This procedure (hereinafter the Procedure) has the purpose of regulating the process of transmission, reception, analysis and management of Reports (so-called Whistleblowing) on information, adequately substantiated, referable to GMDE srl (hereinafter GMDE) relating to violations of laws and regulations, of the Company's Code of Ethics and Conduct, of the Organizational Model 231, as well as of the system of internal rules and procedures.

The procedure is aimed at implementing Legislative Decree March 10, 2023 n. 24, published in the Official Gazette on 15.03.2023, containing the transposition of Directive (EU) 2019/1937 regarding “the protection of persons who report violations of Union law (so-called Whistleblowing discipline)”. For what is not expressly indicated by this Procedure, what is provided for by the aforementioned Legislative Decree remains fully applicable. The aforementioned legislation provides, in summary:

- a protection regime towards specific categories of subjects who report information, acquired in the work context, relating to violations of national or European Union regulatory provisions that harm the public interest or the integrity of the entity

- protection measures, including the prohibition of retaliation, to protect the Reporting Person as well as Facilitators, colleagues and relatives of the reporting person and legal entities connected to the Reporting Person

- the establishment of reporting channels internal to the Company (computer, telephone, oral) for the transmission of Reports that guarantee, also through the use of encryption tools, the protection of the confidentiality of the identity of the Reporting Person, of the Person involved and/or in any case mentioned in the Report, of the content of the Report and of the related documentation

- in addition to the option to lodge a complaint with the judicial or accounting authority, the possibility (when one of the conditions provided for in art. 6, paragraph 1, of legislative decree n. 24/2023 occurs) to make external Reports through the channel managed by the National Anti-Corruption Authority (hereinafter ANAC), as well as to make public Disclosures (upon the occurrence of one of the conditions provided for in art. 15, paragraph 1, of legislative decree n. 24/2023), through the press or electronic media or dissemination capable of reaching a large number of people

- disciplinary measures as well as administrative pecuniary sanctions imposed by ANAC in the cases provided for by arts. 16 and 21 of legislative decree n. 24/2023.

2. Regulations

- Legislative Decree June 8, 2001 n. 231 (“Discipline of the administrative liability of legal persons, companies and associations even without legal personality, pursuant to article 11 of law September 29, 2000, n. 300”);

- Regulation (EU) n. 2016/679 (General Data Protection Regulation - GDPR);

- Legislative Decree June 30, 2003 n. 196 (Code on the protection of personal data) and subsequent amendments and supplements, including Legislative Decree August 10, 2018, n. 101, as well as the related legislative provisions;

- Directive (EU) 2019/1937 regarding the protection of persons who report violations of Union law (so-called Whistleblowing);

- Legislative Decree March 10, 2023 n. 24, published in the Official Gazette on 15.03.2023, containing the transposition of Directive (EU) 2019/1937;

3. Definitions

· ANAC: National Anti-Corruption Authority

· work context: work or professional activities, present or past, carried out within the scope of the relationships referred to in point 4, through which, regardless of the nature of such activities, a person acquires information on violations and within which they could risk suffering retaliation in case of reporting or public disclosure or complaint to the judicial or accounting authority;

· public disclosure or publicly disclose: making public information on violations through the press or electronic media or in any case through means of dissemination capable of reaching a large number of people;

· facilitator: a natural person who assists a reporting person in the reporting process, operating within the same work context and whose assistance must be kept confidential;

· information on violations: information, including well-founded suspicions, concerning violations committed or which, based on concrete elements, could be committed within the company GMDE as well as elements concerning conduct aimed at concealing such violations;

· person involved: the natural or legal person mentioned in the internal or external report or in the public disclosure as a person to whom the violation is attributed or as a person in any case implicated in the violation reported or publicly disclosed;

· reporting person (also: «whistleblower»): the natural person who makes the report or public disclosure of information on violations acquired within their own work context;

· responsible person: The subject, appointed by the Company's Board of Directors to whom are assigned the activities connected to the proceedings arising from reports of violations committed within the Company.

· feedback: communication to the reporting person of information relating to the follow-up given or intended to be given to the report.

· retaliation: any conduct, act or omission, even if only attempted or threatened, put in place by reason of the report, the complaint to the judicial or accounting authority or the public disclosure and which causes or may cause to the reporting person or to the person who lodged the complaint, directly or indirectly, an unjust harm;

· external report: the communication, written or oral, of information on violations, submitted through the external reporting channel referred to in point 7;

· internal report: the communication, written or oral, of information on violations, submitted through the internal reporting channel referred to in point 6;

· report or to report: the communication, written or oral of information on violations;

· follow-up: the action taken by the subject to whom the management of the reporting channel is entrusted to assess the existence of the reported facts, the outcome of the investigations and any measures adopted;

· company: GMDE srl., with registered office at Via Archimede 43 - 20864 Agrate Brianza (MB) - Italy; Tax Code and VAT IT 08773700961

· violations: conduct, acts or omissions that harm the public interest or the integrity of GMDE

4. Subjects who may make reports

Recipients of the Procedure are:

- the Company Top Management and the members of the corporate bodies and of the Supervisory Body of GMDE

- employees, former employees and candidates for job positions, shareholders, clients of GMDE, as well as - not exhaustively - partners, suppliers (also under contract/subcontract), consultants, collaborators in carrying out their work activity at GMDE

who are in possession of Information on violations as defined in this Procedure. Among the Recipients also fall natural and legal persons not included in the previous categories but to whom the protection measures provided for by this Procedure apply. What is provided for in this document also applies to anonymous Reports, provided they are adequately substantiated, as defined in this Procedure.

5. Subject matter of reports

Reports must concern, in general, the reasonable and legitimate suspicion or the awareness in good faith of illegal conduct or irregularities within the work activity that may harm the integrity of GMDE and/or that may constitute a violation of national or European Union legislation. They must therefore be attributable to:

- administrative, accounting, civil or criminal offenses

- illegal conduct relevant pursuant to legislative decree 231/2001, or violations of the organization and management models provided for therein

- offenses falling within the scope of application of European Union or national acts relating to the following sectors: public procurement; financial services, products and markets and prevention of money laundering and terrorist financing; product safety and conformity; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety and animal health and welfare; public health; consumer protection; protection of privacy and protection of personal data and security of networks and information systems

- acts or omissions that harm the financial interests of the Union

- acts or omissions concerning the internal market

- acts or conduct that defeat the object or purpose of the provisions of Union acts

The provisions of this procedure do not apply:

- to disputes, claims or requests linked to an interest of a personal nature of the reporting person or of the person who lodged a complaint with the judicial or accounting authority that relate exclusively to their own individual employment relationships, or concerning their own employment relationships with hierarchically superior figures;

- to reports of violations where already regulated on a mandatory basis by the European Union or national acts indicated in part II of the annex to legislative decree March 23, 2023 n. 24 or by national acts that constitute implementation of European Union acts indicated in part II of the annex to directive (EU) 2019/1937, albeit not indicated in part II of the annex cited previously;

- to reports of violations concerning national security.

6. Internal reporting

Anyone who becomes aware of information on conduct, acts or omissions that harm the public interest or the integrity of GMDE is required to make a Report, through the reporting channels described below.

The responsible person who receives a Report, in any form (oral or written), must take it into management promptly, giving feedback to the reporting person within 7 days of its receipt.

The same person is bound to confidentiality of the identity of the Reporting Person, of the Persons involved and/or in any case mentioned in the Report, of the content of the Report and of the related documentation. The failure to manage a received Report as well as the violation of the confidentiality obligation constitute a violation of the Procedure and may result in the adoption of disciplinary measures.

In order to diligently follow up on internal Reports received, the Company has equipped itself with:

- a computer portal accessible at the address https://segnalazioniodv.gmde.it

The Portal allows the transmission, also anonymously, of Reports after viewing the methods of using the portal, the Privacy Notice pursuant to art. 13 Regulation 16/679 (GDPR) and the clauses of assumption of responsibility in case of non-truthful reports. At the end of the entry, the Reporting Person must note the KEY CODE identification code (numeric code that uniquely identifies the Report), automatically produced by the Portal, which allows to follow over time the processing status of the Report, guaranteeing confidentiality and anonymity. This KEY CODE will not be available to any other person. The Reporting Person who has not registered the KEY CODE at the end of the report, will not be enabled in any way to access the report for the review and communication phases with the Responsible Persons.

- the Reporting Person may also request to make an oral Report through a direct meeting with a Responsible Person. In such case, with the consent of the Reporting Person, the interview is documented by the Responsible Person through recording on a device suitable for storage and listening or through minutes, which the Reporting Person can verify, rectify and confirm through signature.

6.1 Preliminary analysis

The Responsible Persons analyze and classify the Reports, to define those potentially falling within the scope of application of this Procedure. Within the scope of such support activities, the Responsible Persons provide the Reporting Person through the Portal:

- within 7 days from the date of receipt of the Report, an acknowledgment of receipt of the same

- within 3 months from the acknowledgment of receipt of the Report or, in the absence of such acknowledgment, within 3 months from the expiry of the 7-day term from the submission of the same, feedback with information on the follow-up given or intended to be given to the Report, specifying whether or not the Report falls within the scope of application of legislative decree n. 24/2023.

At the end of the Report management process, on a documentary basis and also in consideration of the outcomes of any preliminary analyses carried out, the Responsible Person evaluates:

- the closure of the Report, as:

o generic or not adequately substantiated;

o clearly unfounded;

o referring to facts and/or circumstances that were the subject in the past of specific investigative activities already concluded, where from the preliminary verifications carried out no new information emerges such as to make further investigation necessary;

o “substantiated verifiable”, for which, in light of the outcomes of the preliminary verifications carried out, no elements emerge such as to support the initiation of the subsequent investigation phase;

o “substantiated non-verifiable”, for which, in light of the outcomes of the preliminary verifications carried out, it is not possible, based on the analysis tools available, to carry out further investigation to verify the validity of the Report.

- the initiation of the subsequent investigation phase

In order to acquire information elements the Responsible Person has the power to:

- activate audits on the reported facts

- carry out, also directly, in compliance with any specific applicable regulations, further investigation through, for example, formal convening and hearings of the Reporting Person, of the Reported Person and/or of Persons involved in the Report and/or in any case informed of the facts, as well as request from the aforementioned subjects the production of information reports and/or documents;

- make use, if deemed appropriate, of experts or external consultants to GMDE, in compliance with the right to confidentiality

6.2 Execution of the investigation

The investigative phase of the Report has the objective of:

- proceeding, within the limits of the tools available to the Responsible Person, with further investigation and specific analyses to verify the reasonable validity of the reported factual circumstances

- reconstructing the management and decision-making processes followed on the basis of the documentation and evidence made available

- providing any indications regarding the adoption of necessary remedial actions aimed at correcting possible control deficiencies, anomalies or irregularities detected on the company areas and processes examined

Merit or opportunity assessments, discretionary or technical-discretionary, of the decision-making and management aspects from time to time made by the company structures/positions involved do not fall within the scope of analysis of the investigation, except within the limits of manifest unreasonableness, as they are the exclusive competence of the latter.

The Responsible Person during the investigation may request additions or clarifications from the Reporting Person. Furthermore, where deemed useful for further investigation, they may acquire information from the Persons involved in the Report, who also have the power to request to be heard or to produce written or documentary observations. In such cases, also in order to guarantee the right of defense, notice is given to the Person involved of the existence of the Report, while guaranteeing confidentiality on the identity of the Reporting Person and of the other Persons involved and/or mentioned in the Report. The Responsible Person oversees the conduct of the investigation also by acquiring from the interested structures the necessary information elements, involving the competent Company Functions and making use, if deemed appropriate, of external experts or consultants.

The investigative activities are carried out using, not exhaustively:

- company data/documents useful for the purposes of the investigation (e.g. extractions from company systems and/or other specific systems used);

- external databases (e.g. info providers/databases on corporate information);

- open sources;

- documentary evidence acquired from company structures;

- where appropriate, statements made by the interested parties or acquired during recorded interviews.

6.3 Protection and responsibility of the reporting person

The reporting person is granted protection:

a) of the confidentiality of their own identity, referring not only to the name, but also to all elements of the report, including the documentation attached to it, to the extent that their disclosure, even indirectly, may allow the identification of the reporting person. The processing of such elements must therefore be based on maximum caution, starting with the obscuring of data when for investigative reasons other subjects must be made aware of it;

b) from retaliatory or discriminatory measures, direct or indirect, adopted following the report made in good faith, such as, not exhaustively, disciplinary sanctions, demotion, dismissal, transfer, worsening of working conditions. The retaliatory intent exists whenever it can be said that the reason that led to the adoption of the measure against the reporting person is the will to “punish” them for having reported.

Sanctions are provided against those who violate the protection measures for the reporting person.

Sanctions are provided against the reporting person, where possible, in case of reports made with intent or gross negligence or that should prove to be false, unfounded, with defamatory content or in any case made for the sole purpose of damaging the Company, the reported person or other subjects affected by the report.

The Company may also take appropriate initiatives also in legal proceedings.

6.4 Protection of the reported person

The reported person is granted protection of the confidentiality of their own identity, in order to avoid detrimental consequences, even if only of a reputational nature, within the work context in which the reported subject is inserted.

The report is not sufficient to initiate any disciplinary proceedings against the reported person.

Should, following concrete findings acquired regarding the report, it be decided to proceed with the investigative activity, the reported person may be contacted and will be assured the possibility to provide any eventual and necessary clarification.

The protection of the reported person applies without prejudice to legal provisions that impose the obligation to communicate the name of the reported subject suspected of being responsible for the violation (for example requests from the Judicial Authority).

7. External reporting

It is possible to make an external report when, at the time of submission, one of the following conditions occurs:

a) the reporting person has already made an internal report and it has had no follow-up;

b) the whistleblower has well-founded reasons to believe that, if they made an internal report, no effective follow-up would be given to it or that the same report may determine the risk of retaliation;

c) the reporting person has well-founded reason to believe that the violation may constitute an imminent or obvious danger to the public interest.

The external reporting channel is established at the National anti-corruption authority (ANAC) (https://www.anticorruzione.it/-/whistleblowing).

8. Public disclosure

The reporting person may make a public disclosure benefiting from the protection provided by what is established in Legislative Decree 24/23 if, at the time of public disclosure, one of the following conditions occurs:

a. the reporting person has previously made an internal and external report or has made an external report directly, under the conditions and with the methods provided for by articles 6 and 7 and no timely feedback has been given regarding the measures provided for or adopted to follow up on the reports;

b. the reporting person has well-founded reason to believe that the violation may constitute an imminent or obvious danger to the public interest;

c. the reporting person has well-founded reason to believe that the external report may involve the risk of retaliation or may not have effective follow-up by reason of the specific circumstances of the concrete case, such as those in which evidence may be concealed or destroyed or in which there is well-founded fear that the person who received the report may be colluding with the perpetrator of the violation or involved in the violation itself.

9. Preservation of documentation and privacy protection

Every processing of personal data, also in the context of the Portal, is carried out in compliance with the confidentiality obligations referred to in art. 12 of legislative decree n. 24/2023 and in conformity with the legislation on the protection of personal data referred to in Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), in legislative decree June 30, 2003 n. 196 and in legislative decree May 18, 2018 n. 51. The protection of personal data is ensured not only to the Reporting Person (for non-anonymous reports), to the Facilitator but also to the Person involved or mentioned in the report. Possible interested parties are provided with information on the processing of personal data through publication on the dedicated portal

In order to guarantee the management and traceability of Reports and consequent activities, the Responsible Persons oversee the preparation and updating of all information concerning Reports and ensure, making use of the Portal, the preservation of all related supporting documentation for the time strictly necessary for their definition, and in any case for no more than 5 years, starting from the date of completion of the processing of the report. Personal data that are manifestly not useful for the processing of a specific report are not collected or, if collected accidentally, are promptly deleted.

10. Disciplinary sanctions

Effective, proportionate and dissuasive disciplinary sanctions may be applied:

• against the Reported Person, if the Reports prove to be well-founded;

• against the Reporting Person, if Reports are made in bad faith;

• against the responsible person, if the protection principles provided for by the Procedure are violated

or if Reports have been obstructed or attempts have been made to obstruct them.

The disciplinary proceeding is initiated in application of the principle of proportionality, as well as of the criterion of correlation between infraction and sanction and, in any case, in compliance with the methods provided for by the applicable current legislation.

In order to guarantee impartiality and avoid conflicts of interest, decisions about any disciplinary measures, complaints or other actions to be taken are made by the designated company organizational functions and, in any case, by subjects other than those who conducted the Report ascertainment activities.

11. Information and training

The Procedure is disseminated through uploading on the company website, posting on company bulletin boards and any other tool deemed appropriate.

The Company promotes a communication, information and training activity regarding the Procedure, to ensure the most effective application of the same and the widest knowledge of the discipline on Reports, of the operation and access to channels and tools made available to make Reports and of the measures applicable in case of Violations.

12. Update

GMDE reviews on a periodic basis, and possibly updates, the Procedure, to ensure its constant alignment with company practice and reference legislation.

To make a report, click HERE.