Whistleblowing Procedure
NOTICE PROVIDED PURSUANT TO ARTICLES 13 AND 14 OF REG. EU 2016/679
(GDPR - GENERAL DATA PROTECTION REGULATION)
Index
1. Introduction
2. Definitions
3. Recipients
4. Purpose and Scope
5. References
6. Description of the Process and Responsibilities
6.1 Purpose and Description of the Process
6.2 Submission of the Report
6.3 Registration of the Report
6.4 Classification and Preliminary Analysis of the Report
6.5 Conducting the Investigation
6.6 Reporting
6.7 Corrective Actions: Monitoring
6.8 Processing of Personal Data and Document Retention
6.9 Periodic Checks
7. Guarantees and Protections
7.1 Protection of the Whistleblower
7.2 Protection Measures
1. Introduction
This procedure (hereinafter the “Procedure”) is intended to govern the process of transmission, receipt, analysis, and management of Reports (so-called Whistleblowing) regarding properly substantiated information concerning Personnel of H&H Italy S.r.l. (the “Company”) and/or Third Parties relating to violations of laws and regulations, as well as of the system of rules and procedures in force within the Company’s organizational structure.
The Procedure is also aimed at implementing Legislative Decree of 10 March 2023 No. 24, published in the Official Gazette on 15.03.2023, which transposes Directive (EU) 2019/1937 concerning “the protection of persons who report breaches of Union law (so-called Whistleblowing legislation).”
Anything not expressly indicated in this Procedure remains fully governed by the aforementioned Legislative Decree No. 24/2023.
The aforementioned legislation provides, in summary:
- a protection regime for specific categories of individuals who report information acquired in a work-related context regarding violations of national or European Union laws that harm the public interest or the integrity of the organization;
- protective measures, including the prohibition of retaliation, to safeguard the Whistleblower as well as Facilitators, colleagues and relatives of the whistleblower, and legal entities connected to the Whistleblower;
- the establishment of internal reporting channels within the organization (including one electronic) for the transmission of Reports, which ensure the confidentiality of the identity of the Whistleblower, the Involved Person, and/or anyone mentioned in the Report, as well as the content of the Report and its related documentation, also through the use of encryption tools;
- in addition to the possibility of filing a complaint with judicial or accounting authorities, the possibility (if one of the conditions set out in art. 6, paragraph 1, of Legislative Decree no. 24/2023 is met) of making external Reports through the channel managed by the National Anti-Corruption Authority (hereinafter ANAC), as well as making Public Disclosures (if one of the conditions set out in art. 15, paragraph 1, of Legislative Decree no. 24/2023 is met), via press or electronic means or distribution tools capable of reaching a large number of people;
- disciplinary measures and administrative monetary penalties imposed by ANAC in the cases provided for in articles 16 and 21 of Legislative Decree no. 24/2023.
2. Definitions
For the purposes of this Procedure, the following definitions apply:
- Work-related context: work or professional activities, current or past, carried out by Personnel or Third Parties within the legal relationships they have established with the Company;
- Public Disclosure: making information about violations publicly available through the press or electronic means or otherwise through means capable of reaching a large number of people. Pursuant to art. 15, paragraph 1, of Legislative Decree no. 24/2023, the Whistleblower may make a public disclosure if one of the following conditions is met:
i) they have already made both an internal and an external Report, or have made an external Report directly and no response has been given within the required time regarding the measures planned or taken in response to the Reports;
ii) they have reasonable grounds to believe that the violation may pose an imminent or obvious danger to the public interest;
iii) they have reasonable grounds to believe that the external Report may entail the risk of retaliation or may not be effectively addressed due to the specific circumstances of the case, such as where evidence may be concealed or destroyed, or where there is a well-founded fear that the recipient of the Report may be colluding with the perpetrator of the violation or involved in the violation itself;
- Facilitator: the individual who assists the Whistleblower in the reporting process and operates in the same work-related context, and whose assistance must remain confidential;
- Business Function: the business function that may be involved by the Report Manager;
- Report Manager and/or Manager: the Group Internal Audit & Risk Management Department. This body may also involve other business functions, provided that the confidentiality of the Whistleblower's identity is constantly ensured and that they are expressly authorized to process data in accordance with the GDPR;
- Information on violations: adequately detailed information, including well-founded suspicions, regarding violations resulting from behaviors, acts, or omissions committed or that, based on concrete elements, could be committed, as well as elements relating to conduct, including omissions, aimed at concealing such violations. This also includes information on violations acquired within a legal relationship that has not yet begun or has since ended, if such information was acquired in the work-related context, including during the probationary period, or during the selection or pre-contractual phase;
- Involved Person or Reported: the individual or legal entity mentioned in the Report submitted through the internal or external channel, complaint, or public disclosure, as the subject to whom the violation is attributed or otherwise related;
- Personnel: those who are connected to the Company or its Subsidiaries through an employment or occasional work relationship, as well as company management and members of corporate bodies and the Supervisory Body of the Company;
- Whistleblower: the person who makes a Report through the internal or external reporting channel, complaint, or Public Disclosure;
- Report: the written or oral communication of information relating to Personnel and/or Third Parties on violations of laws and regulations, as well as the system of rules and procedures in force within the Company's organization;
- Anonymous Report: a Report in which the identity of the Whistleblower is not stated or cannot be uniquely identified;
- Detailed Report: a Report in which the information/assertions are characterized by a sufficient level of detail to reveal specific and consistent circumstances and facts related to certain contexts, and to allow the identification of elements useful for verifying the Report's validity (e.g., elements identifying the person who committed the reported acts, context, location and timeframe, value, causes and purposes of the conduct, anomalies in the internal control system, supporting documentation, etc.). Within detailed Reports, the information/assertions are classified as:
i) “verifiable”, when based on the content of the Report, it is concretely possible to carry out verifications within the company on its validity, within the limits and tools available to the Company;
ii) “non-verifiable”, when based on the tools available, it is not possible to conduct verifications on the validity of the Report. Verifications concerning circumstances and evaluations attributable to intentional and/or subjective elements are limited by the powers of the Supervisory Body and its available tools;
- External Report: the written or oral communication of Information on violations made by the Whistleblower through the external channel activated by the National Anti-Corruption Authority (ANAC). Pursuant to art. 6, paragraph 1, of Legislative Decree no. 24/2023, the Whistleblower may submit an external Report if one of the following conditions is met:
i) within their work context, the activation of an internal reporting channel is not mandatory, or, even if mandatory, is not active or is not compliant;
ii) they have already submitted an internal Report and it has not been followed up;
iii) they have reasonable grounds to believe that, if they made an internal Report, it would not be effectively followed up or would result in retaliatory conduct;
iv) they have reasonable grounds to believe that the violation may pose an imminent or obvious danger to the public interest;
- Internal Report: the written or oral communication of Information on violations made by the Whistleblower through the internal channel;
- Report concerning significant facts:
i) A Report concerning Company Executives and members of corporate bodies;
ii) A Report that, even based on preliminary analysis, may involve serious violations that expose the Company to the risk of criminal-administrative liability;
iii) A Report on operational anomalies and/or illegal acts and/or fraud and/or abuses for which, after preliminary checks, a significant qualitative-quantitative impact on the Company’s financial statements can be estimated (in terms of accounting issues, statutory audit, internal controls on financial reporting). The impact is "significant" from a qualitative point of view if the operational anomalies and/or fraud and/or abuses can influence the economic and investment decisions of the potential recipients of the financial information. The significance of the impact from a quantitative point of view is assessed by the Company’s Chief Financial Officer;
- Third Parties: natural or legal persons, other than Staff, who, in various capacities, have employment, collaboration, or business relationships with the Company, including - but not limited to - customers, partners, suppliers (including under contracts/subcontracts), freelancers or those with collaboration agreements, professionals, consultants, agents and intermediaries, volunteers and interns (paid or unpaid), or anyone who has a legitimate interest in the Company’s business activities;
- Company Executives: executive directors and strategic managers, with operational powers and delegated responsibilities in the Company’s management.
3. Recipients
Recipients of the Procedure are:
- the Company Executives;
- employees, former employees, job applicants, shareholders, Company customers, and, by way of example but not limited to, partners, suppliers (including under contracts/subcontracts), consultants, and collaborators performing their work activities at the Company,
who are in possession of Information on violations as defined in this Procedure.
Also included as Recipients are natural and legal persons not included in the above categories, to whom the protection measures provided by this Procedure apply.
What is set out in this document also applies to anonymous Reports, provided they are sufficiently detailed, as defined in this Procedure.
4. Purpose and Scope
The purpose of the Procedure is to regulate the process of submission, receipt, analysis, and management of Reports, including archiving and subsequent deletion of both the Reports and the related documentation, in the manner indicated in this document.
The Procedure applies to the Company, which ensures its proper and consistent application, as well as maximum internal and external dissemination.
Reports concerning the following are excluded from the scope of the Procedure:
- disputes, claims, or requests linked to the personal interest of the Whistleblower, which exclusively concern the employment relationship or relations with hierarchical superiors, unless they are linked or referable to a violation of rules or internal procedures;
- violations governed mandatorily by European Union or national acts, as indicated in Article 1, paragraph 2, letter b), of Legislative Decree no. 24/2023 (regarding financial services, products and markets and prevention of money laundering and terrorist financing, transport safety and environmental protection);
- facts or circumstances falling within the scope of national or European Union provisions concerning classified information, professional or medical secrecy, and the confidentiality of judicial body deliberations, or within national provisions regarding criminal procedure, independence and autonomy of the judiciary, the functions and responsibilities of the High Council of the Judiciary, national defense and public order and security, as well as the right of workers to consult their representatives or unions, protection against unlawful conduct or acts committed due to such consultations, autonomy of social partners and their right to conclude collective agreements, and repression of anti-union behavior;
- communications regarding conflicts of interest of Company representatives. If such circumstances are also relevant under the 231 Model, they must be reported as provided for in this Procedure;
- requests to exercise rights regarding personal data protection with respect to the Company (so-called privacy rights), pursuant to Regulation (EU) no. 2016/679 (General Data Protection Regulation - GDPR) and Legislative Decree 30 June 2003 no. 196 (Code on the protection of personal data) and Legislative Decree 10 August 2018, no. 101 and subsequent amendments and integrations, for which reference should be made to the Company Data Protection Officer’s contact details and the procedure adopted by the Company for applying data protection regulations in force from time to time.
5. References
· External Legal References
- Legislative Decree 8 June 2001 no. 231 (“Regulation on the administrative liability of legal persons, companies and associations, including those without legal personality, pursuant to Article 11 of Law 29 September 2000, no. 300”);
- Regulation (EU) no. 2016/679 (General Data Protection Regulation - GDPR);
- Legislative Decree 30 June 2003 no. 196 (Code on the protection of personal data) and subsequent amendments and integrations, including Legislative Decree 10 August 2018, no. 101, as well as related legislative provisions;
- Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (so-called Whistleblowing Directive);
- Legislative Decree 10 March 2023 no. 24, published in the Official Gazette on 15.03.2023, implementing Directive (EU) 2019/1937;
· Internal Legal References
- Company Code of Ethics;
- Anti-bribery Procedure;
- Definition and Formalization of the Company’s Policies, Procedures, and Operational Instructions.
6. Process Description and Responsibilities
6.1 Purpose and Description of the Process
For Reports concerning the Company, the process owner is the Report Manager.
In order to follow up on the Reports, the Report Manager may use the support of a Company Function chosen by them, in compliance with the principles established by the Company’s Code of Conduct.
The Company Function, as part of its support activities for the Report Manager, also carries out the investigations requested, promptly informing the Manager.
The Company’s departments, if contacted by external Entities, Institutions or Authorities regarding external Reports or Public Disclosures, promptly activate the Report Manager for relevant investigations.
6.2 Submission of the Report
The Company, to pursue the goal stated in paragraph 1 above, has established various communication channels that Whistleblowers may use alternatively:
a) using the whistleblowing platform, also accessible via the Company’s website at www.swisse.it from any browser (including mobile devices) at the following address: https://eu.deloitte-halo.com/HHspeakup/ (the “Whistleblowing Platform”). Reports through the Whistleblowing Platform are operationally managed by the Report Manager and the Company Function possibly appointed for support, with the confidentiality guarantees set forth in this Procedure. This tool offers the highest level of confidentiality for the Whistleblower;
b) by email to the following address: euhalosupport@deloittece.com;
c) by regular or registered mail addressed to the Company’s registered office to the attention of the Report Manager;
d) orally by calling the following toll-free number: 800-143-966.
Recipients of this Procedure who become aware of information regarding violations are required to make a Report through the internal reporting channels described above.
Anyone who receives a Report, in any form (oral or written), must promptly forward it, and in any case within 7 days of its receipt, to the Supervisory Body, through the internal reporting channels described above, simultaneously informing the Whistleblower (if known) of the transmission.
They must also transmit the original Report, including any supporting documentation, as well as evidence of communication to the Whistleblower confirming the submission of the Report.
They may not retain a copy of the original and must delete any digital copies, refraining from undertaking any independent initiative of analysis and/or investigation.
They are also required to maintain the confidentiality of the identity of the Whistleblower, the persons involved and/or mentioned in the Report, the content of the Report, and related documentation.
Failure to communicate a received Report and any breach of confidentiality obligations constitute a violation of the Procedure and may result in disciplinary measures.
The Whistleblowing Platform allows, even anonymously, the transmission of a personal Report or a Report received from a third party, after viewing the “Privacy Notice” and this Procedure, both published on the “Whistleblowing” page available on the website www.swisse.it and on the Company’s respective intranet pages.
The aforementioned websites and intranet pages dedicated to Whistleblowing provide information on the requirements for making a Report through the internal channel, as well as on channels, procedures, and requirements for making external Reports and public Disclosures.
At the end of the submission, the Whistleblower must record the date and the Unique Identification Code, called “Disclosure ID” (an alphanumeric ticket that uniquely identifies the Report), automatically generated by the Whistleblowing Platform, which allows tracking of the status of the Report over time while ensuring confidentiality and anonymity.
6.3 Registration of the Report
All Reports, regardless of how they are received, are recorded in the Whistleblowing Platform, which serves as the summary database of the essential data of the Reports and their management (tracked through workflow) and also ensures the storage of all attached documentation, as well as any produced or acquired during the analysis activities.
The consultation of the information on the Whistleblowing Platform, until the investigative activity following the Report is completed, is limited to the Report Manager.
6.4 Classification and Preliminary Analysis of the Report
The Report Manager designated in this Procedure analyzes and classifies the Reports to determine which fall within the scope of this Procedure.
As part of these preliminary activities, the Report Manager provides the Whistleblower through the Whistleblowing Platform:
- within 7 days from the date of receipt of the Report, an acknowledgment of receipt;
- within 3 months from the acknowledgment of receipt or, if such acknowledgment is not provided, within 3 months from the expiry of the 7-day period following the submission, a response with information on the action taken or intended to be taken regarding the Report, specifying whether the Report falls within the scope of Legislative Decree no. 24/2023.
Reports concerning incidents of gender-based or sexual harassment and bullying are forwarded by the Report Manager, for appropriate action and anonymously, to the Human Resources Department.
At the end of the Report management process, the Human Resources Department informs the Report Manager of the results of the checks carried out.
The Report Manager also conducts a preliminary assessment, possibly including document analysis, of whether the conditions for initiating the subsequent investigative phase are met, giving priority to well-substantiated Reports.
For the Reports, the Report Manager, based on documentation and considering the results of preliminary analyses, evaluates:
- whether to proceed to the next investigative phase;
- whether to close the Reports, on the grounds that they are:
i) generic or insufficiently substantiated;
ii) clearly unfounded;
iii) referring to facts and/or circumstances previously subject to specific investigative activities already concluded, where no new information emerges from preliminary checks to justify further inquiry;
iv) “substantiated but verifiable”, for which, based on preliminary findings, there is no supporting evidence for proceeding to investigation;
v) “substantiated but unverifiable”, for which, based on preliminary findings, it is not possible to carry out further inquiry using available tools to verify the legitimacy of the Report.
To gather informational elements, the Report Manager may:
- request from the relevant Corporate Function, without prejudice to the current information flows, the activation of specific audits on the reported facts;
- carry out, even directly and in compliance with any applicable specific regulations, investigations through, for example, formal summons and hearings of the Whistleblower, the Reported Party and/or the Persons involved in the Report and/or otherwise informed of the facts, as well as request from the aforementioned subjects the production of informative reports and/or documents;
- make use of external experts or consultants, if deemed appropriate.
In the event that the Report concerns one or more members of the Board of Directors, the Report Manager informs the Chairpersons of the Board of Directors for joint management of the Report.
6.5 Conducting the Investigation
The investigative phase of the Report aims to:
- proceed, within the limits of the tools available to the Report Manager, with specific investigations and analyses to verify the reasonable validity of the reported factual circumstances;
- reconstruct the management and decision-making processes followed, based on the available documentation and evidence;
- provide any indications regarding the adoption of necessary remedial actions to correct possible control deficiencies, anomalies or irregularities identified in the examined business areas and processes.
Except in cases of manifest unreasonableness, the scope of the investigation does not include evaluations of merit or opportunity, whether discretionary or technical-discretionary, concerning the decision-making and management choices made from time to time by the company structures/positions involved, as these are the exclusive responsibility of the latter.
During the investigation, the Report Manager may request additional information or clarifications from the Whistleblower.
Furthermore, if deemed useful for the investigation, they may gather information from Persons involved in the Report, who also have the right to request to be heard or to submit written comments or documents. In such cases, and to ensure the right to defense, the involved Person is notified of the existence of the Report, while maintaining confidentiality regarding the identity of the Whistleblower and other involved and/or mentioned Persons.
The Report Manager ensures the investigation is carried out also by collecting the necessary information from the relevant structures, involving the competent Corporate Functions and, if deemed appropriate, external experts or consultants.
The investigative activities are carried out using, by way of example but not limited to:
i) useful corporate data/documents for the investigation (e.g. extractions from corporate systems and/or other specific systems used);
ii) external databases (e.g. info providers/databases on corporate information);
iii) open sources;
iv) documentary evidence obtained from corporate structures;
v) where appropriate, statements made by the subjects concerned or obtained during recorded interviews.
6.6 Reporting
At the end of the investigation activity, the Report Manager decides to close the Report, highlighting any violation of rules/procedures, without prejudice to the exclusive prerogatives and competences of the Human Resources Function or otherwise of the Board of Directors regarding the exercise of disciplinary action.
The results of the investigations are summarized in a report or, for Reports “concerning significant facts” and/or with complex analyses, in an investigative note, which includes:
- an assessment of reasonable validity/invalidity of the reported facts;
- the outcome of the activities carried out and the results of any previous investigations on the same facts/reported subjects or on facts similar to those subject to the Report;
- any indications regarding necessary corrective actions on the examined business areas and processes, adopted by the competent management, which is informed of the analysis outcomes.
Furthermore, if the investigation reveals:
- possible instances of criminal relevance or civil liability, the Report Manager may decide to communicate the findings to the Board of Directors for appropriate evaluations;
- cases of rule/procedure violations or facts possibly relevant in terms of disciplinary or employment law, the Report Manager instructs that the findings be communicated to the Human Resources Function for appropriate evaluations, which then promptly informs the Report Manager of the decisions taken.
Reports that are closed as clearly unfounded, unless anonymous, are forwarded to the Human Resources Function so it can assess, with other competent company structures, whether the Report was made solely to damage the reputation or otherwise harm the Reported Person and/or Company, for the purpose of taking any appropriate action against the Whistleblower.
6.7 Corrective Actions: Monitoring
If the analyses on the examined business areas and processes reveal the need to issue recommendations for the adoption of appropriate remedial actions, it is the responsibility of the management of the verified areas/processes to define a corrective action plan to address the identified issues and ensure its implementation within the established deadlines, notifying the Report Manager also through the Corporate Function responsible for monitoring the implementation status of the actions.
6.8 Processing of Personal Data and Documentation Retention
All processing of personal data, including in the context of the Whistleblowing Platform, is carried out in compliance with the confidentiality obligations under Art. 12 of Legislative Decree no. 24/2023 and in accordance with the data protection legislation referred to in Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), Legislative Decree of June 30, 2003 no. 196, and Legislative Decree of May 18, 2018 no. 51.
The protection of personal data is ensured not only for the Whistleblower (for non-anonymous reports), but also for the Facilitator and the Person involved or mentioned in the report.
The data subjects are provided with information on the processing of personal data via publication on the Company's website.
To ensure the management and traceability of Reports and related activities, the Corporate Function is responsible for preparing and updating all information concerning the Reports and ensures, using the Whistleblowing Platform, the retention of all related supporting documentation for the time strictly necessary for their resolution, and in any case for not more than 5 years from the date on which the final outcome of the Report is communicated to the Supervisory Body.
Personal data that are clearly not useful for handling a specific Report are not collected or, if collected accidentally, are promptly deleted.
Original Reports received in paper form are stored in a specially protected environment.
7. Guarantees and Safeguards
7.1 Protection of the Whistleblower
Reports cannot be used beyond what is necessary to adequately follow them up.
Subject to legal obligations, the identity of the Whistleblower and any other information from which their identity can be inferred, directly or indirectly, cannot be disclosed without their express consent, to persons other than those authorized to receive or follow up on the Reports, expressly authorized to process such data under Articles 29 and 32(4) of Regulation (EU) 2016/679 (GDPR) and Article 2-quaterdecies of Legislative Decree June 30, 2003, no. 196 (Personal Data Protection Code).
In particular, the identity of the Whistleblower and any other information from which their identity can be inferred, directly or indirectly, may be disclosed only with their express consent:
- in the context of disciplinary proceedings, if the allegation is based, in whole or in part, on the Report and knowledge of the Whistleblower’s identity is indispensable for the defense of the accused;
- in proceedings initiated as a result of internal or external Reports, if disclosure of the Whistleblower’s identity or of any information from which it can be inferred, directly or indirectly, is also indispensable for the defense of the Person involved.
In such cases, the Whistleblower is given prior written notice of the reasons for disclosing the confidential data.
Company personnel involved in managing the Reports are required to maintain the confidentiality of the identity of the Whistleblower, the Persons involved and/or mentioned in the Report, the content of the Report and the related documentation, as well as the status of the investigation, the elements obtained in this phase, and the outcome.
Confidentiality is also guaranteed to anyone who reports before the beginning or after the termination of the employment relationship, or during the probation period, if such information was acquired within the working context or during the selection or pre-contractual phase.
Confidentiality is also guaranteed with respect to the identity of Persons involved and/or mentioned in the Report, as well as the identity and assistance provided by Facilitators, with the same guarantees as those provided for the Whistleblower.
Violation of the confidentiality obligation, subject to the above exceptions, may result in...