This digital platform allows anyone (employees and collaborators, suppliers and any other person who has had or intends to have business relations with CHIMAR S.P.A. and / or CBM S.R.L. (hereinafter collectively identified as the "Company") to report - through an online guided path (of which the compilation procedures below are reported) - hypotheses of illegal conduct or irregularities, violations of rules, violations of Model 231, violations of the Code of Ethics, violations of the Anti-Corruption Policy and in any case violations of company procedures and provisions in general.
The platform is managed by a specialized, third party and independent entity. The system allows the sending of reports without the obligation to register or declare their personal details. If the Whistleblower chooses to indicate his/her personal details, confidentiality is guaranteed.

The Company has always been attentive to the prevention of risks that could compromise the responsible and sustainable management of its business. For this reason, the Company has adopted an Organization, Management and Control Model pursuant to d.lgs. n. 231/2001 ("Model 231"), including a Code of Ethics and a procedure on Whistleblowing.
The Company has also entrusted a Supervisory Body ("SB") – a body with autonomy and independence – with the task of supervising compliance with the provisions of Model 231, verifying their real effectiveness and assessing the need for any updates.
In this context, with Law no. 179/2017 on "Provisions for the protection of authors of reports of crimes or irregularities of which they have become aware in the context of a public or private employment relationship", the instrument of the so-called "whistleblowing" was introduced.
The Italian legislator with Law no. 2022/127 delegated the Government for the transposition of Directive (EU) of 2019/1937 on the protection of persons in the public and private sectors who report violations of Union law with the possibility of extension to other acts / sectors by the Member States. On 10 March 2023, the Council of Ministers approved Legislative Decree no. 24 on the adaptation of the EU Directive.
This is a tool, placed to protect the integrity of the Company, through which it is possible to report, even confidentially, to the Supervisory Body any conduct – learned by reason of the functions carried out within the Company – that may integrate violations of Model 231, or significant illegal conduct pursuant to Legislative Decree. No 231/2001, as well as breaches of Community legislation in a very wide range of areas expressly listed in the Annex to Directive (EU) 2019/1937 (including: public procurement, financial services, product and transport safety, environment, food, public health, privacy, network security, competition).
To this end, the Company has structured a whistleblowing procedure capable of guaranteeing two confidential channels of reporting to the SB on potential non-compliance with Model 231, ethical principles, or applicable laws and regulations, or with respect to the other sectors indicated by law.
The usability of this procedure is limited to cases in which the whistleblower – who has learned the news as part of his duties – is in good faith and the report is based on precise and consistent factual elements .
The Company encourages you to report any irregularities in good faith, but does not allow false or vexatious statements, mere suspicions or rumors, personal complaints or claims.
In this case, disciplinary action will be imposed against those who abuse the whistleblowing.
The Company has adopted (i) a web IT platform ; (ii) a messaging channel dedicated exclusively to whistleblowing reporting. Both channels are able to guarantee compliance with the regulations protecting the confidentiality of the identity of the whistleblower, the reported, any third parties / witnesses cited and the facts reported in the report.
Depending on the matter of interest for which you intend to proceed with the forwarding of the whistleblowing report, the following two types of procedures must be followed, namely:

• PROCEDURE A ("Reports 231") for violations of Model 231, Code of Ethics or relevant unlawful conduct pursuant to Legislative Decree no. 231/2001;
Other reports") for other breaches of Community law in a very wide range of areas expressly listed in the Annex to Directive (EU) 2019/1937 (including: public procurement, financial services, product and transport safety, environment, food, public health, privacy, network security, competition).

PROCEDURE A: Reports 231

What you can report
You can submit reports when you see a risk that a subject:

• is about to conduct that may constitute a crime or a relevant offense pursuant to Legislative Decree no. 231/2001;
• is about to violate the Code of Ethics or Model 231;
• is about to behave in any case irregularly that may cause damage to the Company's assets or image

In any case, it is still invited, to protect the integrity of the institution, to confront this person as soon as possible, making him aware of the risk identified, reminding him of the importance of the safeguards referred to in d.lgs. No 231/2001, the procedure or instruction likely to be violated and, where appropriate, involving the person responsible for the business process concerned in the discussion.

Who can report
Those who are broadly connected to the organisation in which the breach occurred, who may fear retaliation in view of the economically vulnerable situation in which they find themselves, namely:

Employee
• Self-employed
• External collaborator
• Freelancers and consultants < / them>
• Person who carries out an internship (paid or not) < / them>
• Volunteer (paid or not)
• Person whose employment relationship has ended or has not yet begun (former employee or candidate) < them>
• Anyone who works under the supervision and direction of contractors, sub-contractors and suppliers < / them>
• Shareholders and persons with administrative, management, supervisory or representation functions

The person making the report is in any case responsible for the content contained in the same
The whistleblower is aware of the responsibilities and consequences, on a civil, criminal and even disciplinary level, in the event of reports made with intent or gross negligence that prove to be unfounded.

Privacy Info
The confidentiality of the content of the report is guaranteed .
The internal report submitted to a person other than the one indicated shall be transmitted, within seven days of its receipt, to the competent subject, giving simultaneous notice of the transmission to the reporting person.

FIELDS TO FILL IN OR INFORMATION TO BE RELEASED IN THE AUDIO

Section 1 – Privacy Policy
The whistleblower is required to declare that he has read the information on the processing of personal data for whistleblowing reports pursuant to European Regulation no. 2016/679 concerning the protection of individuals with regard to the processing of personal data.
Section 2 – Fill out your report

1. Period in which the event occurred (*)
2. Possible person who committed the act (in particular, please define: a) Qualification and job function of the reported (s) at the time of the reported facts; b) Company organizational area to which the fact can be referred (e.g.: "administration / purchasing / commercial / technical offices / human resources / production / quality / safety and health in the workplace / environmental protection / other") c) Physical place where the event occurred; d) how the fact became known.
3. Any other parties involved, even if external to the company who may report information, data and important circumstances concerning the fact.
4. Detailed description of the facts (in particular to define:
   because the conduct you want to report has been deemed illegal by choosing from the following options: a) violates the Code of Ethics, Model 231 or other company procedures; b) causes damage to the company or other third party person/entity.
   • If the Company has benefited from the incident, or otherwise had an interest.
   • If the incident has already been reported to other company functions and if so, with what feedback.)
5. Attach files relevant to the report describing their contents

Section 3 – "Unencrypted" or "confidential" reporting
The user will have the right to make a report "in clear" or "confidential" by selecting one of the two options as part of the whistleblowing procedure.

PROCEDURE B: Other reports

Other violations provided for by law mean all reports that are made outside the perimeter of d.lgs. 231/01 and in particular, by way of example, the following sectors are reported:

• public procurement;
• financial services;
safety of products and transport; environment; food;
• public health;
• privacy;
• security of the network;
competition.

What can I report
It is possible to send reports when it is considered the risk that a person of the Company or the one who has relations with the same:

• is about to engage in conduct that may constitute a crime or misdemeanour, within the areas indicated above;
to violate an organizational provision – to be understood as procedure, regulation, operating instructions and / or any other document in use - within the scope of the sectors indicated above;
• is about to behave in any case irregularly that may cause financial damage or image to the Company, within the sectors indicated above.

In any case, it is however invited, to protect the integrity of the institution, to confront this person as soon as possible, making him aware of the risk identified and, if necessary, involving the manager of the company organizational area concerned in the comparison.

Who can report
Who is broadly connected to the organization in which the breach occurred, who may fear retaliation in view of the economically vulnerable situation in which they find themselves:

• Employee
• Self-employed
• External collaborator
• Freelancers and consultants < / them>
• Person who carries out an internship (paid or not) < / them>
• Volunteer (paid or not)
• Person whose employment relationship has ended or has not yet begun (former employee or candidate) < them>
• Anyone who works under the supervision and direction of contractors, sub-contractors and suppliers < / them>
• Shareholders and persons with administrative, management, supervisory or representation functions

The person making the report is in any case responsible for the content contained in the same.
The whistleblower is aware of the responsibilities and consequences, on a civil, criminal and even disciplinary level, in the event of reports made with willful misconduct or gross negligence that prove to be unfounded.
Privacy Info The internal report submitted to a person other than the one indicated shall be transmitted, within seven days of its receipt, to the competent subject, giving simultaneous notice of the transmission to the reporting person.

FIELDS TO FILL IN OR INFORMATION TO BE RELEASED IN THE AUDIO

Section 1 – Privacy Policy
The whistleblower is required to declare that he has read the information on the processing of personal data for whistleblowing reports pursuant to European Regulation no. 2016/679 concerning the protection of individuals with regard to the processing of personal data.

Section 2 – Fill out your report

1. Period in which the event occurred .
2. Possible person who committed the act (in particular, please define: a) Qualification and job function of the reported (s) at the time of the reported facts; b) Company organizational area to which the fact can be referred (e.g.: "administration / purchasing / commercial / technical offices / human resources / production / quality / safety and health in the workplace / environmental protection / other") c) Physical place where the event occurred; d) how the fact became known.
3. Any other parties involved, even if external to the company who may report information, data and important circumstances concerning the fact.
4. Detailed description of the facts (in particular to define:
   • because the conduct to be reported has been deemed illegal by choosing from the following options: a) violates Community legislation in a very wide range of areas expressly indicated in the Annex to Directive (EU) 2019/1937 (In particular, specify the sector by choosing among these: public procurement, financial services, product and transport safety, environment, food, public health, privacy, network security, competition); b) causes damage to the company or other third party person/entity.
   • If the Company has benefited from the incident, or otherwise had an interest.
   • If the incident has already been reported to other company functions and if so, with what feedback.)
5. Attach files relevant to the report describing their contents