INTRODUCTION

For CRIF S.p.A. and any other companies controlled by it (“CRIF Group” or only “Group” or “CRIF”), respect for social, human and business values is of primary importance. Operating with full transparency in a healthy and competitive market, through qualified professionals who work according to corporate values, is essential to offer the highest quality services. To meet these fundamental standards, CRIF Group has adopted a Code of Conduct, applicable to all CRIF Group stakeholders.

In continuity with the policy of transparency and safeguarding of the social and economic context adopted by CRIF Group, as well as the safeguarding of every employee from a work and human point of view, the Group has decided to implement and adopt a business ethics policy in compliance with local legislation in order to guarantee the transparency and protection already mentioned in the Group Code of Conduct.

Therefore, CRIF Group has issued a Business Ethics Policy (“Policy”) in compliance with legal requirements and CRIF Group regulations, which have been taken into consideration regarding the application of the basic principles contained herein and, above all, in the design of the overall structure of this Policy. Should any rules within this Policy conflict with any existing or future CRIF Group regulations and/or mandatory national and international legal requirements, the latter shall always prevail.

If the local mandatory provisions have a significant impact, the relevant subsidiary shall issue a Country Annex containing the specific applicable clauses; if there are any differences between the rules provided at a Group level as contained in the Policy and the Country Annex, the latter shall prevail.

1 APPLICABILITY

The Policy applies to the entire CRIF Group, with the sole exception of CRIF entities without employees, in the absence of a unit/person in charge of managing the activities set out in the Policy.

2REPORTING PERSON

For the purposes of this Policy, reporting person means any employee, contractor, consultant, shareholder or person belonging to the administrative, management or supervisory body, volunteers and trainees; any person working under the supervision and direction of contractors, subcontractors and suppliers, even when the workbased relationship has ended or is yet to begin; or stakeholder in general (hereinafter the “Reporting Person”) who discloses or provides evidence of an unethical activity or any conduct that may constitute a breach of the Group’s Code of Conduct or Group Values (hereinafter “Report”). The protection provided under this Policy is also extended to those assisting or connected to the Reporting Person, as well as colleagues and relatives.

3REPORTABLE BREACHES
  • For the purposes of this Policy, reportable breaches include any crimes and violations of the law applicable to each CRIF S.p.A. subsidiary having relevance pursuant to the so-called Whistleblowing legislation as for example corruption, fraud, financial crimes, harassment and discrimination, conflict of interest (together defined as “Reportable Breaches”).

    It is understood that any disputes, claims or requests related to a personal interest of the Reporting Person, as defined below, which relate exclusively to that person’s individual work relationships (including the employment relationships with higher-level figures) or the Reporting Person’s own business relationship with CRIF Group, are not included in the definition of Reportable Breaches. Furthermore i) Reports having vulgar, offensive or unethical content shall not be processed; as well as ii) Reports sent in mala fides and with the sole intent to damage rights of others, even if anonymous, could be prosecuted by law and used by competent authorities to determine responsibility.

  • Reports can also be made anonymously, provided that each CRIF Group company manages the anonymous Report based on the local applicable legislation as well as in consideration of the adequate and detailed elements of the relevant Report, as mentioned hereafter. However, CRIF S.p.A. recommends that the Report includes the Reporting Person's name, so that the people managing the report can operate more effectively, while in any case applying the necessary protections.

    Even if anonymous, the Report must be detailed and documented, so as to provide useful and appropriate information to effectively verify the validity of the events reported therein.

    Where this information is known to the Reporting Person, it is particularly important for the Report to include:

    • a detailed description of the events that occurred and how the Reporting Person became aware of them;
    • The date and place of the event;
    • The names and job positions of the people involved, or information that enables their identification;
    • Reference to any documents that could confirm that the reported actions did occur.
4BUSINESS ETHICS COMMITTEE
  • In order to deal with each Report correctly and confidentially, a Business Ethics Committee has been set up and is responsible for investigating each Report impartially and diligently and for providing a response within a reasonable time.

  • The Business Ethics Committee comprises:

    • at a central level, as permanent members:
      1. the CRIF S.p.A. Legal Director together with 2 members within the Legal, Corporate & Compliance Department;
      2. the CRIF S.p.A. HR Director together with 2 members within the HR Department; and at a local level, as a temporary member:
      3. a Regional Managing Director of the relevant CRIF S.p.A. subsidiary or another comparable figure.

    The functions of the Business Ethics Committee are contained in the Business Ethics Committee Guidelines.

5PROCEDURE
  • When one of the subjects authorized to report a breach as indicated in section 2 has well-founded reasons regarding the existence of a Reportable Breach, it must be immediately reported by the Reporting Person using the communication channels provided by CRIF S.p.A. within the Group, as specified in Annex 1. The content of the communication or any element related to the alleged violation must not be disclosed to third parties or to any person who is not part of the Business Ethics Committee.

  • As soon as the Business Ethics Committee receives the Report, it will meet to discuss the case, the result of which may be:

    • filing of the case;
    • initiation of an investigation, as better specified in the Business Ethics Committee Guidelines. In any case, the Reporting Person will receive a confirmation of receipt within 7 (seven) days from when the Report was received.
  • Whether the Report is filed or an investigation is carried out, the Reporting Person will receive a final response on the decision of the Business Ethics Committee within 3 (three) months from the confirmation of receipt.
6PROTECTION OF REPORTING PERSON AND REPORTED PERSON
  • The Reporting Person shall be fully protected from any negative effects arising from the Report; in particular, CRIF S.p.A. and each CRIF S.p.A. subsidiary undertakes to protect the Reporting Person from any retaliation and/or any financial impact and/or any harm in terms of career path directly connected to the Report, by way of example, in the form of suspension, dismissal or equivalent measures; withholding of promotion; coercion, intimidation, harassment or ostracism; harm, including to the person's reputation, particularly on social media, or financial loss, including loss of business and loss of income; or cancellation of licenses or permits.

    Furthermore, if the Reporting Person suffers, or reasonably believes he/she may suffer, retaliation following his/her Report, the Reporting Person must immediately notify the Business Ethics Committee, which will immediately take any action necessary to protect the Reporting Person.

  • During the entire investigation phase, the person to whom the investigation procedure concerns (hereinafter the "Reported Person") will be entitled to the same degree of protection guaranteed to the Reporting Person. The Reported Person also has the right to be heard by the Business Ethics Committee, which will consider the statements and evidence presented in support of his/her innocence in consideration of the outcome of the procedure.

  • Without prejudice to any legal obligations, CRIF Group guarantees the total confidentiality of the identity of the Reporting Person and of the data relating to the Reporting Person and any other parties involved that is obtained while handling the Report, ensuring that the entire procedure will be treated as "strictly confidential" (pursuant to the policy "POL 0701 - Information Security") and only authorized persons will be able to process the information relating to the procedure for the period provided for by law, in compliance with the applicable local data protection and retention provisions.

  • CRIF Group confirms that it shall comply with all applicable data protection laws and relevant implementing legislation when processing the personal data relating to the Reporting Person, the Reported Person and all parties involved for the purpose of managing the Report.

7RESPONSIBILITY OF THE REPORTING PERSON AND THE REPORTED PERSON
  • CRIF Group expects the Reporting Person to act in good faith. In the case of a Report whose outcome is negative but whose circumstances suggest that it was made in good faith, the Reporting Person will not be sanctioned. Any Reporting Person who has submitted a false report in a manner that is untruthful, misleading or otherwise not in good faith will be sanctioned through the appropriate disciplinary procedure.

  • Any Reported Person who, following the investigation procedure, is found guilty of the breach will be sanctioned as decided by the Business Ethics Committee and, if necessary, reported to the competent local authorities.

  • It is understood that CRIF Group may also take appropriate legal measures to protect its rights, assets and reputation against anyone who, in bad faith, has made false, unfounded or opportunistic Reports and/or has made Reports for the sole purpose of defaming, slandering or causing damage to the Reported Person or to other parties mentioned in the Report.

 
 
ANNEX 1 – BUSINESS ETHICS REPORTING CHANNEL

Reports within CRIF Group will be received and managed through the EQS Integrity Line software, accessible via a link published on each CRIF corporate website.

Please find below the link to access the CRIF Business Ethics System platform:

https://crif.integrityline.com/

The platform allows a report to be filed i) in writing; ii) verbally via a voice messaging system or iii) via a request for a face-to-face meeting to be scheduled within a reasonable timeframe, in all cases ensuring the confidentiality of the identity of the Reporting Person.

In the case of a request for a face-to-face meeting, the member of the Business Ethics Committee responsible for receiving the verbal report will produce a formal report signed by the Reporting Person and uploaded to the platform.

Further details and operating provisions are formalized in the Business Ethics Committee Guidelines.

ANNEX 2 – COUNTRY ANNEX

Each CRIF entities, if deemed necessary, adopts a Country Annex containing the applicable local provisions, where additional to or in contrast with the Group one contained in the main Policy text.

APPROVAL AND OWNERSHIP
Owner Role
Legal & Corporate Affairs
Human Resources & Organizational Process
Compliance Regulatory Litigation
Labour Law & Global Mobility
Checked by Role
Legal & Corporate Affairs
Human Resources & Organizational Process
Compliance Regulatory Litigation
Labour Law & Global Mobility
Approved by Role
Legal & Corporate Affairs
Human Resources & Organizational Process
Compliance Regulatory Litigation
Labour Law & Global Mobility
APPROVAL AND OWNERSHIP
Version Revision Date Description Approver Name
1.0 01/06/2023 First release Marco Berti – Group General Counsel
Loretta Chiusoli - Group Chief HR and Organization Officer
crif GULF DWC LLC operates snb logo in the U.A.E territory.