The Company considers it fundamental that all stakeholders respect the ethical principles that underpin its operations, as identified in the Code of Ethics approved by the Board of Directors and, likewise, that they comply with all applicable regulatory provisions.
The Company has therefore introduced a system to manage the reporting of any acts that are illegal or which go against its ethical principles (“whistleblowing”). This was most recently updated in line with the provisions of Legislative Decree No. 24 of March 10, 2023, “Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019, on the protection of persons who report breaches of EU law and on provisions concerning the protection of persons who report breaches of national laws”.
Substantiated reports are important because they allow the Company to detect and remedy illegal or irregular behaviour that harms the Company and/or Third Parties.
Information on reporting is provided below.
Anyone may make a report, including the following parties specifically:
- Company employees, members of the Company’s Board of Directors and control boards;
- third parties, i.e. those persons who, in various capacities, carry out/have carried out or intend to carry out employment, collaboration or business relations with the Company.
The Company considers reports from named parties and also anonymous reports.
The Company guarantees whistleblowers the protections provided by law.
Click here to view the list of Subjects protected by Decree No. 24/2023
- Alleged violations (including valid suspicions) of rules of law, rules of professional conduct, and/or ethical principles set out in the Code of Ethics, in the Organisation and Management Model pursuant to Legislative Decree No. 231/2001, or in company procedures in general, including elements regarding conduct designed to conceal such violations,
- alleged conflicts of interest (including valid suspicions), including elements regarding conduct designed to conceal such violations,
by employees, members of corporate bodies or other third parties (customers, suppliers, consultants, contractors) that may directly or indirectly cause financial/equity and/or reputational damage to the Company.
Click here to see the list of violations pursuant to Legislative Decree No. 24/2023
It is important that the report is described as fully as possible and that it is based on facts of which the reporter has become aware as part of his/her work in order to allow the bodies responsible for receiving and handling reports to verify the facts. Specifically, the following must be clear:
- the description of the event being reported;
- the time and place when the event occurred;
- the personal information or other elements required to identify the person - where relevant - responsiblefor the event reported.
It is also useful to attach any documents providing elements to enable further investigation of the facts being reported.
The following do not qualify as "whistleblowing" reports
- disputes, requests of a personal nature relating exclusively to individual labour relations (e.g. reports relating to labour disputes, allocation of duties, etc.);
- commercial or operational communications (e.g. complaints, commercial information etc.): for this type of report, the other dedicated channels are available on the Company's website.
The Company reserves the right to take any and all action to protect its direct and indirect interests in the event of defamatory reports and/or those made in bad faith that may harm or prejudice its employees, members of its corporate bodies, or commercial or industrial partners of the the Company.
The Company’s disciplinary system provides for sanctions for anyone making a report with malice or gross negligence which proves to be unfounded. In such event, in addition to the sanctions provided for by the Company’s disciplinary system, the “exclusion clause” from the protections provided by the law also applies, in the event that the first judicial instance finds liability for malice or gross negligence or for libel or slander for conduct carried out in bad faith by the reporter.
The report should be sent to the “competent bodies” who receive and handle reports. Depending on the subject of the report, these are:
- the Ethics Committee, for reports involving alleged incidents of corruption or violations of the Code of Ethics;
- the Supervisory Board, for reports involving the violation or suspected violation of the Organisation and Management Model pursuant to Legislative Decree No. 231/2001;
- SEA’s Auditing Department for reports that do not fall under the areas of responsibility of the other bodies;
- The Chairperson of the Control, Risks and Sustainability Committee, for any reports involving members of the Auditing Department by activating the whole Committee.
In carrying out the operational activities of handling reports, the relevant bodies are supported by the Auditing Department.
Reports that are not under the responsibility of the body receiving them shall be sent to the relevant body with respect for the confidentiality of the information, of personal data of the reporter and the reported person(s), and in accordance with privacy law.
If a member of one of the competent bodies is involved in a report, s/he will not be allowed to join the related management activities.
For the submission of reports, the Company uses an IT platform which can be accessed via a webpage.
The platform uses secure protocols for data transport over the network and uses encryption tools to protect the content of the report and any attached documentation. It is accessible exclusively to those authorised to verify reports.
The platform is located at a site outside the Company and the reporter’s access is not tracked. The platform is accessible from the most widely used browsers in the updated versions, from both PCs and mobile devices (smartphones, tablets).
How to make a report on the platform
The reporter may make a report by indicating which of the relevant bodies s/he intends to send it to in the following ways:
- confidential mode
This mode is activated by registering using a special form on the platform. All required fields must be completed, including the first and last name and email address of the reporter, who then receives credentials (username and password) allowing him/her to access to the platform to make the report.
The credentials are for the exclusive use of the reporter and allow him/her to consult the reports sent and/or to interact with the competent bodies through the platform, to enable any further investigation deemed necessary and to receive feedback on the outcomes of the verifications.
Important: The reporter’s name and surname entered during registration are automatically encrypted by the system and therefore will not be visible either during any interactions with the competent bodies or upon verification of the reports.
The competent bodies may request that the reporter’s name is revealed in the following cases only:
- as part of disciplinary proceedings in cases where the charge is based, in whole or in part, on the report and knowledge of the reporter’s identity is essential for the defence of the accused. In such cases, the report will be usable for disciplinary proceedings only if the reporter consents to the disclosure of his or her identity;
- in the event of reports that prove unfounded or which are submitted maliciously or negligently;
- in those cases in which the reporter is found to be criminally liable for the offences of slander or defamation, including by a first instance judgement.
The decryption key is held by the platform provider - which does not have access to the reports - and may only be requested from the provider through:
- SEA’s Director of Auditing: for reports whose competent body is the Supervisory Board or the Ethics Committee; in such case the decision of decryption is taken collegially by the competent body; if the competent body is the Auditing Department the decryption request is jointly approved by the Auditing Department and the Director of Legal and Corporate Affairs;
- The Chairperson of the Control, Risks and Sustainability for reports sent into the relevant channel: the decision to request the decryption key is collegially taken by the whole Committee.
Decryption requests to the provider may only be made from the inquiry stage, i.e. at the time when the reporter’s identity is decisive in the three cases described above.
Upon receiving the request, the provider begins decryption to decrypt the reporter’s name on the platform. This process concludes only after the competent body enters the reason for decryption in the platform.
After registering, the reporter can make his/her report in the following ways:
a- in writing, by filling out the form provided by the system and attaching any supporting documentation (files, photos, etc.)
b- by recording a message in the voicemail box provided on the platform, which renders the reporter’s voice unrecognisable and therefore prevents his/her identification. The report recorded will be stored on the platform and - if it is transcribed by the competent Body - will be sent through the platform to the reporter; for verification, for any changes and approval, in accordance with the regulations. Any supporting documentation (files, photos, etc.) may also be attached through the voice channel.
- anonimous mode
Unlike the confidential mode, this mode does not require initial registration or entry of personal details. The reporter logs in to the platform directly and makes the report in his/her chosen mode - written or oral - following the same instructions as described above in points (a) and (b) of the “confidential mode.” Once the report is completed, the IT platform assigns the reporter a unique code - which the reporter must retain - to allow him/her future access to his or her report.
- other reporting channels
ordinary post - specifying the competent body - to the address SEA - Società per Azioni Esercizi Aeroportuali Aeroporto Milano Linate - 20054 Segrate Milano c/o Auditing Department - personal and confidential.
In the event of a report sent through channels other than those indicated above, it is recommended to indicate that the report is confidential.
In addition to the “whistleblowing platform” and “ordinary post” channels, the whistleblower can schedule a direct meeting with the relevant bodies through SEA’s Auditing Department. Only if the whistleblower wants to request a meeting with the Chairperson of the Control, Risks and Sustainability Committee can s/he use the IT platform to directly arrange the meeting. Reports made verbally during a face-to-face meeting are transcribed and entered into the platform, along with any documentation provided by the reporter, by the appropriate body, subject to the reporter’s consent, which is covered by the protections provided for other reporting methods.
The operational process to handle reports consists of the following steps:
- Receipt and preliminary verification;
- Definition of an action plan;
Click here to learn more about the operational process for handling reports.
Data relating to the reporter’s identity (where available) and that of any persons reported and the contents of the report are always treated with the utmost confidentiality and exclusively by the competent bodies and, where support is requested, by SEA’s Auditing Department and/or other corporate functions specifically delegated ad hoc by the competent bodies. This process is carried out in accordance with the principles of necessity, proportionality and confidentiality and in compliance with privacy regulations. Such information may not be disseminated, either outside or inside the Company, and must be communicated to the minimum extent necessary to achieve the purposes of the process.
That said, a reporter may always make a report with complete anonymity, including through the IT platform.
The Company guarantees that the reporter’s identity shall not be disclosed without the reporter’s consent, except in the event that:
- the report has been made to harm or prejudice the reported person and there is legal liability for libel or slander;
- confidentiality of the reporter’s identity is not enforceable by law (e.g. in criminal investigations);
- the reports contain facts and/or events that, while outside the corporate sphere, make it appropriate and/or necessary to report to the judicial authorities.
Protection from retaliatory acts
In line with the provisions of Legislative Decree No. 24/2023, the Company prohibits any form of retaliation against anyone who has made a report and third parties connected to the reporter.
Click here to learn more about protection from retaliatory acts.
Processing of personal data
As part of the reporting process, personal data are processed in compliance with the relevant legislation in force (EU Regulation 679/2016 and Legislative Decree No. 196/2003, as amended by Legislative Decree No. 101/2018).
In addition to internal reporting through the channels prepared by the Company, Legislative Decree No. 24/2023 provides for the possibility to make reports through external channels if certain conditions are met taking advantage of the protection provided by tre Decree.
Click here to learn more about external reporting channels.