Model 231

ORGANIZATION, MANAGEMENT, AND CONTROL MODEL
(adopted pursuant to Legislative Decree No. 231/2001)
Document approved by the Board of Directors with resolution dated 27.11.2023

1. INTRODUCTION

HIVE S.r.l. (hereinafter also referred to as “the Company” or “the Entity”) is a company within the Assist Group that specializes in the development, production, and commercialization of innovative products or services with high technological value. More specifically, it promotes the national tourism offering through the use of technologies and the development of original software, primarily by providing services to tourism businesses and private individuals.

2. PURPOSE OF THE MODEL

Through this descriptive document of the Organization, Management, and Control Model adopted by the Company pursuant to Legislative Decree No. 231 of June 8, 2001 (hereinafter, “Legislative Decree 231/2001” or “Decree”), the Entity aims to achieve the following objectives:

Comply with the regulations on the administrative liability of entities by analyzing the potential risks of unlawful conduct relevant under Legislative Decree 231/2001, as well as enhancing and integrating the related control mechanisms designed to prevent such conduct;

Promote and increasingly reinforce an ethical culture with a view to fairness and transparency in conducting its activities;

Ensure that all those operating on behalf of the Company in sensitive activities are aware that any violation of the provisions set forth herein may result in disciplinary and/or contractual consequences, as well as criminal and administrative penalties applicable to them;

Reaffirm that such unlawful behavior is strongly condemned, as it is contrary not only to legal provisions but also to the ethical principles the Company intends to uphold in its business operations;

Enable the Company, through monitoring activities in risk-prone areas, to intervene promptly to prevent or counteract the commission of crimes and sanction behaviors that violate the law and corporate rules.

The Organization, Management, and Control Model (hereinafter also referred to as the “Model”) therefore represents a coherent set of principles, procedures, and provisions that influence the internal functioning of the Company, the ways it interacts with external parties, and the diligent management of a control system for sensitive activities aimed at preventing the commission or attempted commission of offenses referred to in Legislative Decree 231/2001.The approval of this Model and its constituent elements is the exclusive prerogative and responsibility of the Company’s Board of Directors.

3. RECIPIENTS OF THE MODEL

The rules and provisions contained in this Model apply to and must be observed by those who, even de facto, perform management, administration, direction, or control functions for the Entity, employees, as well as collaborators, consultants, and, in general, all third parties acting on behalf of the Company in activities identified as “at risk.”

• Therefore, the “Recipients” of this Model include:
• Individuals with formal roles (in management, administration, and control of the Entity or one of its organizational units) that fall under the definition of “top executives”;
• Individuals who perform such functions even de facto;
• All Entity personnel under any type of contractual relationship (including interns, collaborators with fixed-term contracts, project-based collaborators);
• Freelancers formally included in the workforce;
• Members of the Supervisory Body, if appointed;
• All individuals who, while not belonging to the Company, maintain professional, commercial, and/or financial relationships of any nature with it;
• Anyone acting on behalf of the Entity under its direction and supervision, regardless of an employment relationship.

The Company requires external collaborators, consultants, suppliers, freelancers, and other contractual counterparties to comply with the provisions of the Decree and the ethical principles adopted by the Company through the inclusion of specific contractual clauses ensuring the commitment to compliance with Legislative Decree 231/2001 and the principles outlined in the adopted Code of Ethics.

4. STRUCTURE OF THE MODEL

The structure of the Model consists of:

• The Company’s Code of Ethics, which defines the general ethical values and principles that corporate bodies and their members, employees, collaborators, and consultants of the Entity must adhere to in conducting their activities to prevent illicit behavior or misalignment with corporate standards;
• The descriptive document of the “Organization, Management, and Control Model,” divided into:

1. General Part, which describes the contents of the Decree, briefly illustrates the Company’s organization, methods for identifying risks and analyzing control mechanisms, the appointment and functions of the Supervisory Body, references to the disciplinary system, communication and training activities related to the Model, and methods for updating the Model itself;
2. Special Part, which describes, for each business process potentially at “231 risk,” the relevant criminal offenses, exemplary methods by which such offenses may occur, behavioral principles to be followed, and control mechanisms to be implemented to prevent risks.

The following documents are an integral part of this document:

1. Catalog of offenses under Legislative Decree No. 231/2001 (Annex 1).

5. HIVE’S CODE OF ETHICS

HIVE’s Code of Ethics is a primary regulatory source within the Organization, Management, and Control Model pursuant to Legislative Decree 231/2001. Therefore, the principles, values, and rules of conduct contained therein must be considered an integral and essential part of the set of protocols, rules, and procedures applicable to each operational sector of the Entity.

The Code of Ethics is addressed to the Company’s Corporate Bodies and their members, employees, collaborators, medical staff, consultants, suppliers, and any other party acting in the name and on behalf of the Entity.

Failure to comply with the principles and rules of conduct contained in the Code and the Model must be promptly reported to the Supervisory Body and will result in the application of disciplinary sanctions in force, without prejudice to any other civil, criminal, and administrative determinations.

6. THE REGULATORY FRAMEWORK

6.1 The Administrative Liability Regime for Legal Entities
Legislative Decree 231/2001, issued in implementation of the delegation granted to the Government by Article 11 of Law No. 300 of September 29, 2000, regulates the “liability of entities for administrative offenses dependent on crimes.”
This regulation applies to entities with legal personality, as well as to companies and associations, even if lacking legal personality.
Legislative Decree 231/2001 originates from various international and EU conventions ratified by Italy, which require forms of corporate liability for specific offenses.
Under this decree, an entity (hereinafter also referred to as “company”) may be held liable for certain crimes committed or attempted in the interest or to the advantage of the company by:

• Senior executives, meaning those who hold representation, administration, or management functions within the company or one of its financially and functionally autonomous organizational units, as well as those who exercise, even de facto, management and control;
• Individuals under the direction or supervision of senior executives.

Regarding the concept of “interest,” it applies whenever the unlawful conduct is carried out with the sole intent of benefiting the company, regardless of whether this goal is actually achieved. Similarly, liability applies when the offense, even if not intended to benefit the company, nonetheless results in an economic or other type of “advantage” for the legal entity.
The administrative liability of the company is independent of the criminal liability of the individual who committed the offense and exists alongside it.

6.2 Types of Offenses Covered by the Decree
The Decree applies exclusively to certain specific criminal offenses explicitly listed within it. These offenses can be grouped into the following categories:

• Crimes against public administration (Articles 24 and 25 of Legislative Decree 231/2001);
• Cybercrime (Article 24-bis);
• Organized crime (Article 24-ter);
• Counterfeiting crimes (Article 25-bis);
• Crimes affecting industrial and commercial freedom (Article 25-bis.1);
• Corporate crimes (Article 25-ter);
• Terrorism and subversion-related offenses (Article 25-quater);
• Female genital mutilation offenses (Article 25-quater.1);
• Crimes against individual personality (Article 25-quinquies);
• Market manipulation and insider trading (Article 25-sexies);
• Manslaughter and serious or very serious injuries due to safety violations in the workplace (Article 25-septies);
• Transnational crimes (Article 10 of Law No. 146/2006);
• Money laundering, self-laundering, and related offenses (Article 25-octies);
• Payment fraud involving means other than cash (Article 25-octies.1);
• Copyright violations (Article 25-novies);
• Inducement to make false statements to judicial authorities (Article 25-decies);
• Environmental crimes (Article 25-undecies);
• Employment of third-country nationals with irregular status (Article 25-duodecies);
• Racism and xenophobia-related crimes (Article 25-terdecies);
• Sports fraud and illegal gambling (Article 25-quaterdecies);
• Tax-related offenses (Article 25-quinquiesdecies);
• Smuggling offenses (Article 25-sexiesdecies);
• Crimes against cultural heritage (Articles 25-septiesdecies and 25-duodevicies).
  A more detailed description of these offenses and subsequent amendments can be found in Annex 1 of this document.

6.3 Sanctions Provided by the Decree
If a company is found liable under the Decree, the following penalties may apply:

• Financial penalties, calculated using a quota system defined by the judge within legally established limits;
• Disqualification sanctions, which may include:
  • Prohibition from conducting business activities;
  • Suspension or revocation of permits, licenses, or concessions related to the offense;
  • Ban on contracting with public administration;
  • Exclusion from public grants, subsidies, and financial incentives;
  • Ban on advertising goods or services;
• Confiscation of proceeds or profits from the crime;
• Publication of the conviction in one or more newspapers.

6.4 The Exempting Condition: Organization, Management, and Control Models
A distinctive feature of Legislative Decree 231/2001 is the possibility for companies to avoid liability by adopting an effective organizational, management, and control model.
A company is not liable for offenses committed in its interest or advantage if it can demonstrate that:

• The governing body has adopted and effectively implemented an appropriate organizational model to prevent such crimes;
• A supervisory body with autonomous powers of initiative and control has been appointed to oversee the model’s application;
• Individuals committed the crime by fraudulently circumventing the organizational model;
• The crime occurred without any omission or insufficient oversight by the supervisory body.

In cases where offenses are committed by individuals under supervision, the company is liable if the offense resulted from a failure in oversight and control obligations.

However, according to Article 5, paragraph 2 of Legislative Decree 231/2001, the company is not liable if the senior executives or their subordinates acted in their exclusive personal interest or in the interest of third parties.

7. ORGANIZATION OF THE COMPANY

7.1 The Company’s Organizational Structure
HIVE S.r.l. is an innovative startup under Article 25 of Decree-Law No. 179/2012 and is registered in the special business registry section. It is part of the Assist Group, with its entire share capital held by the parent company Assist Group S.r.l.

HIVE focuses on the development, production, and commercialization of innovative, high-tech products and services, particularly in promoting national tourism through technology and original software solutions.

The company serves entities within the national tourism sector, including both public (ministries, regions, municipalities, associations) and private (hospitality, catering, logistics, transportation, and cultural institutions) stakeholders.

HIVE benefits from legal and corporate support from its parent company, Assist Group S.r.l., under a service contract. 

Additionally, IT services are provided by VIDIERRE S.r.l., another group company, through service agreements.

HIVE’s governance structure includes a Board of Directors, with a President elected among its members. 

The President, along with the Vice President (appointed as CEO within delegated powers), represents the company.

7.2 Corporate Governance and Internal Control Instruments
The main governance and internal control instruments adopted by the company include:

• The company’s bylaws, which ensure compliance with legal provisions and proper business management;
• The corporate organizational chart outlining the company’s structure;
• Delegations of authority issued by the Board of Directors and/or notarized acts;
• Internal organizational documentation;
• The Code of Ethics, which outlines ethical principles and guidelines for responsible conduct and crime prevention in accordance with Legislative Decree 231/2001, forming an integral part of this Model.

7.3 The Development of the Organization, Management, and Control Model The process of developing the Model was structured through the following design phases:

1. Identification of activities and processes that could potentially present conditions, opportunities, and/or means for committing the offenses outlined in the Decree (“sensitive activities”), as well as the Business Areas/Functions involved in carrying out such activities.
2. Analysis of sensitive activities and processes, identifying existing organizational and control mechanisms or those requiring adaptation. The control system is examined by considering the following standard prevention measures:

• The existence of a system of powers and authorization levels consistent with assigned organizational responsibilities and applicable regulations;
• Compliance with the principle of segregation of duties;
• The presence of formalized rules (e.g., policies and procedures);
• The existence of adequate specific control mechanisms;
• Traceability of activities and controls; with the aim of assessing their ability to prevent or detect risk situations relevant under the Decree.

3. Identification of necessary improvement actions (Gap Analysis) in cases of deficiencies in the Internal Control System.
4. Preparation of the Organization, Management, and Control Model pursuant to Legislative Decree 231/2001, structured in accordance with the guidelines issued by Confindustria, based on the findings from the risk area mapping.

7.4 Risk Area Mapping The “sensitive activities” identified during the Model development process are as follows:

Sensitive Activity	Special Section Reference
1. Selection, hiring, and management of personnel2. Administrative management of personnel3. Management of incentive systems, employee development, and evaluation4. Training activities management5. Management of benefits and corporate equipment6. Management of gifts and discounts for employees	A – Human Resources Management
7. Procurement of goods, services, and consultancy	B – Procurement Management
8. Management of relationships with Public Administration (including inspections)	C – Public Administration Relations Management
9. Accounting and financial statement preparation10. Tax management11. Management of relationships with shareholders and supervisory bodies12. Management of intra-group relationships (including service contract management with Group companies)13. Legal and corporate affairs management14. Cash flow and financial management15. Management of expense reports and representation expenses	D – Administration, Finance, and Control
16. IT systems management	E – IT Systems Management
17. Communication and marketing management18. Management of events, trade fairs, and sponsorships19. Management of gifts and corporate giveaways	F – Marketing, Events, and Sponsorship Management
20. Sales activities management	G – Sales
21. Compliance with occupational health and safety regulations22. Compliance with environmental regulations	H – Occupational Health, Safety, and Environmental Compliance

Some of the sensitive activities identified in the “Special Sections” may be carried out by Business Functions belonging to other Group Companies under intra-group agreements. When conducting these intra-group relationships, the service-providing company must:

• Adhere to the ethical and behavioral principles uniformly defined at the Group level and adopted by each Group Company through the adoption of the Code of Ethics;
• In accordance with the Code of Ethics, implement an internal control system that mitigates the risk of committing offenses under the Decree;
• Commit to complying with the Company’s Model, particularly concerning the applicable behavioral and control principles related to the sensitive activity performed on behalf of the Company.

7.5 Model Updates The Board of Directors deliberates on updating and adapting the Model in response to changes and/or additions that may become necessary due to:

• Significant changes in the organizational structure or operations of the Entity;
• Significant violations of the Model and/or results from effectiveness assessments or sector-specific experiences of public relevance;
• Specific events (e.g., legislative changes, Board of Directors’ requests, etc.) that require extending the Model’s application to new risk scenarios. The Model undergoes periodic review by the Board of Directors and the Supervisory Body to ensure its ongoing effectiveness in line with emerging needs. Any occurrences necessitating Model amendments or updates must be reported in writing by the Supervisory Body to the Board of Directors, which will make the appropriate decisions. Changes to company rules and procedures required for Model implementation are carried out by the Entity’s structures. The Supervisory Body is continuously informed about updates and the implementation of new operational procedures and may express its opinion on proposed changes.

8. THE SUPERVISORY BODY 

The assignment of tasks to oversee the Model’s operation, compliance, and updates to an independent entity within the organization, with autonomous initiative and control powers, is a fundamental requirement for exemption from liability under Legislative Decree 231/2001. 

The main requirements of the Supervisory Body, as proposed by the Confindustria Guidelines and recognized by judicial rulings, are:

• Autonomy and independence;
• Professionalism;
• Continuity of action.

8.1 Establishment and Appointment of the Supervisory Body

The autonomy and independence of the Supervisory Body translate into the autonomy of its control initiative, free from any form of interference or influence by any representative of the legal entity, and in particular, the administrative body.

The requirement of professionalism is reflected in the technical capabilities of the Supervisory Body to fulfill its functions concerning the monitoring of the Model, as well as in the necessary qualities to ensure the dynamism of the Model itself, through proposals for updates to be addressed to the company’s top management.

Finally, regarding continuity of action, the Supervisory Body must constantly monitor compliance with the Model, verify its effectiveness and efficiency, promote its continuous updating, and serve as a constant point of reference for anyone performing work activities for the Company.

Legislative Decree 231/2001 does not provide specific guidelines regarding the composition of the Supervisory Body. In the absence of such guidelines, the Company has opted for a solution that, taking into account the objectives pursued by the law and the directions derived from published case law, ensures the effectiveness of the controls entrusted to the Supervisory Body in relation to the Company’s size and organizational complexity.

The Company has opted for a single-member composition of its Supervisory Body, whose appointment was decided by the Board of Directors in conjunction with the adoption of this Model.

The Supervisory Body of the Company is established by resolution of the Board of Directors. The Supervisory Body remains in office for a duration of three years and is always eligible for reappointment.

The Supervisory Body ceases its function upon the expiration of the term established at the time of appointment, while continuing to perform its duties on an interim basis until a new appointment is made, which must occur at the next available Board of Directors meeting.

If the Supervisory Body ceases its role during the term, the Board of Directors shall replace it by resolution.

The compensation of the Supervisory Body is determined by the Board of Directors.

The appointment of the Supervisory Body is subject to the presence of subjective eligibility requirements.

Specifically, upon appointment, the designated individual must submit a declaration attesting to the absence of grounds for ineligibility, including, by way of example:

• Conflicts of interest, even potential, with the Company that could compromise the independence required for the role and duties of the Supervisory Body. Examples of conflicts of interest may include:
  • Engaging in significant business relationships with the Company, its parent company, or its subsidiaries or affiliates, except for an employment relationship.
  • Maintaining significant business relationships with the Chairman or delegated directors (executive directors).
  • Having relationships with or being part of the family unit of the Chairman or executive directors, where the family unit includes a legally non-separated spouse, relatives, and in-laws up to the third degree.
  • Directly (or indirectly) holding shares in the Company’s capital to an extent that allows a significant influence over the Company.
  • Holding administrative positions—within the three fiscal years preceding the appointment as the Supervisory Body or the establishment of a consultancy/collaboration relationship with it—in companies subjected to bankruptcy, compulsory administrative liquidation, or other insolvency proceedings.
  • Being temporarily disqualified or suspended from holding public office or managerial positions in legal entities and businesses.
  • Being subject to one of the conditions of ineligibility or disqualification under Article 2382 of the Civil Code.
  • Being subject to preventive measures under Law No. 1423 of December 27, 1956, or Law No. 575 of May 31, 1965, and subsequent amendments and additions, unless rehabilitated.
  • Having a criminal conviction, in Italy or abroad, even if not yet final and even if with a suspended sentence, or having accepted a plea bargain under Article 444 of the Code of Criminal Procedure (so-called “plea bargaining”), unless rehabilitated, for offenses referred to in Legislative Decree 231/2001 or offenses affecting professional integrity.
  • Having a conviction, even if not final and even if with a suspended sentence, or having accepted a plea bargain under Article 444 of the Code of Criminal Procedure (so-called “plea bargaining”), unless rehabilitated:
    • To imprisonment for a period not less than one year for crimes under Royal Decree No. 267 of March 16, 1942.
    • To imprisonment for a period not less than one year for crimes related to banking, financial, securities, insurance activities, and regulations governing financial markets and payment instruments.
    • To imprisonment for a period not less than one year for crimes against Public Administration, public faith, property, the public economy, or for tax crimes.
    • To imprisonment for a period not less than one year for any intentional crime.
    • For one of the offenses under Title XI of Book V of the Civil Code as redefined by Legislative Decree 61/2002.

Should any of the above ineligibility conditions apply to an appointed individual, they shall automatically forfeit their position.

In the case of Company employees serving as members of the Supervisory Body, termination of their employment also results in the termination of their role in the Supervisory Body.

The Supervisory Body may, under its direct supervision and responsibility, make use of the collaboration of all functions and structures of the Company or the Group, as well as external consultants, leveraging their respective skills and expertise. This faculty allows the Supervisory Body to ensure a high level of professionalism and the necessary continuity of action.

To this end, the Board of Directors allocates a budget to the Supervisory Body based on its formally submitted requests.

The allocation of a budget enables the Supervisory Body to operate autonomously and with the appropriate tools to effectively fulfill the tasks assigned by this Model, in accordance with Legislative Decree 231/2001. In case of necessity, the Supervisory Body may request additional funds from the Board of Directors, providing appropriate subsequent accounting.

To ensure the necessary stability of the Supervisory Body, the revocation of its powers and their transfer to another entity can only occur for just cause, including organizational restructuring of the Company, through a specific resolution of the Board of Directors.

8.1 Grounds for revocation of the powers associated with the position of the Supervisory Body

In this regard, “just cause” for the revocation of the powers associated with the position of the Supervisory Body may include, by way of example:

• a final conviction of the Company pursuant to the Decree or a conviction by plea bargaining, where the documents show “failure or insufficient supervision” by the Supervisory Body, as provided for in Article 6, paragraph 1, letter d) of the Decree;
• a conviction or plea bargaining sentence issued against the Supervisory Body for having committed one of the crimes or administrative offenses foreseen by the Decree (or crimes/administrative offenses of the same nature);
• the violation of the confidentiality obligations to which the Supervisory Body is bound;
• failure to attend more than two consecutive meetings without justified reason;
• gross negligence in performing its duties, such as, for example, failure to draft the semi-annual report to the Board of Directors on activities carried out;
• assignment of functions and operational responsibilities within the organizational structure that are incompatible with the requirements of “autonomy and independence” and “continuity of action” inherent to the Supervisory Body.

In cases of particular gravity, the Board of Directors may, however, decide to suspend the powers of the Supervisory Body and appoint an interim Supervisory Body.

8.2 Functions and powers of the Supervisory Body

The Supervisory Body is granted the powers of initiative and control necessary to ensure effective and efficient supervision of the functioning and compliance with the Model, as set out in Article 6 of Legislative Decree 231/2001.

In particular, the Supervisory Body must supervise:

• the actual adequacy and effectiveness of the Model in relation to the need to prevent the commission of the crimes covered by Legislative Decree 231/2001, taking into account the size and organizational and operational complexity of the Company;
• the continued adequacy and effectiveness of the Model over time;
• the compliance with the provisions of the Model by the Addressees, identifying any violations and proposing the relevant corrective and/or sanctioning measures to the competent corporate bodies;
• the updating of the Model if the need for adjustments arises in relation to changed company or regulatory conditions, proposing the potential adjustments to the competent corporate bodies and verifying their implementation.

To carry out its duties, the Supervisory Body is entrusted with the tasks and powers to:

• access all Company structures and all relevant corporate documentation to verify the adequacy and compliance of the Model;
• periodically carry out sample checks on specific high-risk activities/operations and on the adherence to the control and behavior measures adopted and referred to by the Model and corporate procedures;
• promote the updating of the risk mapping in case of significant organizational changes or the expansion of the types of crimes considered under Legislative Decree 231/2001;
• coordinate with the relevant corporate functions to assess the adequacy of the adopted internal regulatory framework and propose any necessary adjustments and improvements (internal rules, procedures, operational and control methods), subsequently verifying their implementation;
• monitor the information/training initiatives aimed at spreading knowledge and understanding of the Model within the company;
• request information from company managers, particularly those operating in high-risk areas, in order to verify the adequacy and effectiveness of the Model;
• collect any reports from any Addressee of the Model regarding: i) any critical issues in the measures provided by the Model; ii) violations of the Model; iii) any situation that could expose the Entity to the risk of crime;
• periodically report to the Director and the heads of the relevant Areas/Functions any violations of control measures mentioned by the Model and/or corporate procedures or deficiencies detected during the checks, so that they can take the necessary corrective actions, involving the Board of Directors when necessary;
• supervise the consistent application of the sanctions provided for by internal regulations in the event of violations of the Model, without prejudice to the competence of the governing body for the application of disciplinary measures;
• identify any behavioral deviations that may emerge from the analysis of information flows and reports made by the Addressees of the Model.

The training activity on Legislative Decree 231 and the contents of the adopted Organizational Model is promoted and supervised by the Supervisory Body of the Company, which may rely on the operational support of the relevant corporate functions or external consultants.
The Supervisory Body annually requests a budget, for exclusive use, to carry out its activities.
The Supervisory Body is bound to confidentiality regarding all information it becomes aware of during the execution of its duties.
Such information may only be disclosed to the subjects and in the manner provided by this Model.

8.3 Information flows to be made in the event of particular occurrences and Whistleblowing

The Supervisory Body must be promptly informed by the Addressees of the Model, through specific reports, about acts, behaviors, or events that may lead to a violation of the Model or that are otherwise relevant for the purposes of Legislative Decree 231/2001.

More precisely, all Addressees of this Model are required to promptly report to the Supervisory Body the following information (so-called “reports”):

• the commission, attempt to commit, or reasonable risk of committing the crimes provided for by the Decree;
• any alleged violations of the behavioral and operational methods defined in the Code of Ethics, the Model, and/or the internal regulatory and procedural framework, of which they have directly or indirectly become aware;
• in any case, any act, fact, event, or omission detected or observed in the exercise of assigned responsibilities and duties, with a critical profile concerning the rules of the Decree.

Each report must be substantiated, based on precise and consistent facts, and must provide a comprehensive description of the subject of the report, the parties involved, the period during which the violation occurred, attaching, if available, any supporting documentation.

Written reports may be sent via ordinary mail to the following address: HIVE S.r.l. – San Polo D’Enza (RE) 42020 – Via Ermete Conti n. 7.
Alternatively, they may be submitted in the manner indicated in the procedures, which will be updated, adopted, and duly communicated.

The possibility of requesting a direct meeting with the Supervisory Body to make an oral report is also guaranteed.
Reports received from other company individuals must be forwarded (with original documents and any attachments), within seven days of receipt, to the Supervisory Body. The transmission must be made respecting the utmost confidentiality and in a manner suitable to protect the whistleblower and the identity of the reported parties, without prejudice to the effectiveness of subsequent verification activities.

The Supervisory Body will analyze all the reports received, verifying their truthfulness and validity, and ensuring traceability of the analyses performed. If deemed appropriate, the Supervisory Body may contact the author of the report to request further clarification, as well as seek support from the relevant corporate functions or external specialized consultants.
Any measures resulting from the investigations will be defined and applied in accordance with the Disciplinary and Sanctioning System (cf. chapter 9).
The Company, at every stage of the process, ensures compliance with the current regulations concerning the making of reports in the private sector.

Each report received is managed with confidentiality regarding its existence and content, as well as the identity of the reporting individuals (if disclosed), subject to legal obligations and the protection of the Company’s rights or the rights of individuals accused falsely or in bad faith.

The Company expressly prohibits any act of retaliation or discrimination, direct or indirect, against whistleblowers for reasons related, directly or indirectly, to the reports. Such protections apply not only to HIVE employees but also to all individuals who, in various capacities, come into contact with the Company (e.g. self-employed workers, consultants, suppliers, trainees, volunteers, etc.), as well as so-called facilitators and third parties connected to the whistleblower (e.g. colleagues and family members).

Finally, behaviors that violate the protections of the whistleblower and related individuals as defined by the Company, as well as the making of reports that prove to be unfounded with malicious intent or gross negligence, are subject to sanctions in line with the provisions of the Disciplinary and Sanctioning System (cf. chapter 9).

8.4 Periodic Information Flows

In addition to the reports mentioned in the previous section, the relevant Business Areas/Functions must obligatorily transmit to the Supervisory Body, within the terms it sets, information concerning (so-called “general information”):

• Actions and/or news from judicial police authorities or any other authorities indicating the conduct of investigations or criminal proceedings, even against unknown persons, relating to matters of interest or that could involve the Entity (related to Legislative Decree 231/2001 or not);
• Actions and/or news concerning the existence of significant administrative or civil proceedings related to requests or initiatives by public authorities;
• Any document or summons to testify involving individuals from the Entity or collaborators with it;
• Requests for legal assistance submitted by employees in case of initiation of criminal or civil proceedings against them (not only in relation to crimes under Legislative Decree 231/2001);
• Information concerning any inspections conducted by public administration officials and communicated by all Business Areas/Functions;
• News concerning disciplinary proceedings conducted and any sanctions imposed or decisions to archive such proceedings with the corresponding reasons;
• Communications concerning organizational and corporate changes;
• Anomalies or issues reported by responsible parties during the performance of sensitive activities for the application of Legislative Decree 231/2001.

Each Area/Function Manager of the Entity, as the person responsible for the complete and correct adoption of corporate rules to monitor identified risks in their areas of competence, is also required to periodically transmit to the Supervisory Body the data and information necessary for the performance of the monitoring functions carried out by the latter.
The general and specific information must be sent to the Supervisory Body in writing using the dedicated email address: odv@trueitalianexperience.it
Any information or report provided is stored by the Supervisory Body in a special confidential archive (either electronic or paper).

8.5 Reporting of the Supervisory Body to Other Corporate Bodies

To ensure its full autonomy and independence in performing its functions, the Supervisory Body reports directly to the Board of Directors of the Entity.
In particular, the Supervisory Body produces and makes available to the Board of Directors:

• A biannual informational report concerning the activities performed;
• In case of confirmed violations of the Model, with the presumed commission of crimes, a communication as appropriate.
The Supervisory Body also has the right to request an audience with the Board of Directors if it deems necessary.
Similarly, the Board of Directors may convene the Supervisory Body if they consider it appropriate.
In the context of the biannual reporting, the following aspects are addressed:

• Controls and verifications carried out by the Supervisory Body and their outcomes;
• Any critical issues that have arisen;
• The status of progress regarding any corrective and improvement interventions to the Model;
• Any legislative innovations or organizational changes requiring updates in risk identification or changes to the Model;
• Any disciplinary sanctions imposed by the competent bodies following violations of the Model;
• Any reports received from internal and external parties during the period regarding suspected violations of the Model or Code of Conduct;
• The activity plan for the next semester;
• Other significant information.
The Supervisory Body can promote coordination meetings with various corporate bodies, including the Control Body.
Meetings with corporate bodies to which the Supervisory Body reports must be documented. The Supervisory Body is responsible for archiving the related documentation.

9. DISCIPLINARY AND SANCTIONING SYSTEM

9.1 Function of the System

The definition of a sanctioning system, applicable in the event of violations of the provisions of this Model, is a necessary condition to ensure the effective implementation of the Model itself and an indispensable premise to allow the Company to benefit from exemption from administrative liability.
The application of disciplinary sanctions is independent of the outcome of any criminal proceedings, as the conduct rules and internal procedures are binding for both Senior and Subordinate subjects, regardless of whether a crime was actually committed as a result of the behavior.
The exercise of disciplinary power by the Company must conform to the following principles:

• Proportionality, adjusting the sanction to the extent of the violation committed;
• Contradictory, ensuring the involvement of the person concerned, providing them with the opportunity to present justifications in defense of their conduct.

Violations of the rules and prescriptions provided by the Model, including the conduct rules contained in the Code of Ethics, are assessed for the application of disciplinary sanctions, to be implemented in accordance with legal provisions and the corresponding provisions derived from the Collective Labor Agreements for the type of personnel involved.
The Disciplinary and Sanctioning System of this Model also provides sanctions in the event of violations of measures protecting the whistleblower and associated individuals, and against those making false reports with intent or gross negligence, as well as, in general, in case of failure to comply with the provisions related to Whistleblowing under Legislative Decree No. 24/2023 of March 10, 2023, implementing EU Directive No. 2019/1937 concerning the protection of individuals reporting breaches of EU law and national regulations.

9.2 General Criteria for Imposing Sanctions

The sanctioning system is differentiated based on:

• The category of recipients under Article 2095 of the Civil Code, as well as the possible autonomous or parasubordinate nature of the relationship between the violator and the Company;
• The severity of the violation and the role and responsibility of the violator, considering the following general criteria:

o Subjective element of conduct (intent or negligence, the latter due to imprudence, negligence, or lack of skill, also considering whether the event was foreseeable);
o Relevance of the violated obligations;
o Severity of the exposure to risk caused;
o Extent of damage potentially caused to the Company by the application of the sanctions provided by the Decree and subsequent amendments and integrations;
o Functional position and level of responsibility and autonomy of the individuals involved in the facts constituting the violation;
o Presence of aggravating or mitigating circumstances;
o Recidivism;
o Possible shared responsibility with other individuals who contributed to the violation.

Therefore, concerning the Recipients, in case of confirmed violation, the Company, in relation to the business position held by the individual responsible for the relevant commission or omission:

• Imposes disciplinary sanctions on its employees as outlined in Sections 9.3 and 9.4, in accordance with legal provisions, the applicable Collective Labor Agreement, and the Code of Ethics;
• Takes actions against members of the Board of Directors based on the severity of the violations committed, as further detailed in Section 9.5 below.

Additionally, the Company adopts provisions against third parties as further specified in Section 9.6.
The actions mentioned above are taken in accordance with law and/or contract in line with the provisions set out in this Model 231.

9.3 Sanctions Against Employees (Non-Executives)
The individual behavioral rules outlined in this Model constitute “instructions for the execution and regulation of work given by the employer,” which, pursuant to Article 2104 of the Civil Code, every employee is required to follow. Therefore, failure to comply with the Model by an employee constitutes a contractual breach, for which the employer may impose the disciplinary sanctions provided by law and collective bargaining agreements.
If a violation of the Model attributable to the employee is identified, taking into account the provisions of Article 7 of Law 300/1970 and the applicable National Collective Labor Agreement (CCNL)[9], the following disciplinary measures may be applied:

• Oral warning;
• Written warning;
• Fine not exceeding the amount of three hours’ wages;
• Suspension from work and salary for a period not exceeding 10 days of actual work;
• Individual dismissal.

The procedure for contesting the charges will be initiated promptly, within no more than 10 days from when the employer becomes aware of the facts and/or breaches relevant to disciplinary action.
The disciplinary measure cannot be imposed before five days from the contestation, during which the employee may submit written defenses and justifications or request to be heard in defense, possibly with the assistance of a representative from the trade union to which they belong or have given a mandate. The disciplinary action will be communicated in writing.
The employee wishing to challenge the disciplinary action may use the conciliation procedures under Article 7 of Law No. 300/1970 or those provided by the applicable CCNL.
Sanctions are imposed according to the powers assigned within the Company. Any act related to the disciplinary procedure must be communicated to the Supervisory Body for evaluation and monitoring of its responsibilities.

9.4 Sanctions Against Executives
In the event of a proven breach of the Model by an Executive, or if it is proven that an Executive allowed subordinate employees to engage in actions that violate the Model, the Company will assess the most appropriate actions based on the severity of the Executive’s conduct, the applicable collective agreement, and the relevant legal provisions, including the termination of the employment relationship[10].

9.5 Sanctions Against Directors
In the case where the conduct subject to sanction under the Model is carried out by one or more members of the Board of Directors, the Supervisory Body will promptly inform the entire Board of Directors so that, excluding the concerned Director, it may take or promote the most appropriate actions in relation to the seriousness of the violation detected and in accordance with the powers provided by the current law and the Company’s Articles of Association.
The Director(s) of the Board who are charged with the violation have the right to present their defense promptly before any sanctions are imposed.

9.6 Sanctions Against Third Parties
The adoption of behaviors by third parties with contractual relationships with the Company (e.g., suppliers, consultants, collaborators, etc.) that conflict with Legislative Decree 231/2001, the ethical principles adopted by the Company, as well as – for those operating in the name and on behalf of the Company – the provisions of this Model (as applicable according to the activities performed within the mandate received from the Company), and with the specific procedures and/or prescriptions that may be applicable to them, is sanctioned according to the specific clauses included in the respective contracts/letters of appointment.
The adoption of such behaviors may be considered a breach of contractual obligations and lead to the termination of the contract by the Company.

10. COMMUNICATION AND TRAINING
The Company promotes the widest dissemination and knowledge of the Model and encourages its observance through publications, communications, educational activities, and any other means deemed suitable for this purpose, also based on the annual training plans differentiated according to the role and responsibilities of the different recipients.
Training initiatives are generally organized and managed by the competent internal structures. The training programs and the content of the information prepared by these structures are shared with the Supervisory Body.

[1] As amended by Law 190/2012 and the more recent Legislative Decree 75/2020, relating to the introduction in Articles 24 and 25 of the following offenses: (i) fraud in public procurement (Article 356 of the Criminal Code); (ii) fraud in agriculture (Article 2 of Law 898/1986); (iii) embezzlement (Article 314, paragraph 1); (iv) embezzlement through the profit of another’s error (Article 316 of the Criminal Code); (v) abuse of office (Article 323 of the Criminal Code).
[2] As amended by Law 190/2012 regarding the introduction of the crime of “Private Corruption” (Article 2635 of the Civil Code) and the more recent Law of May 21, 2015, No. 69 (Law 69/2015) concerning the new formulation of crimes related to “false corporate communications” (Article 2621 of the Civil Code), “false corporate communications by listed companies” (Article 2622 of the Civil Code), and the new “false corporate communications of minor significance” (Article 2621-bis of the Civil Code), with the related redefinition of sanctions.
[3] As amended by Law December 15, 2014, No. 186 (Law 186/2014) with the introduction into the list of 231 crimes of the offense referred to in Article 648-ter.1, self-money laundering, and by the more recent Legislative Decree 195/2021, which made changes to the crimes listed in Article 25-octies of Legislative Decree 231/2001. This amendment first extended the range of money laundering, recycling, reemployment, and self-money laundering offenses to include contraventions, providing new and autonomous sentencing frameworks for such cases. Furthermore, the Decree extended the applicability of money laundering and self-money laundering crimes to goods derived from “even negligent” offenses, introduced/modified the circumstantial hypotheses, and adapted the related sentencing frameworks.
[4] As integrated by Law May 19, 2015, No. 68 (Law 68/2015), which introduced eight new offenses under Title VI-bis (Book II) “Crimes Against the Environment,” indicating their relevance under Legislative Decree 231/2001 and the related sanctions.
[5] As amended by the recent Legislative Decree 75/2020, regarding the introduction in Articles 25-quinquiesdecies of the following offenses: (i) false declaration (Article 4, Legislative Decree 74/2000); (ii) failure to declare (Article 5, Legislative Decree 74/2000); (iii) undue compensation (Article 10-quater, Legislative Decree 74/2000).
[6] The personal data of the whistleblower, the accused, and all individuals involved in the report are processed in accordance with current personal data protection regulations under Regulation (EU) 2016/679 (“GDPR”) and Legislative Decree 196/2003, as amended by Legislative Decree 101/2018.
[7] On March 16, 2023, Legislative Decree No. 24 of March 10, 2023, was published in the Official Gazette, which implements EU Directive 2019/1937 of the European Parliament and Council on the protection of whistleblowers in EU law. The provisions of this Decree apply starting from July 15, 2023. Reports made before the entry into force of the Decree, as well as those made until July 14, 2023, continue to be governed by the provisions of Article 54-bis of Legislative Decree No. 165/2001, Article 6, paragraphs 2-bis, 2-ter, and 2-quater of Legislative Decree 231/2001, and Article 3 of Law No. 179/2017.
For private sector entities that employed, in the last year, an average of up to 249 employees, the obligations under the new regulations will take effect from December 17, 2023, and until then, the provisions of Article 6, paragraph 2-bis, letters a) and b) of Legislative Decree No. 231/2001, as in effect before the entry into force of Legislative Decree 24/2023, will continue to apply. Following the entry into force of the provisions of Legislative Decree 24/2023, Article 6, paragraph 2-bis, of Legislative Decree No. 231/2001 is replaced with the following: “2-bis. The models under paragraph 1, letter a), shall provide, in accordance with the implementing legislative decree of EU Directive 2019/1937 of the European Parliament and Council of October 23, 2019, internal reporting channels, a retaliation ban, and the disciplinary system, adopted in accordance with paragraph 2, letter e).”
[8] That is, those who may have assisted the whistleblower during the reporting process in the workplace.
[9] National Collective Labor Agreement for Commerce, Services, Distribution, and Services.
[10] If the Executive is granted powers to represent the Company externally, the imposition of the disciplinary expulsion sanction will also result in the revocation of such power.