Whistleblowing procedure

Clicca qui per l'italiano

1. Introduction to Whistleblowing

The term "whistleblowing" refers to a Report made by a person - primarily an employee - who, in the course of performing his or her duties, becomes aware of a crime, risk or dangerous situation that may cause harm to the company/entity for which he or she works or collaborates, as well as to customers, colleagues, citizens and any other category of subjects.

Legislative Decree No. 24 of 10.3.2023 (hereinafter also referred to as the "Decree") introduced the following new provisions:

- the protection of persons who Report violations of national or European Union law that harm the public interest or the integrity of the public administration or of a private entity, of which they have become aware in the course of their work;

- the management of related reports.

These rules (hereinafter referred to as the "Whistleblowing Discipline") specify in particular

  • the persons who may make a whistleblowing Report;
  • the acts or facts that may be the subject of a Report, as well as the requirements that reports must meet in order to be considered;
  • the modalities for reporting alleged violations and the persons responsible for receiving reports;
  • the process of inquiry and possible investigation when a Report is made;
  • the confidentiality and protection of the personal data of the person making the Report and of any person reported, and of the data contained in the Report;
  • the prohibition of retaliation and discrimination against the whistleblower.

Castello del Nero s.r.l. (hereinafter also referred to as "CDN" or the "Company") is one of the entities subject to the Whistleblowing Discipline.

In this context, CDN, which is sensitive to ethical issues and the proper conduct of its business, has implemented internal systems for reporting violations to enable the persons identified in the Decree to report violations of national or European Union regulations that harm the public interest or the integrity of the public administration or private entity of which they become aware in the course of their work.

CDN will also use the "SaaS My Whistleblowing" software and related services provided by the specialist company MYGO s.r.l. (hereinafter referred to as the "Software") to process the above-mentioned reports.

2. Purpose of the Whistleblowing Procedure

2.1. This Whistleblowing Procedure (hereinafter also referred to as the "Policy") sets out the rules adopted by CDN for the handling of reports of violations identified by the Decree (hereinafter also referred to as "Violations"), of which the persons authorised to report have become aware in the course of their work (hereinafter, "Reports").

The objectives of the Policy are:

  • disclose instances of wrongdoing or irregularities within the Company by clarifying and facilitating the use of whistleblowing by the whistleblower and by eliminating any factors that may hinder or discourage the use of whistleblowing;
  • provide potential whistleblowers with clear operational guidance on the subject matter, content, recipients and methods of transmission of reports
  • provide information on the forms of protection and confidentiality afforded and guaranteed to the whistleblower.

2.2. The violations that may be the subject of Reports are conduct, acts and omissions that harm the public interest or the integrity of the public administration or CDN, and consist of:

  • administrative, accounting, civil or criminal offences that do not fall under (3), (4), (5) and (6) below;
  • unlawful conduct within the meaning of Legislative Decree No. 231 of 8 June 2001 other than that referred to in points 3), 4), 5) and 6) below;
  • offences falling within the scope of European Union or national legislation (including national legislation transposing European Union legislation) in the following areas: public procurement; services, products and financial markets and prevention of money laundering and terrorist financing; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety and animal health and welfare; public health; consumer protection; privacy and protection of personal data and security of networks and information systems;
  • acts and omissions detrimental to the financial interests of the European Union as referred to in Article 325 of the Treaty on the Functioning of the European Union, as specified in the relevant secondary legislation of the European Union;
  • acts or omissions relating to the internal market, as referred to in Article 26(2) of the Treaty on the Functioning of the European Union, including violations of EU competition and State aid rules, as well as violations of the internal market relating to acts in breach of corporate tax rules or mechanisms the purpose of which is to obtain a tax advantage that frustrates the object or purpose of the applicable corporate tax law;
  • acts or conduct which frustrate the object or purpose of the provisions of Union law in the areas referred to in points 3, 4 and 5.

2.3. The scope of application of the Policy does not, however, include the cases excluded by the Decree, including:

(a) challenges, claims or demands related to a personal interest of the reporting person or of the person making a complaint to the judicial or accounting authorities and relating exclusively to his or her individual work or public employment relationship or to his or her work or public employment relationship with a hierarchical superior;

(b) Reports of violations where they are already covered by mandatory European Union or national legislation or by national legislation implementing European Union legislation;

(c) Reports of violations of national security and procurement related to defence or national security aspects, unless these aspects are covered by relevant EU secondary legislation.

3. Persons who can make a Report

The persons who can make a Report and benefit from the protection provided by the Decree are:

  • CDN employees;
  • self-employed workers who carry out their work for the benefit of CDN, including holders of a collaboration relationship referred to in Article 409 of the Code of Civil Procedure and Article 2 of Legislative Decree No. 81 of 2015;
  • workers or collaborators carrying out their work for CDN, providing works or services or carrying out works for the benefit of CDN;
  • freelancers and consultants working for CDN;
  • paid and unpaid volunteers and trainees working for CDN;
  • shareholders of CDN and persons having administrative, management, control, supervisory or representative functions in CDN, even when such functions are exercised on a de facto basis.

4. Reporting Requirements

The Report must be circumstantial and as complete and exhaustive as possible.

The person making the Report (hereinafter, also the "Reporting Party") is required to provide all the available and useful elements to enable the competent persons to carry out the due and appropriate checks and verifications to ascertain the merits of the facts that are the subject of the Report, such as

  • a clear and complete description of the facts that are the subject of the Report;
  • the circumstances of time and place in which the facts that are the subject of the Report were committed;
  • personal details or other elements enabling the identification of the person(s) who has/have carried out the reported facts (e.g. job title, place of employment where he/she carries out the activity);
  • any documents supporting the Report;
  • an indication of any other persons who may report on the facts that are the subject of the Report;
  • any other information that may provide useful feedback on the existence of the reported facts.

For a Report to be substantiated, these requirements do not necessarily have to be fulfilled at the same time, in view of the fact that the Reporting Party may not be in full possession of all the information requested.

It is essential that the elements listed are directly known to the Reporting Party and not reported or referred to by others.

The Company may also take into consideration anonymous Reports, where these are adequately circumstantiated[1] , and made with an abundance of details, i.e. they are such as to bring to light facts and situations relating them to specific contexts (e.g.: documentary evidence, indication of particular names or qualifications, mention of specific offices, proceedings or particular events, etc.).

5. Internal Signalling Channels

5.1 Reporting via the Software

This is the primary and most functional reporting channel.

Through the My Whistleblowing add-on, the Reporting Party accesses the Software, which guarantees, by computerised means, the confidentiality of the identity of the Reporting Party, of the persons involved in the Whistleblowing and of any accompanying documentation, in accordance with the legislation in force.

Through the software, the Reporting Party will be guided through each step of the reporting process and will be asked to fill in a number of fields in order to better substantiate the Report.

The relevant operating procedures are explained in detail in the document 'Guide to Reporting via the Software', annexed to this Policy.

5.2 Paper Mail Reports

The Report may be made in writing by registered letter with acknowledgement of receipt, to be sent to the Reporting Manager (hereinafter, also the 'Manager') at ..., in the following manner:

  • use of two sealed envelopes, the first with the Reporting Party's identification data and a photocopy of his/her identification document; the second with the Report (so as to separate the Reporting Party's identification data from the Report);
  • inserting the two sealed envelopes into a third sealed envelope marked "Reserved for the Reporting Manager" on the outside.

This Report will then be entered in the Report Register referred to in point 6.1.b) below.

5.3 Reports by request for a direct meeting

The Report may be made by requesting a direct meeting with the manager, to be made by telephone on the number ...

In such a case, with the consent of the Reporting Party, the Report will be documented by the Manager, either by recording it on a device suitable for storage and listening, or by taking minutes. In the case of minutes, the Reporting Party may verify and correct the minutes and must confirm the minutes of the meeting by its signature.

5.4 Reporting Manager

CDN has identified, pursuant to Article 4 of the Decree, Dr. Andrea Peloni as the Reporting Manager and a person expressly authorised to process the data referred to in this Policy, pursuant to Articles. 29 and 32 of Regulation 2016/679 of the European Parliament and of the Council dated 27.4.2016 (hereinafter, "GDPR") and Article 2-quaterdecies of Legislative Decree 30.6.2003, no. 196 (hereinafter referred to, jointly with Legislative Decree 10.8.2018, no. 101, "Privacy Code").

In this respect, the Manager is authorised to access the Software and to receive Reports via Internal Reporting Channels.

The Manager shall send the Reporting Party an acknowledgement of receipt of the Report within 7 (seven) days from the date of receipt of the Report.

Notwithstanding the provisions of Section 5 below, if the Report through internal channels is received by a person other than the Manager, that person must transmit the Report within seven days of receipt, with written notification of transmission to the Reporting Party.

6. External Signalling Channel

If the Reporting Party has well-founded reasons to consider the internal reporting channels ineffective or inadequate, or in the event of their failure to function or to receive a response, he/she may make an external Report to the National Anti-Corruption Authority (ANAC) at the following link: https://servizi.anticorruzione.it/segnalazioni.

7. Management of Reports

The handling of the Report is divided into the following stages.

7.1. Protocol and custody

a) In the event that the Report is made through the Software, it will be the Software itself that will provide for a complete and confidential protocol in compliance with the reference legislation.

b) In the case of communications on paper or by other means, upon receipt of the Report, the Manager assigns the Reporting Party a specific alphanumeric ID and proceeds to record the details of the Report in a computerised and/or paper register, in particular

  • day and time;
  • reporting subject;
  • subject of the Report;
  • notes;
  • status of the Report (to be filled in at each stage of the process, e.g. preliminary checks, preliminary investigation, communication of findings, archiving).

The aforementioned register and paper communications shall be kept in a locked cabinet located in the office of the Supervisor and accessible only to the Supervisor.

7.2. Procedural and admissibility checks of the Report

a) The Manager verifies the admissibility of the Report, i.e. the existence of the subjective (i.e. that the Reporting Party is a person entitled to make the Report) and objective (i.e. that the subject of the Report falls within the scope of the whistleblowing rules) conditions required to make an internal Report.

b) The Manager then verifies the admissibility of the Report, ensuring that it is clear:

  • (i)   the circumstances of   time and place in which the fact(s) reported occurred. A description of these facts is therefore required, containing details of the aforementioned circumstances and the manner in which the facts came to the knowledge of the Reporting Party;
  • (ii) the particulars or other elements enabling the identification of the person to whom the facts reported can be attributed;
  • (iii) the not manifestly unfounded nature of the facts attributable to the violations typified by the legislator.

7.3. Investigation

Once the admissibility and admissibility of the Report has been verified, the Manager initiates the internal investigation of the facts and conduct reported, in order to assess their justification.

The preliminary investigation is the set of activities aimed at verifying the truthfulness of the content of the Reports received and at acquiring elements useful for the subsequent assessment phase, by means of audit procedures and objective investigative techniques, providing a precise description of the facts ascertained.

The Manager must carry out all the necessary activities and verifications to follow up the Report, including but not limited to

  • the direct acquisition of the necessary elements through the analysis of the information and documentation received, which the Manager may ask the Reporting Party to supplement;
  • the involvement of other company structures, or even external specialised subjects, in view of the specific technical and professional skills required;
  • the hearing of internal or external parties.

It is the duty of all CDN employees and collaborators to cooperate with the manager in the investigation.

7.4. Conclusion of the investigation

  • The Manager shall prepare a final report of the investigation, containing at least:
    • the established facts;
    • the evidence gathered;
    • the causes and shortcomings that allowed the reported situation to occur.
  • Based on the results of the investigation and its findings, the Manager will proceed to assess the merits of the Report. In this regard, the Manager may:
    • File the Report because it considers it to be unfounded, stating its reasons;
    • if, on the other hand, it considers that the Report has a prima facie case (i.e. the plausible/probable existence of the illegal act reported), declare the Report well-founded and forward this assessment, together with the relevant report, to the Director General for follow-up.

This is because the Manager is not responsible for any assessment of individual responsibilities (of any kind) and consequent measures or proceedings (e.g. disciplinary proceedings and precautionary suspensions from service, in line with the applicable legislation and collective labour agreements; reports to the competent public authorities).

8. Archiving

In order to ensure traceability, confidentiality, preservation and retrievability of data throughout the process, documents are stored and archived both in digital format, through the Software, through password-protected network folders and in paper format, in a special locked cabinet located at the Manager's office, accessible only to the Manager.

All documentation will be retained, subject to further legal deadlines in the cases expressly provided for, for 10 years from the date of closure of the activities.

Even when archiving, the processing of personal data of persons involved and/or mentioned in reports is protected in accordance with the law in force and the company's privacy procedures.

9. Protection of the Reporting Party

The entire Whistleblowing management process ensures the confidentiality of the identity of the Reporting Party from the moment the Report is received and at every stage thereafter.

9.1 Protection of confidentiality

a) Use of the Software guarantees the complete confidentiality of the Reporting Party, as only the Manager can access the Reporting via the Software.

b) In the case of Reports made by any other means, the addressees, once the Report has been received and registered, assign a specific anonymous ID to the Reporting Party. To protect the confidentiality of the Reporting Party, the ID will be used in all official documents and communications in the course of the investigation activity.

(c) Within the framework of any disciplinary proceedings instituted against the reported person:

  • if the alleged facts are based on investigations that are separate and additional to the Report, even if consequent to the Report, the identity of the reporting person may not be disclosed;
  • if the facts alleged were based in whole or in part on the Report, the identity of the Reporting Party may be disclosed to the person(s) concerned by the Report if two requirements are met simultaneously:
    • the consent of the Reporting Party;
    • the proven need on the part of the reported person to know the name of the Reporting Party for the purposes of the full exercise of the right of defence.

9.2 Prohibition of discrimination

The Reporting Party may not be sanctioned, dismissed or subjected to any direct or indirect discriminatory measure affecting his/her working conditions for reasons directly or indirectly linked to the reporting.

Discriminatory measures include unjustified disciplinary actions, harassment in the workplace, any change of job or place of work, and any other detrimental change in working conditions that is a form of retaliation against the Reporting Party.

A Reporting Party who believes that he/she has suffered discrimination as a result of making a Report must give detailed notice to the Manager.

A Reporting Party who believes he or she has suffered discrimination may take legal action against the perpetrator of the discrimination and also against the Company - if the Company actively participated in the discrimination.

10. Violation of procedure

Failure to comply with this Policy entails the possibility of disciplinary sanctions for Company employees, in line with the provisions of the applicable legislation and the relevant collective labour agreements.


Annex to the Whistleblowing Procedure of Castello del Nero S.r.l.

The purpose of this Guide is to explain to reporting persons how to make reports using the Software.

In addition to the information provided, we invite you to read the Whistleblowing Procedure prepared by the Company.


  1. Access the link https://areariservata.mygovernance.it by filling in the form with your first name, last name and a personal e-mail address (please do not use the company one, as required by the Privacy Guarantor)
  2. Follow the instructions received with the e-mail containing the Unique Access Credentials.
  3. Log in to your account with your credentials
  4. Proceed by clicking the 'CREATE NOTIFICATION' button
  5. It will now be possible to proceed with reporting
    • (a) anonymously using the appropriate option;
    • (b) or, in non-anonymous form, but in any case with the guarantees of confidentiality provided for by law
  6. Once the reporting method has been established, the Reporting Party will proceed by filling in the form. Fields marked with an * are mandatory. Some fields are open and must have a minimum number of characters.

For any further questions or clarifications, please do not hesitate to contact the Reporting Manager.

[1] A report can be considered circumstantiated if it allows the identification of factual elements that are reasonably sufficient to initiate an investigation (e.g.: the offence committed, the reference period and possibly the value, the causes and purpose of the offence, the company/division concerned, the persons/units involved, the anomaly in the control system).