This Whistleblowing Procedure (hereinafter “Procedure”) applies to V2 S.p.A.
The recipients of this Procedure are:
company management and members of corporate bodies;
shareholders;
employees and corporate collaborators (e.g.: interns, trainees, temporary workers, etc.), including those on probation or whose employment has ceased;
business partners, customers, suppliers, consultants, members, and, more generally, anyone having an interest-based relationship with the company.
(Hereinafter collectively referred to as “Recipients”)
2. Information
Law 179/2017, Legislative Decree 231/2001, and Legislative Decree 24/2023 require the adoption of an IT tool through which the subjects identified by the legislation may report fraud, crimes, unlawful acts, or irregular conduct.
The European directive establishes minimum standards to ensure the protection of individuals who report violations of EU law, creating secure internal and external communication channels. In specific cases, public disclosure through the media is permitted.
This Procedure governs the receipt, analysis, and handling of reports, including anonymous ones, and describes the channels established for reporting.
Whistleblowing is a fundamental tool for combating unlawful conduct and promoting ethics and legality.
3. Procedure
All Recipients are required to report potential unlawful activities that may violate the law or the policies of V2 S.p.A.
Reports allow the company to investigate and adopt corrective measures to reduce risks or damages.
Reports can be submitted through the GRC CORA Whistleblowing Portal, which allows anonymous or named submissions. Other external channels compliant with the law may also be used.
4. Forms of Protection
V2 S.p.A. has appointed multiple case handlers and a custodian for managing reports on the platform. The custodian may, if necessary and within legal limits, grant visibility of the data to the handlers.
Other internal subjects may be involved for information or opinions without having access to the reporting person’s identifying details.
The platform provides, among other features:
separation of identifying data from report contents;
a defined procedural workflow with specific timelines for initiation and conclusion;
confidentiality of report contents;
secure protocols and encryption for data and attachments;
data storage in physical, logical, or hybrid modes;
restricted access for authorized personnel only;
the possibility for the reporter to monitor the status of the investigation;
disclosure of the reporter’s identity only in cases permitted by law;
access auditing;
compliance with the ANAC software model;
subsequent entry of personal data if needed;
advanced measures for referrer header protection and security.
The platform is web-based, accessible from PC and mobile devices, and enables anonymous communication with the case handler.
V2 S.p.A. guarantees confidentiality, prohibits retaliation, and adopts measures to protect the rights of all involved parties.
Platform Security
The platform undergoes periodic Application Security Assessments (ISO 27001, OWASP).
Data Retention Policy: reports are valid for a limited period and are removed upon expiration;
Server resiliency: protection against DDoS attacks;
Web content security: encrypted communication (TLS 1.3) and security headers;
File encryption: AES encryption with optional use of PGP keys;
GDPR: compliance with EU Regulation 2016/679.
5. What to Report
Reports relating to events already occurred or plausibly attributable to individuals at V2 S.p.A. or third parties that may constitute unlawful acts or irregularities, such as:
administrative, accounting, civil, or criminal violations;
breaches of EU or national regulations in areas such as: public procurement, financial markets, product safety, environmental protection, healthcare, consumer protection, data protection, cybersecurity, etc.;
acts or omissions affecting the financial interests of the European Union;
acts or behaviors that undermine the objectives of EU provisions.
Reports must be based on direct and substantiated knowledge. Personal grievances are excluded.
6. Why Should You Make a Report?
Reports made in good faith and in the common interest allow the timely identification and correction of irregular or unlawful conduct, protecting the company.
7. Violation of This Procedure and Reporter Responsibility
Employees who violate this Procedure will be subject to disciplinary action. For other Recipients, violation may result in contractual or non-contractual liability.
False, defamatory reports or abuse of the procedure are prohibited and punishable by law.
8. Content of the Report
The report must contain useful elements for verification. It is preferable to include:
the reporter’s role;
a description of the events with time and place, if known;
The reporter may choose to provide their identity or remain anonymous; access is subject to a “no-log” policy to prevent IP identification.
Upon submission, a unique 16-digit KEY CODE is issued, required to track the report and interact with the case handler. The KEY CODE cannot be recovered if lost.
10. Handling of the Report
Reports are received and managed by the designated case handler with impartiality and confidentiality.
Summary of the procedural steps:
acknowledgment of receipt within 7 days;
possibility of dialogue and request for additional information;
conducting the investigation, hearings, and acquisition of documents;
feedback to the reporter within 3 months (6 months if justified);
communication of the final outcome.
11. Retention of the Report and Privacy
Reports and related documentation are retained for the time necessary for processing and in any case no longer than 5 years from the communication of the final outcome, in compliance with European and national data protection regulations.
Document drafted for V2 S.p.A. — Whistleblowing Procedure
