Frener & Reifer S.R.L. whistleblower channel

Start

Step 1/5 Categorize concern

To facilitate the further handling of your submission, please help us to categorise it as best as possible.

In which category does your submission best fit?

Competition

Consumer protection

Corporation tax

Environmental Protection

Financial interests of the Union (expenses, income collection and funds)

Food safety

Prevention of money laundering

Product safety

Protection against radiation and nuclear safety

Protection of personal data and privacy

Public health

Public procurement

Security of networks and information systems

Transportation security

Others

Do you suspect any of the following people?

CFO

CIO

Data Protection Officer

Delegate for Occupational Risk Prevention

Director de Servicios Legales

HR Director

Managing Director

Personnel director

Purchasing Manager

Responsible for Internal Audit and Compliance

I am not aware of any involvement of these persons

I have read the Terms of use and agree to them in accordance with the notice.

Information

Step 2/5 Personal information

If you prefer not to give your personal details, you can do so by indicating that you want the report to be anonymous.

What is your relationship with the company being reported?

Do you wish to report anonymously?

Yes

This channel requires the whistleblower's identification data are mandatory.

The selected category requires the identification data to be mandatory

First name

Last name

Following the email validation policy, you must validate this email before filing the report.

Contact telephone number

This channel is confidential. Your personal data will not be shared. If someone from the organisation needs to know your data, they will request it through the channel and they will only be able to see it if you authorise it.

Details

Step 3/5 Detailed information

Describe in as much detail as possible the event you wish to report, giving as much information and attaching evidence, if available.

Indicate which person or persons are the subject of the report

First and last name

Position

Have you discussed this with any member of management?

Yes

I do not remember

Are there any witnesses? Please indicate their names.

First and last name

Position

Tell us what you want to report in detail

Would you like to attach any additional documents?

Image (png, jpg, gif), Audio (wav, mp3), Video (ogg, mp4, mov, avi, wmv, mpg, mpeg) or PDF document up to 20Mb. Attention! If you report anonymously, make sure that the attachments do not include information in the content or metadata that could identify you.

Confirm

Step 4/5 Confirmation

As the last step of the process, you must indicate a secret code that only you will know. This password, together with the identification code that we will give you at the end of the process, will be the only way to follow the progress of your submission

Password

Password confirmation

Email address validation

According to the validation policy of this channel, we must validate the indicated email address. To do so, we will send you an email with a validation email with a code that you must indicate in the following field.

Verification code check received

Finish

Step 5/5 Finalize

You have now entered all the information necessary to start the report management process.

The information is ready to initiate the process of determining accountability. The persons or facts reported will be investigated and the resulting actions will be taken.

The whistleblower undertakes that the information provided in this submission is true. Otherwise, the company reserves the right to take legal action against the whistleblower.

This is the last form in the process. When you click on Send, the investigation will begin and the resolution of your claim will be shown on the platform within a maximum period of 3 months.

I have read the Data Protection and Consent Notice and agree to the processing of my personal data in accordance with the provisions of this notice.

Terms of Use

In compliance with the Law on Services of the Information Society and Electronic Commerce, as well as in compliance with current regulations on data protection, it is reported that the owner of the website ithikios.com and canaldenunciasanonimas.com and all its subdomains ( hereinafter, "the Web") is DIGITAL PRODUCTS DEVELOPMENT SL (hereinafter, ithikios), registered in the Mercantile Registry of Barcelona, with CIF B02767010, and with registered office at c / Mont Blanc 17, Sant Cugat del Valles, Spain.

ithikios is the owner of all rights to the Website. The simple access, navigation and use of the Website attributes the condition of user of the same (hereinafter, the "User") and implies the acceptance of this clause of terms and conditions. The information available through this website is not subject to contract and may be modified without prior notice.

ithikios will not be held responsible for problems arising from the consultation or use of this Website. To this end, access is obliged to comply with this, having to act in accordance with current Law, good faith and public order and, refraining from using the Website in a way that could prevent or impair its proper functioning.

This service can only be used to send complaints or inquiries to companies that have contracted the service with ithikios, guaranteeing confidentiality and anonymity (if the user so chooses), regarding the personal data of the complainant.

Conditions for the user

As a user, you are obliged to make correct and lawful use of the platform.
You will use the platform for the purposes it has been designed for, and in no case will you use it for purposes contrary to the law.
The ithikios channel / canaldenunciasanonimas is not an emergency service. In case of emergency contact local authorities.
You must fill in all the information defined as mandatory in order to be able to send it.
Reflect and review the information you send to ensure that if you do not want it, you do not reveal your identity.
You will be able to choose between sending the communication indicating your contact details or without indicating them. In both cases, the platform will provide you with a unique identification number and a password. It is important that you write them down in a safe place, only with them will you be able to check the status of the communication. If you lose them, you will not be able to access it again. For security reasons, ithikios will not be able to provide access to lost codes.
If the organization proves that there has been bad faith when making the report, it reserves the right to take legal action if the complainant has been identified.
You will be able to download a certificate issued by ithikios in which you will have all the information that has been sent to the company, as well as the result once the investigation is completed.
The Complainant expressly understands and agrees that ithikios will not be responsible for any direct or indirect, anticipated or unforeseen damage, interest or loss, including, among others, moral damage resulting from the use or inability to use this service.
The Complainant is responsible for the veracity of the information communicated, assuming the consequences of having acted in bad faith or sent false information or documentation.
You will be liable for any loss or damage of any kind that ithikios may suffer, directly or indirectly, as a result of improper use of the product, a breach of the terms and conditions of use or a breach of the law in force on your part.

Data protection and consent to Frener & Reifer S.R.L.

INFORMATION ON THE PROCESSING OF PERSONAL DATA

Whistleblowing Information Form REV. 00 of 20/10/2025

With this policy, the Controller , in compliance with Applicable law on the protection of personal data, provides information regarding the processing of personal data carried out within the scope of its organisational model adopted in accordance with Legislative Decree no. 24 of 10 March 2023 and, in particular, all activities and obligations related to the operation of the company's whistleblowing management system ( hereinafter the "Whistleblowing Policy" ). The information is provided pursuant to Articles 13 and 14 of the European Data Protection Regulation (hereinafter also referred to as the "GDPR") and Italian legislation in this area (hereinafter, collectively, the " Applicable law " ).

The following information is provided to "whistleblowers" and all other potentially " data subjects ” , such as, for example, persons indicated as possible perpetrators of unlawful conduct, any "facilitators" (defined as “ facilitatori ” by the applicable Italian law ), as well as any other person involved in the Whistleblowing Policy in any other capacity.

Controller .

The Controller is the company FRENER & REIFER S .r .l . , with registered office in Via Alfred Ammon 31 - 39042 - Bressanone (BZ), tax code and VAT number 00218290211, R.E.A. BZ- 83904, hereinafter also referred to as the " Controller ".

For any clarification, information or to exercise the rights listed in this Policy, you can contact the Controller at the following addresses: tel. +39 0472 270 111 , fax +39 0472 270 170 , e-mail: [email protected] , certified e-mail: [email protected] .

Purposes and legal basis of the processing.

According to the provisions of the regulations in question, personal data may be acquired by the Controller as contained in whistleblowing reports, or in the documents and records attached to them, received by the Controller through the channels provided for in the Whistleblowing Policy.

The receipt and management of such reports may give rise, depending on their content, to the processing of the following categories of personal data:

general personal data, including, for example, personal details (name, surname, date and place of birth), contact details (landline and/or mobile phone number, postal address/e-mail address), role/job title;

'special' personal data as referred to in Article 9 of the GDPR, including, for example, information relating to health conditions, political opinions, religious or philosophical beliefs, sexual orientation or trade union membership.

Regarding the above categories of personal data, it is important to note that reports submitted must not contain information that is manifestly irrelevant for the purposes of the relevant regulations . Reporting parties are asked to refrain from using 'special' personal data unless it is considered necessary and essential for the purposes of the report, in accordance with Article 5 of the GDPR.

	PURPOSE	LEGAL BASIS
a.	To manage the report made pursuant to Legislative Decree No. 24/2023 and, therefore, in general, to carry out the necessary preliminary investigations to verify the validity of the facts reported and to take the appropriate measures.	The processing is necessary to fulfil a legal obligation to which the Controller is subject [Article 6(1)(c) of the GDPR] which , in particular, under the aforementioned legislation , is required to implement and manage information channels dedicated to receiving reports of unlawful conduct that is harmful to the integrity of the Company and/or the public interest. In the cases covered by the same regulations, specific and free consent may be requested from the reporting person [Art. 6, para. 1, letter a) of the GDPR] and where there is a need to disclose their identity, or where the reports collected via the voice messaging system or in any case in oral form, or through direct meetings with the person appointed as the report manager, are to be recorded. The processing of any 'special' personal data that may be included in the reports is based on the fulfilment of obligations and the exercise of specific rights of the Controller and the data subject in the field of labour law, pursuant to Art. 9, para. 2, letter b) of the GDPR.
b.	To comply with the legal obligations to which the Controller is subject, including those under current legislation on the protection of personal data.	The processing is necessary to fulfil a legal obligation to which the Controller is subject [Article 6(1)(c) of the GDPR].
c.	To ascertain, exercise or defend a right in court or out of court and/or whenever the judicial authorities exercise their functions.	The processing is necessary to pursue the legitimate interest of the Controller in establishing, exercising or defending a right in court or in court proceedings or whenever the judicial authorities exercise their functions [Art. 6, para. 1, letter f) of the GDPR]. For the same purpose, the processing of 'special' personal data, if any, is based on Art. 9, para. 2, letter f) of the GDPR.

Data retention period .

Reports received by the Company, together with the attached documents and records, will be retained for the time necessary to manage them and, in any case, as required by law, for a period not exceeding five years from the date of communication of the final results . After this period, the reports will be deleted from the system. However, personal data included in reports that are manifestly irrelevant for the purposes of the reports will be deleted immediately. In the event of disputes, the data may be retained for a longer period, coinciding with the duration of the dispute itself, with such data being manually extracted before the above-mentioned deadline.

Nature of the provision .

The provision of personal data is optional, given the possibility of submitting anonymous reports to the Controller , provided that they contain accurate, consistent and adequately detailed information, without prejudice to the provisions of the law regarding this specific case in terms of measures to protect the reporting party. If provided, personal data will be processed to manage the report in accordance with the limits and with the guarantees of confidentiality imposed by the relevant legislation.

Data processing Methods .

The processing of personal data included in reports submitted in accordance with the Whistleblowing Policy will be based on the principles of fairness, lawfulness and transparency, as set out in Article 5 of the GDPR.

The processing of personal data may be carried out using analogue and/or computerised /telematic methods, for the purposes of storing, managing and transmitting them, in any case in accordance with appropriate physical, technical and organisational measures designed to ensure their security and confidentiality at every stage of the procedure, including the archiving of the report and related documents, without prejudice to the provisions of Article 13 of the GDPR. technical and organisational measures to ensure their security and confidentiality at every stage of the procedure, including the archiving of the report and related documents - without prejudice to the provisions of Article 12 of Legislative Decree No. 24/2023 - with particular reference to the identity of the whistleblower, the persons involved and/or mentioned in the reports, the content of the reports and related documentation.

Recipients of the data.

The processing of personal data included in reports submitted in accordance with the Whistleblowing Policy will be carried out by persons specifically authorised by the Controller , as well as by Data Processors specifically identified in writing, within the scope of their respective functions and in accordance with the instructions given by the Controller , ensuring the use of appropriate measures for the security of the data processed and guaranteeing its confidentiality. The list of Data Processors is available upon request.

Where necessary, personal data may be transmitted to the Judicial Authorities and/or Police Forces that request it in the context of judicial investigations.

Transfers to third countries or international organisations .

The data will not be transferred to countries outside the European Economic Area and/or international organisations .

Rights of the data subject.

Each data subject has the right to exercise the rights referred to in Articles 15 et seq. of the GDPR, in order to obtain from the Controller , for example, access to their personal data, the rectification or erasure of such data or the restriction of processing concerning them, without prejudice to the possibility, in the absence of a satisfactory response, of lodging a complaint with the Data Protection Authority pursuant to Article 77 of the GDPR, or of taking appropriate legal action, if they consider that the processing concerning them violates the GDPR.

To exercise these rights, you must submit a specific request in free form to the addresses indicated in paragraph 1 above, including by using the form available on the website of the italian Data Protection Authority.

In this regard, we inform you that the aforementioned rights of data subjects may be limited pursuant to and for the purposes of Article 2-undecies of Legislative Decree No. 196 of 30 June 2003 ( "Privacy Code ", as amended by Legislative Decree No. 101/2018), for as long as and to the extent that this constitutes a necessary and proportionate measure, if the exercise of these rights could result in concrete and actual prejudice to the confidentiality of the identity of the reporting persons.

In particular, the exercise of these rights:

shall be carried out in accordance with the Italian provisions of law or regulations governing the sector (Legislative Decree 24/2023);

may be delayed, restricted or excluded with a reasoned communication made without delay to the data subject, unless the communication could compromise the purpose of the restriction, for as long as and to the extent that this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the data subject, in order to safeguard the confidentiality of the identity of the reporting person;

in such cases, the rights of the data subject may also be exercised through the Data Protection Authority in accordance with the procedures set out in Article 160 of the Privacy Code, in which case the Authority shall inform the data subject that it has carried out all the necessary checks or has conducted a review, as well as of the data subject's right to seek judicial remedy.

This policy may be subject to changes and/or additions and/or updates, including as a result of updates to the Applicable Regulations.