PROCEDURE FOR HANDLING REPORTS IN ACCORDANCE WITH LEGISLATIVE DECREE N° 24/2023

Foreword

IIT Foundation promotes activities aimed at preventing infringements within its organisation.

To this end, IIT has defined specific tools for reporting said infringements (so-called Whistleblowing), with the aim of discouraging these infringements through the active and responsible participation of its stakeholders (employees, collaborators, suppliers, partners, consultants, etc.) and the general public in compliance with Legislative Decree 24/2023.

Objective

The purpose of this procedure is to establish the procedures for reporting unlawful conduct, whether a criminal act or an omission, which constitutes or may constitute a violation, or an inducement to the violation, of laws and regulations, and of the values and principles enshrined in the Foundation's Code of Conduct and Scientific Integrity.

The principles of this procedure do not prejudice or limit in any way the legal obligations concerning reporting to the Judicial Authorities or to the Supervisory Authorities and those concerning the processing of personal data and the protection of privacy.

Content of reports

The subjects of reports comprise facts, actions, omissions, anomalies or critical issues encountered that employees or third parties ("Whistleblowers") wish to bring to the attention of IIT, with reference to:

• acts of corruption;
• proven or suspected violations of the Code of Conduct and Scientific Integrity;
• proven or suspected violations of the Model as per Legislative Decree 231/01;
• non-compliance with the European Union regulations described in the attachment to Legislative Decree 24/2023 or in Directive (EU) 2019/1937, relating to the following areas: public contracts; services, products and financial markets, the prevention of money laundering and financing of terrorism; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and animal feed safety and animal health and welfare; public health; consumer protection; the protection of privacy and personal data, and the security of networks and information systems;
• damage to the EU's financial interests and violation of EU regulations on competition and state aid, or regarding corporate taxation; mechanisms whose purpose is to obtain an undue tax advantage;
• other forms of conduct that do not comply with laws or regulations.

This procedure does not apply to reports of a disciplinary nature or relating to the management of human resources, which should be addressed to the respective manager or the Human Capital and Organisation directorate for their handling.

In addition, the following issues cannot be the subject of reports:

•            objections, claims or requests linked to interests of a personal nature on the part of the Whistleblower;

•            reports of violations that are already regulated through mandatory provisions of the European Union or national laws;

•            reports of violations in matters of national security.

The report must not provide details of anyone's private life, including any kind of personal comment, unless strictly necessary and relevant to what is being reported.

Recipients

The recipients of this procedure (hereinafter: “recipients” or “whistleblowers”) are:

• Members of the Foundation’s Organs; employees and collaborators of the Foundation;
• Suppliers, clients, partners, consultants and, in general terms, the Foundation's stakeholders.

Reports of unlawful activities

Recipients who detect or become aware of possible unlawful conduct or irregularities are required to report without delay the facts, events and circumstances that, according to what they believe in good faith and on the basis of reasonable factual elements, have led to violations and/or conduct that do not comply with IIT’s principles.

For making reports, the Foundation has set up an online platform accessible from the “whistleblowing” page on the home page of its website, or directly at

https://iit.segnalazioni.net

Reports may be made in a form that includes the whistleblower’s name (registered user) or anonymously (non-registered user). However, the first method is that recommended, in order to allow more effective investigation, with the respective safeguards.

The report, even if anonymous, must be documented and circumstantiated, so as to provide the necessary and appropriate information permitting appropriate verification regarding the authenticity of the reported facts.

In cases in which these elements are known to the whistleblower, it is particularly important that the report includes:

• a detailed description of the events that occurred and how the whistleblower came into possession of this knowledge;
• the date and place where the event occurred;
• the names and roles of the persons involved or, in any case, elements that could enable their identification;
• the names of any other persons who could provide information on the facts described in the report;
• reference to any documents that could confirm the accuracy of the reported facts.

Moreover, reports should not be aimed at denouncing situations of an exclusively personal nature.

The Organ responsible for receiving reports is the Foundation's Supervisory Board, appointed pursuant to Legislative Decree n° 231/2001.

Any report can also be sent via the voice mailbox of the above-mentioned platform (requiring the whistleblower’s specific consent) and the following alternative communication channels:

• E-mail: organismodivigilanza@iit.it
• Traditional mail, sent to the address: Fondazione - IIT - Organismo di Vigilanza - Via Guidubaldo del Monte 54, 00197 Rome

Confidentiality and prohibition of retaliation

While encouraging Recipients to promptly report possible episodes of unlawful conduct or violations, the Foundation guarantees the whistleblower’s anonymity, as well as the confidentiality of the report and of the data contained therein, even in the event that the report should prove to be erroneous or unfounded following the checks performed. Where the platform's voicemail is used to communicate a report, the whistleblower’s voice is altered so as to render it unrecognisable.

The Whistleblowing Manager (see next paragraph) is allowed to learn the whistleblower’s identity, if said manager deems it necessary for the purposes of the investigation, for instance if the report leads to legal proceedings and the name has been requested by the investigating or judiciary authorities for the purposes of the investigation.

The learning of identity must always be justified, and the whistleblower must be informed that the Whistleblowing Manager has decided to learn about his or her identity, through the communication of the reason behind this decision. More specifically:

• the whistleblower’s identity, along with any other information, may not be disclosed, without the specific consent of said whistleblower, to persons other than those authorised to receive or follow up reports;
• In the context of disciplinary proceedings, the whistleblower’s identity may not be disclosed, in the case in which opposition to the disciplinary measure is based on investigations that are separate from and additional to the report, even if they are a direct consequence of said report. If the opposition is based, in whole or in part, on the report, and the knowledge of the whistleblower’s identity is indispensable for the defence of the person accused, the report can be used for the purposes of disciplinary proceedings only if the whistleblower has given specific consent to the disclosure of his or her identity. In the latter case, the whistleblower shall receive written notification of the reasons for the disclosure of the confidential data.

Any kind of threat, retaliation, penalty or discrimination against the whistleblower, the person implicated by the report or those who have taken part in the investigation determining the validity of the report will not be tolerated.

The Foundation also reserves the right to take appropriate action against anyone who implements, or threatens to implement, acts of retaliation against those who have presented reports in accordance with this procedure, without prejudice to the right of the parties concerned to seek legal protection should the whistleblower be found to have criminal or civil liability on the basis of the falsity of what has been declared or reported.

It is understood that the Foundation may take the most appropriate disciplinary and/or legal measures to protect its rights, property and image against anyone who has made, in bad faith, false or unfounded reports, with the sole purpose of slandering, defaming or prejudicing the person implicated by the report or other persons mentioned in the report.

Management of reports

Once the report has been submitted, the system issues one-off codes that must be saved and retained by the whistleblower in order to be able to consult the report at any time, follow its progress and access the system's messaging platform.

Whistleblowers can manage their reports, tracking their processing status and the replies received through a special control panel.

The recipient of the reports is the Supervisory Board, which performs an initial check on the reported facts and assesses whether the report lies within its functions; if this is not the case, the Supervisory Board forwards it to the individuals holding responsibility for the matter (Managers). In both cases, the Supervisory Board issues the whistleblower an acknowledgement of receipt of the report within seven days from the date of receipt.

The Supervisory Board is responsible for reports of violations of the principles contained in Section II of the Code of Conduct and Scientific Integrity adopted by the Foundation (hereinafter the Code) and the cases in which the reported episode is presumed to be a relevant violation of the Organisation, Management and Control Model adopted by IIT pursuant to Legislative Decree 231/2001.

Reports of violations of the principles and rules set out in Section III of the Foundation's Code of Conduct and Scientific Integrity are the responsibility of the Ombudsperson, in all cases in which the episode reported can be construed as scientific misconduct.

Reports on transparency, anti-corruption and conflict of interest (the latter with the exception of cases that are handled by the Ethics Committee) are the responsibility of the Head of the Compliance Department.

The Ethics Committee is responsible for reporting on the compatibility of the mandate of the members of the organs with any other activities and roles.

Reports of discrimination, harassment and bullying are the responsibility of the Human Resources and Organisation Department.

In the course of verification, Managers may utilise support from the organisational structures with responsibility on each specific occasion, and, when deemed appropriate, they may utilise external consultants specialising in the field of the report received and whose involvement is necessary for the verification of the report, ensuring the confidentiality and, where possible, the anonymisation of any personal data that may be contained in the report.

During the verification and ascertainment of possible violations, the individuals indicated by the report may be involved in or informed of such activities, but in no case will proceedings be initiated solely on the grounds of the report in the absence of concrete confirmation as regards its content.

Should the conclusion of the analysis reveal the absence of sufficiently-circumstantiated elements or, in any case, the unfounded nature of the facts referred to in the report, the latter shall be archived, together with the respective justifications, by the Managers.

If, on the other hand, the analysis of the report reveals violations of the principles set forth in this procedure, the Managers involved will report to the respective Organs or the organisational structures of the Foundation holding appropriate responsibility, which will proceed to apply the penalties envisaged. In both cases the Supervisory Body will provide feedback on the report within three months from the date of notification of receipt or, in the absence of such notice, within three months from the expiry of the period of seven days from the presentation of the report.

The reports and related documents are kept for as long as necessary to process the report, but no longer than five years from the date of the communication of the final outcome of the reporting procedure.