PRIVACY POLICY

Pursuant to Articles 13 and 14 of EU Regulation 2016/679 of 27 April 2016 (hereinafter the "Privacy Regulation"), the following information is provided to data subjects regarding the processing of personal data carried out in the context of whistleblowing reports.

1. Identity of the Data Controller

The Data Controller of any processing of personal data necessary to pursue the purposes indicated below is the company De Agostini S.p.A., with registered office in Novara, Via Giovanni Da Verrazano no. 15 in the person of the Chair of the Board of Directors.

2. Personal data subject to processing

As part of the management of Whistleblowing Reports, the data of the reporting party ("Whistleblower") will be processed.

It should be noted, by way of example, that the following categories of personal data may be processed:

• personal data (e.g. name, surname, tax code, address, date and place of birth);
• contact details (e.g. telephone, landline and/or mobile numbers, email address);
• data of a professional nature (e.g. hierarchical grade, corporate division of which they are a member, company role, type of relationship with the Company or other third parties, profession);
• image data and/or voice data;
• any information that refers to the reported person, or to other concerned persons, that the Whistleblower decides to share in the report in order to better substantiate it;
• the information that the reported party, or other concerned parties, share with the Data Controller in the context of the management of the report;
• special data (e.g. data relating to political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data relating to the person's health or sex life or sexual orientation);
• judicial data;
• any other data relating to the report whether included or not in the categories indicated above.

Please provide only the data necessary for the management of Whistleblowing Reports. Personal data that are manifestly not useful for the processing of the report are not collected or, if collected accidentally, are deleted immediately.

3. Purpose

The personal data of the Whistleblower, the person involved and of the person in any event referred to in the report will be processed, within the limits indicated above, in order to:

• receive, analyse and manage, through the communication channels used, reports – also made anonymously – relating to alleged irregularities and/or illegal conduct (so-called whistleblowing reports) perpetrated by persons who, for various reasons, interact with the Data Controller and of which the Whistleblower has become aware;
• carry out all the further activities related to the management of the report and consequent on the need for their comprehensive management (e.g. conducting interviews, collecting information useful for the purpose of investigating the case examined, etc.) by the competent persons, designated as authorised to process them;
• respond to any requests from the competent Authorities and bodies, etc.

4. Legal basis

The fulfilment of a legal obligation deriving from the provisions of Legislative Decree no. 231/2001, from Law 179/2017 and Legislative Decree 24/2023 regarding the protection of persons who report crimes, irregularities or violations of domestic regulatory provisions.

5. Processing methods

The processing will be carried out by staff who are authorized and specifically trained in the management of reports, who need to have knowledge of the information in the performance of their activities, with or without the aid of electronic instruments, according to principles of lawfulness and fairness, in order to protect at all times the confidentiality and rights of the concerned parties in compliance with the legislation.

The reports can be sent through the communication channels specifically established in different formats, in order to simplify and optimize the reporting procedure; it is also possible for the Whistleblower to attach files and documentation instrumental to certifying the validity of the report.

In order to protect confidentiality, appropriate technical and organisational measures have been implemented.

Data subjects may be asked for specific authorisation, as required by Legislative Decree 24/2023, in the following cases:

• any disclosure of the identity of the Whistleblower to persons other than those competent to receive or follow up reports;
• a report made orally during a meeting with the appropriate member of staff, for the purposes of documentation by recording on a device suitable for storage and listening or in the form of minutes.

Data subjects may be asked for specific authorisation accompanied by a specific communication, containing the reasons for revealing their identity, in the following cases:

• in disciplinary proceedings, if the charge is based in whole or in part on the report, where the disclosure of the identity of the Whistleblower is essential for the defence of the person subject to the challenged disciplinary charge;
• in proceedings instituted following internal or external reports, where such disclosure is also essential for the defence of the person involved.

6. Recipients

The personal data of the Whistleblower, or other data subjects, may be made available:

• to IT service companies appointed as Data Processors;
• to Public Authorities and other persons in compliance with legal obligations (e.g. Judicial Authority, Court of Auditors, ANAC), as Data Controllers.

The data of the concerned persons will not be disclosed (that is, made available to indeterminate subjects).

The Report will be received and managed by the Manager for the Receipt, Examination and Assessment of the Report and by the Head of the Internal Reporting System, expressly authorised to process the data.

The personal data communicated with the Whistleblowing Report, together with the documentation supporting it, may be shared, to the extent strictly necessary, with the following persons who are subject to an obligation of confidentiality:

• Supervisory Body;
• Any support staff of the Supervisory Body, expressly authorised to process data pursuant to Article 29 of the GDPR;
• any external advisors who may perform advisory services for the Company on management of the Whistleblowing Report.

The above persons shall guarantee the confidentiality of the identity of the Reporting User, the person involved and the person in any event referred to in the report, as well as the content of the report and the related documentation.

7. Data storage times

The Data Controller will retain the data relating to Whistleblowing Reports for 5 years from the date of communication of the final outcome of the Reporting procedure itself, without prejudice to any legal obligations, disciplinary proceedings or litigation in progress. In the event of disciplinary proceedings or litigation, the data will be kept for the entire duration of the proceedings until the deadlines for appeal proceedings have expired.

After said deadlines, the data will be deleted or anonymised.

8. Data source

The data is provided voluntarily by the concerned parties. The refusal to communicate the data may make it impossible to correctly manage the report or to manage any challenges submitted concerning the report.

9. Rights of data subjects

Data subjects have the right to ask the Data Controller:

• for confirmation that the processing of their personal data is or is not in progress and, in this case, to obtain access to it (Article 15 - right of access);
• for the rectification of inaccurate personal data or the completion of incomplete personal data (Article 16 - right of rectification);
• for the deletion of the data given the existence of one of the reasons provided for by the Privacy Regulation (Article 17 - right to be forgotten);
• for the restriction of processing when one of the hypotheses provided for by the Privacy Regulation applies (Article 18 - right of restriction);
• to receive in a structured, commonly used and machine-readable format the personal data provided to the Data Controller and to transfer such data to another Data Controller (Article 19 - right to portability).

Right to object (Article 21). If processing based on the legitimate interest of the Data Controller is carried out, the data subjects are henceforth informed that they can object to such processing. In this case, the Data Controller will refrain from further processing the personal data of the data subjects, unless there are compelling legitimate reasons to proceed with the processing or to ascertain, exercise or defend a right in court

Data subjects may exercise their rights by writing to the Data Controller at the registered office of the Company or at the email address pcy.expert@deagostini.it, specifying the subject of the request, the right to be exercised and attaching a photocopy of an identity document certifying the legitimacy of the request.

Without prejudice to any other administrative or judicial appeal, data subjects have the right to lodge a complaint with the Italian Data Protection Authority for the protection of personal data, if they consider that the processing concerning them violates the Privacy Regulation (Article 77).

10. Limitation on the rights of the data subject.

The rights referred to in Articles 15 to 21 of the Privacy Regulation listed above cannot be exercised with a request to the Data Controller or with a complaint pursuant to Article 77 of the Privacy Regulation if the exercise of these rights may result in an actual tangible and concrete threat to the confidentiality of the identity of the person who reports violations of which they have become aware by reason of their employment relationship or the functions performed.

In particular, the concerned parties are informed that the exercise of these rights:

• may be carried out in accordance with the provisions of law or regulation governing the sector (in both Law no. 179/2017 and Legislative Decree 24/2023);
• may be delayed, restricted or excluded subject to notification stating the reasons and sent promptly to the data subject at the time and within the limits in which this constitutes a necessary and proportionate measure, taking into account the fundamental rights and legitimate interests of the data subject, in order to safeguard the confidentiality of the identity of the Whistleblower; in such cases, the rights of the data subject may also be exercised through the Italian Data Protection Authority in the manner referred to in Article 160 of Legislative Decree 196/2003 (the Privacy Code), in which case the Data Protection Authority informs the concerned party that it has carried out all the necessary checks or has conducted a review, as well as of the right of the concerned party to file a judicial appeal.

Date:

The Data Controller