Whistleblowing

SUMMARY INFORMATION ON THE SYSTEM
REPORTING PURSUANT TO LEGISLATIVE DECREE 24/23

Scope of application

The scope of the legislation in question includes criminal, civil, administrative, or accounting offenses other than those specifically identified as violations of EU law that undermine the integrity of the private entity.

Violations of national regulations also include:

  • the predicate crimes for the application of Legislative Decree 231/01 and the violations of the organizational and management models provided for in Legislative Decree 231/01

Violations of the provisions of European legislation:

  • offences committed in violation of the EU legislation indicated in Annex 1 to Legislative Decree 24/23 and of all national provisions implementing it


Reports excluded from the scope of Legislative Decree 24/23

The new rules do not apply to reports that are related to the whistleblower's personal interests, relate to their individual employment relationships, or relate to employment relationships with hierarchically superior figures.

Content of the report

Reports are information, even in the case of well-founded suspicions, relating to violations already committed or not yet committed, as well as relating to conduct aimed at concealing them.

Reports must concern behaviors, including omissions, of which the reporter has become aware in the workplace.

The following elements must be clear in the reports:

  1. the identifying data of the reporting person (name, surname, place and date of birth), as well as an address to which subsequent updates should be communicated;
  2. the circumstances of time and place in which the reported event occurred and, therefore, a description of the reported events, specifying the details relating to the circumstantial information and, where present, also the methods by which the reported events became known;
  3. Personal information or other information that allows identification of the person to whom the reported facts are attributed and, if using an analog channel (e.g., registered mail), an indication that the reporting person is sending the report for whistleblowing purposes. It is also helpful to attach documents that can provide substantiation of the reported facts, as well as the identification of other persons potentially aware of the facts.

Internal reporting methods and subsequent phases

Reports may be made, alternatively, in the following ways:

INTERNAL WRITTEN CHANNEL: ordinary mail (Registered) addressed to “Avv. Andrea Guidi, as Report Manager of COSMETICA HUB SPA” in Bellaria IM 47814 (RN) Via Ravenna n. 151C

The reporting party is advised to place the report in two sealed envelopes. The first should include the reporting party's identifying information and an identity document, while the second should include the subject of the report. Both envelopes should be placed in a third envelope, labeled "reserved for the reporting manager" and the relevant contact details (avoiding company email addresses) on the outside.

INTERNAL ORAL CHANNEL by telephone call to no. 0541/411356 used by the Reports Manager, Attorney Andrea Guidi, as well as a direct meeting, to be arranged in agreement with the Reports Manager, at his office in Bellaria IM 47814 (RN) Via Ravenna n. 151C

Receiving the report
The Report Manager must provide the reporting party with an acknowledgement of receipt within seven days of submitting the report, to be delivered to the address indicated by the reporting party in the report. Failure to provide such acknowledgement, and therefore the possibility of interacting with the reporting party for follow-up, will result in the report being deemed unmanageable under the whistleblowing regulations. Evidence of this reason will be provided and retained by the Manager along with the report.

The admissibility of the report
For admissibility purposes, the following must be clearly stated in the report:

  • the circumstances of time and place in which the reported event occurred and, therefore, a description of the reported events, containing details relating to the circumstantial information and, where present, also the methods through which the reporter became aware of the events;
  • personal details or other information that allows us to identify the person to whom the reported facts are attributed.

In light of these indications, the report can, therefore, be considered inadmissible for:

  • lack of data which constitute the essential elements of the report;
  • manifest groundlessness of the factual elements attributable to the violations identified by the legislator;
  • presentation of facts of a generic nature that are not understood by the proposed offices or person;
  • production of documentation only without actually reporting violations.

If the report is deemed inadmissible or inadmissible, the report manager will archive it, communicating the reason to the reporter.

Outcome of the investigation.
Once the investigation activity has been completed, the report manager can:

  • archive the report as unfounded, justifying the reasons;
  • declare the report to be well-founded and contact the competent internal bodies/functions for the relevant follow-up and consequential measures.

Feedback to the whistleblower
The manager of the report must provide feedback to the reporter within three months of the date of receipt.

Where the situation requires longer investigation times, upon expiration of the indicated deadline, the Report Manager must send the reporting party an interim communication regarding the progress of the investigation, which has not yet been completed.

External reporting and public disclosure channel

To be able to use the reporting channel established by ANAC, at least one of the following conditions must exist:

  • in his work context the activation of the internal channel is not foreseen as mandatory or, if foreseen, it has not been activated;
  • the report was not followed up;
  • has reasonable grounds to believe that if he were to make the internal report it would not be followed up or that he would face retaliation;
  • has reasonable grounds to believe that the infringement may constitute an imminent or manifest danger to the public interest.

External reporting is also permitted when there are reasonable grounds to believe that reporting could lead to the risk of retaliation, such as when similar situations and events have already occurred within the organization.

In any case, the valid reasons justifying the use of external reporting due to fear of retaliation or inappropriate treatment of the report must be based on concrete circumstances that must be attached to the report and on information that can actually be obtained.

For eligibility purposes, the following must be indicated in the report:

the name and contact details of the whistleblower; the facts being reported and the Administration or Entity in which they occurred; the Administration in which the whistleblower works and the professional profile held by the latter; a brief description of how the whistleblower became aware of the reported facts.

Public Disclosure

Public disclosure, to be used as a last resort, can only be used in the presence of at least one of the following conditions:

  • that the internal and/or external channel has been previously used, but there has been no response or no follow-up within the timeframes set by the decree;
  • that the whistleblower believes there are well-founded grounds for an "imminent and manifest danger to the public interest," considered as an emergency situation or risk of irreversible harm, including to the physical safety of one or more persons, which requires that the violation be promptly disclosed with wide coverage to prevent its effects.
  • that the whistleblower believes there are reasonable grounds to believe that the external report may entail a risk of retaliation or may not be effectively followed up because, for example, there may be a well-founded risk of destruction of evidence or collusion between the authority responsible for receiving the report and the perpetrator of the violation.

These are extremely rare, particularly serious, situations of negligence or malicious conduct within the organization, which therefore justify, only in the presence of genuine circumstances, the public disclosure of facts or events that would otherwise be treated with strict confidentiality.

The prohibition and protection against retaliation

Any form of retaliation against the whistleblower that occurs in the workplace and causes unfair harm to the individuals protected is prohibited. Retaliatory actions taken in violation of this prohibition are void.

The ANAC is the authority responsible for receiving and managing reports from whistleblowers regarding alleged retaliation suffered by them.

For this form of protection to be recognized, the following conditions must exist:

  • that the whistleblower/reporter, at the time of reporting or denouncing the matter to the judicial or accounting authority or of making the public disclosure, had "reasonable grounds" to believe the information was truthful and fell within the scope of the regulation;
  • that the report, complaint or disclosure was made in accordance with the provisions of Legislative Decree 24/23.


The internal sanctioning system: disciplinary code.

The company has a disciplinary code which, together with other provisions, constitutes the Organizational, Management and Control Model pursuant to Legislative Decree 231/01.

The Disciplinary Code contains all applicable provisions, including those relating to behaviors related to non-compliance with the rules and provisions of Legislative Decree 24/23 and this document establishing the reporting system and its management. Therefore, regarding internal disciplinary sanctions, please refer to the Disciplinary Code set out in the MOGC pursuant to Legislative Decree 231/01.

The external sanctioning system

From an external perspective, the sanctions regime distinguishes, for the various cases, between natural and legal persons held liable.

With reference, however, to the possibility of sanctions against those who have adopted a retaliatory act, it was clarified that the individual identified as responsible for the retaliation will be sanctioned.

In detail, the administrative pecuniary sanctions are as follows:

a) from 10,000 to 50,000 euros when it is established that the natural person identified as responsible has committed retaliation;

b) from 10,000 to 50,000 euros when it is established that the natural person identified as responsible has hindered the reporting or attempted to hinder it;

c) from €10,000 to €50,000 when it determines that the natural person identified as responsible has violated the confidentiality obligation pursuant to Article 12 of Legislative Decree No. 24/2023. The penalties applicable by the Italian Data Protection Authority for the areas of jurisdiction under the personal data protection legislation remain unaffected;

d) from 10,000 to 50,000 euros when it finds that reporting channels have not been established; in this case, the governing body is considered responsible;

e) from 10,000 to 50,000 euros when it finds that procedures for submitting and managing reports have not been adopted or that the adoption of such procedures does not comply with the provisions of the decree; in this case, the governing body is responsible;

f) from €10,000 to €50,000 when it is determined that the verification and analysis of the reports received has not been carried out; in this case, the person responsible for the reports is considered liable;

g) from 500 to 2,500 euros, when the reporting person is found to be civilly liable for defamation or slander in cases of intent or gross negligence, even by a first-instance judgment, unless the reporting person has already been convicted, even in the first instance, of the crimes of defamation or slander or, in any case, for the same crimes committed with the complaint to the judicial authority.

The Chairman of the Board of Directors

Information on the processing of data relating to
reports concerning violations of the law
National and/or European Community (so-called whistleblowing)

COSMETICA HUB SPAPI: 09198410962 with registered office in Milan, Via Foro Buonaparte n. 67, as Data Controller, pursuant to art. 13 of EU Regulation 2016/679, informs you that:

Data subjects who - as employees, collaborators, partners, suppliers, or other stakeholders of the Data Controller - report violations of national and/or EU law (so-called whistleblowing regulations, pursuant to Legislative Decree No. 24 of March 10, 2023) that have occurred in relation to the Data Controller's organization will have their personal data processed in the manner described below.

Purpose of the processing

The collection and processing of personal data are carried out:

  • to manage the obligations set forth in Legislative Decree No. 24 of 10 March 2023, relating to the "protection of persons reporting violations of Union law" (so-called whistleblowing regulations) and, in particular, to manage reporting channels.

Types of data processed

  • common data (name, surname, address, contact details, email, telephone number) communicated by you through the reporting channels provided;
  • any special data relating to your health, trade union membership, or any political or religious opinions communicated by you through the designated reporting channels.

Data processing methods

There are two reporting channels:

  • oral telephone call to the Reporting Manager 0541/411356, Attorney Andrea Guidi
  • written by registered mail addressed to the Reports Manager, Attorney Andrea Guidi of the Rimini Court, with offices in Bellaria Igea Marina, Via Ravenna 151C.

The aforementioned data will be stored in paper form at the address of the Report Manager with adequate protection measures (archives with no possibility of access by third parties).

Legal bases of the processing

Your personal data is lawfully processed, according to the purposes listed above, in relation to the following legal bases:

  • legitimate interest (common and particular data communicated via written or paper channel);
  • consent (common and specific data communicated via verbal telephone channel);

Mandatory or optional nature of providing data and consequences of refusal

Providing your data is optional, unless otherwise required by law following the processing of your report.

Communication of data to third parties

The data of the interested parties will not be communicated or transferred to third parties, except as otherwise required by law that may arise from the report itself or unless the interested party specifically consents (upon specific request from the Report Manager in the cases specifically provided for by Legislative Decree 24/23).

External data controllers and authorized internal subjects

The Manager of the reports indicated above is considered the Data Controller.

Transfer of data abroad

Your data will not be transferred abroad.

Data retention periods

Personal data will be processed for the purposes indicated for a maximum of 5 years, unless otherwise provided by applicable law.

Rights of the interested party

You may exercise all the rights provided for in Articles 15 to 21 of GDPR 679/2016 by contacting the Reporting Manager indicated above. The Data Controller, COSMETICA HUB SPAPI, will also be available, where applicable: 09198410962, with registered office in Milan, Via Foro Buonaparte n. 67, or by contacting the following numbers: tel. 0542 670974, certified email (PEC) cosmetica@legalmail.it. You may also contact the Data Protection Officer (DPO), Enrica Vasini, Tax Code VSNNRC78M45C573E, who can be contacted by email at enrica.vasini@ordineavvocatirimini.it. You may contact the Data Controller and the DPO to exercise the rights granted to data subjects under the GDPR and to obtain an updated list of all internal and external data processors, sub-processors, and persons in charge of processing.

You may also report any reason for dissatisfaction or complaint to the Italian Data Protection Authority, Piazza Venezia, 11 – 00187 - Rome, protocollo@pec.gpdp.it .

The Chairman of the Board of Directors