1. PREMISES

Legislative Decree 10 March 2023, no. 24 implementing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting breaches of Union law and containing provisions on the protection of persons reporting breaches of national legislative provisions, has profoundly reorganised the rules relating to the management of reports of wrongdoing (so-called whistleblowing), providing for organic and uniform legislation.

The recently introduced rules, in particular, require companies/entities to have a structured and adequately formalized whistleblowing system, of which the implementation of internal reporting channels – managed internally by offices or personnel belonging to the organization specifically trained or by external third parties – are essential elements, through which individuals who become aware of an illicit act can make a report (see paragraph 5.2 of this Procedure), as well as a specific internal procedure that regulates the organizational and process aspects for the correct management of reports that fall within the scope of the new provisions on whistleblowing.

Generally speaking, reports can be sent via the internal channel either in written form, including electronic means, or orally (e.g. dedicated telephone lines or voice messaging systems).

Upon request of the reporting person, a face-to-face meeting must also be arranged with the individuals responsible for managing the reports.

In addition to internal reports, and only if the specific conditions indicated in articles 15 and 16 are met, 6 and 15 of Legislative Decree 24/2023 (to which reference is made), the reporting party has the right to use an external reporting channel activated at ANAC or to publicly disclose – that is, make public through the press or electronic means that allow dissemination to multiple people – the information regarding the violations mentioned above.

This Procedure, updated to the currently applicable regulatory framework, forms an integral part of the Code of Ethics adopted by NIMAX S.P.A and complies with the company compliance policy.

2. SUBJECT AND PURPOSE OF THE PROCEDURE

In order to effectively prevent and combat fraudulent behavior and illegal or irregular conduct, an internal system for reporting violations (so-called “Whistleblowing” system) is established in accordance with the provisions of Legislative Decree 24/2023.

To this end, the Procedure identifies:

·         the subjective scope of application, i.e. the subjects who can submit a report;

·         the objective scope of application, i.e. the crimes that can be reported;

·         the methods for sending reports;

·         the role of the subjects responsible for receiving reports;

·         the procedure for evaluating reports;

·         the forms of protection for reporting and reported subjects.

·          

It is specified that the subjects authorized to receive and manage reports pursuant to art. 4 of Legislative Decree 24/2023 are exclusively: HR office.

3. DEFINITIONS AND ACRONYMS

·         Nimax S.p.A or Company: with registered office in Bologna, Via dell’Arcoveggio 59/2

·         Code of Ethics: the document that defines the set of ethical and behavioral principles that corporate bodies, employees, collaborators and, in general, all third parties who have legal relationships with NIMAX S.P.A are required to comply with

·         Recipients: the staff of NIMAX S.P.A and any other third party, natural or legal person such as suppliers, consultants, customers or other parties who have contractual relationships with the Company such as collaborators, consultants, business partners and in general all the parties referred to in art. 3 of Legislative Decree 24/2023 (Personal scope of application).

·         Internal procedures: all procedures, protocols, company regulations and/or operating instructions and all other documents that are part of the company regulatory system.

·         Violations: behaviors, acts or omissions that harm the public interest or the integrity of the public administration or private entity and that consist of unlawful conduct relevant under art. 2 of Legislative Decree 24/2023 (see paragraph 5.2.).

·         Information on violations (or “inherent to violations” or “relating to violations”): information, including well-founded suspicions, regarding violations committed or that, on the basis of concrete elements, could be committed in the organization with which the reporting person has a legal relationship as well as elements regarding conduct aimed at concealing such violations.

·         Retaliation: any behavior, act or omission, even attempted or threatened, carried out as a result of the report and which causes or may cause the reporting person, directly or indirectly, unjust damage.

·         Report: the communication (written or oral) of information relating to a violation submitted through the internal reporting channels adopted by the Company.

·         Reporting entity (or “Reporter”): the natural person who makes a report of information relating to a violation acquired within the scope of his/her work context.

·         Person involved (or “Reported”): the natural or legal person mentioned in the internal report as the person to whom the violation is attributed or as a person in any case implicated in the reported violation.

·         Facilitator: natural person who assists the whistleblower in the reporting process, operating within the same work context and whose assistance must be kept confidential.

·         Address for forwarding Whistleblowing reports: Whistleblowing Reporting Manager Office, at the HR Office – confidential reporting – c/o Nimax S.p.a. via dell’Arcoveggio 59/2 – 40129 BOLOGNA

·         Mobile number for oral reporting: 3406803219

·         Reporting manager: HR Office which is the recipient of the Reports,

·         DG: General Manager of NIMAX S.P.A

·          

4. REGULATORY FRAMEWORK OF REFERENCE

4.1 Binding Legislation

·         Civil Code;

·         Criminal Code;

·         Legislative Decree 10 March 2023, no. 24 – Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting

·         breaches of Union law and containing provisions on the protection of persons reporting breaches of national legislation;

·         Legislative Decree 8 June 2001, no. 231 on the discipline of the administrative liability of legal persons, companies and associations, including those without legal personality;

·         Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”);

·         Legislative Decree 30 June 2003, no. 196 and subsequent amendments (“Privacy Code”);

4.2 Internal regulations

·         NIMAX S.P.A. Code of Ethics;

·         Internal procedures and regulations;

For the purposes of this Procedure, other regulatory provisions may also be relevant, including those on employment law, as well as, where relevant, civil and criminal provisions that may be applicable on a case-by-case basis.

5. FORMS OF PROTECTION AND CONFIDENTIALITY RECOGNIZED FOR THE REPORTER AND THE REPORTED

5.1 Protection of the Reporter

In order to ensure the effectiveness of the internal reporting channel and its correct use, NIMAX S.P.A guarantees the protection of the confidentiality of the identity of the Reporter, also in compliance with the provisions of the legislation on the protection of personal data pursuant to Regulation (EU) 2016/679 and Legislative Decree 196/2003 (“Privacy Code”), and implements all necessary measures to avoid any form of retaliation that is directly or indirectly connected to the Report.

In particular, by way of example and not limited to, the following may constitute retaliation:

·         dismissal, suspension or equivalent measures;

·         failure to promote or demote;

·         change of functions, change of workplace, reduction of salary, change of working hours;

·         negative marks of merit or negative references;

·         suspension of training or any restriction of access to it;

·         adoption of disciplinary measures or other sanctions, including financial ones;

·         coercion, intimidation, harassment or ostracism;

·         discrimination or otherwise unfavourable treatment;

·         failure to convert a fixed-term employment contract into a permanent employment contract, where the worker has a legitimate expectation of such conversion;

·         failure to renew or early termination of a fixed-term employment contract;

·         damage, including to the reputation of the person, in particular on social media, or economic or financial prejudice, including loss of economic opportunities and loss of income;

·         inclusion in improper lists on the basis of a formal or informal sectoral or industrial agreement, which may make it impossible for the person to find employment in the sector or industry in the future;

·         early termination or cancellation of contracts for the supply of goods or services;

·         the cancellation of a license or permit;

·         the request to undergo psychiatric or medical tests.

·          

The Reported Person who believes he or she has suffered an act of retaliation connected to the Report, may send a communication to the National Labor Inspectorate or to the ANAC, so that the most appropriate measures of their competence can be adopted.

The retaliatory or discriminatory measures that find their cause in the Report (including dismissal and/or change of duties pursuant to art. 2103 of the Civil Code) are null and void pursuant to art. 6, paragraph 2-quater of Legislative Decree 231/2001 and 19, paragraph 3 of Legislative Decree 24/2023, and, in the event of dismissal, the person who made the Report has the right to be reinstated in the workplace pursuant to art. 18 of Law no. 300/1970 (“Workers’ Statute”) or art. 2, Legislative Decree 23/2015, based on the specific rules applicable to the worker.

The protection measures provided for by Legislative Decree 24/2023 also apply to:

·         facilitators;

·         people in the same work context as the Reporter and who are linked to the latter by a stable emotional or kinship bond within the fourth degree;

·         work colleagues of the Reporter, who work in the same work context and who have a habitual and ongoing relationship with the Reporter, i.e. not sporadic, occasional or episodic, but present, systematic and prolonged over time;

·         legal entities of which the reporting person is the owner, for which he or she works or to which he or she is otherwise connected in a work context (e.g. partnerships between companies).

5.2 Protection of the Reported Person

In order to prevent any abuse of the reporting system and to prevent slanderous or defamatory conduct that could cause harm to the reputation of the person involved in a Report, or cause discrimination, retaliation or other disadvantages, this Procedure provides for measures to protect the Reported Person.

In particular, Reports characterized by fraud or gross negligence, which are clearly unfounded, made in bad faith, or presented for personal reasons or for the sole purpose of obtaining advantages or causing damage to the Reported Person and/or the Company are prohibited.

In the event of a reckless Report within the terms specified above, the disciplinary sanctions provided for by the Company’s Disciplinary System and by the applicable CCNL (if the person is an employee) as well as the administrative pecuniary sanctions under the jurisdiction of ANAC may be imposed on the Reporting Person.

The person to whom the violation is attributed may always ask the Report Manager to be heard or, alternatively, produce written reports or other documentation in his/her defense. Minutes of the meeting with the Reported Person are drawn up, dated and signed by the Reported Person, which are kept at the HR offices.

5.3 Confidentiality and privacy

In managing Reports, NIMAX S.P.A guarantees the protection of the confidentiality of the identity of the Reporter and of any other information from which such identity can be deduced, directly or indirectly.

The identity of the Reporter cannot be revealed, without the express consent of the same reporting person, to persons other than those competent to receive or follow up on the reports. Likewise, the

identity of the Reported persons and of the persons mentioned in the Report is protected until the conclusion of the proceedings initiated on the basis of the Report and in compliance with the same guarantees recognized to the Reporter.

The obligation of confidentiality on the identity of the Reporter and on the information from which such identity can be deduced is not applicable:

·         when the Reporter expresses his/her express consent to reveal his/her identity to persons other than those authorized to receive and manage the Reports;

·         in the context of criminal proceedings, beyond the closure of preliminary investigations, unless the public prosecutor, with a reasoned decree, orders the maintenance of the confidentiality of the investigation for individual acts in the cases provided for by art. 329 of the Code of Criminal Procedure;

·         in the context of proceedings before the Court of Auditors, after the closure of the investigation phase;

·         in the context of disciplinary proceedings, only with the express consent of the Reporting Person to the disclosure of his or her identity, when knowledge of such identity is essential for the defense of the Reported Person and the dispute is based, in whole or in part, on the Report. In these cases, in the absence of express consent, the information contained in the Report cannot be used for the purposes of the disciplinary proceedings.

The Reporting Person is in any case informed, by written communication, of the reasons on which the disclosure of confidential data is based.

5.4 Processing of personal data

The personal data of the Reporting Persons, the Reported Persons and all the subjects involved in the Report are processed in accordance with the current legislation on the protection of personal data (Regulation (EU) 2016/679 and Legislative Decree 196/2003, as amended by Legislative Decree 101/2018).

NIMAX S.P.A refrains from processing personal data that are not manifestly useful for managing a Report. If such personal data are collected accidentally, they are immediately deleted.

In particular, with respect to the processing of personal data in the management of Reports, it is highlighted that:

·         the reporting person and the person involved in the report will receive, at the time of the Report or at the first useful contact, information on the processing of personal data pursuant to Articles 13 and 14 of Regulation (EU) 2016/679;

·         the procedure for managing Reports involves the processing of only personal data that is strictly necessary and relevant to the purposes for which it was collected;

·         NIMAX S.P.A, as data controller, has implemented technical and organizational measures suitable for ensuring a level of security appropriate to the specific risks arising from the processing of personal data carried out, in compliance with the applicable personal data protection legislation;

·         the Company has identified the persons responsible for receiving and managing Reports, authorizing them in writing pursuant to Articles 29 and 32, paragraph 4 of the GDPR and 2-quaterdecies of the Privacy Code;

·         the exercise of the rights provided for by Articles 15 to 22 of the GDPR by the Reported Person (“interested party” pursuant to the legislation on personal data protection) with respect to the processing of personal data carried out in the context of managing Reports may be limited if this could result in prejudice to the confidentiality of the identity of the Reporting Person. More specifically, the possibility of exercising the rights provided for by Articles 15 to 22 of the GDPR may be precluded. from 15 to 22 of the GDPR, limited to the period in which this is effectively and strictly necessary, if the exercise of such rights may result in actual and concrete damage to the confidentiality of the identity of the whistleblower, pursuant to art. 2-undecies, paragraph 1, letter f) of the Privacy Code; or to the performance of defensive investigations connected to the management of reports or for the exercise of a right in court by the Data Controller, pursuant to art. 2-undecies, paragraph 1, letter e) of the Privacy Code.

6. SCOPE OF APPLICATION

6.1 Subjective scope of application

This Procedure applies to all NIMAX S.P.A. personnel, i.e. workers who operate on the basis of relationships that determine their inclusion in the company organization, even in a form other than an employment relationship, as indicated more specifically below. The provisions contained in this Procedure also apply to external parties who make

Reports as specified in paragraph 7.1. as well as, with regard to protection measures, the parties indicated in paragraph 5.1.

The reports taken into consideration are only those that concern facts found directly by the Reporting Party and must not in any way represent claims/requests of a personal nature.

6.2 Objective scope of application

For the purposes of this Procedure, by way of example and not limited to, the following may be reported:

·         the relevant illicit conduct pursuant to Legislative Decree 231/2001 – i.e. the so-called predicate offences.

·         offences involving European Union or national acts, relating, by way of example and not limited to, the sectors of public procurement, services, products and financial markets and prevention of money laundering and terrorist financing, transport safety, environmental protection, public health, privacy, network and information systems security, etc.

·         acts or omissions that harm the financial interests of the European Union pursuant to art. 325 of the TFEU (Treaty on the Functioning of the European Union);

·         acts or omissions that affect the internal market pursuant to art. 25 of the TFEU, including the violation of EU rules on competition and State aid, as well as offences concerning the internal market connected to acts that violate the rules on corporate tax or violations whose purpose is to obtain a tax advantage aimed at evading the application of the legislation on corporate tax.

Reports are not permitted if they are:

·         characterized by a manifest lack of interest in protecting the integrity of the Company or aimed at the exclusive protection of individual interests (e.g. mere claims against colleagues, hierarchical superiors, etc.);

·         sent for clearly emulative purposes (e.g. reports made in bad faith, or with the aim of harming or harassing the Reported Person);

·         containing unfounded information or reporting mere “rumors” (information without supporting evidence).

·          

Such reports do not fall within the scope of the reports to which the Whistleblowing legislation applies and, therefore, will be archived following the appropriate checks.

In the cases specified above, NIMAX S.P.A reserves the right to take the actions deemed most appropriate to protect its interests and those of the Reported Person for any liability of the reporting person, on the assumption that the actual identity of the latter is known.

7. THE REPORTING SYSTEM

7.1 Reporting Parties

Reports may be made both by internal staff of NIMAX S.P.A and by external parties.

In particular, pursuant to Legislative Decree 24/2023, Reporting Parties include workers who operate on the basis of relationships that determine their inclusion in the company organization, even in a form other than subordinate employment, including intermittent workers, apprentices, temporary workers and occasional workers.

The provisions contained in this Procedure also apply to the following parties:

·         self-employed workers, as well as workers holding a collaboration relationship pursuant to art. 409 of the Italian Code of Civil Procedure and art. 2, Legislative Decree no. 81/2015;

·         freelance professionals and consultants;

·         volunteers and trainees (paid and unpaid);

·         shareholders, directors (including de facto directors), general managers, managers, attorneys, members of the Board of Statutory Auditors;

·         candidates for a job who become aware of a violation during the selection process or in other pre-contractual phases;

·         probationary workers;

·         terminated workers, if the information relating to the violation was acquired during the employment relationship.

7.2 Reported Parties

The conduct that is the subject of the Report may concern the Legal Representative, or the members of the Board of Directors, the Board of Statutory Auditors, or the employees (including managers), external collaborators of the Company or third parties (e.g. agents, suppliers, consultants, customers, etc.) to whom the Company is bound by contractual relationships.

7.3 Reporting channels

NIMAX S.p.A has activated an internal reporting channel in accordance with the provisions of art. 4 of Legislative Decree 24/2023, which guarantees the confidentiality of the Reporter, the Reported Person, the persons mentioned in the Report, as well as the content of the Report and any attached documents.

The HR Office is responsible for managing the internal reporting channel.

Reports can be sent in written form via:

·         private paper mail to be sent in a sealed envelope with registered mail with return receipt, ordinary mail or by hand to the Whistleblowing Reporting Manager Office, at the HR Office – confidential reporting – c/o Nimax S.p.a. via dell’Arcoveggio 59/2 – 40129 BOLOGNA.

In order for the Manager to keep the report confidential, it would be advisable for the report to be placed in two closed envelopes: the first with the reporting person’s identification data together with a photocopy of the identification document; the second with the report, so as to separate the reporting person’s identification data from the report. Both envelopes should then be placed in a third sealed envelope that bears the wording “Whistleblowing Report” on the outside. This last specification allows, where the report is mistakenly received by an incompetent person, the timely transmission by the latter to the person authorized to receive and manage whistleblowing reports.

·         Oral channel: using the WhatsApp number 340 6803219, the channels used by the Company protect the confidentiality of the Reporting Person, ensuring that the identity of the Reporting Person and third parties as well as the content of the Report cannot be accessed by persons who have not been formally authorized to manage reports based on this Procedure.

7.4 Subject and form of the report

Reports must have as their subject information regarding facts that constitute violations committed or of which there are well-founded and concrete suspicions of commission within the organization with which the Reporting Party has a legal relationship.

Reporting Parties may communicate information relating to the violations better specified in paragraph 6.2 (“Objective scope of application”).

Reports must have the following essential elements:

·         Subject: a precise and detailed description of the facts and conduct that are believed to constitute a violation, with the indication – if known – of all the factual elements and the circumstances of time and place in which the reported facts were committed[1].

·         Reported Party and other parties involved: any element (e.g. personal details, corporate function/role, etc.) suitable to allow easy identification of the alleged perpetrator(s) of the illegal conduct that is the subject of the Report.

The Reporting Person must also indicate the following additional elements:

·         personal details and type of Reporting Person (e.g. employee, collaborator, agent, consultant, etc.), unless the Report is anonymous;

·         any additional persons who can report useful circumstances on the reported facts;

·         any documents suitable to support the validity of the reported facts and to better substantiate the Report;

·         any other information that can facilitate the collection of evidence on what has been reported.

The report must also be integrated, if possible, by attaching any documentation supporting the contested fact.

If the Reporting Person becomes aware, during the investigation, of additional information relating to the reported facts, he or she may integrate the information provided even after the Report has been sent. The lack of one or more of the aforementioned mandatory minimum contents may constitute

grounds for archiving the report. The requirement of the truthfulness of the reported facts remains in place, also for the purposes of protecting the Reporting Person and the Reported Person.

In the reporting process, the Reporter may be assisted by a facilitator, i.e. a person who provides advice and support to the Reporter and operates in the same work context. For example, the facilitator may be a work colleague belonging to a different office than that of the Reporter or a trade union representative, provided that, in this case, he or she assists the Reporter in his or her name and on his or her behalf, without using the trade union acronym.

The sending of the Report is preceded by the Reporter’s confirmation of having read a specific privacy notice pursuant to art. 13 of the GDPR.

In all phases of management of the Whistleblowing Report, the Company guarantees the protection of the confidentiality of the Reporter and of the persons involved in the Report as well as the security in the protection of personal data.

7.5 Prohibited Reports

Reports may not contain insulting expressions or moral judgments aimed at offending or harming the honor and personal decorum and/or professional dignity of the person to whom the reported facts refer.

By way of example and not limited to, it is prohibited to:

·         use insulting or defamatory expressions;

·         send Reports with purely slanderous purposes;

·         send Reports that concern aspects of the private life of the Reported Person, without any connection or link, direct or indirect, with the work/professional activity carried out within the Company or third-party entities/companies;

·         send Reports of a discriminatory nature, as they refer to sexual, religious and political orientations or to the racial or ethnic origin of the Reported Person;

·         send Reports that are clearly unfounded and in bad faith, as they are based exclusively on claims and/or reasons of a personal nature, which have the sole purpose of damaging the Reported Person.

If a violation of the above provisions is ascertained, a disciplinary sanction may be imposed on the Reporting Person, unless there are reasonable grounds to believe that the disclosure or dissemination of information

relating to a violation that offends the reputation of the Reported Person is truthful and necessary for knowledge of the violation.

7.6 Anonymous Reports

Reports from which it is not possible to trace the identity of the Reporter are considered anonymous.

Generally speaking, in the event of receiving an anonymous report through the internal reporting channel, these must be treated as ordinary reports, provided they are sufficiently detailed[2]. In particular, anonymous reports containing the content indicated in the previous paragraph 7.4 will be taken into account and managed.

In any case, the anonymous Reporter, subsequently identified, who communicates that he has suffered retaliation due to the Report, can benefit from the protection that Legislative Decree 24/2023 provides in the face of retaliatory measures[2].

8. MANAGEMENT OF REPORTS

The process of managing Reports, which is the responsibility of the HR Office of NIMAX S.P.A, is described below, with particular reference to the following phases:

·         access to the paper or oral Report;

·         preliminary assessment of the Report;

·         internal checks and investigations;

·         conclusion of the process and reporting to the top management;

·         archiving and storing the documentation relating to the Reports.

8.1 Sending and receiving a Report

·         Sending the Report: following receipt of the Report, the Manager confirms that the Report has been taken charge of by the reporting party and will keep a special register.

·         Checking the progress of the Report: the three main cases relating to the status of a Report are reported below:

1.       Taking charge: the Manager will be responsible for responding to the Reporting Party regarding the status of “taking charge” of the Report, which must in any case occur within 7 (seven) days of receiving the Report itself;

2.       Response to the report: within 3 (three) months from the date of notification of acceptance or, in the absence of such notice, within three months from the expiry of the seven-day deadline from the submission of the report, a response must be provided to the Reporting Party by the persons

authorised to manage the Reports, informing them of the actions taken; Closing the report: following the investigations, the Manager proceeds to provide a final response to the reporting user and to close the report itself.

8.2 Preliminary evaluation of the Report

The Manager takes charge of the Report within 7 (seven) days from the date of receipt of the Report itself.

The Manager then carries out a preliminary analysis of the Report received in order to assess its validity and subject.

If necessary, the Manager may request from the Reporting Person, additional information or documentation to support the Report in order to conduct a complete evaluation of the reported facts.

The Manager ensures monitoring of the Report management process in all its phases.

Reports are processed in the chronological order in which they reach the Manager, except for any specific assessments regarding the need to manage a specific Report as a priority, if particular profiles of severity or urgency are highlighted (e.g.: severity of the reported conduct, current and potential consequences of particular relevance for the Company, risk of repetition of the illicit conduct, etc.).

In managing the Reports received, the Manager acts with the professionalism and diligence required by the tasks entrusted to them, carrying out any activity deemed appropriate, in compliance with this Procedure and the relevant legislation. Within the scope of the autonomy of its powers of initiative and control, the Manager, if necessary for the purposes of the investigation, may also avail itself of the support of other company functions or external consultants, provided that the confidentiality of the Reporting Person and the persons involved in the Report is always guaranteed and no information is communicated that is not essential to the ascertainment of the reported facts.

Following the preliminary assessment, the Manager proceeds to classify the Report in one of the following categories, which will imply a different and specific work flow for managing them:

·         Irrelevant Report: the Report refers to behaviors, acts or facts that do not constitute a predicate crime provided for by Legislative Decree 231/2001 or the principles of the Code of Ethics or violations of national or European Union regulations referred to in Legislative Decree 24/2023. If the Manager believes that the Report, although not relevant for the purposes of applying this Procedure and, therefore, not falling within the so-called whistleblowing Reports, nevertheless contains detailed elements from which irregularities, violations or omissions may emerge that concern other sectors – e.g. violations in the field of employment law – not falling within the matters governed by Legislative Decree 24/2023 and related Annexes, it transmits the Report to the Company Management competent for the matter and/or to the relevant company functions so that they can carry out the necessary checks. The Manager is in any case required to send the Reporting Party a reasoned archiving notice within 3 (three) months of receiving the Report.

·         Relevant but non-treatable Report: this hypothesis occurs when the Manager has received a Report that is relevant with respect to the application of this Procedure, but at the end of the preliminary analysis phase and any request for further information, it has not collected sufficient elements to be able to proceed with further investigations and verify the validity of the facts reported. In this case, the Manager orders the motivated archiving of the proceeding, notifying the Reporting Party within 3 (months) of receiving the Report.

·         Prohibited Reporting: in the event of receiving Reports falling within the cases referred to in paragraph 7.5 “Prohibited Reports”, the Manager communicates this circumstance to the General Manager for the possible initiation of disciplinary proceedings against the Reporting Party (in the event that the Report comes from an employee/collaborator of the Company) as well as to assess the need to communicate the facts that are the subject of the Report in question to the Reported Party, in order

to allow him to exercise his rights of defense. In the event that, however, the Report was made by third parties with whom the Company has contractual relationships (such as, for example, suppliers, external consultants/collaborators, commercial partners, etc.), the Manager informs the General Management without delay for the purposes of applying the remedies provided for by the specific contractual clauses included in the relevant contracts (e.g. termination of the contract, in addition to any compensation for damages). The right to appeal to the Judicial Authority to ascertain any criminal liability arising from the defamatory or slanderous nature of NIMAX S.P.A (or, in any case, of criminal relevance) of the content of the Report, as well as any other liability, including civil and administrative, that may arise from the facts reported in the prohibited Report, remains reserved.

·         Relevant Report: in the case of Reports that are sufficiently detailed and fall within the matters referred to in the legislation on whistleblowing, the Manager initiates the investigation phase, described in the following paragraph. Except in justified exceptional cases, the Manager concludes the evaluation process of the Report within 3 (three) months of receiving it, providing the Reporting Party with adequate feedback on the status of the Report.

8.3 Internal checks and investigations

At the end of the preliminary assessment phase, where the Report received has been classified as “relevant”, the Manager starts internal checks and investigations in order to collect further information useful for ascertaining the validity of the reported facts.

The Manager reserves the right to request, if necessary for the continuation of the investigation, further information or documentation from the Reporting Party. In any case, the Manager maintains discussions with the Reporting Party, providing feedback on the progress of the processing of the Report.

As part of the investigation activity, based on the specific subject of the Report, the Manager may avail of the support of internal company structures/Directorates or external consultants (e.g. lawyers, accountants, etc.).

In such an event, the subjects involved in the investigation activity are required to comply with the provisions contained in this Procedure and are consequently required to comply, among others, with the confidentiality obligations towards the Reporting Person, the persons involved and the facts being ascertained. In the event of violations by such subjects of the principles defined in this Procedure, the Company may apply the measures indicated in the disciplinary system.

8.4 Conclusion of the process and reporting to the top management

Once the investigation phase is concluded, the Manager is required to draft a specific report (or report) in which the reported facts, the verification activities carried out, the elements acquired (e.g. documentation, testimonies, etc.) in support of the Report are indicated in detail, as well as the results of the investigation and the observations regarding the existence or otherwise of the reported violations. The final report also indicates the actions that it seems appropriate to undertake in relation to the reported facts. If, following the investigations and checks carried out, the validity of the illicit behaviors described in the Report is not found or, in any case, any relevant violation pursuant to Legislative Decree 231/01, the Manager shall archive the Report, informing the Reporting Party.

If the Report is considered well-founded and concerns employees/collaborators of NIMAX S.P.A, the Manager shall promptly inform the General Manager to assess the possible initiation of disciplinary proceedings and/or to make the necessary communications to the competent Authorities (judicial, administrative, etc.). If the person involved is the General Manager, the communication is made only to the CEO. At the same time, the Manager shall transmit the final report of the investigation to the CEO.

The manager shall initiate disciplinary proceedings against the employee to whom the violation is attributed.

In the event that the Report is well-founded and concerns third parties with whom the Company has contractual relationships (e.g. contractors/suppliers, external consultants, commercial partners, etc.), the Manager shall promptly inform the DG for the possible application of the measures (e.g. termination of the contract) provided for by the specific clauses included in the contracts stipulated with the counterparty to whom the violation is attributed, as well as for any communications to the competent Authorities.

The Manager shall subsequently be notified of the decisions adopted by the Company against the Reported Person.

For further details on the regulation of the disciplinary procedure and any sanctions that may be imposed, please refer to the General Part of the MOGC dedicated to the « Disciplinary/Sanctioning System ».

On an annual basis, the Manager shall send the DG a summary report indicating the Reports received and managed, specifying for each of them the progress status and the measures adopted in relation to those concluded.

In the Manager’s communications addressed to the corporate bodies and company management, the identity of the Reporting Person must always be kept confidential and information that does not need to be disclosed must be omitted.

8.5 (Relevant) Reports concerning Corporate Bodies, Control Bodies.

In the event that the Report is relevant and well-founded and concerns:

·         The Chief Executive Officer, the DG informs the Board of Auditors of the outcome of the investigation, in order to coordinate and define the measures to be adopted;

·         the Chairman of the Board of Directors, the DG informs the other members of the Board of Directors as well as the Board of Auditors of the outcome of the investigation, in order to coordinate and define the measures to be adopted;

·         a member of the Board of Directors other than the Chairman, the DG informs the Chairman of the Board of Directors and the Board of Auditors of the outcome of the investigation, in order to coordinate and define the measures to be adopted;

·         a member of the Board of Auditors or one of the statutory auditors, the DG notifies the Chief Executive Officer;

8.6 Archiving and storage of documentation relating to Reports

Reports and related documentation are stored by the Manager, in digital and/or paper format, in a dedicated folder in a manner that prevents access by unauthorized persons.

Reports and related documentation are stored for the time necessary to process the Report itself and in any case no longer than 5 (five) years from the date of communication of the final outcome of the reporting procedure, in compliance with the confidentiality obligations referred to in this Procedure.

The same retention period (no longer than 5 years from receipt) also applies to documentation relating to anonymous reports, so as to allow the Manager to trace them if the Reporting Person, subsequently identified, has suffered retaliation due to the Report.

When, at the request of the reporting person, the Report is made orally during a meeting with the Manager, it is, with the prior consent of the Reporting Person, documented by the Manager by recording, with the prior consent of the Reporting Person, on a device suitable for storage and listening or by means of a report. In the case of a report, the Reporting Person proceeds to verify and, if necessary, to correct the statements reported therein and to confirm them by signing the report itself.

9. VIOLATIONS OF THE WHISTLEBLOWING PROCEDURE

Any violation of this Procedure constitutes a disciplinary offense punishable by the Company, in accordance with the provisions of the Nimax Disciplinary System.

In particular, it is highlighted that, in order to guarantee the protection of the Reporter, the Disciplinary System provides for the sanctions to be applied to retaliatory or discriminatory acts carried out against  those who have reported an illicit conduct relevant for the purposes of the application of Legislative Decree 231/2001 or the Code of Ethics, as well as any violations of the confidentiality obligations regarding the identity of the Reporter.

Even the hypothesis of a Report that turns out to be unfounded, carried out with malice or gross negligence, may constitute a disciplinary offense punishable by the Company in accordance with the Disciplinary System.

INFORMATION ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ARTICLES 13 AND 14 OF REGULATION (EU) 2016/679 IN RELATION TO “WHISTLEBLOWING” REPORTS

This information is provided by the company Nimax S.p.a. with respect to the processing of personal data of interested parties (intended as interested parties are the reporting party, the reported party and any other natural person involved in the report) in the context of the management of reports of alleged illicit conduct of which it has become aware by virtue of its employment, service or supply/consultancy relationship with the Data Controller (so-called whistleblowing reports, hereinafter only “Reports”), received through the channels provided for by the Whistleblowing Procedure adopted by the Company (“Procedure”).

1.      Data Controller and Data Protection Officer

Nimax S.p.a., Via dell’Arcoveggio 59/2, Bologna (hereinafter “Nimax” or the “Data Controller”), reachable at the email address: privacy@nimax.it.

The Data Controller is available for all matters relating to the processing of your personal data and the exercise of the rights deriving from the data protection legislation and can be contacted, in addition to the physical address at the registered office, also by email at the address: privacy@nimax.it

2.      Type of data processed

The personal data collected and processed by the Data Controller in the context of receiving and managing the Reports received through the channels provided for by the Whistleblowing Procedure adopted by the Company are those contained in the Report as well as those acquired during the related investigative activities. Such data may belong to the following categories:

– common personal data (e.g. the personal details of the person making the report, with an indication of their qualification or professional position; a clear and complete description of the facts being reported and the ways in which they were discovered; the date and place where the fact occurred; the name and role – qualification, professional position or service in which the activity is carried out – which allow the identification of the person/persons who carried out the reported facts; the indication of the names and roles of any other persons who may report on the facts being reported; information relating to any documents which may confirm the validity of the reported facts; the progress of your report and any other information contained in the reports relating to the reporting person, the persons reported and any other third parties involved in accordance with the company procedure (hereinafter, collectively, “interested parties”).

– personal data belonging to the so-called “special” categories pursuant to art. 9, par. 1 of the Regulation (“racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature, as well as personal data disclosing the state of health and sexual life”) attributable to the interested parties possibly provided by the reporting party.

– data relating to criminal convictions and crimes or related security measures contained and/or emerging in the context of the report pursuant to art. 10 of the Regulation.

All the personal data indicated above will be jointly defined hereinafter as “personal data”.

It is also specified that, in compliance with applicable laws, the Data Controller may process personal data, including data attributable to third parties, which are already available to the Data Controller.

3.      Purpose of processing, legal basis and nature of the provision

The personal data provided to report alleged unlawful conduct of which you have become aware by virtue of your employment, service or supply/consultancy relationship with the Data Controller, in accordance with the provisions of the Procedure adopted, will be collected and processed by the Data Controller to allow the Company’s Report Manager to carry out its functions in accordance with the Procedure and carry out the necessary investigative and instrumental activities to verify the validity of the fact that is the subject of the Report and, if applicable, the adoption of the consequent corrective measures and take appropriate disciplinary and/or judicial action against those responsible for the unlawful conduct (“Purpose of managing the Report”).

The legal basis for the processing of the above data is to be identified:

– for common personal data, processing for the above purpose is necessary to fulfill a legal obligation to which the Data Controller is subject, pursuant to art. 6, par. 1, lett. c) of the Regulation, taking into account Legislative Decree no. 24 of 10 March 2023, implementing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting breaches of Union law and laying down provisions on the protection of persons reporting breaches of national legislation;

– for personal data belonging to the so-called “special” categories, such processing is legitimate pursuant to art. 9, paragraph 2, letter b) of the Regulation. In any case, the reporting person is invited not to provide personal data belonging to the so-called “special” categories pursuant to art. 9, paragraph 1 of the Regulation where this is not strictly necessary.

Any processing of personal data relating to potential crimes or convictions that are the subject of the report is carried out in accordance with the provisions of art. 10 of the GDPR as authorized by specific regulations on whistleblowing, as well as for the protection or defense of rights in court [see art. 2-octies co. 3 lett. e) of Legislative Decree no. 196/2003 – so-called “Privacy Code”].

The provision of personal data for this purpose – with the exception of references to the name and surname, since the possibility of making anonymous reports is provided where adequately detailed and based on precise and consistent factual elements (and not of generic or confusing content), so as to allow for the evaluation and investigation of the case – is mandatory, therefore in the event of failure to provide the same, it will not be possible to take charge of and manage the Report. In the event that the reporter still wishes to proceed with an anonymous report, the latter will be managed exclusively.

Once provided, your personal data may also be processed to:

– fulfill any other obligations established by law, regulations and European legislation as well as by provisions issued by judicial authorities in the exercise of their functions on the basis of art. 6, par. 1, letter c) of the Regulation and, with regard to personal data belonging to special categories, 9, par. 2, letter g) of the Regulation (“Compliance purposes”);

– to satisfy any defensive needs on the basis of art. 6, par. 1, letter f) and 9, par. 2, letter f) of the Regulation (“Defensive purposes”).

4.      Recipients of personal data

The personal data contained in the Reports received by the Data Controller will not be communicated to third parties or disseminated, except within the limits of what is provided for by national and European Union law and in accordance with the procedure adopted by the Data Controller; in particular, your data may be shared, in compliance with the provisions of the legislation on the processing of personal data, with the following subjects:

– specifically identified personnel, authorized to process personal data and duly trained pursuant to Articles 29 of the Regulation and 2-quaterdecies of Legislative Decree 196/2003 (“Privacy Code”) as well as the Code of Ethics;

– subjects external to the Data Controller’s corporate reality who act as data controllers pursuant to Article 28 of the Regulation;

– public and/or private bodies and authorities, acting as independent controllers, to whom it is mandatory to communicate personal data pursuant to provisions of law or orders of the authorities, in particular in relation to investigative activities relating to reported facts on which the existence of ongoing investigations by public authorities is known.

The complete and updated list of data recipients may be requested from the Data Controller, at the contact details indicated above.

In any case, the utmost confidentiality of your identity, as the reporting party, will be guaranteed, in accordance with company procedures. In particular, in the event of transmission of the report to other structures/bodies/third parties for the performance of investigative activities, priority will be given to forwarding only the content of the report, removing all references from which it is possible to trace, even indirectly, the identity of the reporting party. If, for investigative purposes, it is necessary to disclose the identity of the reporting party to parties other than those authorised to receive and follow up on reports, the consent of the reporting party to reveal his/her identity will be expressly requested.

In the context of disciplinary proceedings, the identity of the whistleblower will not be revealed in all cases in which the challenge of the disciplinary charge is based on investigations that are separate and additional to the report, even if consequent to the same, while it may be revealed where three conditions concur, namely (a) that the challenge is based, in whole or in part, on the report, (b) that knowledge of the identity of the whistleblower is essential for the defense of the accused and that (c) the whistleblower has given specific consent to the disclosure of his or her identity.

5.      Methods of processing

The data will be processed mainly with computerized tools, with organizational and processing logics strictly related to the purposes indicated above and in any case in such a way as to guarantee the security, integrity and confidentiality of the data in compliance with the organizational, physical and logical measures provided for by the provisions in force. The channels dedicated and used for sending Reports pursuant to the internal procedure adopted by the Data Controller offer a high guarantee of confidentiality of the information through the use of encryption technologies of the data that transit on the servers. The Data Controller implements appropriate measures to ensure that the data provided is processed adequately and in accordance with the purposes for which it is managed; the Data Controller uses appropriate security, organizational, technical and physical measures to protect the information from alteration, destruction, loss, theft or improper or illegitimate use. Personal data that are clearly not useful for processing a specific Report are not collected or, if collected accidentally, are promptly deleted.

6.      Period of retention of personal data

Personal data will be retained only for the time strictly necessary for the purposes for which they are collected, respecting the principle of minimization and the principle of limitation of storage pursuant to art. 5, par. 1, letters c) and e) of the Regulation.

In particular, the personal data contained in the Report and in the related accompanying documentation are retained in a form that allows the identification of the interested parties for the time necessary for the processing of the specific Report and in any case no longer than five (5) years from the date of communication of the final outcome of the reporting procedure. The Data Controller reserves the right, however, to retain the aforementioned personal data also for the entire time necessary for the fulfillment of regulatory obligations and to satisfy any defensive needs. It is understood that in the event that a judgment is instituted, the terms indicated above may be extended until the conclusion of the judgment itself and the consequent limitation periods of rights. After the times indicated above, the reports and any accompanying documentation will be deleted and/or anonymized.

Further information is available from the Owner at the contact details above.

7.      Transfer of personal data outside the EU

We also inform you that your personal data will be processed by the Data Controller within the territory of the European Union. If for technical and/or operational reasons it becomes necessary to use entities located outside the European Union or it becomes necessary to transfer some of the data collected to technical systems and services managed in the cloud and located outside the European Union area, the processing will be regulated in accordance with the provisions of Chapter V of the Regulation and authorized on the basis of specific decisions of the European Union. The Data Controller ensures that the processing of your personal data by these recipients takes place in compliance with the GDPR. In particular, the transfers will be based on an adequacy decision of the European Commission, or on the adherence of the recipient of the data to certification mechanisms for the transfer of data (e.g. Data Privacy Framework) or on the Standard Contractual Clauses approved by the European Commission or on another suitable legal basis, in compliance with the recommendations 01/2020 adopted on 10 November 2020 by the European Data Protection Board.

It is possible to have more information, upon request, from the Data Controller at the contacts indicated above.

8.      Your privacy rights

You have the right to access the data concerning you at any time, pursuant to Articles 15-22 of the Regulation. In particular, you may request rectification, erasure, limitation of data processing in the cases provided for by Article 18 of the Regulation, revocation of consent given pursuant to Article 7 of the Regulation, and to obtain data portability in the cases provided for by Article 20 of the Regulation.

You may submit a request to object to the processing of your data pursuant to Article 21 of the Regulation, in which you must highlight the reasons justifying the objection: the Data Controller reserves the right to evaluate your request, which would not be accepted in the event of the existence of compelling legitimate reasons to proceed with the processing that prevail over your interests, rights and freedoms.

You also have the right to lodge a complaint with the competent supervisory authority pursuant to Article 77 of the Regulation (Data Protection Authority) or to take legal action pursuant to Article 79 of the Regulation.

Requests must be addressed in writing to the Data Controller at the contact details indicated above.

Please note that, in order to protect the confidentiality of the identity of the person making the report, the possibility of exercising the rights provided for in Articles 15 to 22 of the Regulation may be precluded, if the exercise of such rights could result in actual and concrete damage to the confidentiality of the identity of the reporting person, pursuant to Article 23, paragraph 1, letter i) of the Regulation and Article 2-undecies, paragraph 1, letter f) of the Privacy Code.

We also inform you that the reported person may exercise his/her rights under Articles 15 to 22 of the Regulation through the Guarantor Authority, in the manner set out in Article 160 of the Privacy Code. In this case, the Guarantor Authority will inform the interested party that it has carried out all the necessary checks or that it has carried out a review, as well as the interested party’s right to appeal to the courts.