Menu

Dataflow Security SRL Organizational, Management and Control Model

(In force since December 19 2024, last update December 19, 2024)

GENERAL PART

Index
Glossary

1. General aspects
2. The Legislative Decree n. 231/2001: nature of the responsibility and interested subjects
3. Administrative penalties applicable to the company
4. Why the choice of adopting the Organizational, Management and Control Model
5. Contents of the Decree and 231 crimes
5.1. Subjective scope and need for the crime to be committed in the interest or to the advantage of the company
5.2. Types of crimes whose occurrence depends on the administrative liability of the company
5.3. Crimes committed abroad
6. Mapping of areas of the company at risk of committing 231 crimes
7. General structure of protocols
8. Supervisory Body and informative obligations
8.1. Composition and rules
8.2. Functions of the Supervisory Body: reporting to the company’s organs
8.3. Informative obligations
8.3.1. Obligations of information
8.3.2. Reporting of offenses or violations of the Model – c.d. Whistleblowing
9. Disciplinary system
9.1. Sanctions for employees
9.2. Measures against administrators and control body
9.3 Measures against suppliers, customers, commercial partners, collaborators, consultants
9.4 Measures against the Supervisory Body
10. Publicity, dissemination and updating of the MOGC
10.1 Communication to employees
10.2 Communication to clients, suppliers, business partners, consultants and Supervisory Body
10.3 Training
10.4 Updating of the Model

 
APPENDICES

1. Company Registration
2. Company Statute
3. Minutes of Delegations
4. Organizational Structure
5. Whistleblowing Procedure

 
Glossary

Sensitive activity

Process or activity that presents direct risk of penal relevance in relation to the crimes as identified by the Decree 231; in other words, within such processes/activities, conditions or opportunities for the commission of the unlawful acts may, in theory, be prefigured.

Instrumental activity

Activity that, although not presenting direct risk of penal relevance, when combined with the directly sensitive activities, may support the realization of the crime and is therefore functional to the unlawful conduct.

Authority

Judicial Authority, Institutions and Local, National and Foreign Public Administrations, “Data Protection Officer” and other Italian and foreign Supervisory Authorities.
Legislative Decree. n. 231/2001 (or Decree): The Legislative Decree of June 8, 2001 n. 231, laying down “Discipline of administrative liability of legal persons, companies and associations, also without legal personality, pursuant to Article 11 of Law No. 300 of September 29, 2000”, and subsequent amendments and integrations.

Addressees

Subjects interacting with the Company for business reasons: administrators, shareholders, employees, collaborators and any other different subject if it interacts with DATAFLOW SECURITY SRL.

 

Entities

Companies and entities with legal personality and associations, even without legal personality.

 

MOGC

Model of Organization, Management and Control, in accordance with Art. 6, co.1, lett. a), of the Legislative Decree n. 231/2001, hereinafter also referred to as the “Model” or “Organization Model”.

 

Deliberative Body

By “deliberative body” of the Company, the Board of Directors of DATAFLOW SECURITY SRL or any other management system adopted by the Company is meant.

 

Monitoring Body

a body equipped with autonomous powers of monitoring and control, to which the responsibility of monitoring the correct functioning and adequate compliance with Model 231 is entrusted, equipped with the requirements of Art. 6, co. 1, lett. b) of the Legislative Decree n. 231/2001 and appointed to propose the necessity of updating it.

 

Control Body

The Auditing Body is meant.

 

Procedures

Usages and customs/operational instructions/regulations/protocols aimed at defining the modalities of realization of a specific activity or process and which constitute the relative internal regulatory system.

 

Crimes

Crimes (hereinafter also referred to as “presupposed crimes”) for which, currently, the Legislative Decree n. 231/2001 provides for the administrative liability of entities.

 

Reporting

By “reporting” any notice is meant having as object presumed flaws, irregularities, violations, behaviors and facts liable to be censured, illicit conducts relevant to Legislative Decree n. 231/2001 or any practice not in compliance with what established in the Organization Model adopted by the Company (the Code of Ethics being an integral part of it).

 

Disciplinary System

The set of measures provided for the application of sanctions in case of violation of Model 231.

 

Top Management

Persons holding representative, administrative or management functions of the entity, responsible for one of its organizational units endowed with financial and functional autonomy, as well as persons who effectively manage and control the company [ex Legislative Decree n. 231/2001, art. 5, co. 1, letter a)].

 

Subordinates

Persons subject to the direction or supervision of Top Management [ex Legislative Decree n. 231/2001, art. 5, co. 1, lett. b)].

 

Third Parties

For mere example and not exhaustive, suppliers, consultants, contracting parties and third parties in general, not falling within the definition of Subordinates given the absence of subordination bond.

 

1. General aspects

The socioeconomic international panorama shows market dynamics in continuous evolution. Companies operating in this context adapt to this evolution, shaping their corporate structures on complex organizational and management models.
In light of this, the national legislator, as well as that of other countries, has had to adjust the existing regulatory system on one hand to the requirements imposed by the market, and on the other to certain transparency obligations necessary to ensure the correctness of the operations carried out by the companies themselves, especially considering the relationships between these and third parties.

In Italy, specifically, the Legislative Decree 8 June 2001, n. 231 (hereinafter the “Legislative Decree n. 231/2001” or the “Decree”) was introduced, which, in implementation of Delegation Law 29 September 2000, n. 300, has introduced in Italy the “Discipline of administrative liability of legal persons, companies and associations, even without legal personality”; the Decree is part of a broader legislative process against corruption and has adapted the Italian legislation on the liability of legal persons to some International Conventions previously signed by Italy.
The Legislative Decree n. 231/2001 establishes an administrative liability regime (essentially equivalent to criminal liability) against legal persons, which is added to the criminal liability of the physical person who committed the crime and aims to involve the entities in whose interest or advantage the crime was committed. This type of administrative liability exists solely for the crimes for which this regime of attribution is expressly provided for by the Decree.

A characteristic aspect of the Legislative Decree n. 231/2001 is the attribution of an exculpatory value to the Organization, Management and Control Model adopted by the entity, whose concrete application can therefore constitute a legitimate cause of non-punishability. Specifically, if the organizational model has been effectively adopted before the commission of the illegality, it can allow the exclusion of the entity’s liability; conversely, if it was prepared after the commission of the illegality and, before the declaration of the opening of the trial, it presents an attenuating circumstance of responsibility, in the sense that it can represent a cooperative attitude of the entity, useful for the purposes of measuring the sanctions.

The Organization, Management and Control Model (hereinafter also “MOGC”) of DATAFLOW SECURITY SRL (hereinafter also “DATAFLOW”) consists of a “General Part”, a “Special Part”, and protocols and annexes that constitute an integral part of it.
The present “General Part” indicates the essential features of the Legislative Decree n. 231/2001, the relevant characteristics of DATAFLOW and the investigative activity carried out for the preparation of the Model.

The subsequent “Special Part” contains the operational aspects of the Model and proposes the potential crimes that can be committed in the business of DATAFLOW, as well as the related prevention protocols. The set of internal control protocols, analyzed (where already existing) and implemented during the drafting of this Model, is inspired by national and international best practices in the field of internal control systems, the risk fiscal control system of the Agenzia delle Entrate n. 54337 of April 14, 2016, and is in line with the Confindustria guidelines and the provisions of the Guardia di Finanza’s Circular n. 83607/2012 and ss.ii. The set of internal protocols can be divided into:


(i) general protocols, which regulate the internal control system of the Company, namely the key components of the MOGC (organizational system, power system, process system, code of conduct, information system from and to the Monitoring Body, training and dissemination of the Model);
(ii) specific protocols and procedures, which are addressed to each identified process/activity as “sensitive” and “instrumental” during the risk assessment.

The principles guiding the behaviors of those operating in DATAFLOW and conducting business with the Company are contained in the Code of Ethics, which is an integral part of this Model.

Finally, some documents are attached to the present Model, which, by helping to understand how DATAFLOW is structured, guide the interpretation of the choice of preventive protocols that DATAFLOW is committed to implementing, as well as the documents with their relative operational instructions already adopted by the Company.

 

2. The Legislative Decree n. 231/2001: nature of the responsibility and interested subjects

The Legislative Decree 8 June 2001 n. 231 has introduced in the Italian legal system a new liability against companies, entities with legal personality, and associations also without legal personality.

The liability is of an administrative nature, but it depends on the commission of one of the presupposed crimes, committed (also only in the form of “attempt” (1) ) in the interest or advantage of the entity. The Legislative Decree n. 231/2001, also following numerous and disorganized legislative novelties, details the crimes to which the administrative liability of the entity is connected (the so-called “presupposed crimes”).

According to the Decree, if a subject commits (or attempts to commit) a certain crime in the interest or advantage of an entity, from such conduct both the penal liability of the physical person who committed it, and the administrative liability of the entity in whose interest or advantage the crime was committed, will follow.

DATAFLOW fully falls within the addressees of the provisions contained in the Legislative Decree n. 231/2001.

(1) In cases where the crimes sanctioned under Decree-Law No. 231/2001 are committed in a “attempted” form, the pecuniary sanctions (in terms of amount) and the prohibitive sanctions (in terms of duration) are reduced by one-third to one-half (Articles 12 and 26 Decree-Law No. 231/01).

 

3. Administrative penalties applicable to the company

The company’s liability is added to the personal liability of the person who committed the fact.
Once the entity’s liability is established, the Legislative Decree n. 231/2001 provides for four types of administrative penalties:

  1. Administrative pecuniary penalties: for each crime, a quota is prepared that must necessarily respect a minimum and maximum quantum. This ranges from 100 to 1000 shares (depending on the gravity of the fact, the entity’s degree of responsibility, the activity carried out to eliminate or attenuate the consequences of the fact and to prevent the commission of further illegalities) and can have a value between Euro 258.00 and Euro 1,549.00 (this amount is fixed “on the basis of the economic and patrimonial conditions of the entity, in order to ensure the effectiveness of the penalty”, in accordance with articles 10 and 11, co. 2, Legislative Decree n. 231/01). As stated in point 5.1 of the Report to the Decree, “As for the modalities of determining the economic and patrimonial conditions of the entity, the judge can avail himself of the balance sheets or any other writings suitable to photograph these conditions. In some cases, the proof can be obtained by also considering the size of the entity and its market position. (…). The judge cannot fail to immerse himself, with the help of consultants, in the reality of the business, where he can draw on information related to the state of economic, financial, and patrimonial solidity of the entity”.
    Article 12 of the Legislative Decree n. 231/2001 provides for some cases of reduction of the pecuniary penalty. They are schematically summarized in the following table, with indication of the reduction applied and the prerequisites for its application. In any case, the pecuniary penalty cannot be less than Euro 10,329.00.

 

  Presuppositions 
1/2 (not exceeding Euro 103,291.00) The author of the crime has committed the fact in the predominant interest of their own or of third parties and the entity has not obtained any benefit or has obtained a minimum benefit; – The patrimonial damage caused is of particular slightness.
From 1/3 to 1/2 (Before the declaration of the opening of the first instance trial)  The entity has fully compensated the damage and has eliminated the harmful or dangerous consequences of the crime, or has otherwise effectively acted in this sense; – A suitable organizational model for preventing crimes of the same kind as the one that occurred has been adopted and made operational.
From 1/2 to 2/3 (Before the declaration of the opening of the first instance trial and if both of the following conditions are met) The entity has fully compensated the damage and has eliminated the harmful or dangerous consequences of the crime or has otherwise effectively acted in this sense; – A suitable organizational model for preventing crimes of the same kind as the one that occurred has been implemented and made operational.

2. Prohibitive penalties: they comprise the prohibition to exercise the activity; the suspension or revocation of authorizations, licenses, or concessions functional to the commission of the illegality; the ban on contracting with the Public Administration, except for obtaining public service performances; the exclusion from benefits, financing, contributions, or subsidies and the possible revocation of those already granted; finally, the ban on publicizing goods or services.

Prohibitive penalties are applied in relation to the crimes for which they are expressly provided, if at least one of the following conditions occurs:

a) The entity has obtained a significant profit from the crime and the crime was committed by top-level subjects or by subjects under the direction of others; in this case, the commission of the crime is a consequence of serious organizational shortcomings or was facilitated by such shortcomings.

b) In the case of repeated illegalities (2) .

The duration of these penalties is not less than three months and not more than two years, unless otherwise provided for by Article 25, paragraph 5, of the Legislative Decree n. 231/2001 for the crimes of extortion, own corruption, corruption in judicial acts, undue inducement to give or promise benefits, and instigation to own corruption. They can be definitive, for example in the case of repeated commission of the crime (3).

The application of prohibitive penalties is also excluded if the entity has implemented the reparatory conduct provided for by Article 17 of the Legislative Decree n. 231/01, and more precisely, when the following conditions are met:

o “The entity has fully compensated the damage and has eliminated the harmful or dangerous consequences of the crime or has otherwise effectively acted in this sense”;
o “The entity has eliminated the organizational shortcomings that determined the crime by adopting and implementing organizational models suitable for preventing crimes of the same kind as the one that occurred”;
o “The entity has made the profit obtained available for confiscation”.

The choice of the measure to be applied and its duration is made by the judge based on the criteria previously indicated for the commensurability of the pecuniary penalty, “taking into account the suitability of each sanction to prevent crimes of the type committed” (Article 14, Legislative Decree n. 231/2001).

3. The publication of the sentence: the publication of the sentence of conviction in one or more newspapers, either in extract or in full, can be ordered by the judge together with the affixing in the municipality where the entity has its main seat, when a prohibitive penalty is applied. The publication is carried out at the expense of the entity and on behalf of the competent judge’s court;


– The confiscation: against the entity, the confiscation of the price or profit of the crime is always ordered, with the sentence of conviction, unless for the part that can be returned to the harmed party. The rights acquired by third parties in good faith are reserved.
Finally, it is specified that the judge can also order:
– The preventive seizure of things subject to confiscation, in accordance with Article 53 of the Decree; or,
– The conservatory seizure of the movable and immovable property of the entity if there is a founded reason to believe that the guarantees for the payment of the pecuniary penalty, the procedure expenses, or other amounts due to the State’s treasury are lacking or dispersed, as provided for by Article 54 of the Decree.

(2) According to Article 20 of Decree-Law No. 231/2001, “reiteration” occurs when the entity, having already been definitively condemned at least once for an offense dependent on a crime, commits another within five years following the definitive condemnation”.

(3) Law No. 3/2019 increased the maximum duration of prohibitive sanctions for the crimes of extortion, bribery, corruption in judicial acts, undue influence to give or promise benefits, and instigation to bribery, from seven years when committed by top-level subjects [subjects as per Article 5, paragraph 1, letter a) of Decree-Law No. 231/2001].

 

4. Why the choice of adopting the Organizational, Management and Control Model

The Legislative Decree n. 231/2001, in case of commission of crimes included in the “231 catalog” and upon occurrence of specific conditions provided for by the Decree, allows to exclude administrative liability of the entity, with consequent determination of criminal liability exclusively in the person of the agent who committed the offense.

The preventive measures provided for by the Decree are the so-called Organizational, Management and Control Models: a set of organizational and conduct regulations with which the Company sets rules to be respected in all activities carried out, capable of preventing the commission of offenses.

If such Models are adopted and effectively and efficiently implemented, the Company may obtain – against it, and independently of the liability of the natural person who committed the fact – the archiving of the proceedings or a judgment of non-prosecution or, finally, a judgment excluding its administrative liability.

Not least, in addition to the exemption effect, the adoption of the Model constitutes an opportunity for growth and development for companies that can improve their public image – increasing competitiveness on markets – so much so that the adoption of the MOGC is promoted, for example, for the recognition of the “legality rating” provided for by Law n. 62 of 2012.

With the adoption and effective implementation of the Organizational, Management and Control Model, DATAFLOW intends to establish a tool for improving its organization that can also provide the exemption explicitly provided for by Legislative Decree n. 231/2001.
The present Model aims to:

  • infuse in all those who operate on behalf of DATAFLOW the awareness of being able to incur personal sanctions and liability of the Company (if it has benefited from the commission of the crime, or at least if it has been committed in its interest);
  • reaffirm that DATAFLOW condemns illegal behavior, as it is contrary to the provisions of the law and the principles to which the Company intends to adhere in the exercise of its activity;
  • enable internal monitoring and control actions, particularly in the areas of the company most exposed to the risk of committing the crimes provided for by Legislative Decree n. 231/2001, to prevent and counter the commission of the same crimes.

 

5. Contents of the Decree and 231 crimes

5.1. Subjective scope and need for the crime to be committed in the interest or to the advantage of the company

Two different types of relationships are provided that “connect” the entity, in whose interest or advantage a crime can be committed, and the perpetrator of the same crime.

Art. 5 of the Decree refers, in co. 1, to the so-called top-level subjects, namely “persons holding representation, administration or management functions of the entity”. The legislator recalls, with this definition, the members of the administrative body, general managers, directors, managers of second-level branches, division managers with financial autonomy, as well as individuals who exercise, even de facto, the management and control of the entity.

Co. 2 of the aforementioned art. 5 refers instead to “persons subject to the direction or supervision of one of the subjects referred to in point a)”.
The different position of the individuals who may be involved in the commission of crimes entails different criteria for attributing responsibility to the entity itself.

Art. 6 of the Decree places on the entity the burden of proving the adoption of preventive measures only in the case where the perpetrator of the crime is a person in the so-called “top-level” position. In other words, if the crime was committed by a top-level person, they are presumed by law to be guilty, as these individuals express and represent the policy and, therefore, the will of the entity itself; the company has the burden of proving the adoption of the Organizational, Management and Control Model, the appointment of the Supervisory Body, the effective exercise by this of its own control functions, the fraudulent evasion of the Organizational, Management and Control Model by the perpetrator of the material crime (so-called culpa in eligendo, directly referable to the company and consequent to the organizational and managerial choices of it).

Differently, if the crime is committed by a person subject to the supervision of others, the liability of the company arises only if the commission of the crime was made possible by the failure to comply with the obligations of direction and supervision by the governing bodies (so-called culpa in vigilando attributable to those responsible for control, who did not supervise at all or did not supervise properly), which must be proven by the public prosecutor and which is excluded by the prior adoption of an appropriate Organizational, Management and Control Model.

As can be seen, in both cases, the realization of one of the presupposed crimes must be an expression of an organizational deficit and is therefore “blameworthy” to the company. The difference lies in the exemption effect of the adoption of the Model 231, which is presumed to be capable of preventing the crime only with regard to the subordinates. With regard to the top-level, the correct functioning of an appropriate Organizational, Management and Control Model is a necessary but not sufficient requirement to exclude the administrative liability of the company, because the top-level must have fraudulently evaded the aforementioned Model.

The illegal conduct in which the crime presupposed to the administrative liability of the company is realized must, however, be committed in the interest (and that therefore exists the intentionality) or to the advantage of this. The company is liable only for administrative offenses dependent on crimes committed in its interest or to its advantage (also relevant if “indirect”), which may not have a strictly economic or patrimonial connotation.

In fact, the Legislative Decree n. 231 of 2001 explicitly provides that, where the natural person has acted in the exclusive interest of himself or of third parties, no liability arises in the company. And this also if, by hypothesis, it had casually benefited from the illegal conduct.

The risk, instead, that the administrative liability of the company arises when the top-level or the subordinate colossally contribute to the crime (even only contraventional) of the third party must be coordinated with the need for the company to have benefited from the illegal conduct and, at the same time, requires the company to adopt all the necessary operational procedures to verify that the third parties with whom it collaborates or to whom it entrusts certain operations are reliable and possess all the necessary requirements (e.g., authorizations, licenses, etc.) for the performance of the assignment.

 
5.2. Types of crimes whose occurrence depends on the administrative liability of the company

Section III of Legislative Decree n. 231/2001 details the crimes for which the “administrative liability” of entities is configurable, specifying the measure of sanctions.
At the time of adoption of the present Model, the categories of crime referred to by the Decree are as follows:

  • Crimes against the Public Administration, ex art. 24 Legislative Decree n. 231/2001, entitled “Unlawful receipt of grants, fraud against the State, a public entity or the European Union or for the award of public grants, computer fraud against the State or a public entity and fraud in public contracts”;
  • “Computer crimes and illegal treatment of data”, ex art. 24-bis Legislative Decree n. 231/2001;
  • “Organized crime”, ex art. 24-ter Legislative Decree n. 231/2001;
  • “Transnational crimes”, ex artt. 3 and 10 L. n. 146/2006;
  • “Embezzlement, extortion, undue inducement to give or promise benefits, corruption and abuse of office”, ex art. 25 Legislative Decree n. 231/2001;
  • “Falsification of coins, public credit cards, stamp duties and recognition instruments or signs”, ex art. 25 – bis Legislative Decree n. 231/2001;
  • “Crimes against industry and commerce”, ex art. 25-bis Legislative Decree n. 231/2001;
  • “Company crimes”, ex art. 25-ter Legislative Decree n. 231/2001;
  • “Crimes with terrorist or anti-democratic purposes”, ex art. 25-quater Legislative Decree n. 231/2001;
  • “Female genital mutilation practices”, ex art. 25-quater Legislative Decree n. 231/2001;
  • “Crimes against personal identity”, ex art. 25-quinquies Legislative Decree n. 231/2001;
  • “Market abuses”, ex art. 25-sexies Legislative Decree n. 231/2001;
  • “Grossly negligent or extremely serious injuries committed with violation of the provisions on the protection of health and safety at work”, ex art. 25-septies Legislative Decree n. 231/2001;
  • “Recipients, money laundering and use of illegal goods or benefits, as well as autoriciclaggio”, ex art. 25-octies Legislative Decree n. 231/2001;
  • “Crimes related to payment instruments other than cash”, ex art.25-octies Legislative Decree n. 231/2001;
  • “Crimes related to copyright infringement”, ex art. 25-novies Legislative Decree. n. 231/2001;
  • “Inducement to not make statements or to make false statements to the judicial authority”, ex art. 25-decies Legislative Decree n. 231/2001;
  • “Environmental crimes”, ex art. 25-undecies Legislative Decree n. 231/2001;
  • “Use of citizens of third countries with irregular stay”, ex art. 25-duodecies Legislative Decree n. 231/2001;
  • “Racism and xenophobia”, ex art. 25-terdecies Legislative Decree n. 231/2001;
  • “Fraud in sports competitions, abusive exercise of games or bets, and games of chance exercised through prohibited devices”, ex art. 25-quaterdecies Legislative Decree n. 231/2001;
  • “Tax crimes”, ex art. 25-quinquiesdecies Legislative Decree n. 231/2001;
  • “Smuggling”, ex art. 25 – sexiesdecies Legislative Decree n. 231/2001;
  • “Crimes against Cultural Heritage”, ex art.25-septiesdecies Legislative Decree n. 231/2001;
  • “Riciclaggio di beni culturali e devastazione e saccheggio di beni culturali e paesaggistici”, ex art. 25-duodevicies Legislative Decree n. 231/2001.

 

In detail, the crimes whose occurrence depends on the administrative liability of the company are various and specifically: embezzlement against the State, unlawful receipt of grants, fraud against the State or a public entity or for the award of public grants, computer crimes and illegal treatment of data, organized crimes, illegal manufacture or possession of arms, extortion, corruption, undue inducement to give or promise benefits, influence peddling, falsification of coins, in public credit cards, stamp duties and recognition instruments or signs, crimes against industry and commerce, trademark counterfeiting, company crimes provided for by the Civil Code (false statements by companies, minor offenses and non-punishability for minor facts, false statements by quoted companies, fraud in financial statements (4) , obstruction of control, fictitious formation of capital, undue return of contributions, illegal distribution of profits and reserves, illegal operations on shares or social shares or the controlling company, operations prejudicial to creditors, omitted communication of conflicts of interest, undue distribution of social assets by liquidators, corruption between private individuals, instigation to corruption between private individuals, false or omitted declarations for the release of the prior certificate provided for by the implementing regulation of the directive (EU) 2019/2121, of the European Parliament and of the Council of 27 November 2019 (5) , illegal influence on the assembly, wash trading, obstruction of the exercise of functions, by the public authorities of surveillance), crimes with terrorist or anti-democratic purposes, practices of female genital mutilation, crimes against personal identity, market abuses, grossly negligent or extremely serious injuries committed with violation of the provisions on occupational safety and health, receivership, money laundering and use of illegal goods or benefits, autoriciclaggio, crimes related to payment instruments other than cash, crimes related to copyright infringement, inducement to not make statements or to make false statements to the judicial authority, environmental crimes, use of citizens of third countries with irregular stay (including the crime of illegal intermediation and exploitation of work), transnational crimes, racism and xenophobia; fraud in sports competitions, abusive exercise of games or bets and games of chance exercised through prohibited devices, tax crimes, smuggling crimes as provided for by the Customs Code, crimes against cultural heritage, money laundering of cultural goods and devastation and looting of cultural and landscape goods.

Some types of crimes provided for by Legislative Decree n. 231/2001 are strongly doubted whether they can be committed in the context of the company’s entrepreneurial activity of DATAFLOW. DATAFLOW has nevertheless chosen to adopt and share measures to prevent illegal conduct, even potentially non-commissible in the interest or advantage of the Entity. These conduct and the related safeguards will be distinctly treated in the “Special Part”.

(4) The crime of “Falso in prospetto” was originally provided for by Article 2623 of the Civil Code, abrogated by Article 34 of Law No. 262 of 2005 (“Provisions for the protection of savings and regulation of financial markets”), which reproduced it, with some modifications, in Article 173-bis of the TUF (Italian Financial Act). The migration of this delictual figure from the codicistic discipline to that of the TUF has caused several problems of coordination between the abrogated norm and the new formulation, also in relation to the provisions of Decree-Law No. 231 of 2001, since Article 25-ter, paragraph 1, letter d) maintains a reference to an already abrogated norm and a distinction between contravention and delitto that is no longer existing. Due to the lack of coordination between the abrogating law and the Decree, the applicability of the administrative liability of entities ex Decree-Law No. 231 of 2001 with regard to this delictual figure is controversial.

(5) Previsione inserita dall’art. 55, co. 1, lett. c), Legislative Decree. 2.3.2023 n. 19, pubblicato in G.U. 7.3.2023 n. 56. Ai sensi del successivo art. 56, co. 1, tale disposizione ha effetto a decorrere dal 3.7.2023. Per l’applicazione delle altre disposizioni che regolano le operazioni straordinarie transfrontaliere, si veda altresì l’art. 56, co. 3, 4 e 5.

 
5.3. Crimes committed abroad

The entity that has its main office within the territory of the State can be called to respond to the Italian criminal court also for the administrative offense dependent on crimes committed abroad, in the cases and conditions provided for by articles 7 to 10 of the Criminal Code and provided that the State where the fact was committed does not proceed against it.
Therefore, the entity is prosecutable when:

  • it has its main office in Italy, that is the effective seat where administrative and management activities are carried out, which may be different from the one where the company or the legal seat is located (entities with legal personality), or the place where the activity is carried out continuously (entities without legal personality);
  • the State where the fact was committed does not proceed against the entity;
  • the request of the Minister of Justice, which may be conditional on punishability, is also referred to the entity itself.

 

These rules concern crimes committed entirely abroad by top-level or subordinate subjects.

For criminal conduct that has occurred even partially in Italy, the principle of territoriality ex art. 6 of the Criminal Code applies, according to which “the crime is considered committed in the territory of the State when the action or omission that constitutes it has taken place there in whole or in part, or when the event that is the consequence of the action or omission has occurred there”.

Finally, Law No. 146 of 2006, which ratified the United Nations Convention and Protocols against transnational organized crime, adopted by the General Assembly on November 15, 2000, and May 31, 2001, provided for art. 10 the liability of entities for some transnational crimes, such as, for example, the association for Mafia-like delinquency.

 

6. Mapping of areas of the company at risk of committing 231 crimes

Since the Model must be prepared taking into account the characteristics proper to the company to which it is applied, here below are summarized the main connotations of DATAFLOW, referring to the “Special Part” and the annexes for more detailed indications.

DATAFLOW was born in 2019, has its registered office in Bassano del Grappa (VI) and mainly carries out activities of analysis, design and development of software and electronic products, sale of software in the field of cybersecurity, corporate consulting in the field of information technologies.

The Company is managed by a Board of Directors composed of five members, appointed in accordance with art. 18 of the Statute. At the time of adoption of the present Model, the Board of Directors appointed a Managing Director, for whose delegations and attributions reference is made to the minutes of May 25, 2022. The organizational structure is rather articulated and divided by business line. The activity carried out by the company is concretized by an internal team (of full-time employees) and external professionals.

The social capital deliberated, divided among the shareholders, is entirely paid up.

For the purpose of preparing the Model, a mapping of the areas/activities at risk was first carried out, that is, potentially susceptible to the risk of committing “231 crimes”.
To this end,

  • the documentation and information that describe the structure, the organizational articulation and the operation of DATAFLOW, the external operating context, that is the economic sector, and the geographical area in which the Company operates, and the internal operating context, that is the organizational structure, the dimensions and the territorial articulation of the Company, which consists of a registered office and an operational headquarters in Bassano del Grappa (VI);
  • meetings were held with the Managing Director, a reference person for the “Finance” function, the “Office Manager” and the internal “Legal” staff; the individual areas of DATAFLOW were analyzed and the modalities through which the crimes considered by Legislative Decree. n. 231/2001 could be committed were evaluated, with particular attention to the modalities through which financial flows are managed;
  • the following aspects were analyzed: the economic dimension of the Company (turnover, fixed assets, credits towards customers, social capital, etc.); the subjective dimension of the Company (number of shareholders, number of employees and researchers, articulation of social offices); the objective dimension of the Company (number of branches, etc.); the activity of the Company (services, size of the market, types of relationships with the Public Administration, etc.). And again: payment modalities; contract stipulation modalities, etc…
  • In particular,
  • based on the Organizational Chart, a survey was conducted of the institutional areas where there is a higher probability of committing the crimes provided for by the Decree;
  • an appropriate “map” of the areas at potential “231 risk” was drawn up – contextualizing the so-called “sensitive activities” and the so-called “instrumental activities”;
  • the suitability of the organizational, procedural and administrative safeguards (internal organization, delegations of responsibility and expenditure powers, protocols and behavioral principles) was evaluated, and, where necessary, the necessary integration was made to complete the behaviors that DATAFLOW is already required to respect by law, that is, the behaviors that the Company must respect if it intends to comply with the applicable regulations in matters of civil, tax, etc… and those that DATAFLOW has decided to adopt in compliance with the applicable regulations;
  • existing documentation useful for defining the MOGC 231 was collected (the Risk Assessment Document ex Legislative Decree. 81/2008).
    In the following pages, therefore, the essential features of a preventive control system are fixed, which provides for behavioral principles, roles of the subjects operating in the risk areas, protocols for the programming of training and implementation of decisions, control procedures (including the choice of a specific Supervisory Body, which must monitor the functioning and observance of the Model), training and information of personnel, progressive updates of the Model and sanctions applicable in case of non-compliance with the measures provided for by the Model, in order to ensure its effectiveness.
 

7. General structure of protocols

The operation of DATAFLOW, as better detailed in the “Special Part” of the Model, is inspired by the following principles:

  • the principle of legality. The full respect of the law constitutes a strong and stringent constraint on the activity of DATAFLOW. The principle of legality will be valued by conferring it a strong meaning (that is, not programmatic and of “principle”) outlining a comprehensive framework of duties incumbent on DATAFLOW;
  • clear assumption of responsibility, according to formally attributed delegations;
  • separation of duties and/or functions. The authorization to perform an operation must be given by a person different from the one who is responsible for accounting, operational execution or control of the operation;
  • adequate authorization for all operations, a principle that can have both a general character (referring to a homogeneous complex of business activities) and a specific character (referring to single operations) and translates into the need for the person responsible for an operation to have adequate technical skills and professional preparation to perform the function;
  • adequate and timely documentation and registration of operations, transactions and actions, in order to carry out checks that attest to the characteristics of the operation, the motivations and identify who authorized, performed, recorded and verified the operation itself;
  • independent verification of the operations carried out, thanks to which activities are also performed by people outside the organization (the Supervisory Body).
 

8. Supervisory Body and informative obligations

8.1. Composition and rules

A particularly important function is assigned to the Supervisory Body, as art. 6 of Legislative Decree n. 231/2001 provides for the non-punishability of the entity in the event that it has entrusted the task of supervising the functioning and observance of the Model to its own Supervisory Body, endowed with autonomous powers of initiation and control.

The task of continuously supervising the effective functioning and observance of the Model, as well as proposing the necessary updates, is therefore entrusted to a distinct Supervisory Body, endowed with subjective and objective requirements that will be better described below:

a. Subjective requirements. The concrete configuration of these requirements will be exemplified in the subsequent “Special Part”; here it is necessary to provide some general definitions: among the subjective requirements are autonomy and independence, professionalism, integrity, continuity of action and absence of incompatibilities.

    • Autonomy and independence. This double requirement imposes a hierarchical position of the Supervisory Body that is as high as possible; this is the reason that induces to link the Supervisory Body directly to the Deliberative Body (Board of Directors), without any intermediate hierarchical passage. However, the Supervisory Body must be independent from the Deliberative Body. This independence can be achieved both by not entrusting operational tasks and by attributing a limited financial autonomy. The non-entrustment of operational tasks prevents this body from being part of operational decisions and activities that can compromise its objectivity of judgment. The attribution of a limited financial autonomy allows the Supervisory Body to finance its own verification and update activities, without conditioning and limiting them to the decision (or the influence) of third parties. For the same reasons, the Supervisory Body will be equipped with tools that it will use in accordance with the privacy regulations;
    • Professionalism. The Supervisory Body must possess a baggage of experiences and techniques that enables it to exercise its inspection activity correctly;
    • Integrity. The Supervisory Body must possess honor and dignity. This generic “good reputation” of the Supervisory Body refers both to the absence of criminal convictions or disciplinary proceedings against its members, and to the loyalty, seriousness and collaboration that must inform its relationships with employees and any external collaborators of the company;
    • Continuity of action. The activity of prevention and control of risk activities must be continuous and constant. To achieve this continuity, the Supervisory Body must prepare a system of verification that allows for the continuous and secure collection of information and data about the company’s activity;
    • Absence of incompatibilities. This requirement can be understood as the absence of all circumstances that alter the objectivity of judgment and that can harm the company. The most evident incompatibility is the conflict of interests: situations of conflict of interests, in fact, not only risk making the Supervisory Body lose its necessary objectivity, but can also benefit it, thanks to the function it performs, harming the company;

b. Objective requirements. The activity of the Supervisory Body takes place in two directions. Autonomous powers of initiative for the collection of information and data are foreseen, on the one hand, and a separate and reserved organization for the collection and conservation of information, on the other hand. It must be remembered that the other organs of the company are required, in order to protect their own confidentiality, to inform the Supervisory Body about a wide category of news that can constitute a risk or a violation of the Model, which will be exemplified in the following pages. The subsequent control and verification activity is, instead, left to the discretion and responsibility of the Supervisory Body, which will not be burdened with an obligation to intervene for all the reports received;

c. Responsibility. The Supervisory Body can also be subject to disciplinary measures if it does not perform its institutional duties with diligence.

In the search for a balance between autonomy and efficiency, an attempt has been made to privilege the functionality of the company, through the choice of a tool that is quick and easy to use.

The reflections formulated in light of the organizational peculiarities of DATAFLOW lead to identifying an optimal composition of the Supervisory Body that values, above all, the following aspects:

    • Collegiality of the Supervisory Body,
    • Professionalism of individual members;
    • Knowledge of the company’s sector and the company’s organizational system;
    • Functional autonomy.

 

The members of the Supervisory Body must be chosen and maintained in office without having been convicted, even with a sentence not yet become irrevocable, of having committed one of the crimes provided for by Legislative Decree n. 231/01, or a penalty that entails the disqualification, even temporary, from public offices or from the management of legal persons.
If an external person is nominated as a member of the Supervisory Body, they must send a declaration to the Board of Directors, at the time of accepting the assignment:

    • that attests the absence, in their own regard, of reasons for incompatibility or inconvenience (conflicts of interest, relevant criminal convictions or ongoing proceedings, etc.);
    • in which they declare to have been adequately informed about the behavioral rules and ethical rules that the Company has adopted, including those contained in the present Model, and that they will make their own in the performance of the assignment.

 

In detail:

  • DATAFLOW appoints a Supervisory Body, with a motivated resolution, chosen exclusively on the basis of the requirements of professionalism, integrity, competence, independence and functional autonomy, and such as to ensure continuity of action;
  • The nomination resolution also determines the compensation and duration;
  • The Supervisory Body can be revoked for (i) the occurrence of a cause of incompatibility or inelegibility; (ii) repeated failure to perform the duties provided for by the Model; (iii) unjustified inactivity that has resulted in sanctions being applied to the Company;
  • The member revoked or who resigns from the assignment is replaced promptly and remains in office until the expiry of the Supervisory Body in force at the time of their appointment;
  • The Supervisory Body reports directly to the Deliberative Body;
  • The Supervisory Body has autonomous powers of initiative and control within the entity, which enable the effective exercise of the functions provided for by the Model, as well as subsequent provisions adopted in implementation of the same;
  • In order to perform its function with objectivity and independence, the Supervisory Body has an autonomous power of expenditure, approved by the Board of Directors, on the proposal of the Supervisory Body itself;
  • The Supervisory Body may engage resources that exceed its expenditure powers, with the obligation to request prior authorization from the Board of Directors;
  • The Supervisory Body may be assisted by external consultants, who can provide specific professional expertise that may be lacking in the Supervisory Body itself;
  • The Supervisory Body is required to maintain confidentiality about all the information it has come to know in the exercise of its functions or activities;
  • The Supervisory Body carries out its functions, taking care to favor a rational and efficient cooperation with the existing organizational structure in DATAFLOW;
  • The Supervisory Body does not have, nor can it be attributed, even in a substitutive way, powers of managerial, decision-making, organizational or disciplinary intervention, relating to the performance of activities by DATAFLOW.

 

To ensure an effective and effective performance of its functions, the Supervisory Body has the option to establish specific operating rules and adopt its own internal Regulation, also in order to guarantee its maximum organizational and action autonomy. The Regulation constitutes an autonomous and specific document of the Supervisory Body.

 
8.2. Functions of the Supervisory Body: reporting to the company’s organs

With respect to the Board of Directors, the Supervisory Body has the responsibility to:

  • send a plan of activities that it intends to carry out to fulfill the tasks assigned to it;
  • immediately communicate any significant problems that have arisen from the activities carried out;
  • report in writing on its activities, in particular on the implementation of the Model by the Company, as well as on the verification of company acts and activities, according to the modalities provided for by the Model itself;
  • communicate in writing any violations of the Model that it has been informed of or that it has directly detected and that are not already known to the Board of Directors;
  • contribute to the training and information process for personnel.

 

The Supervisory Body prepares an annual report on the activities carried out and submits it to the Deliberative Body. The Supervisory Body, whenever it deems it necessary, may also make reports to the Deliberative Body and propose modifications and/or integrations to the Organizational Model.

 

8.3. Informative obligations

8.3.1. Obligations of information

The Supervisory Body, within the limits of applicable legislation, has free access to all relevant company documentation, as well as the possibility of directly acquiring data and information from responsible parties. Taking into account the opinion expressed by the Data Protection Authority on May 12, 2020, regarding the treatment of personal data of the Supervisory Body in the exercise of its duties and functions, DATAFLOW designates the individual members of the Supervisory Body as authorized persons for the processing of personal data ex art. 29 of the EU Regulation 679/2016 (GDPR) and art. 2-quaterdecies of the Unified Code on data protection.

The recipients of the Model are required to provide the information requested by the Supervisory Body according to the contents, modalities, and frequency defined by it. The informative obligations towards the Supervisory Body represent a useful tool for it to carry out vigilance activities on the effectiveness of the Model and to ascertain ex post the causes that may have allowed the occurrence of an offense.

In addition to the news provided for in the procedures and protocols of the Model (“Special Part”), the following information/documents specific to the activities carried out by the Company are communicated by the Managing Director to the Supervisory Body:

  • news related to work accidents or incidents, or related to requests for recognition of occupational diseases;
  • measures and/or news from judicial police authorities, or from any other authority, from which it can be inferred that investigations are being carried out, also against unknown persons, for the crimes provided for by Legislative Decree n. 231/2001;
  • news related to procedures for granting or authorization, or otherwise connected to the exercise of business activities;
  • decisions relating to the request, granting, and use of public financing or contributions, as well as tax credits;
  • requests for legal assistance submitted by top-level officials and/or employees, and collaborators, against whom the judiciary may proceed for the crimes provided for by the aforementioned legislation;
  • internal commissions of inquiry or reports from which responsibilities can be inferred for the hypotheses of offenses provided for by Legislative Decree n. 231/2001;
  • news related to the actual implementation, at all levels of the company, of the Organizational Model.
    The Managing Director, in addition,
  • will make available to the Supervisory Body the evidence of the application of the company’s identified protocols and the underlying supporting documentation;
  • will inform the Supervisory Body of any situation that they consider not in line with the company’s rules, or where they identify an anomaly related to the risk of committing one of the crimes provided for in the “Special Part” of the Model.

 

The news and information collected are kept in a specific register, at the care of the Supervisory Body, according to rules, criteria, and conditions of access to data that are suitable to guarantee their integrity and confidentiality, and cannot be disclosed to individuals other than the Judicial Authority and the Deliberative Body.
It is explicitly forbidden, in any case, to destroy, alter, or modify in whole or in part the communications made to the Supervisory Body.

 
8.3.2. Reporting of offenses or violations of the Model – c.d. Whistleblowing

Within the “System 231”, to protect corporate integrity, DATAFLOW adopts the Whistleblowing procedure (hereinafter also “Procedure WB”) in accordance with Legislative Decree 10 March 2023 n. 24.
The recipients of the Procedure are:

  • top-level officials, members of the company’s organs, and the Supervisory Body;
  • employees, former employees, and job applicants;
  • volunteers and trainees, paid and unpaid;
    shareholders, clients, as well as, by way of example, partners, suppliers, consultants, collaborators in the performance of their work activity at DATAFLOW;
  • independent workers and freelancers, who possess information on violations, as defined in the relevant Procedure.

 

Also included among the recipients are physical and legal persons not included in the above categories, but who are subject to the measures of protection provided for in the Procedure.
The Procedure allows for the timely reporting of:

  • any illegal conduct relevant to Legislative Decree n. 231/2001;
  • any violation of the Organizational Model, Corporate Governance and Ethics Code, of which notice is obtained in relation to the functions performed.

Through the “Procedure WB”, DATAFLOW also allows for the reporting of:

  • administrative, accounting, civil, or penal offenses;
  • any action capable of causing pecuniary or reputational damage to the Company;
  • any action capable of causing harm to the health or safety of employees, users, or citizens;
  • any violation committed with the disregard of behavioral codes or other internal regulations or procedures, punishable by disciplinary measures.

 

The internal communication channels (IT platform and verbal reporting) integrate what is required by art. 6 of Legislative Decree n. 231/2001 regarding circumstantial reports of illegal conduct or violations of the Model (c.d. Whistleblowing).

DATAFLOW ensures that whistleblowers and individuals for whom Legislative Decree n. 24/2023 has extended protection (see Whistleblowing Procedure) are not subject to retaliation, discrimination, or penalization, and ensures that their identity, facts, and confidentiality are protected, except for legal obligations and the protection of the rights of the Company or individuals falsely or in bad faith accused.

Violating this prohibition constitutes a disciplinary offense and is punished in accordance with the disciplinary system of this Model; equally, constituting a disciplinary offense, with the application of the sanctions provided for by the Model, is the performance, with gross negligence or intent, of reports that prove to be unfounded, the violation of confidentiality obligations, and the failure to communicate reports to the Reporting Recipient within the time limits provided for in the Procedure.

DATAFLOW adopts and disseminates its own “Whistleblowing Procedure” (Operational Protocol P_01).

 

9. Disciplinary system

An essential aspect for the effectiveness of the Model is the construction of an adequate disciplinary system, capable of detecting violations of conduct rules and, in general, of internal protocols and procedures.

In fact, art. 6, co. 2, let. e) and art. 7, co. 4, let. b) of Legislative Decree n. 231/2001 indicate, as a condition for an effective implementation of the Organizational, Management, and Control Model, the introduction of a disciplinary system capable of sanctioning the non-compliance with the measures indicated in the same.

An adequate disciplinary system constitutes an essential prerequisite for the exemption value of the Model 231 with respect to the administrative liability of entities.

The application of disciplinary sanctions for violations of company conduct rules is independent of the outcome of the criminal judgment, as these rules are assumed by DATAFLOW in full autonomy and regardless of the offense that any conduct may determine.
In particular, disciplinary offenses, with the effects provided for by law and collective bargaining agreements applicable, are:

  • the failure to apply or the fraudulent circumvention of the behavioral rules provided for by the operational procedures referred to in the Model;
  • the failure, incompleteness, and dishonest documentation of the activity performed prescribed for sensitive processes;
  • obstruction of controls, unjustified hindrance to access to information and documentation opposed to officials responsible for controlling procedures and decisions, including the Supervisory Body, or other conducts capable of violating or circumventing the control system;
  • repeated and unjustified violations of other prescriptions of the Model, including the failure to inform the Supervisory Body;
  • failure to respect the measures to protect the person reporting illegal conduct or violations of the Model, and/or the adoption of retaliatory or discriminatory acts, direct or indirect, against the whistleblower and connected individuals, for reasons related, directly or indirectly, to the reporting;
  • the performance, with gross negligence or intent, of reports that prove to be unfounded;
  • failure to comply with the deadlines for communicating a report received, as indicated in the Whistleblowing Procedure.

 

The disciplinary system introduces, consistently with the protections assigned to workers by the so-called Workers’ Statute (L. n. 300/1970), a specific disciplinary system, aimed at conferring effectiveness to the provisions of this Model and modulable according to the gravity of the violation and its voluntariness by the perpetrator. In particular, sanctions will be applied based on the following criteria:

  • the degree of intentionality of the violations committed;
  • the level of negligence, imprudence, or lack of skill related to the violations committed;
  • cases of recidivism or commission of multiple offenses;
  • the extent and gravity of the consequences produced;
  • the overall behavior of the individual who committed the violation;
  • the type of tasks and duties entrusted to him;
  • the functional position occupied and/or the responsibilities assigned.

 

The Supervisory Body is entrusted with the task of informing the Board of Directors so that it can update, modify, and/or integrate the Disciplinary System itself, if it deems it necessary for the best effectiveness of the Model.

 
 9.1. Sanctions for employees

The observance of the Model’s rules by subordinate workers integrates and explicitly sets out the obligations of loyalty, fidelity, and correctness in the performance of the employment contract according to good faith, and is required by DATAFLOW also in accordance with and for the purposes of art. 2104 of the Civil Code (6) .

Therefore, in relation to the gravity of the shortcomings and the circumstances that accompany them, the conduct of subordinate workers that violates the individual rules of this Model can be sanctioned with the following measures:

  • verbal reprimand;
  • written reprimand;
  • pecuniary sanction not exceeding the amount of three hours of the normal hourly wage calculated on the minimum rate;
  • suspension from work and pay for a period not exceeding three days;
  • dismissal for just cause.

 

No disciplinary measure will be adopted against the worker without having previously informed him of the charge and without having heard him in his defense. The imposition of the measure must be motivated and communicated in writing.

If with a single act more infractions are committed, punished with different sanctions, the more severe sanction applies. Recidivism within three years automatically triggers the application of the more severe sanction.

The person responsible for the actual application of the above-described disciplinary measures for employees is the Managing Director – also employer – according to the attributions set out in the minutes of May 25, 2022.

In any case, the Supervisory Body is promptly informed of every act concerning the disciplinary procedure against an employee for violating this Model, from the moment of the disciplinary charge.

It is attributed to the Supervisory Body the task of verifying and evaluating the suitability of the Disciplinary System, in accordance with and for the purposes of the Decree.

The involvement of the Supervisory Body in the procedure for imposing sanctions for violating the Model is provided for, through adequate information regarding the content of the charge and the type of sanction intended to be imposed.

The Supervisory Body is also informed of every decision to archive proceedings related to the disciplinary procedures referred to in this chapter.

(6) It is understood that any disciplinary measure must respect the procedures provided for by Law No. 300/1970 (Workers’ Statute), the applicable C.C.N.L. (National Collective Labor Agreement), the Civil Code, and the Social Statute. Therefore, in particular, the Model – whose non-compliance is to be sanctioned – must be made available in a way that is accessible to all and must be expressly inserted into the company’s disciplinary regulation, or formally declared binding for all employees through, for example, an internal circular or a formal communication. Disciplinary sanctions other than those indicated in the text, such as transferring an employee from one unit to another, are only hypothetical if expressly provided for among the disciplinary measures established by the collective bargaining and the disciplinary codes that, at the company level, have been adopted in accordance with them.

 

 9.2. Measures against administrators and control body

The Company evaluates with extreme rigor the infractions of this Model committed by those who represent the top of the Company and express its image towards Institutions, employees and collaborators, shareholders, and the public.

In the event of a violation of the indications of this Model by individual members of the Board of Directors, the Supervisory Body promptly and formally informs the entire Board of Directors, which takes all the necessary initiatives provided for by the applicable legislation.

The following constitute disciplinary offenses relevant to the Deliberative Body: (i) failure to disseminate the Model and the Ethics Code to the recipients; (ii) failure to supervise delegates in matters of adoption, respect, and management of the Model and the Ethics Code; (iii) failure to report or tolerance of violations committed by other administrators, with reference to the protocols and procedures of the Model; (iv) non-compliance with the provisions relating to signature powers, and the delegation/procurations attributed; (v) Through negligence or incompetence, the failure to prevent or facilitate the discovery of violations of the Model until the most severe cases of commission of crimes relevant to the Decree; (vi) the lack of supervision by the personnel of the respect of the legal rules, of the Model and of the Ethical Code.

Against the Control Body, depending on the gravity of the committed fact, a pecuniary sanction is provided from a minimum of € 500.00 to a maximum of twice the compensation and the revocation of the mandate.

 
9.3 Measures against suppliers, customers, commercial partners, collaborators, consultants

The violation of the rules of the Model, recalled by the contract, may constitute, depending on the gravity, a just cause for the interruption of the contractual relationship with all legal consequences (including the application of any penalties consequent upon such suspension), including compensation for damages (7) .

These infractions, even minor, are however valued negatively in the context of the renewal of the contract and/or the assignment to the perpetrator.

Each violation carried out by the aforementioned subjects is reported by the Supervisory Body through a written report to the Board of Directors.

The “Legal” function, responsible for drafting contracts, takes care of the elaboration, insertion and updating in contracts of contractual clauses suitable for observing the above specified. The Managing Director verifies the insertion of said clauses.

Regarding the procedure for detecting such infractions and for the subsequent written warning or activation of the above-mentioned clauses, the Supervisory Body verifies that the Managing Director has formally pointed out the fact to the perpetrator of the infringement, specifying the specific facts attributed, issuing a concurrent written warning to strictly observe the rules of conduct violated with formal notice to remedy the detected infringement, or resolving the contractual relationship.

The Supervisory Body also checks that the contract modality prepared by DATAFLOW includes such clauses.

 

(7) In this sense, it is foreseen to insert express rescinding clauses in the contracts that explicitly refer to the observance of the provisions of the Model.

 

9.4 Measures against the Supervisory Body

The observance of the Model by the members of the Supervisory Body integrates and expresses the obligations of diligence in the performance of the mandate assumed. If the violation of the indications of the present Organizational Model is attributable to a member of the aforementioned body, the other members inform the Board of Directors without delay. The Board of Directors promotes the investigation of the case and any further investigations, adopting, once the violation has been contested, the necessary measures.

 

10. Publicity, dissemination and updating of the MOGC

The Model must be widely disseminated and made available to administrators, shareholders, legal representative, employees, collaborators, clients, suppliers, business partners, consultants and the Supervisory Body.

The Model is made available in paper and/or electronic format on the online platform, in such a way as to allow employees and the Supervisory Body to view it and according to modalities that allow them to confirm receipt and awareness of the indications.

DATAFLOW brings the Model to the attention of clients, suppliers, business partners, consultants and the Supervisory Body with the means considered appropriate at the time, also through the modalities mentioned above.

Periodic internal training sessions are provided for the effective implementation of the Model, in order to make aware the top-level subjects, employees and collaborators of the contents of the Model itself.

The Supervisory Body checks the actual dissemination of the Model and the training activity.

 
10.1 Communication to employees

The adoption of the present Organizational Model is communicated to all resources present in the company at the time of its approval through the modalities mentioned above.

In the case of new hires, a copy of the General Part of the Model, of the Ethical Code and of the Legislative Decree 231/2001 is made available to the employee at the time of the verbal agreement on the start of the employment relationship. Once the employment relationship has been perfected, the complete documentation is made available to the employee according to the modalities mentioned above.

DATAFLOW delivers to all employees, both existing and new, a contract integration module declaring adhesion to the contents of the Model, to be signed and personally returned to the employer. Analogous indications are also provided for relationships with collaborators.

 
10.2 Communication to clients, suppliers, business partners, consultants and Supervisory Body

For contracts/assignments in progress at the time of approval of the present document, an autonomous communication (standard informative letter concerning the system of responsibility ex Legislative Decree 231/2001) is sent to DATAFLOW, informing of the adoption of the MOGC (of which the Ethical Code is an integral part) and referring to the reading of the published documents on its own website.

For new contracts/assignments, DATAFLOW provides appropriate information on the adoption and implementation of the MOGC and the Ethical Code, also inserting in the contracts express resolving clauses/prevision of revocation of the mandate that explicitly refer to the compliance with the provisions of the Model and the Ethical Code, subject to any other legal consequences.

 
10.3 Training

The training activity aimed at disseminating the knowledge of the Decree, of the Model and of the conduct rules is differentiated, in terms of contents and modalities of supply, depending on the qualification of the addressees, the risk level of the area in which they operate, and whether or not they have representation functions of DATAFLOW.

The training of members of the corporate bodies and of subjects endowed with representation powers is carried out through repeated meetings at least triennially. The periodic training activity is carried out while making sure to respect the following minimum contents:

  • Explanation of the prescriptions of the Decree, in particular, the crimes provided and considered of particular relevance with respect to the activities carried out by the Company; the addressees, the normative conditions under which the Company may be considered responsible, as well as the possible exemptions from liability;
  • Examination of the characteristics and purposes of the Model and, in particular, the criteria of conduct to be followed in the performance of sensitive activities in order to avoid the commission of the crimes provided for in the Model;
  • Indication of the addressees, the modalities of dissemination and the principles contained in the Model and in the Ethical Code;
  • Description of the requirements, composition and responsibilities of the Supervisory Body;
  • Indication of the addressees of the system of sanctions and the modalities with which the amount of the sanction to be imposed in case of violation, infringement, imperfect or partial application of the Model is established.

 

The above constitutes a basic training which may be added specific contents, defined case by case according to the need, also with reference to targeted categories of addressees or specific topics of particular relevance. Basic training of the remaining categories of personnel may take place in the classroom or in e-learning modalities, hearing the Supervisory Body and respecting the minimum contents of the basic training mentioned above.

The training of new hires is carried out according to the criteria provided for in the present chapter. Participation in the training activity according to the defined modalities and timing is mandatory: failure to comply with the obligation is susceptible to disciplinary evaluation.

 
10.4 Updating of the Model

Modifications and integrations to the present Model are adopted directly by DATAFLOW, or on proposal of the Supervisory Body. The modifications are decided by the Board of Directors of DATAFLOW.

The Model is promptly modified when there are changes in the regulatory system and the corporate structure, which result in the need to vary the provisions of the Model itself, to maintain its efficiency.

The present Model must also be modified when significant violations or circumventions of the prescriptions are identified, which highlight the inadequacy of the Model adopted to guarantee the effective prevention of risks.

The Model is reviewed periodically by the Supervisory Body, in order to verify its effectiveness, adequacy, maintenance over time of the requirements of effectiveness and functionality.

The Managing Director, with the support of the competent functions, must constantly verify the effectiveness and effectiveness of the procedures and protocols aimed at preventing the commission of crimes. The “Special Part” of the MOGC, in particular, is subject to continuous maintenance by the competent company function.

Registered office:

Via Vittorelli, 3

Bassano del Grappa, 36061, Italy

 

VAT number: 04232280240

REA number: VI-389384

 

Privacy Policy: EN, IT

Compliance: EN, IT

Contact

Business enquires:

[email protected]

Found a vuln? 

[email protected]

Dataflow Security

About
Inventory
Services
Careers
Blog
Events

Dataflow Group

Dataflow Security
Dataflow Forensics

© 2025 Dataflow Security S.r.l, All Rights Reserved

© 2025 DFSEC. All rights reserved.