WHISTLEBLOWING

WHISTLEBLOWING PROCEDURE MANAGING THE BREACH REPORTING SYSTEM

DEFINITIONS

For the purposes of this procedure, unless otherwise specified, the following terms shall have the meanings given to each of them below:

  • External Reporting Channels: specific channels dedicated to the transmission of external Reports pursuant to art. 7 co. 1 Lgs. Decree 24/2023;

  • Internal Reporting Channels: specific channels dedicated to the transmission of internal Reports pursuant to art. 4 co. 1 Lgs. Decree 24/2023;

  • Work Context: the work or professional activities, present or past, carried out in the context of the relationships with the Company through which, regardless of the nature of such activities, a person acquires Information on Violations and in the context of which he or she may risk suffering Retaliation in the event of a Report, Public Disclosure or complaint to the judicial or accounting authority;

  • Public Disclosure: making Information on Violations publicly available through the press or electronic means or otherwise through means of dissemination capable of reaching a large number of people (p. 4.4);

  • Facilitator: a natural person who assists a Whistleblower in the Reporting process, operating within the same Work Context and whose assistance must be kept confidential;

  • GDPR: Regulation (EU) 679/2016 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which repealed Directive 95/46/EC.

  • Reporting Manager: person(s) responsible for receiving and managing Internal Reports for the purposes of this procedure, appointed in accordance with art. 4 para. 2 of Lgs. Decree 24/2023; the Company has identified the Chief Executive Officer (CEO) and the Head of the Legal Department as Reporting Managers;

  • Privacy policy: privacy policy provided pursuant to art. 13 of the GDPR to the data subjects, i.e., the Concerned Person and the Whistleblower;

  • Information on Violations: information, written/oral, including reasonable suspicions, regarding Violations committed or which, on the basis of concrete evidence, may be committed, as well as circumstantial evidence of conduct intended to conceal such Violations;

  • Organisational Model: Organisation and Management Model adopted by the Company, as provided for in Articles 6 and 7 of Legislative Decree no. 231/2001, as an organic set of principles, rules, provisions, organizational schemes and related tasks and responsibilities, aimed at preventing the crimes referred to in the same Legislative Decree no. 231/2001;

  • Retaliation: any conduct, act or omission, even if only attempted or threatened, carried out by reason of the Report, the complaint to the judicial or accounting authority or the Public Disclosure and which causes or may cause the Whistleblower, directly or indirectly, unjust damage;

  • Concerned Person: the person or entity named in the Report or Public Disclosure as the person to whom the Violation is attributed or as a person otherwise implicated in the Violation reported or publicly disclosed;

  • Whistleblower: persons referred to in p. 4 below, including employees of Auriel Investment SA and the Company's branches;

  • Wrongdoing: communication of Violation Information, submitted through the Reporting Channels (both internal and external); in particular, the Reports are divided into:

  1. Internal Reporting: Disclosure of Violation Information, submitted via the Internal Reporting Channels (p. 4.2);

  2. External Reporting: Disclosure of Information on Violations, submitted via the External Reporting Channels (p. 4.3);

  • Disciplinary System: set of sanctioning measures against those who do not comply with the provisions of this procedure, as better specified in p.7 below;

  • Third Parties: all parties "external" to the Company who have contractual relationships with the Company (for example, consultants, suppliers, customers and partners);

  • Evaluation (Triage): evaluation of the Report for the purposes of classification, adoption of investigative measures, prioritization and related management.

  • Violation: all conducts, acts and omissions identified in p.4.1 below.

Terms defined in the singular are also understood in the plural where the context requires it and vice versa.

1. PURPOSE

For the purposes of the application of Legislative Decree no. 24/2023, this procedure defines, as part of the activity carried out by Roberto Cavalli S.p.A. (hereinafter also referred to as "Roberto Cavalli" or the "Company"), the general principles set, in particular, to safeguard Whistleblowers, the operating procedures to be observed in the management of Internal Reports, the procedures for submitting a Public Disclosure or an External Report, the protection measures as well as the Disciplinary system.

2. TERMS OF VALIDITY

This procedure is valid from the date of its issue indicated on the cover.

Any subsequent update cancels and replaces, from the date of its issue, all versions previously issued.

3. LEGAL AND REGULATORY REFERENCES

  • Lgs. Decree 24/2023 'Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and on provisions for the protection of persons who report breaches of national laws'

  • Lgs. Decree 231/2001 "Regulation of the administrative liability of legal persons, companies and associations, including those without legal personality, pursuant to Article 11 of Law 29 September 2000, n. 300"

  • "Guidelines on the protection of persons who report breaches of Union law and protection of persons who report breaches of national laws. Procedure for the submission and management of external reports" of the National Anti-Corruption Authority (ANAC) approved by Resolution no. 311 of 12 July 2023

  • Confindustria Operational Guide for Private Entities on the new "whistleblowing" discipline

  • EU Regulation no. 679/2016 of the European Parliament and of the Council of 27 April 2016

4. OPERATING MODES

The following persons may make Internal Reports, External Reports (under the conditions set out in p. 4.3 below), Public Disclosure (under the conditions set out in p. 4.4 below), or complaints to the judicial or accounting authorities:

  • the Company's employees, including workers whose employment relationship is governed by Legislative Decree of 15 June 2015, no. 81, or Article 54-bis of Decree-Law 24 April 2017, no. 50, converted, with amendments, by Law 21 June 2017, no. 96;

  • self-employed persons, including those referred to in Chapter I of Law of 22 May 2017, no. 81, as well as the holders of a collaboration relationship referred to in Article 409 of the Code of Civil Procedure and Article 2 of Legislative Decree no. 81 of 2015, who carry out their work at the Company;

  • workers or collaborators who work for public or private sector entities that provide goods or services that carry out works for third parties;

  • freelancers and consultants who work for the Company;

  • volunteers and trainees, both paid and unpaid, who work for the Company;

  • shareholders and persons with administrative, managerial, control, supervisory or representative functions, even if such functions are exercised on a purely de facto basis, at the Company.

4.1 SUBJECT OF REPORTS / COMPLAINTS / PUBLIC DISCLOSURES

Notwithstanding the general prohibition to make Reports, complaints to the judicial or accounting authorities or Public Disclosures that are manifestly unfounded and/or made with malicious intent (e.g., for defamatory purposes) or with gross negligence, the Violations, which may be the subject of Reports, complaints to the judicial or accounting authorities or Public Disclosures, concern the following types of which one has become aware in the context of one's own Work context, in particular:

  1. Significant unlawful conduct pursuant to Legislative Decree 8 June 2001, no. 231, or violations of the Organizational Model provided for therein;

  2. offences that fall within the scope of the European Union or national acts indicated in the annex to Legislative Decree no. 24/2023 or national acts that constitute implementation of the European Union acts indicated in the annex to Directive (EU) 2019/1937, although not indicated in the annex to Legislative Decree no. 24/2023, relating to the following areas: public procurement; financial services, products and markets and prevention of money laundering and terrorist financing; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety and animal health and welfare; public health; consumer protection; privacy and personal data protection and security of networks and information systems;

  3. acts or omissions affecting the financial interests of the Union as referred to in Article 325 of the Treaty on the Functioning of the European Union as specified in the relevant secondary legislation of the European Union;

  4. acts or omissions relating to the internal market, as referred to in Article 26(2) of the Treaty on the Functioning of the European Union, including infringements of EU competition and State aid rules, as well as infringements concerning the internal market related to acts in breach of corporate tax rules or mechanisms whose purpose is to obtain a tax advantage that frustrates the object or purpose of the applicable corporate tax law;

  5. acts or conduct which frustrate the object or purpose of the provisions of Union acts in the areas referred to in the preceding paragraphs;

Internal Reports that do not fall within the scope and subject of this procedure will not be taken into consideration in any way.

4.2 INTERNAL REPORTING

4.2.1 CONTENT OF THE REPORT

The Whistleblower is required to provide all the elements necessary to allow the due and appropriate checks to verify the validity of the facts of the Internal Report. To this end, the Internal Report should contain concrete, documented and/or verifiable circumstances and information that reasonably suggest that the acts/facts or omissions reported constitute a Violation. Preferably it should include the following:

  • the personal details of the person making the Internal Report with an indication of the position or function performed within the Company;

  • a clear and complete description of the facts covered by the Internal Report;

  • if known, the circumstances of the time and place in which the acts were committed;

  • if known, the personal details or other elements (such as the position and the service in which the activity is carried out) that make it possible to identify the person who carried out the facts subject to the Internal Report;

  • the indication of any other subjects who may report on the facts subject to the Internal Report;

  • an indication of any documents that may confirm the validity of these facts;

  • any other information that may provide useful feedback on the existence of the reported facts.

In the case of anonymous Internal Reports, the Reporting Manager reserves the right to take them into consideration on the basis of the seriousness of the reported facts and in relation to the level of detail and precision of the content of the Internal Report.

4.2.2 INTERNAL REPORTING CHANNELS

Internal reports can be made in the following ways:

  • through the IT platform: EQS Integrity Line https://robertocavalli.integrityline.com

  • in oral form:

    a. Voice messaging system available on the platform at the following link: https://robertocavalli.integrityline.com

    b. by means of a request to arrange a direct meeting with the Reporting Manager sent through the IT platform or by any suitable means to ensure receipt. The request must not indicate the reasons or other references related to the subject of the report. The meeting must be arranged within a reasonable time.

The Reporting Manager is the person responsible for receiving internal Reports, which will be managed by the parties indicated below (hereinafter referred to as the "Reporting Manager"). In particular, without prejudice to the provisions of § 4.2.4 below, the Reporting Manager is the only person appointed to access the Internal Reporting Channels as well as to view the content of the Internal Reports, subject to written authorisation by the Company pursuant to art. 29 of the GDPR, and shall adopt appropriate procedures to prevent the loss, destruction and unauthorized access to Internal Reports.

If the Reporting Manager is a collegial body, each member must be provided with personal authentication credentials for access to the IT platform dedicated to sending Internal Reports.

An Internal report submitted to a party other than the Reporting Manager shall be forwarded to the Reporting Manager within seven days of receipt.

Upon receipt of the Internal Report, the Reporting Manager shall:

  • in the event of a Report received through a direct meeting, promptly proceed to enter the same in the IT platform by filling in the fields/attachment of the report of the Internal Report, taking care to indicate the Whistleblower's desire to remain anonymous;

  • within seven days from the date of receipt, issue the Whistleblower with acknowledgement of receipt of the Internal Report.

4.2.3 PHASES OF INTERNAL REPORTS MANAGEMENT

Below are the phases of management of internal reports:

  • Reception Reports: 1. Framework; 2. Adoption of investigative measures; 3. Prioritization

  • Triage and evaluation:

    Eligibility Assessment: if "No", Feedback - archiving without remarks; if "Yes", continue to the next evaluation.

    Substantiation Assessment: if "No", Feedback - archiving without remarks; if "Yes", continue to Feedback and Recommendation.

  • Closing: Feedback and Recommendation; Archiving

The management of Internal Reports is carried out in accordance with the steps described below:

  • Reception and Triage (§4.2.4);

  • Assessment (§4.2.5);

  • Closure (§4.2.7).

At each stage of the management of the Internal Report, the Reporting Manager:

  • where necessary, informs the Whistleblower of the status of the Internal Report and of any subsequent steps related to it and/or consequential;

  • guarantees the confidentiality of the identity of the Whistleblower and of the information contained in the Internal Reports (Protection) to the extent that anonymity and confidentiality are enforceable under the law and to the persons competent to receive or follow up expressly authorised Internal reports;

  • operates in compliance with the duties of independence and professionalism (Impartiality);

  • guarantees the accurate and efficient management of all Internal Reports.

4.2.4 RECEPTION AND TRIAGE

All Internal Reports are subject to a preliminary analysis by the Reporting Manager, who assesses the subject matter and proceeds as follows:

  • in the event of an internal report concerning significant unlawful conduct pursuant to Legislative Decree 8 June 2001, no. 231, or violations of the Organisational Model provided for therein, the Reporting Manager transmits the internal Report to the Supervisory Body which, assuming the role of Whistleblowing Officer, carries out the activity of verifying completeness and substantiation, assigning a higher degree of priority to the Internal Reports concerning the hypothetical commission of crimes as they are most at risk for the Company, and proceeds with the Assessment of the admissibility of the Internal Reporting (§4.2.5). If the Internal Report refers to one or more members of the Supervisory Body, the Internal Report will be forwarded to the management body or to another person identified for appropriate assessments;

  • in the event of an Internal Report concerning a Violation other than those indicated above, for the purposes of this procedure, the Reporting Manager is also the Whistleblowing Officer and therefore carries out the activity of verifying completeness and substantiation by assigning a higher degree of priority to Internal Reports concerning Information on Violations concerning a serious harm to the public interest or the infringement of principles of constitutional rank or European Union law, proceeding with the Assessment of the admissibility of the Internal Reporting (§4.2.5). In order to ensure the impartiality of the assessment, if the Report refers to one or more members of the Reporting Manager, the Internal Report will be forwarded to the management body or to another person identified for the appropriate assessments.

If the Internal Reporting is the responsibility of several Whistleblowing Officers, the latter will coordinate for the management of the Internal Reports in compliance with the relevant legislation.

4.2.5 ASSESSMENT OF THE ADMISSIBILITY OF INTERNAL REPORTING

The Whistleblowing Officer carries out an initial examination of the Internal Report in order to immediately assess whether the Internal Report is:

  • manifestly inadmissible;

  • not regarding Violations.

In such cases, the Whistleblowing Officer shall notify the Reporting Manager of the inadmissibility and shall proceed to notify the Whistleblower of the circumstance within three months from the date of the acknowledgement of receipt or, in the absence of such notice, within three months from the expiry of the seven-day period from the submission of the Internal Report and to archive the Internal Report.

4.2.6 ASSESSMENT OF THE VALIDITY OF THE INTERNAL REPORTING

If, from an initial examination, the Internal Report is not manifestly unfounded, the Whistleblowing Officer will proceed with the investigation. In order to carry out all the necessary checks on the Internal Report received, the Whistleblowing Officer can:

  1. acquire from the Whistleblower further information and/or documentation in support of the reported facts (also by means of a paper-based procedure through the acquisition of written observations and documents);

  2. proceed with the hearing of the Concerned Person or, at his/her request, hear him/her through a paper-based procedure through the acquisition of written observations and documents;

  3. consider suggesting to the management body the adoption of preliminary measures suitable to contain any risks (e.g., suspension of the Concerned Person, measures to avoid suppression of evidence);

  4. avail themselves of the support of the Manager of specific Company Functions or – if deemed appropriate – also of external consultants whose involvement is functional to the verification and assessment activity, without prejudice to compliance with the provisions on the processing of personal data.

In all cases:

  • if the Whistleblower comes into possession of additional information or documents in support of facts that are the subject of an Internal Report, he/she may communicate them through the Internal Reporting Channels indicated in § 4.2.2 above;

  • the Reporting Manager will respond to the Internal Report within three months from the date of the acknowledgment of receipt or, in the absence of such notice, within three months from the expiry of the period of seven days from the submission of the Internal Report.

4.2.7 CLOSING THE INTERNAL REPORT

The preliminary and assessment activities must be completed within an appropriate period of time according to the scope and complexity of the investigation and assessment activities to be carried out.

If, at the end of the analysis phase, it emerges:

  • the absence of sufficiently substantiated facts or the groundlessness of the Internal Report, the Whistleblowing Officer will give written notice of the outcome of the investigation to the Reporting Manager, who will archive the Internal Report, informing the Whistleblower (filing without remarks);

  • the definitive validity of the Internal Report, the Whistleblowing Officer will give written notice of the outcome of the investigation to the Reporting Manager who, in relation to the nature of the Internal Report, in compliance with the provisions on the processing of personal data and after verifying the provision of consent by the Whistleblower, will inform about the results of the investigation:

    1. the holder of disciplinary power, for the possible adoption of any appropriate initiative;

    2. the Whistleblower, to whom he or she shall provide feedback within three months from the date of transmission of the acknowledgement of receipt of the Report, or in the absence of such notice, within three months from the expiry of the period of seven days from the submission of the Report.

If the Violation is of particular gravity or concerns one or more members of the management body, the Reporting Manager informs the other members of the management body and/or the Board of Statutory Auditors, where appointed, and, if necessary, informs the Company's shareholders.

4.2.8 MONITORING AND CORRECTIVE ACTIONS

It is the responsibility of the hierarchical superior of the Concerned Person (if any, otherwise of the governing body) to supervise the implementation of the corrective action recommendations issued.

The Reporting Manager monitors the implementation of the recommendations for corrective action and informs the management body of related developments.

The Reporting Manager, in compliance with the provisions on the processing of personal data, reports at least annually to the management body information relating to the management of Internal Reports as well as on the general functioning of this procedure, so as to allow it to assess the effectiveness of the Internal Report management system.

4.2.9 PROCESSING AND MANAGEMENT OF PERSONAL DATA

Personal data – including special categories of data and judicial data – communicated as part of the Internal Reports will be processed in compliance with the provisions of the GDPR as better described in the Privacy Policy on Reporting and Concerned Person (Annex A "Ann. A_ Cavalli_Segnalante e Persona Coinvolta_Informativa privacy Whistleblowing") referred to via links and made available on the website in the dedicated "Privacy Policy" area at https://robertocavalli.integrityline.com.

Internal Reports may not be used beyond what is necessary to adequately follow up on them.

The identity of the Whistleblower and any other information from which such identity may be inferred, directly or indirectly, may not be revealed, without the express consent of the Whistleblower:

  • to persons other than the Reporting Manager / Whistleblowing Officer and other persons specifically authorised by the Data Controller (this consent must be requested before proceeding with the communication to any person other than the persons authorised to manage the reports);

  • in disciplinary proceedings where the charge is based, in whole or in part, on the Report and knowledge of the identity of the Whistleblower is indispensable for the accused person's defence.

In particular, the Reporting Manager and/or the Whistleblowing Officer must deliver to the Whistleblower or verify that the Privacy Policy has been delivered on behalf of the Data Controller and obtain consent in the cases of Internal Reports listed below:

  • in the case of oral Internal reports by means of a meeting;

  • in the case of Internal reports via a registered voice messaging system.

In these cases, the Reporting Manager and/or the Whistleblowing Officer must obtain the following consents:

  • the disclosure of the identity of the Whistleblower and any other information from which such identity may be inferred, directly or indirectly, to persons other than those competent to receive or follow up on the Internal Reports;

  • the disclosure of the identity of the Whistleblower in the context of disciplinary proceedings where the dispute is based, in whole or in part, on the Internal Report and knowledge of the identity of the Whistleblower is essential for the defence of the accused;

  • to the documentation of the Internal Reports.

In the event that the Reporting Manager and/or the Whistleblowing Officer has received consent to the documentation of the Report referred to in letter c) above, he/she must document the Internal Report in the following ways.

  • If a registered voice messaging system was used for Internal Report, the Internal Report is documented by recording on a device suitable for storage and listening or by full transcription. In the event of a transcript, the Whistleblower may verify, rectify or confirm the content of the transcript by means of his/her signature.

  • If the Internal Report was made orally during a meeting with the Reporting Manager and/or the Whistleblowing Officer, the Internal Report is documented by recording on a device suitable for storage and listening or by means of a report. The Whistleblower may verify, rectify and confirm the minutes of the meeting by signing it.

The protection of the identity of the Whistleblower and the Concerned Persons is guaranteed until the conclusion of the proceedings initiated due to the Internal Report.

Personal data that is manifestly not useful for the processing of a specific Internal Report, where possible, is not collected or, if collected accidentally, is deleted immediately.

The Concerned Person may not exercise the rights referred to in art. 15-22 of the GDPR if this may result in an actual and concrete prejudice to the confidentiality of the identity of the Whistleblower.

4.2.10 ARCHIVING AND STORAGE OF DOCUMENTS

The objective of the preservation and archiving of the documentation is to allow the correct traceability of the entire process and to facilitate any subsequent checks.

The Reporting Manager and/or the Whistleblowing Officer is required to keep all documentation supporting the Internal Report for the time necessary to carry out the assessment activities in a computer and/or paper archive using suitable methods to prevent loss, destruction and unauthorized access.

The Internal Reports and the related documentation are kept for the time necessary for the processing of the Internal Report and in any case no longer than five years from the date of communication of the final outcome of the Internal Report procedure, in compliance with the confidentiality obligations referred to in Article 12 of Legislative Decree no. 24/2023 and the principle of storage limitation referred to in the privacy legislation.

4.3 EXTERNAL REPORT

In the event that the Whistleblower:

  • should report that the Internal Reporting Channel implemented by the Company is not active or, even if activated, does not comply with the provisions of art. 4 of Legislative Decree no. 24/2023;

  • has already made an Internal Report and this has not been followed up within the deadlines provided; or

  • has reasonable grounds to believe that, if he/she submits an Internal Report, it would not be followed up effectively or that the Internal Report could result in the risk of Retaliation;

  • has reasonable grounds to believe that the Violation may represent an imminent or obvious danger to the public interest;

  • has reasonable grounds to believe that the Reporting Manager has a conflict of interest (for example, in the event that the Report relates to a Violation committed by the Manager);

  • is the Reporting Manager,

the Whistleblower may make an External Report to the National Anti-Corruption Authority for Italy (ANAC), in written form, through the IT platforms or other means implemented by ANAC, or orally, through the telephone line and/or the recorded voice messaging system implemented by the national body/authority. ANAC must guarantee the utmost confidentiality of the identity of the Whistleblower, the Concerned Person and the one otherwise mentioned in the Report, as well as the content of the Report and the related documentation.

The provisions of this paragraph shall not apply in the case of Reports concerning violations other than those indicated in letters b) – e) of § 4.1.

In any case, those who have suffered a Retaliation have the right to notify the National Anti-Corruption Authority (ANAC), which, pursuant to art. 19 Lgs. Decree 24/2023, is required to inform the National Labour Inspectorate for the measures within its competence.

4.4 PUBLIC DISCLOSURES

A Public Disclosure may be made by the Whistleblower who:

  • has previously made an internal report and an External report or has directly made an External report under the conditions and in the manner provided for by art. 4 and 7 of Legislative Decree no. 24/2023 to which no response was given within the terms provided for by art. 5 and 8 of Legislative Decree no. 24/2023 (i.e. within three months from the date of the acknowledgment of receipt or, in the absence of such acknowledgement, within three months from the expiry of the period of seven days from the submission of the Report, or within six months in the case of an External Report, if there are justified and reasoned reasons); or

  • has reasonable grounds to believe that the Violation may constitute an imminent or obvious danger to the public interest;

  • has reasonable grounds to believe that the External Report may involve the risk of Retaliation or may not be effectively followed up due to the specific circumstances of the specific case, such as those in which evidence may be concealed or destroyed or where there is a well-founded fear that the recipient of the External Report may be colluding with the Infringer or involved in the Violation.

The provisions of this paragraph shall not apply in the case of reports concerning violations other than those indicated in letters b) – e) of § 4.1.

5. PROTECTIVE MEASURES

5.1 CONDITIONS FOR THE PROTECTION OF THE WHISTLEBLOWER (PROTECTION)

The protective measures apply in the following cases:

  • if, at the time of the Report or complaint to the judicial or accounting authority or the Public Disclosure, the Whistleblower (or complainant) had reasonable grounds to believe that the Information on Violations reported, publicly disclosed or denounced was true and within the objective scope (§ 4.1);

  • if the Report or Public Disclosure has been made in the manner indicated in this procedure;

  • in the case of a Report, a complaint to the judicial or accounting authority or an anonymous Public Disclosure, if the Whistleblower has been subsequently identified and/or has suffered Retaliation.

Prohibition of retaliatory acts (Measure): The prohibition is provided for by art. 17 of Legislative Decree no. 24/2023, which is intended to be referred to in its entirety herein.

Acts taken in violation of this prohibition are null and void.

Retaliation Protection (Measure): That said, those who believe they have suffered Retaliation for having made a Report, a complaint to the judicial or accounting authority or a Public Disclosure must notify the Reporting Manager who, having assessed the existence of the elements, reports the hypothesis of discrimination to the management body or other identified body.

The management body or other body identified shall promptly assess the opportunity/need to adopt acts or measures to restore the situation and/or to remedy the negative effects of the Retaliation and the existence of the grounds for initiating disciplinary proceedings against the person who perpetrated the Retaliation.

The management body or other identified body, possibly with the help of the Human Resources Function and the consultant in charge, assesses the existence of the grounds for initiating disciplinary proceedings against the person who carried out the Retaliation, and promptly informs the Reporting Manager. In the event that the (presumed or ascertained) Retaliation is alleged against one or more members of the management body or other identified entity, the Reporting Manager informs the entire management body and/or the Board of Statutory Auditors.

In any case, those who have suffered retaliation have the right to notify ANAC.

Confidentiality obligations (Measure): The obligation of confidentiality is provided for by art. 12 of Legislative Decree no. 24/2023, which is intended to be referred to in its entirety herein.

5.2 PROTECTION OF THE CONCERNED PERSON

The Concerned Persons are protected with regard to the confidentiality of the Reports, complaints to the judicial or accounting authorities or Public Disclosure concerning them and any investigations carried out and they have the same protection from any Reports, complaints to the judicial or accounting authorities or retaliatory and/or defamatory Public Disclosures (Protection). To this end, as indicated in §7 below, Reports, complaints to judicial or accounting authorities or defamatory or slanderous Public Disclosures that could give rise to civil and/or criminal liability of the Whistleblower are strictly prohibited.

6. TRAINING AND INFORMATION

In accordance with the provisions of art. 4 paragraph 2 and art. 5 paragraph 1 letter e) of Legislative Decree no. 24/2023, the Company promotes and guarantees the dissemination and knowledge of this Procedure by publication on the Company's institutional website and by affixing it to the notice board and/or publication on the IT platform and, as soon as available, on the company intranet site.

In addition, in accordance with the provisions of the Organizational Model:

  • this Procedure is communicated to all company resources as an integral part of the Organizational Model;

  • in order to create an appropriate awareness of the purposes and protections recognized by Legislative Decree no. 24/2023, as well as a culture of integrity and responsibility within the Company, the latter organizes training sessions for staff also aimed at disseminating knowledge of the regulations referred to in this Procedure, and in particular on the issues exposed to all internal staff (including the regulations on the processing of personal data).

In addition, periodically, or in the event of regulatory updates regarding the relevant and applicable provisions relating to the management of Reports, the Company carries out specific training activities for the Reporting Manager/Whistleblowing Officer and any other parties involved, to ensure that the Reports received are treated adequately and in accordance with the applicable provisions. These activities will concern, among other topics, those relating to:

  • regulatory aspects;

  • procedures and assumptions;

  • general principles and behaviour.

7. DISCIPLINARY SYSTEM

Disciplinary proceedings may be instituted against the person responsible in the event of a breach of this procedure and, pursuant to art. 21 of Legislative Decree no. 24/2023, when the Company ascertains that:

  • a Violation has been committed;

  • Retaliation has been committed;

  • the Report has been obstructed or an attempt has been made to obstruct it;

  • there has been a violation of the confidentiality obligation referred to in art. 12 of Legislative Decree no. 24/2023;

  • the Whistleblower has submitted a Report, Public Disclosure or complaint to the judicial authority with intent or gross negligence;

  • the verification and analysis of the Internal Reports received was not carried out.

In the event of a violation for significant unlawful conduct pursuant to Legislative Decree 8 June 2001, n. 231, or violations of the Organizational Model, the disciplinary proceedings initiated will follow the provisions of the Organizational Model.

This is without prejudice to the criminal and civil liability of the Whistleblower or complainant who makes unfounded Reports, Public Disclosure or reports to the judicial authorities with intent or gross negligence.

In particular, when the criminal liability of the Whistleblower or Complainant for the crimes of defamation or slander or his/her civil liability, for the same reason, in cases of wilful misconduct or gross negligence, is ascertained, the protection measures are not guaranteed and a disciplinary sanction is imposed on the Whistleblower or Complainant for the protection of the Company and the Concerned Person, as well as compensation initiatives.

A Whistleblower or Complainant who discloses or disseminates Information on Violations covered by the obligation of secrecy relating to the protection of copyright or the protection of personal data, or discloses or disseminates Information on Violations that offend the reputation of the Concerned Person, shall not be punishable - and shall not be held liable either civilly or administratively - when, at the time of disclosure or dissemination, there were reasonable grounds to believe that the disclosure or dissemination of the same information was necessary to disclose the Violation; all limited to the conduct, acts or omissions strictly necessary to disclose the Violation.

Within the framework of disciplinary proceedings, the identity of the Whistleblower may not be disclosed, if the allegation of the disciplinary charge is based on separate investigations additional to the Report, even if consequent to it. If the dispute is based, in whole or in part, on the Report and knowledge of the identity of the Whistleblower is essential for the defence of the accused person, the Report will be used for the purposes of disciplinary proceedings only in the presence of the Whistleblower's express consent to the disclosure of his/her identity. The Reporting Manager will be required to:

  • verify the presence of the Whistleblower's consent/obtain the written consent using the form attached to the Privacy policy on the Whistleblower, Annex A "Ann. A_Cavalli_Segnalante e Persona Coinvolta_Informativa privacy Whistleblowing";

  • communicate in writing to the Whistleblower the reasons for the disclosure of confidential data.

The Company, through the bodies and functions specifically appointed for this purpose, shall ensure that sanctions proportionate to the respective violations of this procedure are imposed consistently, impartially and uniformly.

7.1.1 EMPLOYEES & ADMINISTRATORS

Failure to comply with and/or violation of the rules of conduct indicated in this procedure by the Company's employees/directors constitutes non-compliance with the obligations arising from the employment relationship and gives rise to the application of disciplinary sanctions.

The sanctions will be applied in compliance with the provisions of the law and collective bargaining and will be proportionate to the seriousness and nature of the facts.

The ascertainment of the aforementioned infringements, the management of disciplinary proceedings and the imposition of sanctions remain the responsibility of the company functions in charge and delegated for this purpose.

Violations of this procedure by the members of the Company's corporate bodies must be communicated to the Reporting Manager/management body, which will take the appropriate steps in accordance with the law.

7.1.2 THIRD PARTIES

Any conduct carried out by Third Parties in violation of the provisions of this procedure may also result in the termination of the contractual relationship, without prejudice to any request for compensation by the Company if such conduct results in damages.

REPORT MANAGEMENT

INFORMATION ON THE PROCESSING OF PERSONAL DATA

ART. 13 OF EU REGULATION 679/2016

FOR THE REPORTER

Roberto Cavalli SpA (hereinafter, “Cavalli” or the “Owner”), as part of the process of managing reports of violations pursuant to Legislative Decree 10 March 2023, n. 24 on “Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 concerning the protection of persons reporting breaches of Union law and laying down provisions concerning the protection of persons reporting breaches of national regulatory provisions” (hereinafter “Whistleblowing Report” or “Report”), processes your personal data as a reporting person (hereinafter the “Reporter”).

We, therefore, provide you with information relating to the processing of your personal data, pursuant to and for the purposes of art. 13 of EU Regulation no. 679/2016 (hereinafter "GDPR").

DATA CONTROLLER

Roberto Cavalli SpA with registered office in Piazza San Babila n. 3, Milan (MI), in the person of the legal representative pro tempore domiciled at the Data Controller's headquarters.

You can contact the Data Controller at the following addresses:

The Data Controller may appoint other subjects responsible for processing (hereinafter the "Managers"), as well as persons authorized to carry out processing operations (hereinafter the "Authorized Persons"). A complete and updated list of Managers and Authorized Persons is available by contacting the Owner at the addresses indicated above.

DATA PROTECTION OFFICER – “DPO”

Pursuant to art. 37 of the GDPR, the Company has also appointed a Data Protection Officer (DPO).

You can contact the DPO at the following addresses:

TYPE OF DATA PROCESSED

As part of the management of Whistleblowing Reports, the Data Controller, only if you decide to reveal your identity, can process personal data and in particular identification and personal data (including, by way of example and not limited to, name, surname, address and e-mail, images, voice, etc.) of the Reporter as well as the data contained in the Report and the elements collected in the related verification. The Data Controller may also process particular categories of personal data (i.e. data capable of revealing racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature, as well as personal data suitable for revealing the state of health and sexual life) and so-called "judicial" data (i.e. data relating to criminal convictions and crimes). We invite you to provide only the data necessary for the management of Whistleblowing Reports.

Personal data that is clearly not useful for the processing of a specific Report, where possible, is not collected or, if collected accidentally, is deleted immediately.

PURPOSE OF THE PROCESSING

Your personal data will be processed, within the limits indicated above, for the purpose of receiving, analyzing, documenting and managing the Whistleblowing Report, ascertaining the facts covered by it and adopting the consequent measures.

If the Whistleblowing Report is deemed to be well founded, its content will be used by the Data Controller in order to continue its investigations in order to ascertain the facts.

TREATMENT METHODS

The processing of your personal data takes place by means of personnel duly trained in the processing of personal data, specifically appointed as Authorized or Responsible Persons by the Data Controller within the scope of their respective functions or professional assignment conferred. The processing of your personal data also takes place with the aid of electronic or, in any case, automated, IT and telematic tools, and in any case with logic strictly related to the purposes mentioned above, in order to guarantee the confidentiality and security of personal data.

The Company processes the data in compliance with the principles of lawfulness, correctness, transparency, accuracy, integrity and non-excess, relevance and necessity with respect to the purposes pursued, guaranteeing the protection of your privacy and your rights.

The documentation of the Report occurs in the following ways:

  • when the IT platform is used for the Report, the documentation takes place through the use of the platform itself;

  • when a recorded voice messaging system is used for the Report, the Report, with your consent, is documented by the Authorized Persons by recording on a device suitable for storage and listening or by full transcription. In the case of transcription, you may verify, rectify or confirm the content of the transcription by signing;

  • when the Report is made orally during a meeting with the Authorized Persons, it is, with your consent, documented by the Authorized Persons by recording on a device suitable for storage and listening or by minutes. In the case of minutes, you can verify, rectify and confirm the minutes of the meeting by signing them.

STORAGE TIMES

The Reports and the related documentation are kept for the time necessary to process the Report itself and in any case no longer than five years from the date of communication of the final outcome of the Report procedure.

After these deadlines, the data will be deleted or anonymized.

NATURE OF THE PROVISION AND CONSEQUENCES OF ANY REFUSAL

When you send a Report, the provision of your personal data is absolutely optional.

If you have expressly decided to reveal your identity when sending the Report, your personal data will be processed only for the management of the Whistleblowing Report and any consequent actions.

The disclosure of your identity and any other information from which such identity can be deduced directly or indirectly, to persons other than those competent to receive or follow up on the Reports, even in the context of disciplinary proceedings, is only possible with your prior consent.

Furthermore, proceeding with the documentation of the Report when this is made via a recorded voice messaging system or is made orally during a meeting with the Authorized Persons, is only possible with your prior consent.

LEGAL BASIS OF THE PROCESSING

The legal basis for the processing of data, including judicial data, for the purposes of receiving, analyzing and managing the Whistleblowing Report, as well as for ascertaining the facts covered by the Report and adopting the consequent measures, is compliance with the provisions of Legislative Decree 10 March 2023, n. 24 “Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting breaches of Union law and laying down provisions concerning the protection of persons reporting breaches of national regulatory provisions” and subsequent amendments, pursuant to art. 6(1)(c) of the GDPR.

The legal basis of the processing operations indicated below, however, is consent pursuant to art. 6(1)(a) of the GDPR; and, in particular, for:

  • the revelation of your identity and any other information from which such identity can be deduced directly or indirectly, to persons other than those competent to receive or follow up on the Reports;

  • the revelation of your identity in the disciplinary proceedings where the dispute is based, in whole or in part, on the Report and knowledge of your identity is indispensable for the defense of the accused;

  • the documentation of the Report when it is made via a recorded telephone line or another recorded voice messaging system or is made orally during a meeting with the Authorized Persons.

CATEGORIES OF RECIPIENTS

Your personal data and, more generally, all personal data communicated with the Whistleblowing Report, together with the documentation supporting the same, may be shared, to the extent strictly necessary, with the following parties obliged to confidentiality:

  • Reports Manager: i.e. the person(s) responsible for receiving and managing the Reports, appointed in accordance with art. 4 co. 2 of Legislative Decree 24/2023;

  • Persons competent to follow up on Reports;

  • any external legal consultants who can provide consultancy to the Company in relation to the management of the Whistleblowing Report;

  • third party who, as Data Controller pursuant to art. 28 of the GDPR, will provide the cloud application (EQS – Integrity Line) used by the Company for the management of Reports and will retain the documentation uploaded therein, as well as the Whistleblowing Report;

  • subjects, bodies or authorities - independent data controllers - to whom it is mandatory to communicate your personal data pursuant to legal provisions or orders from the authorities.

TRANSFER OF DATA TO THIRD COUNTRIES

The data processed are transferred outside the EEA. Specifically, the data will be transferred to Switzerland, a country considered adequate by the European Commission, and to the United Arab Emirates via Standard Contractual Clauses.

RIGHTS OF INTERESTED PARTIES

As required by art. 13 of the GDPR, you may at any time:

  • ask the Data Controller to access personal data and to rectify or delete them or limit the processing that concerns them;

  • oppose the processing of your personal data based on legitimate interest, specifying the reasons connected to your specific personal situation which justify the opposition to the processing pursuant to art. 21 of the GDPR;

  • revoke consent at any time without prejudice to the lawfulness of the Processing based on the consent given before the revocation;

  • lodge a complaint with a supervisory authority.

The rights described above can be exercised with a request addressed without formalities to the Data Controller at the following addresses:

  1. via e-mail: privacy@robertocavalli.com

  2. by post: Milan (MI), Piazza San Babila n. 3

It is specified that the rights referred to in articles 15 to 22 of the GDPR cannot be exercised with a request to the Data Controller or with a complaint pursuant to article 77 of the GDPR if the exercise of these rights could result in actual and concrete prejudice:

  • to carry out defensive investigations or to exercise a right in court;

  • to the confidentiality of the identity of the person making a Report pursuant to Legislative Decree no. 24/2023 and subsequent amendments.