty and reliability in all internal and external relationships, committing to zero tolerance for corruption in any form whatsoever, reaffirmed both in the Code of Ethics and in the Organisation, Management and Control Model adopted pursuant to Italian Legislative Decree 231/01 since 31/3/2008.

Therefore, Exprivia not only follows the guidelines set forth by the Corporate Governance Code for listed companies issued by Borsa Italiana, but it has also introduced a digital platform that can be used by all stakeholders to report possible unlawful or irregular conduct and violations of company procedures and instructions, through an online portal.

The reports are handled by the Exprivia Ethics Committee and the Supervisory Body. The Ethics Committee consists of Internal Audit, the Head of the Human Resources Office, the Head of the Legal Office and by the RGPC (person responsible for the Anticorruption Management System).

Reports can be sent through the system without the need to either register or provide personal information. If whistleblowers decide to provide their personal information, they can be assured that it will remain confidential.

All personal data will be processed pursuant to regulations in force on the protection of personal data, i.e., Regulation (EU) 2016/679 (GDPR), as well as any other regulation on the matter applicable in Italy, with full respect for the rights and fundamental freedoms of the data subjects, particularly with regard to the confidentiality of their identity and processing security.

REGULATIONS

• Italian Legislative Decree no. 24 of 10 March 2023 “Implementation of directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019, relating to the protection of people reporting violations of Union law and providing dispositions on the protection of people reporting violations of national regulatory provisions”
• Italian Law no. 179 of 30 November 2017 “Provisions for the protection of whistleblowers reporting offences or irregularities of which they become aware as part of public or private work relationships” 
• Italian Legislative Decree no. 231 of 8 June 2001 “Regulations on the administrative liability of legal entities, companies and associations, even without legal personality, in accordance with article 11 of Italian Law no. 300 of 29 September 2000“
• Exprivia Code of Ethics
• Exprivia Organisation, Management and Control Model pursuant to Italian Legislative Decree 231/2001
• Law SA 8000 – Social Responsibilities Management System
• Law UNI/PdR 125 – Gender Equality Management System
• Law ISO 37001 – Anticorruption Management System
• European Regulation 2016/679 - GDPR (General Data Protection Regulation) of 27 April 2016
• Italian Legislative Decree no. 196 of 30 June 2003 “Personal Data Protection Code” supplemented with the amendments introduced by Italian Legislative Decree no. 101 of 10 August 2018 “Provisions for the adaptation of national law to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

FAQ

1. Who can submit a report?
   Anyone can send a report to Exprivia SpA or Exprivia Projects Srl (the "Companies"): employees, directors, statutory auditors, shareholders, managers and, in general, all those who operate, in Italy and abroad, on behalf of or in favour of the aforementioned companies, who work for them or who have business relations with them through any type of contract or assignment (self-employed, collaborators, freelancers, customers, suppliers, partners, consultants, agents, intermediaries, trainees, volunteers, interns, etc.).
2. What is the subject of the reports?
   Reports must concern, in general, reasonable and legitimate suspicion or bona fide awareness of unlawful conduct or irregularities in the context of work or collaboration with the Company that may harm the integrity of the Company itself or the Exprivia Group. They can therefore be traced back to:

• violation of national or European legislation, including administrative, accounting, civil or criminal offences
• violations of the Organisation, Management and Control Model pursuant to Legislative Decree 231/2001;
• violations of the Code of Ethics (discrimination, harassment, conflict of interest, ...);
• violations of internal provisions or procedures that can be sanctioned by disciplinary means, including those relating to social responsibility issues (e.g. respect for work required by law, adequate, safe and healthy workplace, non-discrimination , gender equality, fairness) and the prevention of corruption (e.g. active and passive corruption events, gifts, donations);
• in general, facts that may constitute crimes or cause damage (financial or reputational) to the Company or the Exprivia Group.

They should not be reported and, in any case, will be ignored by the system:

• facts based on "rumours" or reported "hearsay";
•  disputes, claims or requests related to a personal interest of the reporting person that relate exclusively to their individual employment relationships.

3. What channels can I use to submit a report?The following
   internal channels can be used:

For written reports

• web portal: Whistleblowing
• sending ordinary mail to the address Via Adriano Olivetti n.11—70056 – Molfetta (BA), specifying the recipient Company (Exprivia SpA or Exprivia Projects Srl), for the attention of the Supervisory Body or the Ethics Committee

For oral reports

• Telephone call to the direct number +39 080 5362998
• request for a direct meeting with the managers of the report, through the telephone number +39 080 5362998

The web portal is the reporting channel that offers the greatest guarantees of confidentiality and protection of the identity of the whistleblower and of all data related to the report, including the data of the reported person.

4. When can I use external channels (ANAC and public disclosure) to send a report?

The whistleblower may use the external reporting channels established by ANAC on its institutional portal, only when one of the following conditions is met:

1. 1. the whistleblower has already made an internal report and it has not been followed up;
   2. the whistleblower has reasonable grounds to believe that, if the whistleblower were to make an internal report, it would not be effectively followed up or that the same report could lead to the risk of retaliation;
   3. The whistleblower has reasonable grounds to believe that the breach may constitute an imminent or obvious danger to the public interest.

On a residual basis and limited to the occurrence of the conditions indicated below, reporting is allowed through public disclosure through the press or electronic means or in any case through means of dissemination capable of reaching a large number of people. The whistleblower who makes a public disclosure benefits from the protection provided by the Decree if, at the time of public disclosure, one of the following conditions is met:

1. 1. the whistleblower has previously made an internal and external report or has directly made an external report and has not been responded to within the established deadlines;
   2. the whistleblower has reasonable grounds to believe that the breach may constitute an imminent or obvious danger to the public interest;
   3. The whistleblower has reasonable grounds to believe that the external report may entail the risk of retaliation or may not be effectively followed up due to the specific circumstances of the specific case, such as those in which evidence may be concealed or destroyed or where there is a well-founded fear that the person receiving the report may be colluding with the infringer or involved in the breach itself.

5. What are the necessary contents of a report?
   The report must contain elements useful to allow the bodies responsible for the analysis and processing of the report to carry out the appropriate checks to verify its validity. The report must therefore contain the following elements:

• a clear and complete description of the facts reported;
• the circumstances of the time and place in which they were committed;
• personal details or other elements (such as the position and the service in which the activity is carried out) that make it possible to identify the person(s) who has/have carried out the reported facts;
• the indication of any other subjects who may report on the facts being reported;
• the indication of any documents or other evidence that may confirm the validity of such facts;
• any other information that may provide useful feedback on the existence of the reported facts.

6. Can I submit an anonymous report?
   Yes, it is possible to submit anonymous reports. The Company will consider such reports if the elements indicated are detailed in such a way as to bring to light facts and situations on which it is possible to make the necessary findings.
7. Who will take charge of and process my report sent through internal channels?
   The management of reports through internal channels is entrusted to a Whistleblowing Office which is composed as follows:
   1. the Ethics Committee, made up of the Internal Auditor and the heads of Human Resources, Legal and the RGPC (Head of the Management System for the Prevention of Corruption), which, upon receipt of the reports, will analyse, verify and process them, informing the Supervisory Body (SB); if the reports relate to offences referred to in Legislative Decree 231/01, it will refer them to the management of the SB
   2. by the SB, which will analyse, verify and process the reports falling within the offences referred to in Legislative Decree 231/01 and which, if it deems the reports not within its competence, will refer them to the management of the Ethics Committee. Even where the report is the responsibility of the SB, the latter will inform the Ethics Committee, with the exception only of those member(s) who may be in conflict of interest with the report, of the report received and managed by it.

In the event that it is considered that one of the members of the evaluation team is involved in some way in the report or it is considered necessary or even appropriate that one of these members should be excluded from the management of the report, it is possible, using the web portal, to highlight this circumstance within the portal itself and exclude certain subjects from submission.

8. Does the whistleblower receive confirmation of acceptance and feedback on the management of the report sent?

Yes, within seven days of receipt of the report, the managers of the same will issue to the whistleblower an information notice of receipt and acceptance of the report. This notice will be forwarded to the address indicated by the whistleblower in the report, if any.

In addition, the reporting handlers will provide feedback to the report within three months of the date of the acknowledgement of receipt or, in the absence of such an acknowledgement, within three months of the expiry of the seven-day period from the submission of the report.

9. Can I track the processing status of my report?
   Certainly. The author of the report sent through the Whistleblowing web portal will have continuous access to verify the evolution of his report using the unique code provided by the web portal at the time of opening the report.
10. What are the protection measures guaranteed to the whistleblower by the Whistleblowing Procedure?

The protection system prescribed by Legislative Decree no. No. 24/2023 provides for a set of protections granted to the whistleblower and the so-called facilitators, i.e. the subjects who are part of the same working context as the whistleblower and who have facilitated the submission of the report, as well as to the person reported or involved in the report. Provided that the report has been made in accordance with the procedures and requirements set forth in Legislative Decree no. No. 24/2023 and set out in the Procedure, the main safeguards are:

1. 1. the protection of the confidentiality of the whistleblower, the facilitator, the person involved and the persons mentioned in the report;
   2. protection from any retaliatory measures adopted by the Company against the whistleblower and facilitators;
   3. exclusion from civil, criminal, administrative or disciplinary liability of the whistleblower with respect to the disclosure and dissemination of certain information.