1. FOREWORD AND PURPOSE

On 15 March 2023, Legislative Decree No. 24/2023 (hereinafter also referred to as the "Whistleblowing Decree" or just the "Decree") was published in the Official Journal, implementing EU Directive 2019/1937 on the protection of persons who report breaches of Union law and laying down provisions concerning the protection of such persons (the so-called Whistleblowers).

Whistleblowing, in particular, means the reporting of conduct, acts or omissions in breach of the provisions of the Organisation, Management and Control Model pursuant to Legislative Decree 231/2001 or of provisions of national or European Union law that affect the public interest or the integrity of a public administration or a private body, made by a person who becomes aware of it in the course of his or her public or private work-related context.

B&R Automazione Industriale S.r.l. Società Unipersonale (also "B&R" or the "Company"), which is a member of the ABB Group, even before the entry into force of the above-mentioned regulation, adopted a system aimed at promoting a corporate culture characterised by proper behaviour and a good Corporate Governance and Integrity system, ensuring a working environment in which employees feel free to report any unlawful conduct.

In the light of the above, B&R intends to use this document (the "Whistleblowing Procedure" or "Procedure") to illustrate the instruments that can be used, within the corporate context, to report unlawful conduct.

Therefore, the Procedure is intended to:

  • identify the persons who may make reports;
  • circumscribe the conduct, events or acts that may be reported;
  • identify the channels to be used to submit reports;
  • illustrate the operational methods for the submission and handling of reports, as well as for any subsequent investigation activities;
  • inform the reporting person and the reported person of the forms of protection that are recognised and guaranteed thereto.

2. CONTEXT REFERENCES

  • Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law;
  • Data Protection Regulation (EU) 2016/679 ("GDPR");
  • Legislative Decree No. 24 of 10 March 2023, "Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and laying down provisions concerning the protection of persons who report breaches of national laws";
  • Legislative Decree 231/2001, "Regulations on the administrative liability of legal persons, companies and associations, including those without legal personality";
  • ABB Code of Conduct.

3. DEFINITIONS

Recipients

B&R's permanent and fixed-term employees (executives, middle management, clerical staff, workers), directors, members of corporate bodies and supervisory bodies, as well as all those who, for various reasons, have employment, collaboration or business relations with the Company, including collaborators, trainees, outsourced workers, consultants, agents, suppliers and business partners, even before their legal relationship with the Company begins or after it is terminated.

Public disclosure

Placing information about violations in the public domain through the press or electronic media or otherwise through means of dissemination capable of reaching a large number of people.

Facilitator

A person assisting the reporting person in the reporting process, operating within the same work-related context and whose assistance is kept confidential.

Reporting person

A natural person who makes an internal or external report or Public disclosure of information on breaches acquired in the context of his or her work-related activities.

Reported person

The person mentioned in the internal or external report, or in the Public Disclosure, this meaning the person to whom the breach is attributed or a person otherwise implicated in the reported or publicly disclosed breach.

Report

The written or oral communication of information on breaches, including reasonable suspicions about breaches committed or likely to be committed at B&R, as well as elements concerning conduct aimed at concealing such breaches.

Anonymous reports

Reports lacking elements with which their author can be identified.

External report

The written or oral communication of information on breaches submitted through the external reporting channel referred to in para. 6.2.

Reporting in bad faith

Any communication received by B&R that proves to be unfounded on the basis of objective elements and that proves, on the basis of objective elements, to have been made for the purpose of causing damage.

Internal reporting

The written or oral communication of information on breaches submitted through the internal reporting channel referred to in para. 6.1.

Not relevant report

Any communication received by B&R concerning conduct that does not amount to a breach. All those communications received by B&R whose vague content prevents the execution of adequate controls are also considered as not relevant reports.

Breaches

Conduct, acts or omissions detrimental to the public interest or the integrity of B&R and consisting of the conduct referred to in para. 4.

4. SCOPE OF REPORTS

Under the combined provisions of Articles 2(1)(a) and 3(2) of the Whistleblowing Decree, the following conduct may be reported:

  • a conduct or situation contrary to ABB's Code of Conduct, as well as to internal regulations, directives, policies and procedures adopted by the Company and relevant under Legislative Decree 231/2001;
  • breaches of EU law [1].

Any non-relevant Reports cannot be pursued and will therefore be closed. In particular, Reports are not relevant when:

  • they relate to personal interests concerning claims or grievances concerning relations with colleagues;
  • they are insulting or contain personal offences or moral judgements and are aimed at offending or damaging the personal and/or professional honour and/or decorum of the person or persons to whom the reported facts refer;
  • they are based on mere suspicions or rumours concerning personal facts not amounting to an offence;
  • they have purely defamatory or slanderous purposes;
  • they are of a discriminatory nature, insofar as they relate to sexual, religious or political orientation or to the racial or ethnic origin of the reported person.

5. REPORTING IN GOOD OR BAD FAITH

5.1 Reporting in good faith

The Reporting person should make Reports as circumstantial as possible and provide as much information as possible, in order to allow due verification and adequate feedback.

After making a Report, the Reporting person who discovers any errors may give immediate notice using the same channel to which the Report was submitted.

5.2 Reporting in bad faith

Reports are deemed to have been made in bad faith if they turn out to be deliberately frivolous, false or unfounded, have defamatory content or otherwise concern deliberately erroneous or misleading information, for the sole purpose of damaging the Company, the Reported person or other persons concerned by the Report.

In this case, the Company reserves the right to take appropriate action - including appropriate disciplinary sanctions - against the Reporting person.

6. HOW TO REPORT

6.1. Internal reporting

In accordance with Article 4 of the Whistleblowing Decree, the Company has set up internal Reporting channels so that Reports can be submitted either in writing or orally.

The Report is submitted via the Business Ethics Helpline and the ABB Group's Business Ethics Hotline.

At the written request of the Reporting person a direct meeting can be arranged with his supervisor or the head of his Local Division (i.e. B&R Country Managing Director) or with the Local Legal Counsel or with the Human Resources department of B&R.

Anyone who receives a Report outside the channels indicated above promptly forwards the original report and any attachments to the Local B&R Legal & Integrity function.

6.2. External reporting and Public Disclosure

The Reporting person may submit his Report to ANAC, through the External reporting channel made available by the said Authority, if the Reporting person:

  • has already made an internal report which has not been followed up;
  • has reasonable grounds to believe that, if an Internal report were made, the report would not be effectively followed up, or the report itself might cause the risk of retaliation;
  • has reasonable grounds to believe that the Breach may constitute an imminent or manifest danger to the public interest.

The Reporting person may make a Public disclosure if he:

  • has already made an Internal and External report which has not been followed up;
  • has reasonable grounds to believe that, due to the specific circumstances of the case, the External report may entail a risk of retaliation or may not be effectively followed up.

6.3. Anonymous report

Anonymous reports will also be taken into account provided they are properly substantiated and detailed.

Anonymous reports limit B&R's ability to investigate effectively as a smooth information channel cannot be established with the Reporting person. B&R considers, as relevant factors in assessing the Anonymous report, the seriousness of the reported Breach, the credibility of the facts represented and the possibility of verifying the actual occurrence of the Breach from reliable sources.

7. CONTENT OF THE REPORT

Reports must always be substantiated and well-founded, regardless of how they are made, so as to allow for the necessary measures to be taken and the appropriate checks and controls to be carried out, including by conducting investigations and issuing requests for clarifications to the Reporting person, where identified. The Reporting person may allow for his identification by indicating his contact details (e.g. name and surname, email address, phone number).

What should be indicated in the Report?

  • a clear and complete description of the Reported facts;
  • any information and indication that can be used to identify the persons who have committed the Breach;
  • the nature, context of reference and any useful details to describe the subject of the Report;
  • the time and place, if known, relating to the subject of the Report;
  • any further information deemed useful for the investigation of the Report.

Appropriate documentation supporting the Report should be attached where available, including the indication of witnesses or persons who may be able to provide information on the Reported facts.

8. HOW THE REPORT IS HANDLED

8.1 Receiving the Report - Preliminary checks

Reporting through the ABB Group's reporting channels referred to in para. 6.1

The Reporting person can make a Report, via the ABB Business Ethics Helpline, either centrally or locally.

If an oral Report is made via the ABB Business Hotline, it is reported within the ABB Business Ethics Helpline.

In any case, the Reporting person receives an automatic message of acknowledgement of the Report together with the identification code of the Report.

  • a) Central reporting
    • the Report is taken over by the Integrity Investigations & Monitoring (IIM) team, reporting to the ABB Group's Legal & Integrity department;
    • the Integrity Investigations & Monitoring (IIM) team, supported by the competent local department depending on the Severity Level assigned to the Report, carries out a preliminary check as to fulfilment of the legal and factual prerequisites, as well as to the relevance and presence of sufficient evidence to investigate the Report;
    • in any event, the competent local department promptly informs the Local Legal Counsel who, where the Report is relevant within the meaning of Legislative Decree 231/2001, promptly informs the Company Board;
    • if there is sufficient evidence for further investigation, the IIM, supported by the competent local department, formally opens the investigation (para. 8.2);
    • if the Report is not relevant or in case of a lack of sufficient evidence for further investigation, the Report is closed (para. 8.4).
  • b) Local reporting
    • the Report is forwarded to the competent local department depending on the Severity Level assigned;
    • in any event, the competent local department promptly informs the Local Legal Counsel who, where the Report is relevant within the meaning of Legislative Decree 231/2001, promptly informs the Company Board;
    • the competent local department carries out a preliminary check as to fulfilment of the legal and factual prerequisites, as well as to the relevance and presence of sufficient evidence to investigate the Report;
    • if there is sufficient evidence for further investigation, the competent local department formally opens the investigation (para. 8.2), involving the Integrity Investigations & Monitoring (IIM) team and informing the Reporting person of this involvement, whilst ensuring the confidentiality of the information contained in the Report (para. 9.1);
    • if the Report is not relevant or in case of a lack of sufficient evidence for further investigation, the Report is closed (para. 8.4).

8.2 Investigation

The investigation involves carrying out targeted checks on the Report, in order to identify, analyse and assess evidence confirming the merits of the facts reported, also by requesting additional information from the Reported person, if identified and if necessary.

The department/body in charge of the investigation may be assisted by internal/ABB Group figures/departments and/or external professionals/technical advisers, depending on the subject of the Report.

The department/body in charge of the investigation ensures that it is carried out in a fair and impartial manner; each person involved in the investigation is informed - once the preliminary assessments have been completed - of the statements made and the evidence obtained against him/her and is put in a position to rebut them.

If, in the course of the investigation, objective evidence arises proving a lack of good faith on the part of the Reporting person, the management body is immediately informed in order to assess possible sanctioning procedures against the Reporting person (para. 5.2). The Report is closed.

If, at the end of the preliminary assessments, it is established that the Report is well-founded, a report summarising the checks carried out and the evidence collected is drawn up, in order to discuss with the management body the adoption of sanctions and/or corrective actions. The Company Board also considers taking action to protect the Company, including in court.

8.3 Closure

The decision to close the Reporting procedure is formalised in specific minutes giving reasons for such closure. Such minutes are shared with the Company Board. The Reporting procedure is closed if:

  • the Report is not relevant;
  • the Report refers to facts of such general content that they cannot be checked;
  • the Report was made in bad faith;
  • the preliminary assessments proved that the Report was not well-founded.

8.4 Timing of the Reporting Management Process

An acknowledgement of receipt of the Report is sent to the Reporting person

  • within 7 days from receipt of the Report

The Report is answered

  • within 3 months (which may be extended up to 6 months for justified reasons) from the date of acknowledgement of receipt
  • in the absence of an acknowledgement of receipt, within 3 months (which may be extended up to 6 months for justified reasons) from expiry of the 7-day period from submission of the Report

The request for a face-to-face meeting is answered

  • within and no later than 7 days from receipt of the request for a face-to-face meeting

The face-to-face meeting is scheduled

  • within and no later than 10 days from receipt of the request for a face-to-face meeting
  • in cases of proven urgency, within 5 days from receipt of the request for a face-to-face meeting

8.5 Storage

How long can documents relating to the Report be stored?

The department/body in charge of the Report is required to document the entire management procedure thereof, by means of computerised and/or paper media, and to keep all the relevant documentation, in order to ensure the complete traceability of the actions undertaken to perform its institutional functions. All documentation must be stored for as long as necessary for Report management and, in any case, no longer than five (5) years from the closing of the Report procedure.

Where should documents relating to the Report be stored?

Electronic documents must be stored in a repository protected by authentication credentials, known only to the department/body in charge of managing Reports or to persons expressly authorised to do so. Paper documents are stored in an identified locked place, access to which is permitted only to the department/body in charge of managing Reports or to persons expressly authorised to do so.

How are oral Reports and Reports made through face-to-face meetings documented?

Where a telephone line is used, the Report is documented in writing by means of a detailed record of the conversation. The Reporting person can verify, rectify and confirm the contents of the transcript by signing it.

If the Report is made orally in the course of a face-to-face meeting, it is documented, subject to the consent of the Reporting person, either by recording it on a device suitable for storage and listening, or by being minuted. In the case of minutes, the Reporting person can verify, rectify and confirm the minutes of the meeting by signing them.

9. PROTECTIONS GRANTED TO THE REPORTING PERSON

The protections granted to the Reporting person can only be guaranteed by the Company if the indications set out in the Procedure are complied with. No protection is granted to the Reporting person who has contributed to the perpetration of the unlawful conduct. The protections granted to the Reporting person are also extended:

  • to the Facilitator;
  • to persons in the same work-related context as the Reporting person with a stable emotional or family tie up to the fourth degree;
  • to the Reporting person's work colleagues with whom the former has a regular and current relationship;
  • to organisations owned by the Reporting person or for which the Reporting person works, as well as to organisations operating in the same work-related context.

9.1 Confidentiality

In setting up and implementing its internal Reporting channels, the Company ensures the confidentiality of the identity of the Reporting person, of the Reported person and of anyone else involved, as well as of the content of the Report and of the related documentation, also by using encryption tools.

Reports may not be used beyond what is necessary to adequately follow them up.

The Reporting person's identity and any information from which such identity may be inferred, directly or indirectly, may not be disclosed without the Reporting person's express consent to persons other than those competent to receive or follow up Reports and expressly authorised to process such data [2].

9.2 Prohibition of retaliation. Protection measures

The Company shall not tolerate any kind of threat, retaliation, unjustified sanction or discrimination against the Reporting person, the Reported person and anyone cooperating in the assessment of the merits of the Report. The adoption of discriminatory or retaliatory measures against the Reporting person may give rise to disciplinary proceedings against the person responsible therefor. In the light of the provisions of Article 19(1) of the Whistleblowing Decree, the Reporting person may also report to ANAC any retaliation he believes he has suffered within his work-related context.

Examples of retaliatory conduct include, but are not limited to:

  • dismissal, suspension or equivalent measures;
  • demotion or non-promotion;
  • change of duties, change of workplace, reduction of salary, change of working hours;
  • demerits or negative references;
  • the adoption of disciplinary measures or other sanctions, including fines;
  • coercion, intimidation, harassment or ostracism;
  • discrimination or otherwise unfavourable treatment;
  • the non-conversion of a fixed-term employment contract into an indefinite-term employment contract, where the employee has a legitimate expectation of such conversion;
  • non-renewal or early termination of a fixed-term employment contract;
  • damage to a person's reputation, in particular on social media, or economic or financial harm, including loss of economic opportunities and/or loss of income;
  • early termination or cancellation of the contract for the supply of goods or services;
  • cancellation of a licence or permit;
  • the request to undergo psychiatric or medical examinations.

10. PROTECTIONS GRANTED TO THE REPORTED PERSON

Appropriate protection measures are also granted to the Reported person in order to prevent any discrimination.

The submission and receipt of a Report is not sufficient to initiate any disciplinary proceedings against the Reported person. Should the decision be taken to proceed with the investigation, the Reported person may be contacted and given the opportunity to provide any necessary clarification.

11. DISCIPLINARY SANCTIONS

Effective, proportionate and dissuasive disciplinary sanctions may be applied:

  • against the Reported person, if the Reports turn out to be well-founded;
  • against the Reporting person, if the Reports are made in bad faith;
  • against the person responsible, if the principles of protection provided for in the Procedure are violated or if Reports have been obstructed or an attempt has been made to obstruct them.

Disciplinary proceedings are initiated in accordance with the principle of proportionality and based on the correlation between the wrongdoing and the sanction and, in any case, in compliance with the procedures laid down by applicable legislation in force. In order to ensure impartiality and avoid conflicts of interest, any decisions on possible disciplinary measures, reports or other actions to be taken are taken by the relevant corporate organisational departments and otherwise by persons other than the person who investigated the Report.

12. PERSONAL DATA PROCESSING

Any processing of personal data, as set out in the Policy, must be carried out in accordance with Regulation (EU) 2016/679 (GDPR) and Legislative Decree 30 June 2003, No. 196 (as amended and supplemented). Personal data that are manifestly not useful for the processing of a specific Report are not collected or, if accidentally collected, are erased immediately. The rights under Articles 15 to 22 of the GDPR may be exercised within the limits of Article 23 of the GDPR and Article 2-undecies of Legislative Decree 30 June 2003, No. 196.

Personal data concerning the receipt and management of reports are processed by the Company in its capacity as data controller, in compliance with the principles set out in Articles 5 and 25 of the GDPR, providing appropriate information to the Reporting person and the persons concerned pursuant to Articles 13 and 14 of the GDPR, as well as adopting appropriate measures to protect the rights and freedoms of data subjects. To this end, the Company provides the data subjects involved in the field covered by this Policy with specific information on the processing of personal data carried out in connection with the acquisition and management of the reports governed by this Policy.

The Company has specifically appointed and instructed the persons authorised to process personal data, also pursuant to Articles 5, 24, 29 and 32 of the GDPR and Article 2-quaterdecies of Legislative Decree 30 June 2003, No. 196.

Furthermore, the Company, in line with Article 13 of the Whistleblowing Decree, as well as in compliance with Articles 24 and 32 of the GDPR, identifies suitable technical and organisational measures to guarantee a level of security appropriate to the specific risks arising from the processing operations performed thereby, on the basis of a data protection impact assessment, regulating, either by contract or another legal act within the meaning of Article 28 of the GDPR, its relationship with any external suppliers processing personal data on its behalf as a data processor.

13. UPDATE

The Company Board periodically reviews, and if necessary updates, the Procedure, to ensure its constant alignment with corporate practice and relevant legislation.

14. INFORMATION AND TRAINING

The Procedure is disseminated by uploading it on the company website, displaying it on company notice boards and any other means deemed appropriate.

The Company promotes communication, information and training activities concerning the Procedure, in order to ensure the most effective application of the Procedure and the widest knowledge of the rules on Whistleblowing, the operation of and access to the channels and instruments available to make Reports and the applicable measures in case of Breaches.

[1] To be understood as:
  • offences falling within the scope of European Union legislation in the following fields:
    • public procurement;
    • financial services, products and markets and the prevention of money laundering and terrorist financing;
    • product safety and conformity;
    • transport security;
    • environmental protection;
    • radiation protection and nuclear safety;
    • food and feed safety and animal health and welfare;
    • public health;
    • consumer protection;
    • privacy protection, personal data protection and security of information networks and systems.
  • acts or omissions affecting the financial interests of the European Union, as well as those affecting the internal market, including breaches of EU competition and state aid rules;
  • acts or conduct that defeat the object or purpose of EU legislation in the fields mentioned above.
[2] In addition:
  • express forms of protection of the Reporting person's identity are provided for in criminal proceedings, before the Court of Auditors and in disciplinary proceedings (in the latter case, the Reporting person's identity cannot be disclosed when the allegation of the disciplinary wrongdoing is based on investigations that are separate and additional to the Report, even if consequent thereto);
  • in disciplinary proceedings, if the allegation is based, in whole or in part, on the Report, and knowledge of the Reporting person's identity is necessary for the Reported person's defence, the Report may be used for the purposes of the disciplinary proceedings only if the Reporting person expressly consents to the disclosure of his identity. In any case, the Company gives written notice to the Reporting person of the reasons why it is necessary to disclose confidential data, or of any case when the disclosure of the Reporting person's identity is necessary for the defence of the person involved in the Report;
  • the Report file is not covered by the right of access under Article 22 et seq. Law 241/1990, as well as Article 5 et seq. Legislative Decree 33/2013.
