Promotion of Ethical and Responsible Corporate Culture: Reporting Channels at Nextworks


Nextworks promotes an open corporate culture based on ethics, transparency, and accountability, inspired by our core values: trust, integrity, courage, passion, and inclusion.

To this end, Nextworks provides internal channels for reporting to the Oversight Body information related to violations of laws and regulations, the Nextworks Code of Ethics and Conduct, the Organizational Model 231, as well as the system of rules and procedures in force at Nextworks, concerning personnel and/or third parties. Please note that these channels are not intended for commercial complaints or personal disputes and requests.


1. SYNTHESIS AND PURPOSE
This procedure regulates the reporting of unlawful or irregular activities within the company in order to protect the individual making such reports.
Further objectives of this Whistleblowing Procedure can be summarized as follows:
− Define and formalize the reporting procedure by establishing terms and responsibilities in the process of reporting unlawful activities;
− Define the rules to be observed in order to ensure the confidentiality of the reporter, other involved parties, and the report itself;
− Define the role of the recipient of the reports;
− Promote within the Company a culture based on responsibility and ethics, believing that active participation and involvement of all employees/collaborators are fundamental to the Company's development process;
− Enable the Company to be promptly informed about facts or behaviors contrary to the ethical principles pursued, for prompt intervention, as well as to identify and manage possible deficiencies in the internal control system and risk management.



2. LEGAL FRAMEWORK
This procedure refers to Legislative Decree no. 24 of 10/03/2023 implementing EU Directive 2019/1937, concerning the protection of individuals reporting violations of Union law. For the drafting of this document, the ANAC Guidelines "on the protection of individuals reporting violations of Union law and protection of individuals reporting violations of national legal provisions. Procedures for the presentation and management of external reports", approved by resolution no. 311, have also been considered.


3. SCOPE / RECIPIENTS
This procedure applies exclusively to Nextworks S.R.L. (hereinafter also referred to as "Nextworks" or "the Company"). This procedure applies to reports relating to the application field provided by the regulation.
It is recalled that Legislative Decree 24/2023 provides that the violations subject to reporting, complaint, or public disclosure must concern offenses committed in violation of EU regulations and acts or omissions that harm the financial interests of the EU or concerning the internal market that compromise the free movement of goods, persons, services, and capital and all national provisions implementing them. From the subjective side, this procedure applies to:
− Subordinate workers;
− Autonomous workers carrying out their work activity for private sector subjects;
− Freelancers and consultants providing their services to private sector subjects;
− Volunteers and trainees, paid and unpaid, providing their services to private sector subjects;
− Shareholders and persons with administrative, managerial, supervisory, surveillance, and representational functions;
− Facilitators;
− Other subjects provided for by Legislative Decree 24/2023.
For all the aforementioned subjects, protection also applies during the probationary period and before or after the establishment of the employment relationship or other legal relationship. Considering the purposes of this procedure, the confidentiality of the reporter's identity and all involved parties is guaranteed from the receipt and in every subsequent phase of its management. For more details on the theme of confidentiality protection, refer to Annex 1.


4. DEFINITIONS
a) Reporting Procedure (Whistleblowing)
Procedure for managing the report as defined below.
b) Internal Channel
Internal reporting channel set up by the Company, suitable for ensuring the confidentiality of the reporter's and reported party's identity, as well as the content of the report and related documentation, also through the use of encryption.
c) Reporter (Whistleblower)
The individual who reports information on violations acquired within their work context: this definition includes all individuals who are even temporarily in working relationships with the Company, even if they do not have the status of employees (such as volunteers, interns, paid or unpaid) and, under certain conditions, those who do not yet have a legal relationship with the Company (in pre-contractual negotiations) as well as those whose relationship has ceased or who are in the probationary period.
d) Facilitator
The individual who assists the reporter in the reporting process, operating within the same work context, and whose assistance must be kept confidential (for example: a colleague from a different Office than the one the reporter belongs to, who assists the latter in the reporting process confidentially, i.e., without disclosing the learned news, or a colleague who also holds the position of union representative if they assist the reporter on their behalf and for their account, without using the union acronym).
e) Reported/involved person
The natural or legal person mentioned in the internal report or as the subject to whom the violation is attributed or as any other person involved in the reported violation.
f) Reporting Management Structure (SGS)
Person or autonomous internal office dedicated to the management of reports, or autonomous external subject.
g) Report
In accordance with Legislative Decree no. 24/2023, a report is considered to be written or oral communication containing information about the reported violation.
h) External Channel at ANAC
Those wishing to make a report may, alternatively to the internal channel established by Nextworks, resort to the external channel managed by ANAC, if the following conditions are met:

  • When the internal channel, although mandatory, is not active or, even if activated, is not compliant with what is provided for by Legislative Decree no. 24/2023 with reference to the subjects and the methods of presenting internal reports that must be able to guarantee the confidentiality of the reporter's identity and of the other protected subjects;
  • When the reporting person has already made an internal report and it has not been followed up by the designated person or office;
  • When the reporting person has good reason to believe, reasonably based on concrete circumstances alleged and information actually obtainable, and therefore not on mere speculation, that, if they were to make an internal report: a) it would not be effectively followed up; b) this could entail the risk of retaliation;
  • When the reporting person has good reason to believe that the violation may constitute an imminent or obvious danger to the public interest.

i) Public Disclosure
Another reporting method introduced by Legislative Decree no. 24/2023, through which information about violations is made public through the press or electronic means or in any case through dissemination means capable of reaching a large number of people (social networks, web, television, radio, etc.).
l) Conflict of Interest
By "conflict of interest" is meant any situation in which the functions involved in the management of reports (Investigation Officer) have personal or professional interests conflicting with the impartiality required for their responsibility, preventing the objective evaluation of the report.
m) Confidentiality Regarding the Content of the Report and the Identity of the Reported and Other Involved Parties
The Company guarantees the confidentiality, in addition to the identity of the reporter and all subjects enjoying the same protections, of any other information or element of the report from which the identity of the reporter can be directly or indirectly inferred.
n) Privacy Protection
This reporting management procedure has been developed with the aim of protecting the privacy of the subjects involved in the reports, in accordance with the principles established by the GDPR.


5. OPERATIVE PROCEDURES
5.1 Introduction
Nextworks has adopted this procedure in order to ensure compliance with legality and the principles of fairness and transparency, as well as the confidentiality of the subjects and the content of the report.


6. PRELIMINARY OPERATIVE ACTIVITIES
6.1 Identification of the Reporting Management Structure (SGS)
In light of article 4, paragraph 2 of Legislative Decree no. 24/2023, Nextworks has chosen to entrust the management of reports to an Internal Committee specially designated, which consists of the following figures: Administration manager (AM) and Human Resources Manager (HRM).
6.2 Definition of the procedures for managing anonymous reports
Reports from which the identity of the reporter cannot be derived are considered anonymous. Anonymous reports are equated with ordinary reports, if detailed. If the Reporting Management Structure of Nextworks receives anonymous reports through the prescribed channels, they will be considered as ordinary reports. In cases of anonymous reporting, if the reporting person is subsequently identified and has suffered retaliation, they will still be covered by the protection measures against retaliation.


6.3 Description of the reporting methods adopted by the Company
(a) Oral Channel
Reports can be transmitted to the SGS by requesting a face-to-face meeting with the latter, using the email address segnalazioni@nextworks.it for this purpose. The oral report made during the meeting with the SGS is formalized by a report signed by those present. The reporter can verify, rectify, and confirm the minutes of the meeting before formalization.
(b) Traditional Mail
Reports can also be transmitted by traditional mail. In these cases, so that Nextworks, through the SGS, can ensure the correct management of the report, it is appropriate for the reporter to use two sealed envelopes: the first with the identifying data of the reporter together with a photocopy of the identification document; the second with the report, in order to separate the identifying data of the reporter from the report. Both must then be inserted into a third sealed envelope addressed as follows:

INTERNAL COMMITTEE Via Livornese 1027 56122 - PISA

indicating "NEXTWORKS REPORT – CONFIDENTIAL".
The report is then subject to confidential registration by the SGS on a specific form.
Regardless of the reporting channel chosen by the reporting person, the Company guarantees the confidentiality of the reporter's identity, the involved person, and any other person mentioned in the internal report, as well as the content of the internal report and related documentation.
Nextworks undertakes to protect the confidentiality of the reporter even when the report is made through methods other than those established in accordance with Legislative Decree no. 24/2023 or is received by subjects other than the SGS.


6.4. Report Sent to a Non-Competent Party
In the event that the report is submitted to a party other than the SGS identified and authorized by Nextworks, the report must be forwarded, within seven calendar days of its receipt, to the SGS through the channels provided in paragraph 5.3, with simultaneous notification of the transmission to the reporting person.
6.5. Conflict of Interest
If the reporter detects involvement in the events subject to the report by one of the two members of the Internal Committee, they may consider requesting a meeting directly with the member not in a conflict position, by writing to their respective personal email addresses (i.brancaccio@nextworks.it / v.felli@nextworks.it).


7. PROCEDURAL FLOW
7.1 Assumptions
This procedure assumes that:
  • The reporter acts in good faith. A reporter who maliciously makes a report may be subject to disciplinary measures (for example: conservative sanctions, dismissal, termination of contractual relationship, compensation actions, etc.);
  • The Reporting Management Structure manages reports received in an objective, impartial, and confidential manner, involving exclusively the figures identified in this procedure.



7.2 Submission and Monitoring of a Report
For the submission of reports, the reporter uses the forms and tools provided by the internal channel established by the Company. At this stage, the reporter may be assisted by the facilitator, if one has been identified.
Reports must be:
− in good faith: the reporter has reasonable certainty about the truthfulness of the report, has no biases and/or purpose to harm someone and/or to obtain personal benefits.
− detailed: they must allow for the identification of objectively reasonable elements to initiate an investigation, for example, they must contain:
✔ the description of the fact;
✔ personal data or other elements that allow the identification of the subject to whom the reported facts should be attributed;
✔ the circumstances of time and place in which the reported fact occurred;


It is also useful to attach documents that may provide credibility to the reported facts, as well as indicate other individuals who may be aware of the facts.


7.3 Management of Received Reports
The management phase of reports is overseen by the Reporting Management Structure and is divided into four sub-phases:
● Pre-analysis;
● Investigation;
● Evaluation and final outcome;
● Archiving.



7.4 Pre-Analysis of Reports
The Reporting Management Structure, upon receiving a report at the dedicated address, evaluates its contents by conducting an initial screening and immediately identifying those that are clearly unfounded, unsubstantiated, concerning an irrelevant subject matter, slanderous, and/or defamatory. In any case, within seven days of receiving the report, the Reporting Management Structure communicates receipt to the reporter.


7.5 Investigation of Reports
The investigation consists of activities aimed at verifying the content of the received reports and acquiring useful elements for the subsequent evaluation phase, ensuring maximum confidentiality regarding the identity of the reported individual and other involved parties, as well as the subject matter of the report. If deemed necessary, the Reporting Management Structure may collaborate with authorized company functions and competent external figures based on the subject matter of the report. It should be noted that since the Reporting Management Structure does not have autonomous spending powers, the assignment to any external party identified will be granted by company figures with adequate powers in this regard. The Reporting Management Structure, or any authorized parties providing support to it, may:
● contact the reporter in confidence and request any additional documents and/or information;
● suspend the investigation if the unfoundedness of the report is identified.


7.6 Evaluation and Final Outcome of Reports
The Reporting Management Structure evaluates the outcome of the investigation and provides feedback to the reporter within three months from the report being taken into consideration. The Reporting Management Structure summarizes the results of its investigation in a specific report that is transmitted to the Chairman of the Board of Directors. In case the Chairman of the Board of Directors is involved in the reported event, sharing will be done with the remaining members of the Board of Directors. If the report is found to be substantiated, the competent company individuals may decide to apply disciplinary measures provided by the Sanctioning System and/or consider the possible communication of events to the competent authorities.
If the report is found to be unfounded, the competent company individuals may consider the possibility of applying the Sanctioning System to the reporter acting in bad faith. In the event of identified gaps in the control and risk management system in response to a report, it will be the responsibility of the competent company units to define appropriate improvement actions. This procedure is schematically represented in the "Flow" attached (Attachment 2).


8. DEFINITION OF PERSONAL DATA PROTECTION MANAGEMENT METHODS
The data controller for personal data related to the Whistleblowing Procedure is identified as Nextworks S.R.L., which will process the personal data of all subjects involved in the report in compliance with the principles set forth in the GDPR, providing adequate information to the data subjects pursuant to articles 13 and 14 of the GDPR, as well as adopting appropriate measures to protect the rights and freedoms of the data subjects. In managing reports and the related procedure, the Data Controller is assisted by the Reporting Management Structure and the internal structures identified for conducting investigations. Specifically, the Reporting Management Structure and any internal figures involved in the investigation operate with specific authorization from the Data Controller and based on instructions provided by the latter. Processing of personal data related to the receipt and management of reports is carried out in compliance with the principles set forth in articles 5 and 25 of Regulation (EU) 2016/679, providing adequate information to reporting individuals and involved individuals pursuant to articles 13 and 14 of the same Regulation (EU) 2016/679, as well as adopting appropriate measures to protect the rights and freedoms of the data subjects. The company ensures that the management of reports and the related data processing is carried out in compliance with applicable legal provisions, taking into account the principles of European Regulation 2016/679 (GDPR). Specifically, Nextworks guarantees throughout the procedure:
− providing adequate information on the processing of personal data to the reporter and other involved individuals;
− processing personal data in full compliance with the GDPR;
− conducting a specific impact assessment on the processing in question (DPIA);
− identifying technical and organizational measures suitable for ensuring an adequate level of security;
− regulating relationships with individuals involved in personal data processing processes;
− not processing and/or storing personal data that are manifestly not useful for processing the report.
Regarding the exercise of the rights of data subjects, European legislation on personal data protection provides that, in some specific cases, national law may limit the scope of the data controller's obligations and the rights generally recognized to data subjects concerning their personal data as provided in CHAPTER III of Regulation (EU) 2016/679 (Article 23 of Regulation (EU) 2016/679). As established by Article 13 paragraph 3 of Legislative Decree no. 24/2023, within the scope of reports, a limitation of the rights of data subjects is provided for under Article 2-undecies of Legislative Decree no. 196 of June 30, 2003; this limitation applies because exercising such rights could result in an actual and concrete prejudice to the confidentiality of the reporter's identity and of the individuals possibly involved/mentioned in the report itself. Therefore, the reporter can exercise the right of access to their own data, rectification or integration, erasure, and restriction of processing in the same way they made the report.
The reporter, pursuant to Article 77 of Regulation (EU) 2016/679, also has the right to lodge a complaint with the Data Protection Authority if they believe that the processing violates the aforementioned Regulation. The exercise of the rights provided for in CHAPTER III of Regulation (EU) 2016/679 by other data subjects, such as the reported individual or other involved persons, may be delayed, restricted, or excluded if such exercise could result in an actual and concrete prejudice to the confidentiality of the reporter's identity as provided for in Article 2-undecies, letter f of Legislative Decree no. 196 of June 30, 2003 (implementing Article 23 of Regulation (EU) 2016/679). In such cases, such subjects may exercise the aforementioned rights through the Data Protection Authority using the methods provided for in Article 160 of Legislative Decree no. 196 of June 30, 2003. For further information on the processing of personal data, please refer to the whistleblowing information (Attachment 3).


9. PROHIBITION OF RETALIATION, SANCTIONS, AND LIABILITY REGIME

Whistleblowing is a measure that aims to strengthen the dissemination of a culture of ethics, transparency, and legality within Nextworks. This important objective can only be achieved if the reporting individual, in addition to having the means to make reports, also, and above all, has the certainty that they will be protected from retaliation by colleagues or superiors or from the risk of their report being ignored.
For these reasons, Legislative Decree no. 24 and the Company explicitly provide for a prohibition of retaliation to protect the reporter and other subjects as stipulated by the regulation, even in cases of attempted or threatened retaliation, which cause or may cause unjust harm directly or indirectly to the individual/entity.
For retaliation to be established, and consequently for the subject to benefit from protection, a strict connection between the report, disclosure, and accusation, and the adverse behavior/action/omission suffered, directly or indirectly, by the reporting individual, accused, or disclosing party, is necessary. For the purpose of protection, the personal and specific reasons that led individuals to make the report, public disclosure, or accusation are irrelevant. Without respect for these general conditions, protection cannot be guaranteed even for subjects other than the reporter, accuser, or public discloser if, due to the role assumed in the context of the reporting/accusation process and/or the particular relationship linking them to the reporter or accuser, they indirectly suffer retaliation.
In adopting this procedure, the Company is aware of the administrative sanctions applicable by ANAC pursuant to Article 21 of Legislative Decree no. 24/2023. Disciplinary sanctions may also be applicable to the reporter in cases of reports found to be unfounded, made with intent or gross negligence, or those that are manifestly opportunistic and/or made solely for the purpose of harming the accused or other individuals.
Disciplinary sanctions will be proportional to the extent and severity of the unlawful behaviors ascertained and may also lead to the termination of the relationship, in compliance with legal provisions and applicable National Collective Bargaining Agreement regulations.
The Reporting Management Structure may also be subject to contractual sanctions if there has been a deficiency in the application of confidentiality measures or failure to assess the report. Similarly, all confirmed violations of measures designed to protect the reporter are subject to sanctions.


10. TRAINING
Nextworks' Reporting Management Structure has been adequately trained to handle reports according to the principles and methods outlined in this procedure. Given that whistleblower protection is fully part of general corruption prevention measures, the Company undertakes to ensure awareness and training initiatives annually, or in the event of significant regulatory updates, for:
− First-level corporate managers, who must be adequately informed about the content of the regulation, how it is implemented in the company (procedure), and how to handle information related to a report;
− Other employees and collaborators, who must be trained and informed on how to activate the internal reporting channel and how and when to potentially activate external reporting channels and/or public disclosure. Additionally, these individuals must be informed about the protections activated by the company and how to stay updated on the progress of reports made.


11. PUBLICITY
The procedure adopted by Nextworks is made available to all employees through the shared company Drive folder and to external parties indicated by the regulation through publication on the company website.


12. ARCHIVING OF REPORTS
The Reporting Management Structure proceeds to archive all documentation in specific dedicated folders, managed according to strict confidentiality criteria. Upon the expiration of five years from the date of communication of the final outcome of the reporting procedure, the Reporting Management Structure will await instructions from the Company regarding the methods of return and/or deletion of data. It is understood that in the case of return, it will be the responsibility of the Reporting Management Structure to transmit only the strictly necessary information regarding the report (e.g., subject, outcome, dates of feedback to the reporter, etc.). The Reporting Management Structure is also required to keep the register of received reports updated, ensuring that the outcome reached is indicated each time. If the investigation activity yields negative results, the Reporting Management Structure still proceeds to archive the report, adequately explaining the reasons for the evaluation.