Agriplast has fulfilled its whistleblowing obligations.

All the processing of personal data resulting from the reporting of wrongdoing shall be subject to mandatory regulations on personal data processing, and no derogation is provided for. The goal of confidentiality of reports is achieved through the use of software and dedicated platforms, already available on the IT services market, since the obligations in terms of whistleblowing had already been introduced for the public sector since 2001. Agriplast has chosen the WhistleblowingSoftware platform, which guarantees the confidentiality of the reports and the preservation of any text or multimedia document that the whistleblower transmits to the OdV (Supervisory Body), which is the sole administrator of the software platform. The platform also allows and stores any communication with encrypted chat message exchange between the OdV and the whistleblower. The data controller of Agriplast Spa's data is Rag. Salvatore Cascone in the capacity of legal representative of Agriplast. The DPO (Data Protection Officer) is Dr. Giuseppe Ridolfo, as per a specific resolution of the Board of Directors. The processor of whistleblowing data pursuant to Article 28 of the GDPR, as also specified by paragraph 6 of Article 13 of the Decree, is the provider of the WhistleblowerSoftware, i.e., the platform that the company uses for the dual purpose of allowing written and oral reports. The data processor is also Prof. Avv. Antonio Barone in the capacity of administrator of the platform as data manager of the whistleblowing reports and limited to the aspects of his direct competence. The data processed are digital files of multimedia and text type. The type of data is sensitive.

In light of this and in compliance with the accountability principle set forth by the GDPR, the company has organized internally and has adopted the security measures provided for:

Ensuring the confidentiality and security of the data processed within the collected reports. Therefore, primarily the data of the whistleblower, but also the data of the subjects of the reports and of any third parties involved, providing adequate information about the processing they are subject to, as explicitly indicated in paragraph 4.

Ensuring that the data controller, in developing its own internal organizational model aimed at the correct management of reports, adopts all organizational, IT, and physical measures to ensure that the personal data processed are not subject to unauthorized access, loss, or illicit processing, referring to the provisions of the GDPR and, in particular, to those prescribed by Article 32.

Furthermore, in compliance with the norms of paragraph 6 of the Decree under examination, Agriplast has carried out an impact assessment (with specific European software), to verify the impact of these activities on data protection regulated by Article 35 of the regulation. The assessment was conducted by the DPO on a notebook for the exclusive use of the DPO. The software platform chosen by Agriplast complies with the norms of Article 14 of the Decree, regarding the rules in terms of conservation of reports and therefore also of conservation of the personal data contained therein. It is indicated as a parameter the time necessary for the processing of the report and in any case not beyond 5 years from the date of communication of the outcome of the report. The forecast is consistent with the principle of privacy by default and the minimization of the processing of personal data, which does not admit perpetual conservation. The Data Controller has already planned within the software platform chosen by Agriplast, the parameterization for the management of reports including the internal policies of deletion of the personal data processed, managed, recorded, and preserved, it is remembered in digital format.

The personal details of the whistleblower can be known by the OdV, and the platform chosen by Agriplast allows reporting anonymously. The data are not disclosed externally and can be communicated to third parties only in the cases provided for by Article 12 of the cited decree. The whistleblower may exercise the right of access to personal data, as well as other rights recognized by law, towards the Data Controller – Agriplast Spa – President and CEO - via F.Bonetta 35 – 97019 VITTORIA (RG), email amministrazione@agriplast.com. The whistleblower will be informed and must give consent to data processing in a specific section of the whistleblowing platform, during the reporting process.