Whistleblowing Procedure
(In force since December 19, 2024, last update December 19, 2024)
Index
1. Introduction
2. Recipients of the Procedure
3. Object of the Report
4. Content of the Reports
5. Recipient of the Reports (also “Manager of the Reports”)
6. Communication Channels of the Reports
7. Management of Reports
8. Protection of the Reporter’s Confidentiality
9. Prohibition of Discriminatory and Retaliatory Behavior
10. Prohibited Reports
11. Sanctioning System
1. Introduction
Within the “System 231”, to protect the integrity of the company, DATAFLOW SECURITY SRL (hereinafter also “DATAFLOW”) adopts the Whistleblowing procedure (hereinafter also “WB Procedure”) in accordance with Legislative Decree No. 24 of 10 March 2023.
2. Recipients of the Procedure
The Procedure is addressed to:
- shareholders and individuals holding administrative, management, control, supervision, or representation functions within DATAFLOW;
- subordinate employees, former employees, and job applicants;
- volunteers and trainees, whether remunerated or not;
- employees or collaborators of organizations providing goods or services to DATAFLOW;
- consultants and collaborators performing their work activities at DATAFLOW;
- self-employed workers and freelancers, who possess information on violations, as defined in this Procedure, of which they have become aware within their work context.
Additionally, the recipients of the Procedure include natural and legal persons not included in the above categories, but to whom the protection measures provided for in this Procedure apply. What is stated in this document also applies to anonymous reports, provided they are adequately specified, as defined below.
3. Object of the Report
The Whistleblowing procedure enables the timely reporting of:
- any illegal conduct relevant to Legislative Decree No. 231/2001;
- any violation of the Organizational, Management, and Control Model adopted by the Company, of which the Ethical Code is an integral part;
- any violation of procedures and company regulations adopted by DATAFLOW;
- any active or passive behavior related to the work context that may harm public interest, the integrity, or the reputation of the Company, of which knowledge is acquired in relation to the functions performed (hereinafter also “Reports”).
4. Content of the Reports
Reports must be adequately specified, based on factual elements, precise, and consistent, as they must be useful for verifying, through appropriate checks, the facts reported. It is not necessary for the Reporter to have sufficient evidence to demonstrate the fact reported.
A well-prepared, specified, and detailed Report can be managed without further involvement of the Reporter.
The Report must therefore contain all the necessary elements to ensure the collection of what is indispensable for reconstructing the fact and for verifying the grounds of what is reported. Specifically, the Report must contain the following elements:
- a description of the facts subject to the report, including, if known, the circumstances of time and place in which the facts reported were committed;
- if known, identification elements (such as function/role within the company) that allow for easy identification of the presumed perpetrator of the illegal behavior.
The Reporter may indicate the following additional elements:
- any other individuals who may report on the facts;
- further information/documents in support of the Report.
For a Report to be specified, these requirements do not necessarily have to be respected simultaneously, considering that the Reporter may not have all the requested information at their disposal. Reports cannot concern mere suspicions or news merely reported by third parties or any other information that does not have factual elements or supporting documents. In any case, it is not necessary for the Reporter to be certain of the actual occurrence of the reported facts and the perpetrator, but it is sufficient that, in good faith or on the basis of a reasonable conviction based on factual elements and specified circumstances, they consider it highly probable.
5. Recipient of the Reports (also “Manager of the Reports”)
The Supervisory Body is the recipient of the Reports referred to in point 3. All members of the Supervisory Body have the power to manage the Reports. The communication channels of the Reports, as described in the following paragraph, ensure the traceability of the activity carried out by each individual member of the Supervisory Body as recipient of the Reports. The recipient of the Reports, appointed by the Board of Directors, oversees the training of employees and collaborators on the topic of Whistleblowing.
6. Communication Channels of the Reports
DATAFLOW activates and maintains the following internal communication channels (hereinafter also referred to as “Receiving Channels”) towards the recipient of the Reports:
i. in writing, through the electronic platform “My Whistleblowing” accessible from the dedicated page on its own website. The system ensures the complete confidentiality of the data of the Reporter and the Report, separating the content of the Report from the identity of the Reporter and encrypting the data and documents inserted;
ii. orally, through a voice message that can be recorded by accessing the electronic platform “My Whistleblowing”; the system ensures the confidentiality of the identity of the Reporter, as above. In addition, the voice message, which must have a maximum duration of 5 minutes, will be processed by the system so that the recorded voice is transformed and its features altered, making it unrecognizable;
iii. orally, through a direct meeting with the recipient of the Report upon request of the Reporter; such request must preferably be transmitted through the above-mentioned channel. The meeting is set within a reasonable term (10/15 days). In this case, with the Reporter’s consent, the conversation is documented either by recording it on a device suitable for storage and playback or in written minutes, which the Reporter can verify and/or correct and must confirm by signature.
The receiving channels ensure the confidentiality of the identity of the Reporter, the people involved, the facilitators (1), and the people mentioned in the Report, as well as the content of the Report and the related documentation.
The electronic channel allows for anonymous Reports and ensures the anonymization of the data (encryption technique). It is understood that anyone receiving a Report, in any form (oral or written), must transmit it without delay (2), and in any case within 7 days from its receipt to the recipient of the Reports through the internal reporting channels described above, informing the Reporter of this.
In this case, it is necessary for the Reporter to explicitly state their intention to benefit from the protections related to Whistleblowing, or for such intention to be inferable from the Report; otherwise, the latter will be treated as an ordinary Report.
Failure to communicate a received Report within the aforementioned terms constitutes a violation of the Procedure and may result in disciplinary measures.
(1) These are the people who work in the same work context as the Reporter and assist the Reporter in the reporting process.
(2) They must also transmit the original of the Report, including any supporting documentation, as well as evidence of the communication to the Reporter of the Report’s submission. They cannot retain a copy of the original and must delete any copies, even in digital format, and refrain from taking any autonomous initiative for analysis and/or investigation.
7. Management of Reports
The recipient of the Reports carries out the following activities:
a) notifies the Reporter of the receipt of the Report no later than 7 days from the date of receipt;
b) maintains communication with the Reporter and may request additional information if necessary;
c) diligently follows up on the Reports received;
d) provides feedback on the Report within 3 months from the date of the receipt notice or, in the absence of such notice, within 3 months from the expiration of the 7-day term from the submission of the Report.
7.1. Tasks of the person receiving the Report
Once the Report is received, its management is articulated in three phases:
a) protocol and custody;
b) investigation and communication of the results;
c) archiving.
7.1.1. Protocol and custody
In the case of a Report submitted through “My Whistleblowing,” the electronic platform will provide a complete and confidential protocol in accordance with the relevant regulations. In the case of communications received through the other modalities provided for in the procedure (modality iii, paragraph 6), the recipient of the Report will promptly insert the Report into the platform, reporting:
- the Reporter’s identification data;
- the date of receipt;
- the channel used for receipt.
The recipient of the Reports updates the platform, which serves as the “Register of Reports,” with the indication of the processing status of the practice.
7.1.2. Investigation and communication of the results
The recipient of the Report performs an initial screening of admissibility, as it is important to distinguish a Report that meets certain subjective criteria (from “Recipients of the Whistleblowing Procedure”) and objective criteria (as identified in paragraph 3) from a mere complaint. The recipient of the Report will evaluate:
a. whether the subject of the Report has already been evaluated in the past by the organization or by the competent authority, or whether it can be classified as a mere complaint;
b. whether the Report contains sufficient elements to be verified or whether it is too generic and lacks the necessary elements for a subsequent investigation.
7.1.2.1. “Irrelevant” Report
If the recipient of the Report evaluates the Report as a mere complaint, or if the recipient verifies that the subject of the Report has already been found to be valid in the past by the organization or by the competent authority, the recipient will proceed to archive the Report, informing the Reporter. The recipient of the Report will record this in the “Register of Reports” (through the “My Whistleblowing” platform) and will transmit the Report to the competent internal functions for its treatment.
7.1.2.2. “Insufficient” Report
If the recipient of the Report evaluates the Report as too generic and requires additional elements for the investigation, the recipient must contact the Reporter, while protecting the Reporter’s identity. If no additional elements are provided or if insufficient elements are provided for the investigation, the recipient will evaluate any underlying reasons, if indicated, and will proceed to verify the possibility of obtaining the necessary information by contacting the other subjects involved in the Report.
Based on the results of these additional investigations, the recipient of the Reports will reclassify the Report as a “Relevant” Report, to be treated in accordance with the following paragraph, or, otherwise, will proceed to archive it. As above, these evaluations will be recorded in the “Register of Reports.”
7.1.2.3. “Relevant” Report
For “Relevant” Reports, which are sufficiently detailed and relevant to allow the initiation of verification investigations, the recipient of the Reports will carry out the necessary internal checks, including involving other internal functions, to verify the grounds of the facts reported. If deemed necessary, the recipient may avail themselves of external consultants, who are bound to maintain confidentiality regarding the facts they become aware of in the performance of their consulting activities and the identity of the persons involved.
If the Report is found to be “founded,” the recipient of the Reports will promptly and formally notify the alleged violator of the violations reported, who may, within 30 days from receipt of the notification, request to be heard or submit written observations and documents.
Following the checks, the recipient of the Reports will prepare a specific report for the Board of Directors, formalizing the context, the relevant legal and procedural framework, the verification activities carried out, the results emerging, the documents, and/or other elements proving the illegal conduct or violation committed. The Board of Directors will take the necessary decisions.
If, instead, from the analysis carried out the Report, if not anonymous, is found to be unfounded and reasonably made with gross fault or bad faith by the Reporter, the recipient of the Report will activate the competent internal functions to initiate disciplinary proceedings against the Reporter. In this case, the recipient of the Report will notify the alleged violator of this, to allow them to exercise their right to defense.
In all these cases, it is necessary to record the activity carried out.
In the case of Reports concerning members of the Board of Directors, the recipient of the Reports will immediately notify the supervisory body, as defined in the General Part of the MOGC 231 adopted by the Company.
7.1.3. Archiving
The recipient of the Reports will proceed with the archiving of all related documentation, in a way that protects the Reporter’s identity and in a manner that prevents access by third parties to the information and documents. DATAFLOW’s privacy compliance activity has implemented specific safeguards to protect the Reporter’s data and the activities of analysis and processing of the Report in the event of any access, for work-related purposes (system administrators, authorized by the data controller, etc.) to the aforementioned documents, information, or computer systems. Reports are kept for the time necessary for the treatment of the Report and in any case not exceeding 5 years from the date of communication of the final outcome of the reporting procedure. Personal data that are manifestly not useful for the treatment of a specific Report are not collected or, if collected accidentally, are deleted promptly. The originals of Reports submitted through the modalities of paragraph 6, number iii, as well as any other paper documents, are stored in a protected environment (locked cabinets), under the responsibility of the recipient of the Reports, in accordance with modalities that preclude access by third parties.
8. Protection of the Reporter’s Confidentiality
The internal reporting channels ensure the confidentiality of the Reporter’s identity in the activities of managing Reports (starting from the receipt of the Report, and in all phases of the process).
The use of the electronic platform “My Whistleblowing” ensures the complete confidentiality of the Reporter, as only the recipient of the Reports can access the Report itself.
In the case of Reports submitted through other modalities, the recipient of the Reports, upon receipt of the Report, will load it into the platform.
Anyone receiving a Relevant Report is required to maintain the confidentiality of the Reporter’s identity, as well as the identities of the facilitators, the people involved, and/or mentioned in the Report, the content of the Report, and the related documentation.
The protection of the Reporter is extended to the following cases:
- when the legal relationship has not yet begun, if the information on the violations was acquired during the selection process or in other pre-contractual phases;
- during the trial period;
- after the termination of the relationship, if the information on the violations was acquired during the relationship itself.
The protection measures also apply to facilitators and other persons involved and/or mentioned in the Report.
Any legal obligations regarding communications to the Authorities are excluded.
The Reporter’s identity and any other information that may be inferred, directly or indirectly, from such information cannot be disclosed, without the explicit consent of the Reporter, to persons other than those competent to receive or follow up on the Reports, expressly authorized to process such data in accordance with Regulation (EU) 2016/679 and Legislative Decree 30 June 2003, n. 196 (Italian Data Protection Code).
Within the disciplinary procedure, the Reporter’s identity cannot be disclosed if the disciplinary charge notification is based on separate and additional findings compared to the Report, even if consequent to the same.
If the notification is based, in whole or in part, on the Report, and the knowledge of the Reporter’s identity is indispensable for the defense of the accused, the Report will only be usable for the disciplinary procedure with the explicit consent of the Reporter to the disclosure of their identity. Moreover, the Reporter’s confidentiality may not be respected in the following cases:
- the Reporter gives their explicit consent to the disclosure of their identity;
- it is established by a first-instance judgment that the Reporter is guilty of criminal offenses of calumny or defamation or, in any case, of crimes committed with the Report, or their civil liability for the same title, in cases of gross fault or serious negligence;
- anonymity is not opposable by law, and the Reporter’s identity is requested by the Judicial Authority.
The violation of the obligation of confidentiality is a disciplinary offense, subject to further forms of liability provided for by the applicable regulations. The Reporter is indemnified from discriminatory or retaliatory acts, direct or indirect, related to the Report. Regarding this, reference is made to paragraph 9.
9. Prohibition of Discriminatory and Retaliatory Behavior Against the Reporter
No form of retaliation or discriminatory action, direct or indirect, affecting the Reporter’s working conditions for reasons related, directly or indirectly, to the Report is allowed or tolerated. In particular, the law provides for the nullity of the retaliatory or discriminatory dismissal of the Reporter, the change of duties in accordance with Article 2103 of the Italian Civil Code (demotion, unjustified transfer, etc.), as well as any other retaliatory or discriminatory measure adopted against the Reporter (mobbing, workplace harassment, any other behavior that determines intolerable working conditions).
The recipient of the Reports ensures the observance of the prohibition of “retaliatory or discriminatory actions, direct or indirect, affecting the Reporter’s working conditions for reasons related, directly or indirectly, to the Report.”
The violation of the aforementioned prohibition is disciplinarily sanctionable in accordance with the Company’s Disciplinary System adopted within the Organizational, Management, and Control Model. The power of sanction remains with the competent authorities as provided by the regulations. The protection is also guaranteed to the anonymous Reporter, who believes they have suffered retaliation and has been subsequently identified.
The protection measures apply within the limits and conditions provided for by Chapter III of Legislative Decree No. 24/2023 and are extended to:
- facilitators;
- persons from the same work context as the Reporter, who are linked to them by a stable affective or familial bond within the fourth degree;
- the Reporter’s colleagues who work in the same work context and who have a regular and current relationship with them;
- entities owned by the Reporter or for which they work, as well as entities operating in the same work context of the Reporter.
10. Prohibited Reports
DATAFLOW does not allow this procedure for reporting illicit acts and violations to be used as a means of venting disputes or conflicts between the organization’s personnel. In particular, the following are prohibited:
- submitting Reports with purely defamatory or calumnious purposes;
- using insulting expressions;
- submitting Reports that relate exclusively to private aspects, without any direct or indirect connection with the company’s activity.
DATAFLOW will consider these Reports even more serious when related to sexual habits, religious, political, and philosophical orientations.
11. Sanctioning System
The following constitute disciplinary offenses, punishable with the measures provided for by the Company’s Disciplinary System adopted within the Organizational, Management, and Control Model, to which reference is made:
a. violation of the protection measures for the Reporter (who acted in good faith by making the Report) and other persons mentioned in paragraph 9, such as the adoption of retaliatory or discriminatory acts for reasons related, directly or indirectly, to the Report;
b. violation of confidentiality obligations;
c. prohibited Reports, as anticipated in the previous point;
d. submitting Reports with gross fault or serious negligence, which are found to be unfounded;
e. failure to communicate to the recipient of the Reports a received Report, within the terms indicated in this procedure.
In the case of the recipient of the Reports (or a member thereof), together with the case of failure to verify the information reported by the Reporter, the Company may decide to impose sanctions. It is understood that any violation of this procedure will be sanctioned in proportion to its gravity and in accordance with applicable laws, contractual provisions, and company regulations in force.