Privacy Notice

This privacy notice is provided by BIBIONE TERME S.p.A., located at Via delle Colonie 3 – San Michele al Tagliamento (VE), 30028 - Fraz. Bibione (VE) (hereinafter “BIBIONE TERME” or “Company”), as data controller, in accordance with Article 13 of Regulation (EU) 2016/679 (hereinafter “Regulation”), to individuals other than employees who make reports pursuant to Legislative Decree 24/2023, implementing Directive (EU) 2019/1937 regarding the protection of individuals who report breaches of Union law.

This notice explains the purposes and methods by which BIBIONE TERME collects and processes your personal data, which categories of data are processed, the rights of data subjects, and how these rights can be exercised.

Categories of Data Processed

The Company will process the data you provide in the context of the report; specifically, BIBIONE TERME will process the following personal data: a) first and last name; b) address through which the report is made; c) the role under which the report is made.

Providing the data is necessary for the submission of the report; without it, the report cannot be processed.

Purpose and Legal Basis of Processing

In the context of managing the whistleblowing procedure, BIBIONE TERME will process your personal data, pursuant to Article 6, letter c) of the Regulation, in compliance with a legal obligation, and specifically in accordance with Legislative Decree 24/2023, which requires the implementation of a reporting system to identify any unlawful conduct related to:

Categories of Recipients of Personal Data and Purposes of Communication

BIBIONE TERME may disclose your personal data to third parties that it uses for activities related to the management of the whistleblowing system. Specifically, your data may be shared with external companies providing IT services to BIBIONE TERME and external consultants.

These companies will process your personal data as data processors under Article 28 of the Regulation (hereinafter, also “Data Processors”), in accordance with Article 13, paragraph 6 of Legislative Decree 24/2023.

To obtain a list of Data Processors, please contact BIBIONE TERME by writing to info@bibioneterme.it.

Furthermore, BIBIONE TERME may disclose your data to entities to whom disclosure is required by law once the validity of the report has been verified; such entities will process your data as independent data controllers.

Duration of Processing and Data Retention Period

Your data will be processed for the time strictly necessary for analyzing the report you made through the whistleblowing system, as well as for any subsequent actions that may be required. In any case, according to Article 14, paragraph 1 of Legislative Decree 24/2023, data will not be kept for more than five years from the notification of the final outcome of the report.

Transfer of Data Outside the European Union

Your data may be transferred outside the European Union by service providers used by BIBIONE TERME for activities related to managing the report you submitted. Such transfers, if applicable, will be governed by standard contractual clauses adopted by the European Commission in Decision 2021/914/EU and any subsequent amendments, or alternatively, based on an adequacy decision by the Commission, binding corporate rules, and/or any other instrument permitted by the relevant regulations. You can obtain information about where your data has been transferred and a copy of such data by writing to info@bibioneterme.it.

Rights of Data Subjects

We inform you that, in accordance with applicable regulations, you may exercise the following rights:

These requests may be addressed to BIBIONE TERME by regular mail to the Company’s address.

We also inform you that BIBIONE TERME S.p.A. has appointed a Data Protection Officer: Eng. Nicola Occari, who can be reached at the addresses provided above.

Finally, we inform you that, under current regulations, you may file any complaints regarding the processing of your personal data with the Data Protection Authority.

1. Definitions

Code of Ethics: Adopted pursuant to Legislative Decree No. 231/01, it is a document through which the Company outlines the set of rights, duties, and responsibilities of the Company in relation to all parties with whom it interacts to achieve its corporate objectives. The Code of Ethics aims to establish ethical standards and behavioral norms that the recipients of the Code must adhere to in their dealings with the Company, with the goal of preventing and repressing unlawful conduct.

Collaborators: Those who act on behalf of or for the Company based on a mandate or other collaborative relationship (e.g., financial promoters, interns, contract and project workers, temporary workers).

Consultants: Individuals who perform their activities for the company based on a contractual relationship.

GDPR: General Data Protection Regulation (EU) 2016/679 concerning the protection of personal data.

Legislative Decree 231/01 or Decree: Legislative Decree No. 231 of June 8, 2001, regarding “Regulations on the administrative liability of legal entities, companies, and associations, including those without legal personality” and subsequent amendments and additions.

Recipients of the Code of Ethics: Shareholders, members of governing bodies, employees, as well as anyone who, although external to the Company, operates directly or indirectly for or with TERME BIBIONE (e.g., collaborators of any kind, consultants, suppliers, clients).

Recipients of the Model: Members of governing bodies, the auditing firm, employees, as well as those who, while not falling under the category of employees, work for TERME BIBIONE and are under the control and direction of the Company (e.g., financial promoters, interns, contract and project workers, temporary workers).

Subordinate or Employee Workers: Subordinate or employee workers, i.e., all employees of the Company (staff in the first, second, and third professional areas; managers; executives).

Law 146/2006: Law No. 146 of March 16, 2006 (Ratification and implementation of the United Nations Convention and Protocols against Transnational Organized Crime, adopted by the General Assembly on November 15, 2000, and May 31, 2001).

Model / MOG: Organizational, management, and control model pursuant to Articles 6 and 7 of the Decree.

O.d.V. (Supervisory Body): Supervisory Body established by Articles 6, paragraph 1, letter b) and 7 of Legislative Decree 231/2001, tasked with overseeing the functioning and adherence to the Model and ensuring its updates.

Report: Any information concerning alleged violations, irregularities, breaches, reprehensible behaviors, or any practices not compliant with the Code of Ethics and/or the Organizational, Management, and Control Model.

Anonymous Report: When the identity of the reporter is not disclosed or otherwise identifiable.

Open Report: When the reporter openly raises an issue without limitations related to their confidentiality.

Confidential Report: When the reporter’s identity is not disclosed, but it is possible to trace it in specific and determined cases indicated below.

Bad Faith Report: A report made solely to damage or otherwise harm a Recipient of the Code of Ethics and/or the Model. Reports made with intent or gross negligence that are found to be unfounded.

Company: BIBIONE TERME S.p.A.

Reporters: Recipients of the Code of Ethics and/or the Model, as well as any other party interacting with the Company to make the report.

Reported Parties: Recipients of the Code of Ethics and/or the Model who have committed alleged violations, irregularities, breaches, reprehensible behaviors, or any practices not compliant with the Code of Ethics and/or the Organizational, Management, and Control Model.

Third Parties: Contractual counterparts of TERME BIBIONE, both individuals and legal entities (e.g., suppliers, consultants, etc.) with whom the Company engages in any form of contractually regulated collaboration and who are intended to cooperate with the company in risk-related activities.

Subordinates: Persons under the direction or supervision of a senior person as per Article 5, paragraph 1, letter b) of the Decree.

2. Purpose

The purpose of this procedure is to establish clear and identified information channels suitable for ensuring the receipt, analysis, and handling of reports – open, anonymous, and confidential – related to allegations of unlawful conduct relevant under Legislative Decree No. 231/2001 and/or violations of the Model and/or Code, and to define the necessary activities for their correct management by the Supervisory Body.

Additionally, this procedure aims to:

a) Ensure the confidentiality of the personal data of the reporter and the alleged violator, subject to the rules governing investigations or proceedings initiated by the judicial authority concerning the facts subject to the report, or disciplinary proceedings in the case of reports made in bad faith;

b) Adequately protect the reporter against retaliatory and/or discriminatory conduct, whether direct or indirect, related "directly or indirectly" to the report;

c) Ensure a specific, independent, and autonomous channel for reporting.

3. Scope

This regulation applies to Recipients of the Model and/or the Code of Ethics, namely:

• Shareholders;
• Members of the Board of Directors;
• Members of the Board of Auditors;
• Members of the Supervisory Body;
• Employees;
• Auditing Firm;
• Those who, while not falling under the category of employees, work for BIBIONE TERME S.p.A. and are under the control and direction of the Company (e.g., interns, contract and project workers, temporary workers);
• Those who, although external to the Company, operate directly or indirectly, in a stable manner, for BIBIONE TERME or with TERME BIBIONE (e.g., continuous collaborators; strategic suppliers).

4. Responsibility and Dissemination

This procedure, as an attachment to the manual, is approved in content by the Company’s Board of Directors, which, upon possible proposal by the Supervisory Body, is also responsible for updating and integrating it. It is accessible online to employees. The same dissemination methods outlined above are adopted for subsequent revisions and integrations of the procedure.

5. Reference Principles

The individuals involved in this procedure must operate in compliance with the regulatory system, organizational structure, and internal powers and delegations. They are required to adhere to current legal regulations and guidelines and respect the following principles:

KNOWLEDGE AND AWARENESS: This reporting procedure is a fundamental element for ensuring full awareness in effectively managing risks and their interrelationships, and for guiding changes in strategy and organizational context.

GUARANTEE OF CONFIDENTIALITY OF PERSONAL DATA AND PROTECTION OF THE REPORTING AND REPORTED PARTIES: All individuals who receive, examine, and evaluate reports, and any other person involved in the management process of reports, must ensure the highest confidentiality regarding the reported facts, the identity of the reported and the reporting parties, who are protected from retaliatory, discriminatory, or otherwise unfair conduct.

PROTECTION OF THE REPORTED PARTY FROM "BAD FAITH" REPORTS: All individuals must respect each person’s dignity, honor, and reputation. The reporting party is required to disclose if they have a private interest related to the report. The company guarantees adequate protection against "bad faith" reports, condemning such conduct and informing that reports made to damage or harm, as well as any other abuse of this document, are a source of liability, both in disciplinary proceedings and other competent forums.

IMPARTIALITY, AUTONOMY, AND INDEPENDENCE OF JUDGMENT: All individuals who receive, examine, and evaluate reports must possess the necessary moral and professional requirements and ensure the maintenance of conditions of independence, objectivity, competence, and diligence in carrying out their activities.

6. Involved Parties

The reporting system can be activated by the following parties:

• Employees (of any type of contract) who operate based on relationships that place them within the organizational structure, even if not in an employment relationship.
• Members of corporate bodies.
• Third parties having stable business relationships with the company (e.g., ongoing collaborators, strategic suppliers).

7. Subject of the Report

The subject of the report is the commission or attempted commission of one of the offenses provided for by Legislative Decree 231/2001, or the violation or fraudulent evasion of the principles and requirements of the Organizational and Management Model and/or the ethical values and behavioral rules of the company’s Code of Ethics, of which they have become aware due to their functions.

Reports may concern, by way of example and not limited to:

• Violations related to worker protection, including occupational safety regulations.
• Alleged offenses, as provided by the company’s Model 231, committed by company representatives in the interest or advantage of the company.
• Violations of the Code of Ethics, Model 231, and company procedures.

Reports considered are only those relating to facts directly verified by the reporting party and not based on hearsay. Furthermore, the report must not concern personal grievances. The reporting party must not use the institution for purely personal purposes, claims, or retaliations, which fall under the discipline of the employment/partnership relationship or relations with the hierarchical superior or colleagues, for which company procedures should be referred to.

8. Report Management Procedure

8.1. Reporting

Internal Reports

A reporting party, if they have reasonable suspicion that a violation as indicated in the previous paragraph 7 has occurred or may occur, can make a report in the following ways:

• Using an external internet portal, such as a portal that allows for anonymous reporting. Specifically, the reporting party will use the portal to address the report to the Supervisory Body of BIBIONE TERME S.p.A. (odv-spa@bibioneterme.it).
• By sending an email (odv-spa@bibioneterme.it) or postal mail to the Supervisory Body at BIBIONE TERME S.p.A. - via delle Colonie, 3 – 30028 Bibione (VE). In both cases, the identity of the reporting party will be known to the ODV, which will ensure its confidentiality, unless legally unavoidable.
• By sending a physical letter via postal service to: BIBIONE TERME S.p.A., Supervisory Body at BIBIONE TERME S.p.A. - via delle Colonie, 3 – 30028 Bibione (VE). In this case, to ensure confidentiality, the report must be placed in a sealed envelope marked “personal and confidential.” The physical report received by mail must be immediately delivered by the recipient to the designated parties, who are obliged to refrain from undertaking any independent analysis or further investigation. This method is also prescribed for anonymous reports.
• Verbally, through a statement recorded by one of the authorized persons for their receipt, such as the internal contact person for BIBIONE TERME S.p.A. for the Organizational and Management Model under Legislative Decree 231/01, or the ODV during on-site audits.

Once the report is submitted as described, the reporting party will be informed by the designated receivers about when the report is taken in charge, whether additional details are needed for evaluation and examination, and when the verification is concluded. The reporting party can request an update or feedback on their report and provide additional information if the reported issue has continued, stopped, or worsened.

Legislative Decree 24/2023 stipulates that regarding the management of internal reports:

• After the report is made by the whistleblower and within seven days of its receipt, the entity must provide an acknowledgment of receipt.
• The person managing the channel must maintain communication with the reporting party, diligently follow up on the report, and provide feedback to the whistleblower within three months of the receipt date.
• Decree 24/2023 has expanded the channels available to reporters, providing for an external reporting channel managed by ANAC if other internal reporting channels are not available.

External Reports

Decree 24/2023 provides for an external reporting channel managed by ANAC if no other internal reporting channels are available. Access to ANAC’s external channel is permitted in the following cases:

• The reporting party operates in a work context where the mandatory activation of the channel is not provided or where its preparation does not meet regulatory requirements.
• The reporting party has already made a report to which no action has been taken.
• The reporting party has reasonable grounds to believe that the internal reporting system cannot guarantee confidentiality or may suffer from retaliatory actions.
• The report concerns the potential omission of obligations related to the reporting system.

8.2. Reception

The report is received by the designated person (usually the Supervisory Body or another indicated person), who must:

• Ensure the confidentiality of the reporting party’s identity, unless such confidentiality cannot be legally ensured.
• Evaluate the validity of the report, verify the reported facts, and gather additional information and documentation if necessary.
• Inform the reporting party within seven days of receiving the report.

8.3. Examination and Evaluation

The person responsible for examining and evaluating the report must:

• Verify the reported facts and assess whether there are elements of responsibility.
• Determine the actions to be taken and adopt corrective measures if necessary.
• Document each phase of the report management process.

8.4. Feedback

The responsible person must:

• Provide feedback to the reporting party within three months of receiving the report, indicating the actions taken and results obtained.
• Inform the reporting party if the report cannot be processed or if sufficient elements for corrective measures have not been found.

9. Protection of the Whistleblower

The Company ensures the protection of the whistleblower against retaliation and discrimination that may arise from making a report. All reports are treated with the utmost confidentiality, and all necessary measures are taken to ensure a safe environment for whistleblowers.

10. Disciplinary Measures

Any violations of this procedure or abuse of the reporting system may result in disciplinary measures against employees, collaborators, and third parties involved.

11. Monitoring and Updates

The reporting system is subject to continuous monitoring and periodic reviews to ensure it remains effective and compliant with current regulations. Any changes to the procedure will be communicated to all involved parties.