Procedure for reporting crimes and irregularities

Legislative decree 10 March 2023, n. 24 (hereinafter also "Decree"), published in the Official Journal of 15 March 2023, transposed into Italian law the EU Directive 2019/1937 concerning "the protection of persons who report violations of Union law" (so-called regulation whistleblowing).


The expression whistleblower refers to the natural person, among those indicated below, who reports violations or irregularities committed in the work context and detrimental to the public interest or the integrity of the entity.

Reports can be made by:

• employees of Kocca S.r.l., in any contractual form (permanent or non-permanent, manager, middle management and employee);

• self-employed workers, collaborators and external consultants;

• volunteers or interns, paid or unpaid;

• people with administrative, management, control, supervisory or representation functions;

• employees and collaborators of companies that carry out work or provide services to the Company Kocca S.r.l.

The reports may concern violations of national or European Union regulatory provisions which damage the integrity of KOCCA S.r.l. (hereinafter, also KOCCA), of which the reporter became aware in the working context of the Company.

In detail, violations are behaviors, acts or omissions, which consist of:
• offenses committed in violation of EU legislation - indicated in Annex 1 to Legislative Decree no. 24 of 2023 - relating to the following sectors: public procurement; financial services, products and markets and prevention of money laundering and terrorist financing; product safety and compliance; transport safety; environmental Protection; radiation protection and nuclear safety; food and feed safety and animal health and welfare; public health; consumer protection; protection of privacy and protection of personal data and security of networks and information systems;
• acts or omissions detrimental to the financial interests of the EU (Article 325 TFEU, fight against fraud and illegal activities detrimental to the financial interests of the EU) as identified in the regulations, directives, decisions, recommendations and opinions of the EU;
• acts or omissions concerning the internal market, which compromise the free movement of goods, people, services and capital (art. 26, paragraph 2, TFEU); This includes infringements of EU competition and state aid rules, corporate tax rules and schemes the aim of which is to obtain a tax advantage which defeats the object or purpose of the applicable corporate tax law. .

The reports relating to the matters indicated above may also concern well-founded suspicions regarding violations committed or which, based on concrete elements, could be committed in KOCCA, as well as elements regarding conduct aimed at concealing such violations.

The whistleblower must provide all the useful elements to allow the person responsible for managing the report, i.e. the Report Manager (identified as the Head of the Human Resources Office of KOCCA), to proceed with the necessary and appropriate checks and investigations to confirm the validity of the facts being reported.

To make a report, a template in editable format is available at the following link.

It is therefore essential that the report contains at least the following elements:
• a clear and complete description of the facts being reported, with express indication that the report refers to KOCCA;
• the indication of any documents that can confirm the validity of such facts;
• if known, the circumstances of time and place in which the reported facts were committed;
• if known, the personal details or other elements (such as the qualification and the service in which the activity is carried out) that allow the person involved to be identified;
• any other information that can provide useful feedback regarding the existence of the facts reported.

Reports from which it is not possible to obtain the identity of the reporter are considered anonymous and, if detailed, are treated as ordinary reports, i.e. managed according to the procedures already adopted in the Company.
The anonymous report can be taken into account when it is adequately detailed and, in any case, such as to bring out facts and situations relating to specific contexts (for example, indications of specific offices/areas, procedures or particular events).

The reporting party can resort to:
• internal reporting: written or oral communication of information on violations using the channels referred to in paragraph 4.1;
• external reporting: written or oral communication of information on violations using the channel referred to in paragraph 4.2;
• public disclosure, with the methods described in paragraph 4.3.
In any case, the possibility remains for the whistleblower to report violations to the judicial authorities.

The channels for internal reporting are as follows:

Written comunication
• By ordinary mail to be sent to the following address: KOCCA Interporto di Nola-lotto C/2 n°1/5. - Nola.
In order to allow confidential registration, the report can be received via the postal service or manually; to guarantee the confidentiality of the communication, it is necessary that the report is inserted in a double sealed envelope, including, in the first, the identifying data of the person making the report, together with an identity document; in the second, the subject of the report; both envelopes must then be inserted into a third envelope with the words "Reserved for the Whistleblowing Report Manager" on the outside.

Oral communication
• Through direct meeting:
The Reporter, upon request, may request to have a direct meeting with the Reporting Manager.
Therefore, the whistleblower - even through an initial telephone contact on the telephone line indicated on the KOCCA website - without providing identification data, must specify that he/she wishes to make a whistleblowing report - and, when contacted with the Reporting Manager, can request to set a meeting in person. During the meeting, the report is collected by the Reports Manager, through the drafting of a specific report signed by the Reports Manager and the reporting party.

The reporting party can make an external report to the ANAC if, at the time of its submission, one of the following conditions occurs:
• the reporting party has already made an internal report and it has not been followed up on;
• the whistleblower has reasonable grounds to believe that, if he/she made an internal report, it would not be followed up effectively or that the same report could lead to the risk of retaliation;
• the reporting party has reasonable grounds to believe that the violation may constitute an imminent or obvious danger to the public interest.

The whistleblower may make a public disclosure, placing information on violations in the public domain through the press or electronic means or in any case through means of dissemination capable of reaching a large number of people if, at the time of its presentation, one of the following conditions occurs:
• the reporting party has previously made an internal and external report or has directly made an external report, and no response has been given within the established deadlines;
• the reporting party has reasonable grounds to believe that the violation may constitute an imminent or obvious danger to the public interest;
• the whistleblower has reasonable grounds to believe that the external report may involve the risk of retaliation or may not have an effective follow-up due to the specific circumstances of the specific case, such as those in which evidence may be hidden or destroyed or in which there is well-founded fear that the person receiving the report may be colluding with the perpetrator of the violation or involved in the violation itself.

With specific reference to internal reporting, the management and verification of the validity of the circumstances represented in the report are entrusted to the Head of the Human Resources Office (Reports Manager) who, in compliance with the principles of impartiality and confidentiality, carries out all investigative activities deemed appropriate, including the personal hearing of the whistleblower and any other subjects who may report on the facts reported.
To this end, the Reporting Manager may avail itself of the support of other organizational units/company areas and/or external consultants to examine matters that do not fall within its competence.
At the end of the investigation, the Channel Manager provides a final response to the report, declaring its unfoundedness or validity, and giving an account of the measures envisaged or adopted or to be adopted to follow up on the report and the reasons for the choice made.
The investigation must end within 90 (ninety) days, starting from the date of the acknowledgment of receipt or, in the absence of such notice, within three months of the expiry of the seven-day period from the submission of the report.

Internal reports and the related documentation are kept for the time necessary to process the report and in any case no later than five years from the date of communication of the final outcome of the reporting procedure, in compliance with the confidentiality obligations indicated below.

A) Confidentiality obligations
The Reporting Manager who receives and processes the report must guarantee at every stage of the reporting process the confidentiality not only of the reporting person and, where present, of the facilitator (intended as the person who assists the reporting person in the reporting process), but also of the other subjects possibly involved in the report (e.g. the person reported as well as the people mentioned in the report).
As part of the disciplinary proceedings, the identity of the reporting person:
• cannot be revealed where the dispute of the disciplinary charge is based on investigations that are distinct and additional to the report, even if consequent thereto;
• can be revealed where the disciplinary complaint is based, in whole or in part, on the report and knowledge of the identity is essential for the defense of the accused subject to (i) written communication to the reporting person of the reasons for the disclosure of the confidential data and subject to (ii) express consent of the reporting person; the Reporting Manager will acquire the reporting party's consent to reveal the identity. If the reporting person objects, the report cannot be used in the disciplinary proceedings which, therefore, cannot be started or continued in the absence of further elements on which to base the dispute.

B) Prohibition of discrimination
Any form of retaliation or discriminatory measure, direct or indirect, having effects on working conditions for reasons directly or indirectly linked to the report is not permitted or tolerated against the person who makes a report.
Acts taken in violation of the prohibition on retaliation are void.

The protection referred to in this point also applies to the following subjects:
• the natural person who assists the reporter in the reporting process (so-called facilitator);
• to people from the same working context as the reporting person who are linked by a stable emotional or kinship bond within the fourth degree;
• to the whistleblower's work colleagues, who work in the same work context and who have a usual and current relationship with said person;
• to entities owned by the reporting party or for which the reporting party works, as well as to entities that operate in the same working context as the aforementioned persons.

C) Limitation of Liability
A further form of protection concerns the exemption from liability for the reporter in the event of:
• revelations of information covered by the obligation of secrecy, therefore excluding the integration of the crimes of "revelation and use of official secrecy" (art. 326 c.p.), "revelation of professional secrecy" (art. 622 c.p.), " revelation of scientific and industrial secrets” (art. 623 c.p.) and “violation of the duty of fidelity and loyalty” (art. 2105 c.c.);
• violation of copyright protection;
• violation of personal data protection;
• revelation or dissemination of information about violations that offend the reputation of the person involved.
At the time of disclosure or dissemination, the whistleblower must, however, have reasonable grounds to believe that the information is necessary to discover the violation and not act for further and different reasons (for example, vindictive, opportunistic or scandalous purposes);

Violation of the provisions contained in the Decree and described in the previous paragraphs may activate the sanctioning procedure; in particular, the following cases and/or behaviors are subject to sanctions:
(i) the person making the report who has made reports with malice or gross negligence or which turn out to be false, unfounded, with defamatory content or in any case made for the sole purpose of damaging the Company, the person reported or other subjects affected by the report;
(ii) the person who violated the confidentiality of the reporter;
(iii) the person who has been responsible for acts of retaliation;
(iv) the person who obstructed or attempted to obstruct the report.

Information pursuant to art. 13 of the European Regulation (EU) 679/2016.
KOCCA S.r.l., Data Controller of personal data, pursuant to art. 13 of the European Regulation (EU) 679/2016, will process the personal data of the reporter and of the other subjects indicated in the report or who have contributed to the formalization of the report exclusively to carry out the procedure for acquiring and managing the reports, pursuant to the Legislative Decree n. 10 March 2023 n.24 containing provisions regarding the protection of people who report violations of national regulatory provisions (so-called Whistleblowing Decree).

The data contained in the reports of conduct carried out in violation of regulatory provisions are processed by the KOCCA Reports Manager, identified as the Human Resources Manager, in carrying out the tasks entrusted to him by law, with particular reference to the necessary activities aimed at verifying admissibility of the report and the validity of the fact being reported and the adoption of the consequent measures pursuant to Legislative Decree. 10 March 2023 n. 24.
The legal basis of the processing is represented
- the need to fulfill the obligations imposed by the legislation on whistleblowing, and in particular by Legislative Decree no. 10 March 2023. 24 (art. 6, par. 1, letter c), art. 9 par. 2, letter. b) and g) as well as art. 10 of EU Regulation 2016/679 (GDPR),
- from the legitimate interest of the Data Controller to defend his rights and/or interests in any competent forum and to combat illicit, fraudulent or irregular behavior within the scope of company activities, also by activating any disciplinary and judicial actions.
Consent to the processing of data is not necessary when activating the reporting procedure, but, during disciplinary proceedings, where it is necessary to reveal the identity of the reporting person as it is indispensable for the defense of the accused, we will proceed to request the reporter's express and specific consent to the disclosure of their data. Consent will be optional and can be freely revoked at any time, but in the absence of said consent, the report cannot be used in disciplinary proceedings which, therefore, cannot be started or continued in the absence of further elements on which to base the dispute.

The information managed may concern common personal data (e.g. personal data, contact data, data relating to the interested party's work activity, other data contained in the report and/or documentation attached or collected during the report management process, etc. ) and, to the extent strictly necessary to pursue the processing purpose described below, personal data belonging to particular categories referred to in art. 9 of the GDPR (e.g. data relating to health, trade union membership, data suitable for revealing racial origin, political opinions, religious or philosophical beliefs of the interested party, etc.) or data relating to criminal convictions and crimes referred to in art. . 10 of the GDPR.
The provision of data by reporting is optional, but without them the Company may not be able to receive and manage the report in the manner required by law. The identity of the whistleblower, in any case, will be protected from the moment the report is received and in every subsequent phase.
The processing of personal data will take place with the support of paper and IT means, in order to guarantee its security and confidentiality, in compliance with the provisions of the law and the provisions contained in the ANAC (National Anti-Corruption Authority) Guidelines.
The information collected from the reports, where necessary for the purposes of the overall analysis of the investigation, can be processed by subjects (internal and external) who can be called upon to support the Reports Manager in managing the report.
Following the report, the data may be communicated, where necessary, to the Ordinary Judicial Authority, to the ANAC. In addition to this, the personal data provided by the reporter are not subject to communication or dissemination.

The data provided in the report and the related documentation are stored and protected by suitable security measures for the time necessary to process the Report and in any case no later than five years from the closure of the report, unless it is necessary to continue processing for the time further necessary to comply with legal provisions and/or for judicial protection purposes.
The reporting party and the other subjects indicated in the report or who have contributed to the formalization of the report, as interested parties, can exercise the following rights by contacting KOCCA S.r.l. at the Nola headquarters, Nola Interport - lot C/2 n°1/5:
• Right of access: they have the right to obtain confirmation as to the existence or otherwise of processing concerning their data, as well as the right to receive any information relating to the same processing;
• Right to rectification: they have the right to obtain rectification of their data, if the same is incomplete or inaccurate;
• Right to cancellation: they have the right to obtain the cancellation of their data present in the archives, within the limits of the provisions of the art. 17 of the GDPR;
• Right to limitation of processing: they have the right to obtain the limitation of processing concerning their data within the limits of the provisions of the art. 18 of the GDPR;
• Right to object: they have the right to object to the processing of their data;
• Right to lodge a complaint with the Supervisory Authority: if they deem it necessary, they have the right to lodge a complaint with the Guarantor, in the event that the Company refuses to satisfy their requests.
Pursuant to the aforementioned art. 2-undecies of Legislative Decree 196/2003, the above-mentioned rights cannot be exercised with a request to the Company or with a complaint, when the exercise of such rights could result in an effective and concrete prejudice to the confidentiality of the identity of the person reporting.