Whistleblowing Procedure and Privacy Policy

(pursuant to Legislative Decree 24/2023 and EU Regulation 2016/679)

Mattioli Brand S.r.l. promotes a corporate culture based on integrity, transparency, and compliance with applicable regulations.

Through the Whistleblowing system, anyone operating within the Company’s work environment may report conduct, acts, or omissions that may constitute violations of national or European Union laws, or conduct likely to compromise the public interest, corporate integrity, or compliance with internal procedures.

The Company ensures that reports are handled in accordance with the principles of confidentiality, impartiality, and protection of the Whistleblower as provided by applicable regulations.

Reports may be made by employees, collaborators, consultants, suppliers, business partners, candidates, former employees, and any other person who has acquired relevant information in the context of their relationship with the Company.

The following may be reported, by way of example:

• violations of law;
• administrative, accounting, civil, or criminal offenses;
• violations of the Organizational Model 231 and company procedures;
• fraud, corruption, conflicts of interest;
• violations concerning health and safety, environment, privacy, and data protection;
• conduct likely to cause harm to the Company or the public interest.

Reports also include violations concerning, by way of example, public procurement, financial services, prevention of money laundering and terrorist financing, product safety and compliance, transport safety, environmental protection, public health, consumer protection, protection of privacy and personal data, security of networks and information systems, as well as violations that harm the financial interests of the European Union or compromise the proper functioning of the internal market.

The Whistleblowing system does not cover disputes, claims, or requests of an exclusively personal nature relating to individual employment relationships or relationships with direct supervisors.

Reports may be made through:

• written communication addressed to the Whistleblowing Officer;
• oral report via dedicated telephone contact;
• direct and confidential meeting with the Whistleblowing Officer.

Whistleblowing Officer:

Avv. Enrico Cairo

Via Bertolotti 2 – 10121 Turin

Tel. +39 333 3920306

Written reports may be sent by confidential letter addressed to the Whistleblowing Officer.

Oral reports and direct meetings are documented by the Whistleblowing Officer through minutes or a summary, which may be verified, confirmed, or corrected by the Whistleblower.

The Company guarantees the utmost confidentiality of the identity of the Whistleblower, the persons involved, and the information contained in the report.

The Whistleblowing Officer:

• issues confirmation of receipt within 7 days;
• maintains communication with the Whistleblower;
• conducts necessary verifications;
• requests any additional information;
• provides feedback within 3 months of receiving the report.

In the cases provided for in Article 6 of Legislative Decree 24/2023, the Whistleblower may make an external report through the channels made available by ANAC.

This is permitted, in particular, when:

• the internal channel is not active or does not meet legal requirements;
• a previous internal report has not been followed up;
• there is reasonable ground to believe that the internal report may not be handled effectively or may expose the Whistleblower to retaliation;
• the violation constitutes an imminent or evident danger to the public interest.

The Company prohibits any form of retaliation, discrimination, or penalization against anyone who makes a report in good faith.

The identity of the Whistleblower is protected within the limits and according to the procedures provided by the Legislative Decree. 24/2023.

Personal data collected in connection with the handling of reports are processed by Mattioli Brand S.r.l., as Data Controller, exclusively for purposes related to the receipt, handling, and verification of reports and compliance with legal obligations.

Identifying data of the Whistleblower, the persons involved, and any third parties mentioned in the report may be processed.

In the context of handling reports, special categories of personal data and data relating to criminal convictions or offenses may be processed, where relevant and strictly necessary. Such data will be used exclusively for purposes related to the verification of the report and in compliance with applicable data protection regulations.

Data are processed using paper and electronic tools in compliance with the principles of lawfulness, fairness, transparency, security, and confidentiality provided by the GDPR.

Data may be disclosed exclusively to authorized persons involved in handling the report, such as:

• Whistleblowing Officer;
• appointed consultants and professionals;
• technical service providers potentially involved;
• competent Authorities in cases provided by law.

Data will not be disseminated.

Documentation relating to reports is retained for the time necessary to handle the proceedings and in any case no longer than five years from the conclusion thereof, unless retention is necessary for the handling of judicial proceedings, inspection activities, requests from competent Authorities, or other legal obligations.

After the retention period, data will be deleted or rendered irreversibly anonymous.

Data subjects may exercise the rights provided by Articles 15 and following of the GDPR, including access, rectification, erasure, restriction of processing, objection, and, where applicable, data portability.

The exercise of such rights may be limited, delayed, or excluded in cases provided by applicable regulations, including those governed by Article 2-undecies of Legislative Decree 196/2003, where it may result in actual and concrete prejudice to the confidentiality of the Whistleblower’s identity or to the proper conduct of verification activities.

The right to lodge a complaint with the Italian Data Protection Authority remains in any case.

Data Controller:

Mattioli Brand S.r.l.

Via Bologna 220 – 10154 Turin

E-mail: privacy@mattioli.it

For any information regarding the Whistleblowing system, the processing of personal data, or the exercise of rights provided by applicable regulations, please contact the Data Controller at the above contact details.