Our Commitment

At Medov, we are committed to conducting our activities with honesty and integrity, and we expect anyone working with us to act with the same high standards toward our team, clients, business partners and the wider community.
We encourage our staff and business partners to report suspected wrongdoing as early as possible, with the assurance that concerns will be taken seriously, investigated appropriately, kept confidential and protected from retaliation.

Speak up!

At Medov, we believe that open and honest communication is the solid foundation of informed and constructive decision-making. For this reason, we encourage every member of our staff to speak up freely, even in the face of any situation of non-compliance, such as, for example, harassment, discrimination, abuse of power, bullying, fraud, corruption, or conflicts of interest. Situations of non-compliance include all events and behaviors that are contrary to our values, our Code of Conduct, as well as the laws and regulations of the countries in which we operate.

If you do not feel comfortable contacting your Line Manager, the HR team, or the Compliance Manager, you can always submit a report confidentially through our Whistleblowing system.

Whistleblowing is the disclosure of information relating to suspected misconduct or workplace hazards that have occurred or may occur. This may include (but is not limited to) criminal activities, failure to comply with any legal obligation or regulatory requirement, including EU legislation, corruption, the existence or occurrence of risks related to serious violations of human rights or fundamental freedoms, threats to health and safety, environmental damage; violations of Medov’s Code of Conduct, internal policies and procedures, or the deliberate concealment of any of the above[1]

If you are aware of ethical violations concerning Medov’s activities, we invite you to report your concerns confidentially and anonymously (if you wish) through our Whistleblowing platform, which includes a reporting website and a free telephone service. Within the same platform, Medov’s Whistleblowing Policy, including the privacy notice, is available for consultation.Your support will help us live up to our aspirations as a responsible business partner.

[1] As provided for by Legislative Decree No. 24/2023, through which Italy implemented Directive (EU) 1937/2019 on the protection of persons who report breaches of Union law, and laying down provisions concerning the protection of persons who report violations of national regulatory provisions.

The following individuals (“Users”), who have become aware of violations within their work context, may submit reports under the Whistleblowing procedure:

  • Medov employees with permanent, part-time, intermittent, fixed-term, agency, apprenticeship or occasional employment contracts.
  • Individuals working under self-employed contracts;
  • Holders of collaboration agreements;
  • Business partners working as freelancers or consultants;
  • Volunteers and interns, whether paid or unpaid;
  • Shareholders and individuals with administrative, managerial, supervisory, control, or representative functions within the Company, even if such functions are exercised de facto.

Reports may also be submitted:

  • when the legal relationship has not yet begun, if the information on violations was obtained during the recruitment process or other pre-contractual phases;
  • during the probationary period;
  • after the termination of the legal relationship, if the information on violations was obtained during that relationship.

Any alleged violation or attempted violation of the public interest or of the integrity of the company may be reported, provided that the individuals listed above became aware of it in the work context or in connection with their relationship with Medov.

In general, reports may concern:

  • Violations of national and European regulations consisting of unlawful acts in specific areas (public procurement; financial services, products and markets, and prevention of money laundering and terrorist financing; product safety and compliance; environmental protection; consumer protection; privacy and personal data protection; and security of networks and information systems).
  • Violations of national regulations consisting of administrative, accounting, civil, or criminal offenses; unlawful conduct relevant under Legislative Decree 231/2001 or violations of organizational and management models.
  • Violations of European regulations (acts or omissions that harm the financial interests of the European Union; acts and behaviors affecting the internal market that undermine the purpose or objectives of EU legislation in the areas mentioned above).

Specifically, any event or behavior may be reported if it is believed that it could cause damage of any kind to the company or other companies within the group (e.g., financial, reputational, image-related, environmental damage, or harm to the safety of employees or third parties).

Reports Not Eligible for Protection

The following reports are not eligible for protection under this policy, for example those based on:

  • suspicions or rumors without evidence;
  • personal grievances of the reporting person;
  • claims relating to employment or collaboration relationships;
  • claims relating to relationships with supervisors or colleagues.

Medov’s Whistleblowing reporting channels are available 24 hours a day, 7 days a week, 365 days a year. To ensure maximum confidentiality, Medov’s Whistleblowing reporting system is hosted by an independent external operator (“External Provider”). The Whistleblowing channel is available at the following link: Compliance hotline.

In addition to the above method, it is also possible to submit a report directly to the competent local body by sending a letter marked “confidential” to: Compliance Office – I.L. Investimenti, Via A. Cantore 8G/121 – 16149 Genoa, Italy.We also encourage third parties who work with us to report any non-compliance issues through our Whistleblowing system.

  1. Submit your report via the web form, choosing whether to remain anonymous.
  2. Include a detailed description of the event you believe to be non-compliant (who, what, when, how) and add supporting evidence, such as copies of documents or names of witnesses who can substantiate your report. General reports may also be investigated.
  3. Once the report is submitted, you will receive an individual case number, which will be required to access the system again.

We will review all non-compliance reports, take appropriate measures, and provide you with relevant information on the progress of the case.

You can monitor the progress of the reporting procedure by accessing the website using your individual case number.

  1. Acknowledgment of receipt: We will confirm receipt of your report within five working days. If the report does not contain sufficient information or usable evidence, you will be asked to provide additional details.
  2. Assessment: Each report is carefully examined. An internal investigation will be opened if the report includes a minimum level of information and usable evidence. In the absence of conflicts of interest, the investigation will be conducted by the Compliance Manager, with HR providing support throughout the process.
  3. Escalation: If the allegations are serious and require escalation, the Group HR Manager and the relevant legal office will be involved.
  4. Confidentiality of investigations: To ensure confidentiality, only strictly necessary individuals will be involved. The Compliance Manager and HR may conduct confidential interviews with internal staff, customers, business partners, third parties, or anyone deemed relevant to the investigation.

As a general rule, the completion of an investigation takes approximately 90 days, although more time may be required depending on the complexity of the report.

Feedback: After reviewing all investigation findings, we will decide whether further action is required. You will be kept informed of progress and will receive final feedback outlining the outcome of the investigation

Possible outcomes that may be communicated to the reporting person include:

  • Correction of internal processes;
  • initiation of disciplinary proceedings
  • referral of investigation findings to the Public Prosecutor’s Office (and/or the Court of Auditors in the event of financial damage to public funds);
  • dismissal of the report due to lack of evidence.

A report mistakenly sent to a direct supervisor may not be treated as a Whistleblowing report, as it does not entail the same confidentiality obligations for the recipient.

Medov does not allow or tolerate any form of retaliation or discriminatory measure, direct or indirect, affecting working conditions, against any User who submits a report under this procedure for reasons directly or indirectly related to the report.

For reports falling within the scope of Legislative Decree No. 24/2023, where (i) the report has not been followed up, (ii) the reporting person has reasonable grounds to believe that an internal report would not be followed up or would lead to retaliation, or (iii) the reporting person has reasonable grounds to believe that the violation may pose an imminent or obvious danger to the public interest, the reporting person may use the reporting channel established by the National Anti-Corruption Authority (ANAC), available on its website.

Criminal and disciplinary liability of the whistleblower remains applicable in cases of malicious or defamatory reporting, pursuant to the Criminal Code and Article 2043 of the Civil Code.

Abuse of this procedure may also give rise to disciplinary and other forms of liability, including reports that are manifestly opportunistic and/or made solely to harm the reported person or others, as well as any other improper or intentional misuse of the Whistleblowing procedure.

ANAC may impose an administrative fine ranging from €500.00 to €2,500.00 in cases where whistleblower protections are lost, unless the reporting person has been convicted, even at first instance, of defamation or false accusations, or of the same offenses committed through a report to judicial or accounting authorities.

Medov may impose financial and/or disciplinary sanctions in accordance with its disciplinary system and the requirements set out in the applicable National Collective Labor Agreement (CCNL) and current legislation.

Confidentiality
All offices responsible for handling reports will keep confidential the identity of (i) the person providing the information, (ii) the person who is the subject of the report, and (iii) any other person mentioned in the report. However, there may be exceptions to this principle of confidentiality, for example if the reporting person intentionally or through gross negligence provides incorrect information, or if the information must be disclosed upon request or order of law enforcement authorities, in an administrative proceeding, or pursuant to a court decision.
You are invited to identify yourself so that we may respond to your questions; however, anonymous reports will also be accepted (unless this is not permitted under local laws).

Data Protection Notice
As the company contacted and the recipient of the report, Medov Srl, with registered office at L.go San Giuseppe, 3/36 – 16121 Genoa, is the Data Controller of the personal data.
If the non-compliance is reported through the Medov Whistleblowing channel, please note that the website through which it is possible to submit a report is managed by an External Provider. In this case, the Data Controller of the personal data remains Medov Srl, and the External Provider will act as Data Processor.
In this notice, when we refer to personal data, we mean any information relating to an identified or identifiable person—in this case, you or any other individual—whose personal data are processed as part of a report submitted through Medov’s Whistleblowing system.
All personal data processed through Medov’s Whistleblowing system will be handled in accordance with applicable law, including the EU General Data Protection Regulation (“GDPR”). The User is required to read this notice in order to be aware of the personal data that Medov may collect, how Medov may use them, and how to exercise their rights in relation thereto. It is also necessary to read any other privacy notice provided by Medov, which may apply from time to time to the use of the User’s personal data in specific circumstances.

Medov may collect and use some or all of the following information for the purposes described below:
• Personal data such as name, title, and contact details;
• Personal data such as names, titles, and contact details of the persons mentioned in the report;
• A description of the alleged violation, as well as the circumstances involved (including relevant dates and locations); and
• Any other relevant information.
Medov will process the above information, including personal data, for the purpose of ensuring compliance with applicable laws and internal policies, defending legal claims, and safeguarding the well-being of Medov personnel. In addition, we may request the User’s personal data to fulfill our regulatory monitoring and reporting obligations.

The legal basis for the collection and use of the personal data described above is our legitimate interest in investigating the submitted report. In some cases, we may also process personal data to comply with a legal obligation. Furthermore, we assume that the User has submitted a report on a voluntary basis and that the related processing may lawfully be based on their consent.

The information provided by the User will be treated confidentially and shared only on a strict need-to-know basis. Personal data submitted as part of a report may be processed by competent Medov personnel, including authorized recipients and, depending on the nature of the report, members of the HR, Finance, and Compliance departments. Personal data may also be shared with third parties, such as the external provider managing Medov’s Whistleblowing channels and external advisors (e.g., legal advisors) to assist in investigating any submitted report.
Furthermore, the User’s personal data may be shared with competent law enforcement authorities, business associations and regulatory authorities, government agencies, courts, or other third parties, where we believe disclosure is necessary (i) under applicable laws or regulations, (ii) to exercise, establish, or defend our legal rights, or (iii) to protect your vital interests or those of any other person.
Personal data may also be accessed, for strictly technical purposes related to the management and administration of the information and data received, by service providers managing the reporting service, who will act as data processors on the basis of specific instructions provided by the controller (designated External Processor: I.L. INVESTIMENTI Srl).
Finally, we also share information relating to the use of the Whistleblowing channels with Medov’s management and other companies within the group; however, such information will never contain personal data and will be limited to statistical or aggregated data.

We retain personal data for as long as necessary where we have a legitimate need to do so (e.g., to comply with applicable legal requirements).
Information relating to a report submitted through Medov’s Whistleblowing system will be archived or deleted based on the following criteria: when the investigation has been closed and no further action is required; when the limitation period for any relevant dispute has expired; and when our obligations to retain documentation relating to investigations have expired.
In any case, personal data are retained in a form that allows the identification of the data subjects for no longer than is necessary to achieve the purposes for which they are processed, and reports and related documentation will be retained for the time necessary to handle the report and, in any event, no longer than five (5) years from the communication of the final outcome of the procedure.

The User has the following rights in relation to the personal data processed by Medov, which may apply depending on the circumstances:

1. Right to be informed
The User has the right to receive clear, transparent, and easily understandable information about how their information is used and about their rights. This information is contained in this Notice.
2. Right of access
The User has the right to obtain access to their information (if an organization is processing it) and to certain other information (similar to that provided in this Notice).
3. Right of rectification
The User has the right to have their information corrected if it is inaccurate or incomplete.
4. Right to erasure
Also known as the “right to be forgotten,” this right allows the User to request the deletion or removal of their information where there is no valid reason for an organization to continue using it. This is not a general right to erasure, as exceptions apply (for example, where the User has provided consent to processing, this applies only if the User decides to withdraw that consent).
5. Right to restrict processing
Right to restrict processing – The User has the right to “block” or suppress the further use of their information in certain circumstances. When processing is restricted, the relevant organization may still store the information but may not use it further. Note that the right to restrict processing applies only in certain situations; for example, where we process personal data collected from you with your consent, you may request restriction only on the grounds of data inaccuracy or where our processing is unlawful and you do not want your personal data to be erased or you need them for a legal claim. This right does not apply where we are processing your personal data to comply with the law.
6. Right to data portability
The User has the right to obtain and reuse their personal data in a structured, commonly used, and machine-readable format in certain circumstances, which do not include cases where processing is carried out on the basis of legitimate interests or to comply with the law.
7. Right to object
The User has the right to object to certain types of processing in certain circumstances, for example where we rely on our legitimate interests

Medov has entered into a contract with an external provider to protect the confidentiality and security of your personal data. We use appropriate technical and organizational measures to protect the personal data we collect and process about you. The measures used are designed to provide a level of security appropriate to the categories of personal data processed.

If you have any questions about the protection of personal data or wish to exercise your legal rights, please submit your request or contact Medov by sending an email to: privacy@ilinvestimenti.com.