General Whistleblowing Disclosure

Reporting corporate wrongdoing

1. Foreword
This information notice is addressed to all persons who deal with Arithmos Srl and who are entitled to report possible corporate offences in which they were directly involved or of which they became aware.
The purpose of this information notice is to inform the reporting parties about the reporting channel made available for so-called whistleblowing, its operating mechanism, the procedure and deadlines for feedback, and the Company’s compliance with the relevant legal provisions.
The information is published on the Company’s website and is made available to interested parties upon request.

2. Entitled parties
Individuals who report a violation they learnt of in the course of their work are entitled to report corporate offences. This category includes: employees and self-employed workers, freelance professionals and consultants, workers and collaborators who provide goods or services to the Company, volunteers, members, persons with management, administration and control functions, persons whose employment relationship with the Company has ended, and candidates for employment.

3. Content of the Report
Each Report must contain, if applicable to the specific case, the following elements: (i) identification data of the Whistleblower; (ii) description of the event (type of conduct, date and place of occurrence, parties involved); (iii) indication confirming whether the fact has occurred, is occurring or is likely to occur; (iv) indication of the manner in which the Whistleblower has become aware of the fact; (v) existence of witnesses and, if any, their names; (vi) whether the Whistleblower has already reported the matter and, if so, to which function or manager; (vii) the specific function or management within which the suspicious conduct occurred; (viii) further information deemed relevant by the Whistleblower.
The subject of the report may be any conduct or facts that, in the reporting party’s opinion, constitute or are potentially capable of constituting offences of a civil, criminal, administrative or accounting nature and are detrimental to a public or private interest.
In particular, the object of reporting may be: Breaches of Model 231, i.e. unlawful conduct relevant under Legislative Decree 231/2001 and conduct contrary to the principles and rules contained in the Code of Ethics and/or the Model; Breaches of European Union law. Precisely, these are offences committed in violation of the European Union legislation indicated in Annex 1 of the Whistleblowing Decree (in particular, these are offences relating to the following sectors: public contracts; financial services, products and markets; prevention of money laundering and financing of terrorism; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety, animal health and welfare; public health; consumer protection; privacy and protection of personal data, security of networks and information systems); acts or omissions that harm the financial interests of the European Union (Art. 325 TFEU), as identified in EU regulations, directives, decisions, recommendations and opinions; acts or omissions affecting the internal market that jeopardise the free movement of goods, persons, services and capital (Art. 26(2) TFEU). This includes violations of competition, state aid and corporate tax rules; acts or conduct that frustrate the object or purpose of European Union provisions in the areas mentioned in the previous points.

4. Internal reporting channel
In compliance with legal obligations, Arithmos Srl has adopted an internal reporting channel pursuant to Article 4, Legislative Decree 24/2024. In line with the provisions of the ANAC Guidelines, according to which ‘in the private sector, the choice of the entity to be entrusted with the role of reporting manager is left to the organisational autonomy of each entity, in consideration of the requirements related to the size, the nature of the activity performed and the concrete organisational reality and […] This role, purely by way of example, can be entrusted, among others […] to the Supervisory Board provided for by the regulations of Legislative Decree no. 231/2001’, Arithmos Srl has identified its own Supervisory Board, in the person of its sole member, as the Manager of internal reports.

5. Reporting procedures
In the event of Violations of the 231 Model, the Whistleblower must exclusively use the Internal Reporting Channel and follow the procedure established by Arithmos S.r.l.
In the case of EU Violations, the Whistleblower is encouraged to report them promptly, using – in the order of priority specified below – one of the following reporting channels: Internal Channel, preferably; External Channel; Public Disclosure, residually.
In detail, Whistleblowers should preferably use the Internal Channel and only in a subordinate and residual way the External and Public Disclosure channels.
The Whistleblower may in fact resort to the external channel only if: (i) the activation of the internal channel is not envisaged as mandatory in his/her work context, or, if it is envisaged, it has not been activated, or, if it has been activated, it does not comply with the requirements of the Whistleblowing Decree, in that it is unsuitable for guaranteeing the confidentiality of the Whistleblower and of the Report; (ii) the Report has not been followed up, as the person entrusted with the management of the channel has not undertaken any activity in relation to the Report within the timeframe set out in the Whistleblowing Decree; (iii) he/she has reasonable grounds to believe that, if he/she were to make the Report internally, it would not be followed up or would face retaliation; (iv) he/she has reasonable grounds to believe that the Breach may constitute an imminent or obvious danger to the public interest.
Ultimately, the Whistleblower may have recourse to the public disclosure procedure if (i) the internal or external channel has been used beforehand, but has not been followed up; (ii) he/she has reasonable grounds to believe that the Breach may constitute an imminent or obvious danger to the public interest; (iii) the internal or external channels have not been used due to risk of retaliation or ineffectiveness of those systems.

5.1. Reporting procedure via Internal Channel
Offences may be reported in written or oral form.
The Report may be sent by registered letter to the following address: Avv. Simone Baggio, Largo Parolini n. 85, 36061 Bassano del Grappa (VI), c/o Studio Plura. The Reporting Party shall put the Report in two sealed envelopes, including, in the first one, its identification data (the non-anonymous reporting procedure is in fact preferable, with a view to facilitating the assessment of the Breach) and, in the second one, the subject of the Report; both envelopes shall then be put in a third envelope bearing, on the outside, the wording “confidential to the Reporting Manager”.
The Report may also be communicated through the following unrecorded telephone line, 0424/524397, and, at the request of the Reporting Party, through a direct meeting with the Reporting Manager.
The Report will be promptly handled by an appropriately trained staff member to ensure that the case is handled in accordance with the relevant regulations.

5.2. Reporting procedure via External Channel
The Whistleblower may report in written form through the IT platform set up by ANAC (https://whistleblowing.anticorruzione.it/#/), which has been outlined as the priority reporting channel, as it is best suited to guarantee the confidentiality of the Whistleblower and the Report.
The Whistleblower may also report orally, through a telephone service with operators or through direct meetings with ANAC officials.

5.3. Public disclosure
The Report may be made through means of dissemination capable of reaching a large number of people, such as the press and social networks (YouTube, Facebook, Twitter, etc.).

6. Handling procedure
In case of use of the written communication channel (i.e., by registered letter A/R), the Reporting Manager will file the Report received in a special place protected by adequate physical security measures, informing the Reporting Subject within 7 days of receipt of the Report, unless it is impossible to interact with the latter (as is the case, for example, with Anonymous Reports).
If the communication channel is used in oral form (i.e., unrecorded telephone line or face-to-face meeting), the Manager will draw up, respectively, a detailed record of the telephone message received, or a minute of the meeting held, which should be countersigned by the Reporting Party in both cases.
Once the Manager receives the Report in the manner described above, he will first check that it is relevant and substantiated.
In particular, the Manager will check that the Reporting Party is one of the persons entitled to make the Report and that the subject of the Report concerns a relevant breach. If the Report is assessed as not pertinent (e.g., personal grievances, labour disputes, interpersonal conflicts between colleagues, etc.), it may be handled in accordance with any procedures previously adopted by the Company for such violations, notifying the Reporting person thereof. The Manager shall also check that the Report contains at least (i) the identification data of the Reporting Party (name, surname, place and date of birth), as well as an address to which subsequent updates can be sent; (ii) the circumstances of time and place in which the event that is the subject of the Report occurred (description of the facts that are the subject of the Report, the circumstantial news; the manner in which the facts that are the subject of the Report came to the knowledge of the Manager).
Once the phase relating to the preliminary examination of the Report and its admissibility and eligibility to proceed has been completed, the Manager shall carry out all the investigations, analyses and assessments necessary to verify the validity or otherwise of the facts reported, directly acquiring the necessary information through the analysis of the documentation and/or information received, involving other corporate functions or external specialists (to whom the duties of confidentiality and privacy provided for by the Whistleblowing Decree must be extended), or conducting hearings of persons internal/external to the corporate apparatus.
At the end of this assessment phase and within 3 months from the date of receipt of the Report, the Manager shall communicate to the Whistleblower, alternatively: the fact that the Report has been dismissed, stating the reasons in support thereof; the ascertainment of the merits of the Report and its transmission to the competent bodies; the activity carried out so far and/or the activity the Manager intends to carry out, reserving the right to inform him/her about the subsequent final outcome of the investigation of the Report.

7. Protection of the reporter
The protections provided for in favour of the Whistleblower are as follows: prohibition of retaliatory acts against him/her; obligation of confidentiality of his/her identity and of the information transmitted; limitation of his/her liability for disclosure of certain types of protected information.
The same protections are also provided for: (i) the natural persons assisting the Whistleblower in the reporting process and working in the same work context (so-called facilitators); (ii) other persons connected to the Whistleblower who might suffer retaliation in the work context, such as colleagues who have a habitual or recurrent relationship with the person; (iii) persons in the same work context who are connected to the Whistleblower by a stable emotional or family relationship up to the 4th degree.

7.1. Prohibition of retaliatory acts
The Company takes all necessary precautions in order to guarantee Whistleblowers against any and all forms of retaliation, discrimination and/or penalisation, direct or indirect, for reasons connected with the Report made. Examples of direct or indirect retaliation are (a) dismissal, suspension or equivalent measures; (b) downgrading or non-promotion; (c) change of duties, change of workplace, reduction of salary, change of working hours; (d) suspension of training or any restriction on access to it; (e) negative merit notes or negative references; (f) the adoption of disciplinary measures or any other sanction, including a fine; (g) coercion, intimidation, harassment or ostracism; (h) discrimination or otherwise unfavourable treatment; (i) failure to convert a fixed-term employment contract into an open-ended employment contract; (l) non-renewal or early termination of a fixed-term employment contract; (m) damage, including to a person’s reputation, particularly on social media or economic or financial prejudice, including loss of economic opportunities and loss of income; (n) inclusion on improper lists on the basis of a formal or informal sectoral or industry agreement, which may result in the person being unable to find employment in the sector or industry in the future; (o) premature termination or cancellation of a contract for the supply of goods or services; (p) cancellation of a licence or permit; (q) requesting psychiatric or medical examinations. Retaliatory acts committed in breach of this prohibition are null and void. Anyone who, in his capacity as a Whistleblower, believes he has suffered retaliatory or discriminatory acts for reasons directly or indirectly linked to the Whistleblowing, shall report the abuse to the SB and to the ANAC.
The Whistleblower loses protection: (i) if it is established, even by a judgment of first instance, that he/she is criminally liable for offences of defamation or slander, or if such offences are committed by reporting to the judicial or accounting authorities; (ii) in the event of civil liability for the same offence due to wilful misconduct or gross negligence. In both cases, a disciplinary sanction shall be imposed on the Whistleblower.

7.2. Confidentiality
Arithmos ensures the absolute confidentiality and anonymity – if any – of the identity of the Reporting Party (which may not be disclosed without its express consent, except to the competent figures authorised by law), as well as of the content of the Report and of the relevant documentation.
The Manager shall process each Report in compliance with the Privacy Law and, in particular, in accordance with the following principles: (i) transparency: the possible data subjects shall be provided ex ante with appropriate information on the processing of their personal data; (ii) purpose limitation: the Reports may not be used beyond what is necessary to adequately follow up on them; (iii) data minimisation: data that are clearly not useful for processing a specific Report will be promptly deleted; (iv) limitation of storage: the Reports and the relevant documentation will be kept for the time necessary to process them and, in any case, no longer than 5 years from the communication of the final outcome of the procedure.

7.3. Limitations of liability
The Whistleblower shall not be held liable for the following offences: disclosure and use of official secrets (Art. 326 of the Criminal Code); disclosure of professional secrecy (Art. 622 of the Criminal Code); disclosure of scientific and industrial secrets (Art. 623 of the Criminal Code); breach of the duty of loyalty and faithfulness (Art. 2105 of the Civil Code); breach of the provisions on the protection of copyright; breach of the provisions on the protection of personal data; disclosure of information on violations that offend the reputation of the person involved.
This protection regime applies provided that (i) at the time of disclosure or dissemination there are reasonable grounds for believing that the information is necessary to disclose the Breach being reported; (ii) the Breach reported falls within those listed in the relevant definition; (iii) the Reporting Party, at the time of reporting, had “reasonable grounds” for believing the information to be true; (iv) the Reporting is carried out in accordance with the procedures set out in the communication channels.
The Company shall sanction any conduct contrary to the rules of conduct set out in this Section: the relevant disciplinary measures shall be proportionate to the extent and gravity of the conduct ascertained and may go as far as termination of employment.

8. Retention of documents relating to reports
Pursuant to Article 14 of Legislative Decree 24/2023, reports and the related documentation shall be retained for as long as necessary for the processing of the report and, in any case, no longer than five years from the date of the communication of the final outcome of the reporting procedure, in compliance with the confidentiality obligations set out in Article 12 of Legislative Decree 24/2023 and the principle set out in Article 5(1)(e) of Regulation (EU) 2016/679 and Article 3(1)(e) of Legislative Decree No. 51 of 2018.

WHISTLEBLOWING – Information on the protection of personal data pursuant to Articles 13 and 14 GDPR 679/2016

General processing principles
The processing shall be carried out by means of collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction and shall be carried out by the data controller, data processors and persons authorised to process the data.
Personal data shall be: processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes and subsequently processed in a way that is not incompatible with those purposes; adequate, pertinent, limited to what is necessary in relation to the purposes for which they are processed; accurate and up-to-date, with the Controller undertaking to take the necessary measures to delete or rectify the data in relation to the purposes for which they are processed; kept in a form that permits identification of the data subject for the time strictly necessary to achieve the purposes for which they have been processed; processed with the utmost confidentiality, both by computer and on paper, in compliance with the principles dictated by the European Data Protection Regulation, with the prescriptions issued by the Supervisory Authority and in any case in such a way as to guarantee adequate security, including protection, with appropriate technical and organisational measures, from unauthorised or unlawful processing or from loss, even accidental.

Identity and contact details of the data controller
The data controller is Arithmos Srl, with registered office in Verona in via Roveggia n. 122, VAT number 03568990232.
For the purposes of exercising the rights provided for by the Regulation and for any request relating to personal data, the interested party may contact the Data Controller by sending a communication to the email address privacy@arithmostech.com

DPO
Arithmos Srl has appointed a Data Protection Officer (DPO), who can be reached at the email address dpo@arithmostech.com

Purpose and legal basis of processing
Personal data will be processed for the purpose of carrying out the necessary investigative activities aimed at verifying the validity of the fact being reported and the adoption of any measures that may be necessary.
Pursuant to Art. 6, para. 1, letter b), the processing is lawful insofar as it is necessary for the fulfilment of a legal obligation pursuant to Art. 6, letter c, EU Reg. 27.4.2016, no. 670 (L. no. 179/2017, Legislative Decree no. 24/2023 on “Implementation of EU Directive 2019/1937”).

Recipients or category of data recipients
For the pursuit of the aforementioned purposes, the personal data provided may be made accessible only to those who, within the Company, need it for the role/task carried out in relation to the process of receiving, analyzing, investigating and managing reports and any consequent actions.
These subjects are appropriately trained in order to avoid loss, access to data by unauthorized parties or unauthorized processing of the data themselves and, more generally, in relation to obligations regarding the protection of personal data.
The data may also be processed by external consultants and third parties with technical functions, who act as data processors/sub-processors and have signed a specific contract which promptly regulates the processing entrusted to them and the obligations of data protection and security of processing pursuant to art. 28, paragraph 3 of the Regulation.
Finally, personal data may also be transmitted to other independent data controllers, based on laws or regulations (e.g. Public Authorities, Judicial Authorities, Court of Auditors and ANAC).

Data transfer to a third country
Your personal data will not be transferred outside the EU.

Personal data retention period
Your data are stored for a period of time not exceeding that necessary to pursue the purposes for which they were collected, in compliance with the provisions of legal obligations or in any case to allow the Company to protect its own rights and interests or that of third parties (e.g. defense in court).
The data is automatically deleted 5 years after the report is closed.

Right to withdraw consent
The processing of data provided by the Reporter is necessary for the fulfillment of a legal obligation and has no legal basis in the consent of the interested party. The Reporter therefore has no right to withdraw consent to the processing of personal data; in any case, the revocation of consent to processing would not affect the lawfulness of the processing based on the consent given before the revocation.

Right to lodge a complaint
The interested party has the right to lodge a complaint with the Supervisory Authority, represented in Italy by the Guarantor for the Protection of Personal Data. The complaint may be presented by the interested party in the manner deemed most appropriate: by hand, by registered letter with return receipt, by fax or by email. For information, the interested party is invited to consult the Guarantor’s website at www.garanteprivacy.it.

Mandatory or optional nature of providing data
The provision of data is optional; it is understood that any refusal to respond at the time of collection of the information, or any refusal to process the data may make it objectively impossible to take the report into consideration.

Rights recognized to the interested party
The interested party has the right to obtain access to personal data from the data controller.
In particular, the interested party has the right to obtain from the owner confirmation as to whether or not data concerning him or her are being processed and, in this case, access to the personal data and the following information:
a) the origin of the personal data, if the data are not collected from the interested party;
b) the purposes and methods of processing;
c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients are from third countries or international organisations;
d) the expected retention period of personal data, or, if this is not possible, the criteria adopted to determine this period;
e) the existence of the right of the interested party to ask the owner to rectify or delete personal data or to limit the processing of data concerning him or to oppose their processing;
f) the right to lodge a complaint with a supervisory authority;
g) the existence of an automated decision-making process, including profiling and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the interested party;
h) if the data are transferred to a third country or to an international organisation, the adequate guarantees pursuant to art. 46 of Regulation 679/2016 of this transfer.