Information pursuant to Articles 13 and 14 of the European Regulation 2016/679 on the Processing of Personal Data within the framework of the Whistleblowing System

According to the current legislation on the reporting of alleged wrongdoing in the workplace (Legislative Decree 24/2023 - "Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and on the protection of persons who report breaches of national laws"), RAV Raccordo Autostradale Valle d'Aosta S.p.A. has implemented its own "internal reporting channel" for the receipt and management of reports of alleged offences and/or violations of national and/or European Union and/or internal regulations (such as: the Code of Ethics, the Anticorruption Guidelines, the 231 Model) committed by workers and/or external parties in the context of their work environment (the so-called "Whistleblowing system").

In particular, RAV Raccordo Autostradale Valle d'Aosta S.p.A., has set up its own 'internal reporting channel', dedicated and segregated, which guarantees exclusive access to reports of its own, made in written or oral form, or anonymously.

Pursuant to Articles 13 and 14 of the European Regulation 679/2016 (hereinafter "GDPR"), RAV Raccordo Autostradale Valle d'Aosta S.p.A., as Data Controller, hereby provides information on the processing of personal data/information ("Data") acquired directly or indirectly through the report made by its employee and/or third party (hereinafter " Whistleblower ").

This privacy statement is made available and known to Data Subjects and potential Data Subjects by means of publication on the institutional website of RAV Raccordo Autostradale Valle d'Aosta S.p.A.

Data Controller reserves the right, at its discretion, to change, amend, add or remove any part of this Policy at any time. In order to facilitate the verification of any changes, this Policy will contain at the bottom an indication of the date it was updated.

1. DATA CONTROLLER

The Company:

• RAV Raccordo Autostradale Valle d'Aosta S.p.A., subject to the direction and coordination of Autostrade per l’Italia S.p.A., with registered office in Loc. Les Iles Saint Pierre, (AO) – Tax Code 05995720587 VAT No. 01475961007; which will process the personal data of the Whis- tleblower and/or of the other persons concerned by the report, as Data Controller pursuant to Article 13(4) of Legislative Decree 24/23 - 'Decree'.
• The Data Controller has appointed its own Data Protection Officer ('DPO') pursuant to Art. 37 et seq. of the GDPR, domiciled for the purpose at the respective office indicated above, whom data subjects may contact for matters relating to the processing of their personal data at the e-mail address dpo@pec.ravspa.it.

2. TYPES OF DATA PROCESSED

The personal data and/or information (hereinafter 'Data'), subject to processing, include the Data of the Whistleblower, of the reported person and of the natural persons - identified or identifiable in various ways - involved in and/or connected to the facts that are the subject of the report, such as, for instance, the Data of any witnesses (hereinafter 'Data Subjects').

Such Data, collected and processed by the Data Controller, may include 'common' personal data (personal details, job position held, contact details such as: email address, postal address, telephone number), and/or data belonging to special categories pursuant to Art. 9 GDPR, and/or data relating to criminal convictions and offences pursuant to Art. 10 GDPR, contained in the report and/or in the acts and documents attached thereto, in compliance with the provisions of the relevant legislation and the Opinion of the Italian Data Protection Authority, prov. 10 GDPR, contained in the report

and/or in the acts and documents annexed thereto, in compliance with the provisions of the relevant legislation and the Opinion of the Italian Data Protection Authority, prov. 6 Jul. 2023, no. 304 ("Favourable opinion on the Draft Guidelines on the protection of persons who report breaches of Union law and protection of persons who report breaches of national laws - procedures for the submission and management of external reports prepared by ANAC").

Data may be collected, either directly from the Data Subject or through other persons involved in the reporting, through the 'internal reporting channel' indicated above, in the manner set out in Section 4 below.

The data are provided voluntarily by the Whistleblower, also in anonymous form, to the Data Controller, which shall not process Data that are not strictly necessary for the purposes set out in point 3 below. By way of example but not limited to, the "report" may be made by: employees of the Data Controller, freelancers/consultants/self-employed workers, including those with a collaborative relationship, who have a working and/or collaborative relationship with the Data Controller.

3. PURPOSE AND LEGAL BASIS OF PROCESSING

The Data are processed exclusively for the purposes of receiving, managing and resolving on the report and, in particular, to carry out the investigation and ascertainment of the facts that are the subject of the report, as well as the adoption of any consequent measures, in accordance with the provisions of Legislative Decree 24/2023.

Personal Data collected are only those necessary and relevant for the achievement of the above- mentioned purposes, on the basis of the 'principle of minimisation', pursuant to Art. 5.1 lett. c) GDPR.

With respect to this Data, its provision is voluntary and the Data Subject is requested to provide only the data necessary to describe the facts that are the subject of the report without communicating redundant and additional personal data to those necessary for the purposes indicated above. If such Data are provided, the Data Controller shall refrain from using them and shall delete them.

The Personal Data are processed on the legal basis of the legal obligation, ex art. 6, co.1 lett. c) and co. 2 and 3 (Legislative Decree 24/2023 - Legislative Decree 231/01), ex art. 9, co. 2 lett. b) and ex art. 10 and 88 (see above mentioned Opinion of the Privacy the Italian Data Protection Authority, prov. 6 Jul. 2023, no. 304).

4. MODE OF TREATMENT

Data are collected and processed, in compliance with the regulations in force, by means of computerised, electronic/telematic tools, with logics strictly related to the above-mentioned purposes, so as to guarantee the security and confidentiality of the data.

In particular, the Data received with reports made in written form are collected and processed in computerised mode through an online platform, on which a dedicated and segregated channel is set up. This platform is provided to RAV Raccordo Autostradale Valle d'Aosta S.p.A. by Autostrade per l'Italia S.p.A., on the basis of a service contract.

Data included in reports made orally are collected and processed electronically through the same platform, in accordance with the provisions of Article 14(2) of Legislative Decree 24/2023, subject to the consent of the reporter to the recording; the recording takes place within the platform itself, suitable for storage and listening.

Data collected by means of this IT tool will not be subject to fully automated processing as specified in Article 22 GDPR.

Specific security measures are observed to prevent loss of data, unlawful or incorrect use and unauthorised access.

Moreover, specific technical-organisational measures, such as encryption, are taken, pursuant to Article 32 GDPR, to ensure the protection of the identity of the persons concerned, as well as the possible anonymity of the reporter and complete anonymity in accessing the platform (no log).

5. DATA RETENTION PERIODS

Personal data will be kept only for the time necessary for the purposes for which they are collected in compliance with the principle of minimisation pursuant to Article 5.1.c) GDPR and, in particular, for the purposes of managing the preliminary investigation, the conclusion of the activity of defining the report and the adoption of the relative measures, in the event of an assessment, and in any case no longer than 5 years from the date of communication of the final outcome of the reporting procedure, in accordance with the provisions of Article 14, paragraph 1 of Legislative Decree 24/2023 and Article 5, paragraph 1 of the GDPR.

6. RECIPIENTS OF DATA

Within the Data Controller, only those persons entrusted with the processing by the Data Controller, who have been instructed on the "whistleblowing" legislation and on the correct use of the "internal whistleblowing channel", and who are authorised to carry out the processing operations within the scope of the aforesaid activities in accordance with Article 4(2) of Legislative Decree 24/2023, may become aware of the Personal Data provided.

The aforesaid Data may be disclosed to third parties (such as IT service providers) who enable the operation and maintenance of the IT tool on which the report can be entered, as indicated in point 4, obliged to process the data for the same purposes as indicated in point 3 above, who are, for this purpose, appointed "Data Processors", pursuant to Article 28 GDPR.

Under of a specific assignment, in particular:

1. the assistance and IT management activities of the internal channel provided on the online platform referred to in point 4 above shall be carried out on behalf of RAV Raccordo Autostradale Valle d'Aosta S.p.A. by the Data Processor under Article 28 GDPR;
2. the activities of handling reports will be carried out by the Reporting Management Body whose employees have been specifically authorised to process them, pursuant to Article 29 GDPR.

Such Data may also be disclosed to the Supervisory Body, the Anti-Corruption Manager, the Antitrust Manager and Autostrade per l'Italia's Internal Audit Department, for the performance of their Whistleblowing activities, as well as to the ANAC, the Judicial Authority and other competent Bodies/Bodies in relation to the reported case, pursuant to art. 13 of Legislative Decree 24/2023.

In order to carry out some of the operations relating to the management of the report, and again for the purposes set out in point 3, the Data Controller may communicate such data to other companies belonging to the Autostrade Group. In this case, the companies, to which the Data of third parties and/or their employees and/or collaborators and/or suppliers may be communicated, shall act as autonomous Data Controllers, for the purposes of managing the activity of defining the report falling within the competence of the aforementioned Data Controller or of initiating the management of a report falling within its competence for the adoption of the relevant measures, in the event of an investigation.

Report addressed by mistake to a Data Controller other than the competent Data Controller will be addressed to the competent Data Controller without any further processing other than for the above- mentioned dispatch.

The full list of persons appointed as Data Processors by the Controller is available from the Controller.