Whistleblowing Procedure

The purpose of this Procedure is to regulate the process of receiving, analysing and managing reports (so-called Whistleblowing) on adequately substantiated information of which the whistleblower has become aware in the context of his/her work context regarding violations, referable to the staff of BetaGlue Therapeutics SpA (hereinafter also “BetaGlue” or “the Company”) and/or third parties, national or European Union regulatory provisions that harm the public interest or integrity of BetaGlue, as well as violations of the Code of Ethics, the 231 Organizational Model and the Corporate Governance system.

The procedure also regulates the process of archiving and subsequent deletion of both reports and related documentation, in the manner indicated in this document.

The procedure is also aimed at implementing Legislative Decree no. 24 of 10 March 2023, published in the Official Gazette on 16.03.2023, transposing Directive (EU) 2019/1937 on “the protection of persons who report breaches of EU law” (the so-called Whistleblowing rules).

BetaGlue adopts the measures deemed most appropriate to facilitate the timely reporting of violations of the Model, the procedures established for its implementation and the Code of Ethics, inspired by the principles and requirements set out in the aforementioned Legislative Decree no. 24/2023

Reports relating to the following are excluded:

• commercial complaints or other regarding the quality of the services/products sold or purchased by BetaGlue for which reference should be made to the appropriate contact channels;
• security incidents affecting human resources, tangible and intangible resources (such as, for example, software malfunctions, failures in the company network, loss or accidental destruction of documents, ICT security incidents, theft);
• requests to exercise personal data protection rights against the Company (so-called privacy rights), pursuant to Regulation (EU) No. 2016/679 (General Data Protection Regulation – GDPR) and Legislative Decree No. 196 of 30 June 2003 (Personal Data Protection Code) and Legislative Decree No. 101 of 10 August 2018 and subsequent amendments and additions;
• disputes, claims or requests related to a personal interest of the whistleblower, which relate exclusively to the discipline of the employment contract or to connections with hierarchically superior figures, unless they are related to or referable to the violation of internal rules or rules/procedures;
• violations in the field of national security, as well as procurement relating to defence or national security aspects, unless these aspects fall within the relevant secondary legislation of the European Union;
• violations that are compulsorily regulated by European Union or national acts, as indicated in Article 1, paragraph 2, letter b) of Legislative Decree 24/2023 (on financial services, products and markets and prevention of money laundering and terrorist financing, transport safety and environmental protection);
• facts or circumstances falling within the scope of national or European Union provisions on classified information, forensic or medical secrecy and the secrecy of court decisions, or falling within the scope of national provisions on criminal procedure, the autonomy and independence of the judiciary, the provisions on the functions and powers of the Superior Council of the Judiciary, in matters of national defence and public order and security, as well as in the exercise and protection of the right of workers to consult their representatives or trade unions.

Reports falling within the above categories will not be processed in accordance with this Procedure and will be forwarded to the competent internal structures.

All reports must be as detailed and factual as possible; as a general rule, and by way of example and not limited to, the reports must indicate: a) the circumstances of time and place in which the event that is the subject of the report occurred; (b) a description of the fact; (c) personal details or other elements that make it possible to identify the person to whom the facts reported are to be attributed. The Company is not required to handle reports that are based on mere rumours or suspicions or that are so general that an investigation cannot be initiated.

The forwarding of the following reports is sanctioned:

• reports made for the sole purpose of retaliation or intimidation or unfounded reports made with intent or gross negligence;
• any communication that proves to be unsubstantiated on the basis of objective elements, with the sole purpose of causing unfair harm to the person reported;
• reports containing insulting expressions or with defamatory, libelous, or discriminatory purposes.

The recipients of the Procedure are:

• the members of the corporate bodies and the Supervisory Body of BetaGlue;
• employees of BetaGlue (hereinafter referred to as Personnel),
• partners, suppliers in general (including under contracting/subcontracting), self- employed workers or holders of coordinated and continuous or occasional collaboration contract, freelancers, consultants, scholarship holders and trainees (paid or unpaid), who carry out their work at BetaGlue, or anyone who has a legitimate interest in the company’s activity (hereinafter Third Parties),

who are in possession of information on violations referable to the members of the corporate bodies and the Supervisory Body of BetaGlue, to BetaGlue’s Personnel and/or to Third Parties, violations as defined above in this Procedure.

The report must concern the communication, written or oral, of information referring to the Company’s personnel and/or third parties, of which the whistleblower has become aware in the context of his or her work context, regarding violations of national or European Union regulatory provisions that harm the public interest or the integrity of the Company, as well as violations of the Code of Ethics, Model 231 and the system of rules and procedures in force.

With Legislative Decree no. 241 of 10 March 2023 (hereinafter also the “Decree”), at the end of a long regulatory process, Directive (EU) 2019/1937 was implemented, concerning the protection of persons who report breaches of EU law and laying down provisions concerning the protection of persons who report breaches of national legislation (so-called whistleblowing).

This national legislation on whistleblowing, completely repealing the previous discipline, contains, in a single text, a system of rules intended for the public and private sectors aimed at protecting those who report the unlawful conduct of which they have become aware in the workplace that aim to encourage reporting in order to protect the public interest and the integrity of the entity.

The new regulation, between obligations and safeguards, provides for the establishment and regulation of specific reporting procedures (internal and external channels and public disclosure), guaranteeing confidentiality and establishing a specific regime applicable in the event of retaliation.

There is no doubt, therefore, about the impact of this new method of managing reports on the internal control system and on the organizational structures of companies, as well as on the organizational models pursuant to Legislative Decree no. 231/2001. Hereinbelow a description of the regulatory framework underlying this BetaGlue reporting procedure (hereinafter the “Procedure”).

Legislative Decree no. 24 of 10 March 2023, published in the Official Gazette on 16.03.2023, transposing Directive (EU) 2019/1937 on Whistleblowing;

• Legislative Decree no. 231 of 8 June 2001 on the administrative liability of legal persons and subsequent amendments;
• “Guidelines on the protection of persons reporting violations of EU law and protection of persons reporting violations of national regulatory provisions – procedures for the submission and management of external reports” adopted by ANAC with resolution of 12.07.2023;
• “New Whistleblowing Regulations – Operational Guide for Private Entities” published by Confindustria on 27 October 2023;
• GDPR – Regulation (EU) 2016/679;
• Legislative Decree No. 196 of 30 June 2003 (Personal Data Protection Code) and subsequent amendments and additions, including Legislative Decree No. 101 of 10 August 2018, as well as related legislative provisions;
• Law no. 300 of 20 May 1970 (Workers’ Statute) art. 7, Disciplinary sanctions.

With reference to the objective scope, the Decree concerns “violations of national or European Union regulatory provisions that harm the public interest or the integrity of the public administration or private entity, of which they have become aware in a public or private work context”.

The following items remain outside the objective scope:

a) disputes, claims or requests related to a personal interest of the whistleblower or of the person who has filed a complaint with the judicial or accounting authority that relate exclusively to their individual employment or public employment contract, or inherent to their employment or public employment contract with hierarchically superior figures;

b) reports of violations where they are already compulsorily regulated by European Union or national acts (indicated in the annexes to the Directive and the Decree);

c) reports of breaches in the field of national security, as well as of procurement relating to defence or national security aspects, unless such aspects fall within the relevant secondary legislation of the European Union.

The expression “work context” must be understood in a broad sense, considering not only those who have an employment “relationship” in the strict sense with the organization of the public or private sector, but also those who have structured other types of legal connections with public and private entities: what is relevant in any case is the existence of a qualified connection between the whistleblower and the public or private entity in which the former operates, which concerns present or past work or professional activities.

Infringements of national or European Union regulations are defined as conduct, acts or omissions that harm the public interest or the integrity of the public administration or private entity. Reports, complaints, public disclosures can concern both violations and information on violations, therefore:

a) information, including well-founded suspicions, concerning violations already committed or unlawful offences which, although not yet committed, are considered to be committed, on the basis of precise and consistent concrete evidence, in the organisation with which the reporting person or complainant has a legal connection;

b) evidence of conduct intended to conceal such violations.

The violations indicated have been typified by the legislator as pursuant to art. 2, paragraph
1, of Legislative Decree 24 of 2023, reports, complaints and public disclosures may concern:

1. administrative, accounting, civil or criminal offences that do not fall under numbers 3, 4, 5 or 6 of Article 2 paragraph 1 of Legislative Decree 24/2023, therefore not attributable to violations of European Union law;
2. unlawful conduct within the meaning of Legislative Decree 231/2001 or violations of the organisational and management models provided for, not attributable to violations of European Union law;
3. offences falling within the scope of European Union or national acts indicated in the Annex to Legislative Decree 24/2023 or within the scope of national acts implementing the European Union acts indicated in the Annex to EU Directive 2019/1937, although not indicated in an annex to Legislative Decree 24/2023, relating to the following sectors:
   • procurement,
   • Services, products Financial markets and prevention of money laundering and terrorist financing
   • product safety and compliance;
   • transport safety;
   • environmental protection;
   • radiation protection and nuclear safety;
   • food and feed safety and animal health and welfare;
   • public health;
   • consumer protection;
   • protection of privacy and protection of personal data and security of networks and information systems;
4. acts or omissions affecting the financial interests of the Union as referred to in Art. 325 TFEU;
5. acts or omissions concerning the internal market, as referred to in Art. 26(2) TFEU, including infringements of EU competition and State aid rules, as well as infringements of the internal market linked to acts infringing corporate tax rules or mechanisms the purpose of which is to obtain a tax advantage which defeats the object or purpose of the applicable corporate tax legislation;
6. acts or conduct that frustrate the object or purpose of the provisions referred to in the acts of the Union in the sectors indicated in nos. 3, 4, 5 of Article 2, paragraph 1 of Legislative Decree 24/2023.

4.1 Systems of internal reporting

In order to ensure wide and indiscriminate access to all those who wish to make a report concerning facts (of any nature, even merely omissive), which have already occurred or are very likely to happen, referable to BetaGlue, the Company has made the following channels available:

• My Whistleblowing webpage, accessible from the “Whistleblowing” section of the Company’s website, at https://areariservata.mygovernance.it/#!/WB/BETAGLUE-TECHNOLOGIES;
• direct meeting at the Company’s headquarters at the explicit request of the whistleblower.

The aforementioned webpage guarantees maximum protection of the confidentiality of the whistleblower’s identity and the content of the reports, through advanced encryption systems and high levels of IT security. Access to the channel for the management of reports is allowed only to the subjects indicated in this procedure and in accordance with the procedures described therein.

The webpage allows to send reports, in written form, through a guided path that allows to define and substantiate the type of unlawful act that you intend to report.

In the path of forwarding the report, it is possible to attach electronic documents, whose metadata are anonymized by the software in order to make their origin untraceable.

The Company may also consider anonymous reports, if these are adequately circumstantial¹, and made in great detail, i.e. they are such as to bring out facts and situations relating them to specific contexts (e.g.: documentary evidence, indication of names or particular qualifications, mention of specific offices, procedures, or particular events, etc.).

The report – even if it is not anonymous – must be detailed and have the widest possible degree of completeness and exhaustiveness.

In the event of a direct meeting with the whistleblower, the interview, subject to the whistleblower’s consent, is documented by the staff in charge by drawing up a special report, which the whistleblower may verify, rectify, and confirm by signing. The whistleblower is required to provide all available and useful elements to allow the competent parties to proceed with the due and appropriate checks and assessments to verify the validity of the facts reported, such as:

1. a clear and complete description of the facts that are the subject of the report;
2. ii. the circumstances of time and place in which the facts that are the subject of the report were committed;
3. personal details or other elements that make it possible to identify the person(s) who have/have carried out the reported facts (e.g. title, place of employment where the activity is carried out);
4. any documents supporting the report;
5. the indication of any other subjects who may report on the facts being reported;
6. any other information that may provide useful evidence about the existence of the facts reported.

In order for a report to be substantiated, these requirements do not necessarily have to be met at the same time, in view of the fact that the whistleblower may not be fully available to all the required information.

Through the IT channel and therefore through the Software, the whistleblower will be guided in every phase of the report and will be asked, in order to better substantiate the same, a series of fields to be filled in in compliance with the required requirements.

It is essential that the elements indicated are known directly by the whistleblower and not reported or reported by other parties.

1. A report can be considered detailed if it allows the identification of factual elements reasonably sufficient to initiate an investigation (e.g.: the offence committed, the reference period and possibly the value, the causes and purpose of the offence, the company/division concerned, the persons/units involved, the anomaly in the control system).

4.2 Owner of the reporting process

For reports concerning BetaGlue, the person responsible for the management process is the Chief Financial Officer (CFO) of the Company (hereinafter also referred to as the Reporting Manager).

For the management of reports, the CFO may avail himself, at his sole discretion, of the operational support of personnel of the Company’s Management adequately trained in the management of reports who will be obliged to comply with all the guarantees of confidentiality provided for by the law.

If the report concerns the commission of predicate offences referred to in Legislative Decree 231/2001, the CFO will transmit the report to the Supervisory Body, transferring the subsequent management to this body.

In order to ensure maximum protection of confidentiality on the identity of the whistleblower, the reported person, as well as on the content of the report itself, access to and management of the IT reporting system is restricted only to the subjects indicated above.

Where the report relates to:

• the Company’s CFO, the CFO and the support management staff are excluded from the management of the report, which must be addressed to the Company’s registered office by ordinary mail exclusively to the Chairman of the Board of Directors and the Chief Executive Officer, affixing the words “Personal confidential” on the envelope;
• one or more members of the Supervisory Body, the CFO will promptly inform the Board of Directors, which will evaluate whether to entrust the investigation to the Supervisory Body with the exclusion of the person(s) involved or whether to manage it directly;
• one or more members of the Board of Directors, the CFO will inform the Supervisory Body and the Chairman of the Board of Directors without delay in order to assess the most suitable methods for carrying out the investigation. The whistleblower also carries out the in-depth investigations requested by ANAC on reports transmitted through an external channel or on public disclosures.

4.3 Verification on internal reporting

Upon receipt of the report, the Whistleblowing Manager shall provide the whistleblower, within seven days from the date of receipt, with an acknowledgement of receipt of the report.

The Manager must immediately carry out the necessary preliminary investigations, analyse and classify the reports and proceed with any requests for document integration, guaranteeing the confidentiality of the identity of the whistleblower throughout the management phase of the report.

Within three months from the acknowledgment of receipt of the report or, without such a notice, within three months from the expiry of the period of seven days from the submission of the report, the operator shall provide feedback with information on the action that is or intends to be given to the report.

The Manager proceeds with the filing of the news, formalizing the analytical motivation if at the end of the investigation no elements emerge to follow up on the report, where the same is deemed i) generic or insufficiently detailed; (ii) manifestly unfounded; iii) referring to facts and/or circumstances that have been the subject of specific preliminary activities that have already been completed in the past, if the preliminary checks carried out do not reveal any new information that would require further investigations; iv) not verifiable through the analysis tools available.

If, at the end of the investigation, the report is found to be well-founded, the managing body initiates the next phase of investigation.

During the investigation phase following the preliminary investigations, the Whistleblowing Manager may avail himself of the support of competent Departments/Functions/Company subjects or, if and as necessary, of external consultants. It is the responsibility of the operator to inform the Board of Directors, if deemed appropriate – depending on the nature of the alleged violation.

4.4 Preliminary phase and specific investigation

In the event of a report to be investigated, the Manager proceeds with an in-depth analysis of the reported facts, following procedures in accordance with the laws in force and the applicable employment contracts, which include, among other things, the right to analyse the company e-mail (only upon notice) and all documents pertaining to the company’s activities, as well as carrying out interviews with employees and third parties. For this purpose, the Manager may make use of internal (Company Functions/Departments) or external resources, in relation to the necessary skills.

It may also request additions or clarifications from the whistleblower. In addition, it may obtain information from the persons involved in the report, who may also request to be heard or to submit written observations or documents.

In any case, the Company guarantees that as part of internal investigation activities, the processing of personal data, including those of a sensitive or judicial nature, is carried out in full compliance with privacy regulations.

4.5 Outcome of the investigation and subsequent fulfilments

If, as a result of the investigation, the report is found to be well-founded, the Whistleblowing Manager shall indicate the provisions of the Model or the Code of Ethics or any legal provisions that are alleged to have been violated and shall express its assessment of the evidence ascertained, the nature of the violation and its seriousness with respect to the principles and provisions of the Model or the Code of Ethics.

The Manager is in turn required to immediately inform, in accordance with its competence, the Chief Executive Officer and/or the company subjects with the necessary sanctioning and disciplinary powers and authorities.

In addition, it may propose to the competent bodies the disciplinary measure it considers most appropriate, proportionate, and sufficiently dissuasive in order to prevent the recurrence of the infringement.

Closed reports, as they are clearly unfounded, will be evaluated by the Manager with the other competent corporate structures in order to verify whether the report was made for the sole purpose of damaging the reputation or damaging or in any case causing prejudice to the reported person and/or the Company, for the purpose of activating any appropriate initiative against the whistleblower.

4.6 Retention and filing of documentation

The information and any other personal data acquired are processed in compliance with the confidentiality obligations referred to in art. 12 of Legislative Decree 24/2023 and the principle referred to in art. 5, par. 1, lett. e) as well as art. 5 par. 1 letter c) and art. 25 of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and art. 3, par. 1, letter e) of Legislative Decree no. 51 of 2018. Personal data that is clearly not useful for the processing of a specific report is not collected or, if collected accidentally, is deleted immediately.

In order to ensure the management and traceability of reports and consequent activities, the head of the Legal department is responsible for the preparation and updating of all information regarding reports and ensures the archiving of all related supporting documentation for the time strictly necessary for their definition and in any case for no longer than 5 years, from the date of communication of the final outcome of the report. The originals of the reports received in paper form are kept in a special protected environment.

At the end of the investigation and in relation to the several categories of subjects, the holder of disciplinary power, also according to the proposal of the Whistleblowing Manager / Supervisory Body, activates the sanctioning measures provided for in the Disciplinary System referred to in the General Part of the Company’s Organisation, Management and Control Model.

The Whistleblowing Manager shall annually inform the Board of Directors, the Supervisory Body, and the Board of Statutory Auditors in writing on the status of the reports received, with details of any checks carried out and their outcomes, when the periodic reports are issued.

These periodic reports must include the submission of the following documentation:

• a summary table containing the number of reports received, the type of report received (written / oral), the status, the subject, the outcome of the activities carried out and any measures taken;
• any indications regarding the necessary corrective actions on the areas and business processes examined, adopted by the competent management who is informed of the results of the analysis.

In addition, if at the end of the investigation unequivocal elements emerge that indicate the validity and particular seriousness of the subject of the report and/or possible cases of criminal relevance or civil liability, the manager of the reports shall promptly inform the Board of Directors and the Board of Statutory Auditors, to allow any interventions deemed appropriate by the administrative body.

In compliance with current legislation on whistleblowing, in parallel with the internal reports regulated above, the whistleblower may make a report through the external channel managed by the National Anti-Corruption Authority (ANAC), when one of the following conditions is met:

• • the internal system, although mandatory, is not active or does not comply with the provisions of the law;
  • the whistleblower has already made an internal report and the same has not been followed up within the deadlines provided for by the legislation;
  • the whistleblower has reasonable grounds to believe that the Company would not effectively follow up on the internal report or sees a real risk of retaliation in the event of an internal report;
  • the whistleblower has reasonable grounds to believe that the breach may constitute an imminent or obvious danger to the public interest.

It is the responsibility of the whistleblower to assess the recurrence of any of the situations listed above before proceeding with the making of an external report.

External reports are made by the whistleblower directly to ANAC through the channels specifically made available by the Authority on the institutional website accessible at the following link: www.anticorruzione.it.

Finally, the whistleblower has the right to make public information on relevant violations pursuant to this Procedure, through the press or electronic means or in any case through means of dissemination capable of reaching a large number of people, provided that:

• • has previously made, without success, an internal or external report;
  • has reasonable grounds to believe that the infringement may constitute an imminent or obvious danger to the public interest;
  • has reasonable grounds to believe that the external report may entail a risk of retaliation or may not be effectively followed up due to the specific circumstances of the case.

8.1 Protection of the identity of the whistleblower

All the Company’s staff involved in the management of reports are required to guarantee the confidentiality of the identity of the whistleblower, of the persons involved and/or otherwise mentioned in the report, of the content of the report and of the related documentation, also in accordance with the regulations on privacy (EU Regulation 2016/679 – GDPR).

Confidentiality is also guaranteed to those who report before the beginning or after the termination of the employment contract, or during the probationary period, if such information has been acquired in the context of the work or in the selective or pre-contractual phase.

The protection of the anonymity of the whistleblower operates exclusively in cases of reporting
made in the absence of bad faith or gross negligence.

In the context of disciplinary proceedings, if the complaint is based, in whole or in part, on the report and knowledge of the identity of the whistleblower is essential for the defence of the accused, the report can be used for the purposes of disciplinary proceedings only in the presence of the whistleblower’s express consent to the disclosure of his/her identity.

In any case, the protection of the whistleblower is lost in cases in which the Judicial Authority has ascertained, in criminal proceedings, a liability for the crimes of slander, defamation or other crimes committed through the report, or a civil liability, for the same reason, in cases of wilful misconduct and gross negligence, as well as in other cases in which anonymity is not enforceable by law (e.g. criminal investigations, tax or administrative matters, inspections by control bodies).

The disclosure of the identity of the reporting person and of any other information or element of the report from the disclosure of which the identity of the whistleblower can be inferred directly or indirectly is permitted only if this represents a necessary and proportionate obligation imposed by law, in the context of investigations by national authorities or judicial proceedings, including in order to safeguard the right of defence of the person concerned. In such cases, the whistleblower shall be notified in writing of the reasons for the disclosure of confidential data.

Violation of the obligation of confidentiality, subject to the exceptions mentioned above, may result in the imposition of administrative fines by ANAC as well as the adoption of sanctioning and disciplinary measures by the Company.

8.2 Protection of the reported person and responsibility of the whistleblower

One of the objectives of this Procedure is to protect the reported person from any abuse of the reporting tools made available by the Company (e.g. unfounded reports sent with intent or gross negligence).

The Company discourages and deplores any form of abuse of this Procedure and the use of reports for purposes other than those described herein, committing itself to adopt (pursuant to Article 16, paragraph 3, Legislative Decree 24/2023) appropriate sanctioning and disciplinary measures against those who make reports with intent or gross negligence that prove to be unfounded, manifestly opportunistic and/or made for the sole purpose of harming the complainant or other subjects.

This Procedure therefore does not affect the criminal liability of the whistleblower in the event of a report made in bad faith or with gross negligence, as well as the obligation to compensate (pursuant to Article 2043 of the Civil Code) for any damage caused by the aforementioned unlawful conduct.

It is a disciplinary offence, sanctioned under the current sanctioning system, to voluntarily report facts that are known to be false or manifestly unfounded or that are not known to have been committed by the person reported.

The Company reserves the right to take any action, including non-disciplinary action, against anyone who makes untruthful reports with intent or gross negligence or aimed at damaging the Company, the Corporate Bodies, or its staff.

8.3 Protective measures

The Company prohibits any act of retaliation or discrimination, direct or indirect, against the whistleblower for reasons related, directly or indirectly, to the report, even if the report proves to be unfounded on the merits.

The protection measures apply within the limits and under the conditions set out in Chapter III of Legislative Decree 24/2023 and are also extended to:

• facilitators, persons in the same working context as the whistleblower who are linked to him by a stable emotional or family bond within the fourth degree, the whistleblower’s work colleagues who work in the same work context and who have a habitual and current connection with him;
• entities owned by the whistleblower or for which the whistleblower works, as well as entities operating in the same working environment as the whistleblower.

Violations of measures to protect the confidentiality of the identity of the whistleblower or measures to protect against retaliatory or discriminatory acts constitute a disciplinary offence sanctioned under the sanctioning system.

The conduct or fact that is the subject of the report, in case of particular seriousness, may be brought to the attention of the Police Authorities, the Judicial Authority or other competent Authorities, together with the results of the verification activities already carried out by the Company.

The Company’s internal disciplinary proceedings and/or measures must not be affected by any proceedings initiated by the judiciary for the same offence.

The personal data of whistleblowers, reported persons and all subjects involved in the report are processed in accordance with the current legislation on the protection of personal data referred to in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) and Legislative Decree 196/2003, as amended by Legislative Decree 101/2018. In particular, it should be noted in this context that:

• the processing activities underlying the management of the report are carried out in compliance with the principles dictated by Article 5 of the GDPR;
• the reporting party must receive an information notice pursuant to Article 13 of the GDPR specifying the purposes and methods of the processing of their personal data and the period of storage of the same, the conditions of lawfulness on which the processing is based, the categories of recipients to whom the data may be transmitted as part of the management of the report and the rights recognized to the whistleblower by the Regulation;
• the reporting system provides for the processing of personal data (potentially, also the special data referred to in Article 9 of the GDPR) that are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are collected;
• personal data will be processed for the time necessary to achieve the purposes that justify their collection (e.g. evaluation and management of the report); once the purpose of processing has been exhausted, the personal data will be stored on the basis of the criteria and for the periods indicated in the privacy policy provided to the data subject and subsequently deleted or anonymized;
• appropriate technical and organisational measures are put in place to ensure the security of personal data, in accordance with current legislation, both during the transmission of the report and during the management and archiving of the report;
• the exercise of rights by the whistleblower, the reported party or the third party (“data subjects” pursuant to privacy legislation), in relation to their personal data processed as part of the reporting management process as described in this procedure, may be limited, pursuant to and for the purposes of Article 2-undecies of Legislative Decree 196/2003 as amended by Legislative Decree 101/2018, in the event that such an exercise may result in an actual and concrete prejudice to other interests protected by specific regulatory provisions, with the clarification that under no circumstances may the reported person be allowed to make use of his or her rights to obtain information on the identity of the whistleblower;
• access to personal data is granted only to those responsible and authorized to receive
  this type of report, limiting the transfer of confidential information and personal data
  only when necessary;
• personal data are kept only for the appropriate and proportionate time in order to allow the following procedure to be carried out.

This Procedure was approved by the Company’s Board of Directors on February 7, 2024, and is stored in the corporate cloud in a dedicated folder in SharePoint and made available and searchable to the Company’s employees.

For all interested parties, it is also published in the “Whistleblowing” section of the Company’s website https://betaglue.com.

Effective Date: 07-FEB-2024
First edition

To submit a claim, please read to the bottom of this policy and click on the link below: