Whistleblowing Policy

(According to Legislative Decree 24, March 10, 2023)

In implementation of Directive (EU) 2019/1937, Legislative Degree n. 24 of March 10, 2023 on “the protection of persons who report breaches of Union law and laying down provisions concerning the protection of persons who report breaches of national laws” was issued. The directive regulates the protection of persons who report acts, offenses or omissions that harm the public interest and the integrity of the public administration or private entity, of which they have become aware in a public or private employment context.

The purpose of this legislation is to incentivize collaboration in order to facilitate the emergence of wrongdoing through systems that guarantee an adequate system of protection for those involved.
In fact, the decree regulates:

  • The prohibition of retaliation through direct or indirect discriminatory acts against the reporter for reasons directly or indirectly related to the report
  • The introduction of financial penalties for failure to comply with the provisions of the regulations 
  • The protection of the confidentiality of the reporter, the whistleblower and the facilitators involved
  • The burden on the employer to adopt an appropriate internal reporting channel that ensures anonymity through encryption and OTP authentication
  • The burden on the employer to inform and train of the presence of an internal reporting channel suitable for the purposes below (para. 3)
  • The burden on the employer, in the event of disputes related to disciplinary sanctions, demotion, dismissal, transfer, or subjecting the reporter to other organizational measures with adverse effects (direct or indirect) subsequent to the report, to demonstrate the reasonableness of such measures regardless of the report itself.

According to Legislative Decree 24, Inca Cosmetici S.r.l. has adopted an internal reporting channel available to whistleblowers, which complies with the provisions of the regulations and is equipped with OTP encryption and authentication systems, in order to ensure the protection and confidentiality of processed data. 

Who’s Whistleblower?

According to Legislative Decree 24, a whistleblower is defined as anyone who reports wrongdoing in the public or private work context. With reference to Inca Cosmetici S.r.l., the recipients of this procedure are:

  • The top management of Inca Cosmetici S.r.l.
  • Employees of Inca Cosmetici S.r.l.
  • Partners, customers, suppliers, consultants, collaborators, associates and anyone who is in a relationship of interest with Inca Cosmetici S.r.l.

What is Whistleblowing?

According to Legislative Decree 24, whistleblowing means any report, submitted to protect the integrity of the Company, of unlawful conduct or violations of the Code of Ethics, Organizational Model 231 and the procedures adopted by Inca Cosmetici S.r.l., based on precise and concordant elements of fact, of which the Recipients have become aware by reason of the functions performed.

Object of Whistleblowing

The following clearly defined items are to be considered reportable offenses:
By way of example only and not exhaustively, the offenses subject to reporting are indicated:

  • Criminally relevant, fraudulent or corrupt acts
  • Acts carried out in violation of the Code of Ethics, the Codes of Conduct, the reference CCNL or other provisions sanctionable by disciplinary action
  • Acts likely to cause harm to the image of Inca Cosmetici S.r.l.
  • Illegal acts, such as theft, damage to property and equipment owned by Inca Cosmetici S.r.l., improper use of company assets
  • Potentially harmful acts to Inca Cosmetici S.r.l. and the safety of its employees
  • Cases of conflict of interest, potential or actual
  • Administrative and accounting offenses
  • Violations of the Organization, Management and Control Model pursuant to Legislative Decree No. 231/2001
  • Violations of internal regulations

What is NOT Whistleblowing

Reports of a personal nature of the reporter and/or claims/claims that fall under the discipline of the employment relationship and reports based on mere suspicions or rumors, which fall outside the established criteria of substantiation and lawfulness, are not to be considered for processing and protection.

Protection and responsibility of the Whistleblower

No act of retaliation, discrimination or failure to protect confidentiality may be in the charge of anyone who makes a report in the manner described by the current regulations, subject to sanction by the reference body (ANAC).
Any person who makes a report with malice or gross negligence or that proves to be false, unfounded, with defamatory content or with the purpose of harming Inca Cosmetici S.r.l., the reported person or other persons affected by the report shall be subject to sanction.
Inca Cosmetici S.r.l. is also authorized in such circumstances to take appropriate action, including legal action.

Protection of the reported person

Inca Cosmetici S.r.l. processes any personal and/or sensitive data of the whistleblower and provides for their protection according to the current Privacy Law (GDPR - EU Regulation 679/2016), with the exception of concrete findings acquired inherent to the whistleblowing for which the management of the whistleblowing requires their disclosure to the competent authorities.

The Whistleblowing Platform

The Qipo Whistleblowing platform adopted by Inca Cosmetici S.r.l. can be reached at the following web address https://app.qipo.it/whistleblowing/

Access to Qipo is subject to the no-log policy in order to prevent the identification of the whistleblower who intends to remain anonymous: the company's IT systems are therefore unable to identify the IP address (access point to the portal) even in cases where access was made from a device connected to the company network.
Whistleblowing by Qipo offers a mobile first web interface to access a public URL made available on the Inca Cosmetici S.r.l. web page.
This platform offers two ways of sending the report, anonymously or with unveiling of personal data (such as name, surname etc.); the data thus collected are subject to encryption and encrypted both during transmission (TLS) and during storage (AES - 256).
Qipo offers security and privacy by design features with named access cn 2FA, transaction logs and enablement only for selected individuals.

How to enter a new report

By clicking to dedicated link referred to Qipo platform, the reporter has the possibility to fill in the following fields:

  1. Enter his or her own data, if he or she opts to manifest personal data, or choose the anonymous mode
  2. Indicate the type of wrongdoing to be reported, choosing from the proposed macrocategories
  3. Indicate the timing of the event
  4. Describe the incident
  5. Make an upload of any attachments
  6. Enter the verification code
  7. View and accept the whistleblowing privacy policy

Once the report has been submitted, in order to track its progress, the whistleblower is required to copy both the link to the report and the PIN code created; this will enable them to monitor updates and interact with the report handler if necessary.

Handling of the report

Reports transmitted through the Qipo whistleblowing platform are taken care of by Dr. Raffaella Buoso (as internal manager) and lawyer Enzo Cosentino (as external manager), appropriately identified by written appointment.
Reports received are subject to the following report handling process:

  • Taking charge of the report, with notification of receipt to the reporter within 7 days of sending the report (changing the status to “received”)
  • Maintenance of interlocutions with the reporter, requesting additions where necessary
  • Carrying out the preliminary investigation necessary to follow up on the report
  • Acknowledgement regarding the handling of the report within 90 days of receipt or, in case of proven reasons, within 6 months from the date of notice of receipt of the report
  • Communication of the final outcome to the reporter about the handling of his report

Data Retention and Privacy Protection

In order to ensure the management and traceability of the reports and the activities to be inherent, Inca Cosmetici S.r.l. takes care of the archiving of the documentation supporting the report for a period of 2 years from the closure of the report and in any case no longer than 5 years.
The personal and sensitive data of the reporter, the reported and/or any other individuals involved are processed in compliance with the current data protection regulation (EU Regulation 679/2016 - GDPR)