GHISALBA SPA has always paid special attention to the prevention of risks that could compromise the responsible and sustainable management of its functions.

GHISALBA SPA, in accordance with the provisions of Legislative Decree no. 24 of 10 March 2023 transposing into Italian law Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and in line with international best practices, has adopted the ‘whistleblowing’ procedure for the management of reports.

At the same time, we have implemented this IT portal to guarantee the confidentiality of the identity of the whistleblower in the management of the report by entrusting the service to Lumina Fiduciaria SPA, a trust company operating under an authorisation obtained from the Ministry of Economic Development (MISE) as established by Law 1966/39.

Who can make a ‘whistleblowing’ report?

The decree defines a ‘whistleblower’ as a natural person who makes a report or public disclosure of information on violations acquired in the context of his or her work context

The ‘whistleblowing’ persons protected by the decree are:

  • employees of public administrations, independent administrative authorities, public economic entities, bodies governed by private law subject to public control, in-house companies, bodies governed by public law or public service concessionaires;
  • employees of private sector entities, including workers whose employment relationship is governed by Legislative Decree No 81 of 15 June 2015, or by Article 54-bis of Decree-Law No 50 of 24 April 2017, converted, with amendments, by Law No 96 of 21 June 2017;
  • self-employed workers, including those indicated in Chapter I of Law No. 81 of 22 May 2017, as well as holders of a collaboration relationship referred to in Article 409 of the Code of Civil Procedure and Article 2 of Legislative Decree No. 81 of 2015, who carry out their work activity with entities in the public or private sector;
  • workers or collaborators, who carry out their work activities with entities in the public sector or the private sector that provide goods or services or carry out works for third parties;
  • self-employed professionals and consultants working for public sector or private sector entities;
  • volunteers and trainees, whether paid or unpaid, working for public sector or private sector entities;
  • shareholders and persons with administrative, management, control, supervisory or representative functions, even where such functions are exercised on a de facto basis, at entities in the public or private sector.

The protections afforded to the reporting person also apply to

  • to so-called facilitators (those who assist the worker in the reporting process);
  • to persons in the same employment context as the reporting person or the person who made a complaint to the judicial or accounting authorities or the person who made a public disclosure and who are linked to them by a stable emotional or kinship link up to the fourth degree
  • to colleagues of the reporting person or of the person who made a complaint to the judicial or accounting authority or made a public disclosure who work in the same work environment as the reporting person and who have a regular and current relationship with that person
  • the entities owned by the reporting person or the person who made a complaint to the judicial or accounting authority or made a public disclosure, or for which the same persons work, as well as entities working in the same work environment as the aforementioned persons.

What protections are guaranteed to the reporter??

Whistleblowers may not suffer any retaliation; the decree indicates certain cases that may fall within the definition of retaliation, and lays down measures and conditions for the protection of whistleblowers.

The protection also operates:

  • if the legal relationship has not begun (selection and pre-contractual stages);
  • during the probationary period;
  • after termination of the relationship (if the information was acquired during the relationship).

What can be reported?

The decree defines ‘reporting’ as the written or oral communication of information on ‘violations’, defined as conduct, acts or omissions that harm the public interest or the integrity of the public administration or private entity and that consist of

1) administrative, accounting, civil or criminal offences;
2) unlawful conduct relevant under Legislative Decree 231/2001, or violation of organisation and management models;
3) offences falling within the scope of the European Union or national acts indicated in the annex to the decree or national acts constituting implementation of the European Union acts indicated in the annex to Directive 2019/1937, although not indicated in the annex to the decree with regard to the following sectors: public procurement; financial services, products and markets; prevention of money laundering and financing of terrorism; food, feed and animal health and welfare safety; product safety and compliance; transport safety; public health; protection of privacy and protection of personal data; environmental protection; radiation protection and nuclear safety; consumer protection; security of networks and information systems;
4) acts and omissions affecting the financial interests of the European Union (Article 325 TFEU);
5) acts and omissions concerning (Art. 26(2) TFEU) the free movement of goods, persons, services and capital in the internal market, including violations of EU competition, state aid and corporate tax rules.
6) acts or conduct that frustrate the object and purpose of the EU provisions mentioned in points 3,4 and 5.

The decree defines ‘retaliation’ as any conduct, act or omission, even if only attempted or threatened, occurring as a result of the reporting, the complaint to the judicial or accounting authorities or public disclosure and which causes or may cause the reporting person or the person making the complaint, directly or indirectly, unjust damage.

All personal data shall be processed pursuant to the applicable Privacy Regulations (meaning EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR), Legislative Decree no. 196/2003, Legislative Decree no. 101 /2018 as well as any other legislation on the protection of personal data applicable in Italy, including the provisions of the Garante), in full respect of fundamental rights and freedoms, with particular regard to the confidentiality of the identity of the data subjects and the security of the processing.

For more details, download the PDF Privacy Lumina Fiduciaria

How to Report
Reporting can be done using the dedicated web channel at www.WB24.it which allows both written and verbal reports.

After an initial registration, the portal allows you to upload your report and then consult the progress of your file.


What happens if I report through other channels?
The ‘whistleblowing’ legislation recognises the right of the whistleblower to protection whatever the means of communication, expressly favouring the computerised channel.
The company has set up the computer reporting channel in order to guarantee the anonymity of the whistleblower.
Any reports made to parties other than Lumina Fiduciaria or made through other channels (e.g. e-mail, PEC, regular mail, telephone) are, by their nature, not suitable for guaranteeing the anonymity of the reporter.
All parties involved will in any event treat the report with the utmost care and in accordance with the provisions of the law.
Any reports made to persons not appointed and therefore trained to handle whistleblowing reports could compromise anonymity and make it impossible for the company to guarantee the whistleblower’s rights.

How is the anonymity of the reporter guaranteed?

The reporting process is handled in full outsourcing by Lumina Fiduciaria SPA Società Fiduciaria, which operates under authorisation obtained from the Ministry of Economic Development (MISE) as established by Law 1966/39.

Lumina Fiduciaria collects reports through the dedicated portal www.WB24.it which through the technology of encryption splits the reporting party’s registry.

The report will therefore be treated completely anonymously in accordance with the ‘whistleblowing’ rules, while the whistleblower’s personal details will be kept and secreted by the trust company and accessible only in the specific cases provided for by law.

What happens after the report?

Within seven days of receipt, Lumina Fiduciaria issues an ‘acknowledgement of receipt’.
The ‘report’ in anonymous form is immediately forwarded to the relevant office of the reported company.
In this specific case, the report is forwarded to the following parties

  • Chairman of the Board of Directors
  • Chief Executive Officer
  • Chairman of the Board of Statutory Auditors
  • SB 231
  • Whistleblowing Committee

* depending on the organisational model of the reporting company

Within the peremptory deadline of 3 months of the acknowledgement of receipt, the reporter must receive the outcome of the report.
The reporting party may consult the ‘acknowledgement of receipt’ of the report and any communications from the company by anonymously accessing the website www.WB24.it

What can the reporter do if the reported company does not follow up on my report?

The ‘whistleblowing’ legislation allows the whistleblower to make an external report directly to ANAC (national anti-corruption authority) https://www.anticorruzione.it/-/whistleblowing in case:

  • After 3 months of reporting through the internal channel, the company has not provided any feedback.
  • The internal channel is not active or, if active, does not comply with the decree
  • the reporting person has reasonable grounds to believe on the basis of the concrete circumstances attached and information actually acquired and, therefore, not on mere inferences, that, if he made an internal report
    • it would not be effectively followed up. This is the case when, for example, the person ultimately responsible in the work context is involved in the breach, there is a risk that the breach or the relevant evidence might be concealed or destroyed, the effectiveness of investigations carried out by the competent authorities might otherwise be compromised, or even because it is believed that ANAC would be better placed to deal with the specific breach, especially in matters within its competence;
    • this could give rise to the risk of retaliation (e.g. also as a consequence of the breach of the obligation of confidentiality of the identity of the reporting person).
  • the reporting person has reasonable grounds to believe that the breach may constitute an imminent or obvious danger to the public interest. This is the case, for instance, where the breach requires urgent action to safeguard the health and safety of persons or to protect the environment.

The ‘whistleblowing’ legislation allows the whistleblower to make a public disclosure.

With public disclosure, information on infringements is brought into the public domain through the press or electronic media or in any case through means of dissemination capable of reaching a large number of people. The legislator naturally takes into account the evolution of mass media by including social networks and new communication channels (e.g. facebook, twitter, youtube, instagram) that constitute a rapid and interactive means of transmitting and conveying information and exchanges between networks of persons and organisations.

The public disclosure of violations must take place in compliance with the conditions laid down by the legislator so that the person making it can then benefit from the protections recognised by the decree.

Therefore, protection will be recognised if one of the following conditions is met at the time of disclosure:

  1. an internal report, which has not been acknowledged by the administration/entity with respect to the measures envisaged or adopted to follow up the report within the required timeframe
  2. the person has already directly made an external report to ANAC, which, however, has not replied to the reporter as to the measures envisaged or adopted to follow up the report within a reasonable period of time (three months or, if there are justified and reasoned reasons, six months from the date of receipt of the external report or, in the absence of such notice, from the expiry of seven days from receipt)
  3. the person directly makes a public disclosure because, on the basis of reasonable grounds based on the circumstances of the case, he or she considers that the breach may pose an imminent or obvious danger to the public interest. For example, an emergency situation or the risk of irreversible harm, even to the physical safety of one or more persons, which require that the breach be promptly disclosed and have a wide resonance to prevent its effects;
  4. the person directly makes a public disclosure because, on the basis of reasonable grounds grounded in the circumstances of the specific case, he or she believes that the external report may entail a risk of retaliation or may not be effectively followed up because, for example, he or she fears that evidence may be concealed or destroyed or that the recipient of the report may be in collusion with the infringer or involved in the infringement. Consider, by way of example, the case where the recipient of a report of a breach, in agreement with the person involved in the breach, dismisses the report in the absence of grounds.