Disclosure on the processing of personal data

pursuant to Articles 13 and 14 of the Regulation (EU) 2016/679 (GDPR)

- Processing of personal data related to reports, pursuant to Legislative Decree March 10, 2023, No. 24 implementing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 - (Whistleblowing) -

Dear Data Subject,

pursuant to Articles 13 and 14 of the Regulation (EU) 2016/679 of the European Parliament and the Council of Europe 'on the protection of natural persons with regard to the processing of personal data and on the free movement of such data' (hereinafter referred to as GDPR), Sogin S.p.A. wants to inform you on the modalities in use for the processing of your personal data for whistleblowing.

DATA CONTROLLER AND DPO (Data protection Officer)

The Data Controller is Società di Gestione Impianti Nucleari – Sogin S.p.A., in the person of its legal pro tempore representative, with registered office in via Marsala 51/C – 00185 Rome, VAT no. and Fiscal Code 05779721009, which appointed the Data Protection Officer, or DPO, available via e-mail and/or Certified Electronic mail at the following address dpo@pec.sogin.it or by sending a message to:

Data Protection Officer (DPO)

c/o Sogin S.p.A. - Via Marsala 51/C - 00185 Rome (RM) - Tel: +39 06 830401

TYPES OF DATA PROCESSED

In the context of reports of misconduct (whistleblowing), personal data of the reporting person, facilitator, person involved or mentioned in the report, as well as personal data contained in the reports themselves and related documentation, will be processed. Therefore, these personal data may include common data, special categories of data, and data relating to offenses and irregularities.

PURPOSE OF DATA PROCESSING

Personal data will be processed by Sogin for the following purposes:

- Receiving, analyzing, and managing reports related to illicit activities or non-compliant behaviors with current regulations or Sogin's internal policies.

- Conducting internal investigations or collaborating with competent authorities to assess the received reports.

- Implementing corrective and disciplinary measures when illicit activities or non-compliant behaviors are confirmed.

- Maintaining confidentiality and protecting the interests of individuals involved in the reports.

- Ensuring compliance with legal and regulatory obligations.

LEGAL BASIS FOR PROCESSING

Personal data, with reference to the purposes mentioned above, will be processed:

• to comply with a legal obligation to which the data controller is subject (Article 6, paragraph 1, letter c);

• to establish, exercise, or defend a legal claim when necessary (Article 9, paragraph 2, letter f of the GDPR).

METHODS OF PROCESSING

Personal data will be processed manually and/or with the support of computer or telematic means, in accordance with the principles of fairness, lawfulness, and transparency provided for by the applicable legislation on the protection of personal data (GDPR), which the Company adheres to, and by protecting confidentiality through technical and organizational security measures to ensure an adequate level of security.

DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES

Subject to the safeguards provided for by Legislative Decree No. 24/2023 concerning confidentiality, personal data related to reports of misconduct may be disclosed to third parties only if necessary to fulfill legal obligations or for the purposes indicated in this notice. These third parties may include competent authorities, supervisory bodies, or expressly authorized entities processing such data in accordance with Articles 29 and 32(4) of Regulation (EU) 2016/679 and Article 2-quaterdecies of the Personal Data Protection Code under Legislative Decree No. 196 of 30 June 2003.

TRANSFER OF PERSONAL DATA TO NON-EU COUNTRIES

Personal data will not be transferred to non-EU countries.

RETENTION OF PERSONAL DATA

Personal data will be stored in the databases of the data controller for the time necessary for the processing of the report and, in any case, no later than five years from the date of communication of the final outcome of the reporting procedure, without prejudice to the need to establish, exercise, or defend a legal claim in court when necessary.

RIGHTS OF DATA SUBJECTS

Sogin informs you that, within the limits provided for by Article 2-undecies of Legislative Decree No. 196 of 30 June 2003, you may exercise the following rights:

• Right of access (Article 15, GDPR) - you have the right to obtain confirmation of whether or not your data is being processed and to receive information regarding such processing;
• Right to rectification (Article 16, GDPR) - you have the right to have your data corrected if it is incomplete or inaccurate;
• Right to erasure (Article 17, GDPR) - you have the right to have your data erased from our records, only in cases provided for by law;
• Right to restriction of processing (Article 18, GDPR) - you have the right to obtain restriction of processing concerning your data;
• Right to data portability (Article 20, GDPR) - you have the right to receive your data held by us and transfer it to another data controller;
• Right to object (Article 21, GDPR) - you have the right to object to the processing of your data.

You can exercise the above-mentioned rights by sending a suitable communication to the email address dpo@pec.sogin.it .

Furthermore, if you believe that the processing of personal data carried out by the data controller is in violation of Regulation (EU) 2016/679, you can lodge a complaint with the Italian Data Protection Authority, following the procedures and instructions published on the official website of the Authority: www.garanteprivacy.it , within the limits provided for by Article 2-undecies of Legislative Decree No. 196 of 30 June 2003.