1) On 25 May 2018, REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the Regulation or ‘GDPR’) became fully operational;

2) Article 4(1)(7) of the GDPR defines the controller as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’;

3) pursuant to Article 26(1) of the GDPR, "Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner, by means of an internal agreement, determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercise of the rights of the data subject, and their respective duties to communicate the information referred to in Articles 13 and 14, unless and insofar as their respective responsibilities are determined by Union or Member State law to which the controllers are subject. Such an agreement may designate a contact point for data subjects";

4) pursuant to Article 13(5) of Legislative Decree No. 24 of 10 March 2023, private sector entities that share resources for the receipt and management of reports, pursuant to Article 4(4), shall determine in a transparent manner, by means of an internal agreement, their respective responsibilities with regard to compliance with personal data protection obligations, pursuant to Article 26 of Regulation (EU) 2016/679 or Article 23 of Legislative Decree No. 51 of 2018.

5) It is the intention of the Contracting Parties to regulate in a transparent manner their mutual rights and obligations arising from strict compliance with the rules and principles contained in the GDPR, with particular regard to the exercise of the rights of the data subject, as well as their respective roles in communicating information to data subjects, by signing this agreement.

6) It is the intention of the Parties to use an information platform concerning the protection of persons who report breaches of Union law and containing provisions concerning the protection of persons who report breaches of national regulatory provisions (whistleblowing rules).

7) by signing this agreement, the Parties intend to regulate the joint controllership relationship in the processing of personal data, as described in more detail below, and in particular their respective roles and responsibilities towards data subjects;

Article 1 – Preliminary agreements

1. Within the scope of their respective responsibilities as determined by this Agreement, the Joint Controllers shall at all times fulfil their obligations in accordance with it and in such a way as to process the data without violating the provisions of the law in force and in full compliance with the applicable guidelines and codes of conduct, as approved from time to time by the Supervisory Authority.

2. It is understood between the Parties, in accordance with the provisions of Article 26, paragraph 3 of the Regulation and regardless of the provisions of this Agreement, that the data subject may exercise their rights in relation to and against each Joint Controller.

3. In line with their mission and values, the Joint Controllers mutually undertake to protect the personal data of any natural person who comes into contact or operates with them, respecting the identity and dignity of every human being and the fundamental freedoms guaranteed by the Constitution, in compliance with the provisions of the GDPR and the provisions of Legislative Decree No. 24 of 10 March 2023 with regard to the processing of personal data and the free movement thereof, and in compliance with any other applicable national or European legislation.

4. Omissis.

5. Omissis.

6. Omissis.

7. An extract of this agreement is made available to interested parties on the website of each individual Joint Controller in the section dedicated to whistleblowing.

Article 2 - Subject matter of the agreement.

1) This agreement sets out the respective responsibilities of the Parties with regard to compliance with the obligations arising from the Regulation, as well as from the provisions of law in force from time to time with regard to the processing of personal data. This agreement also establishes the respective obligations with regard to the exercise of the rights of data subjects and the respective roles for each regulatory obligation in force.

2) With this agreement, the Joint Controllers agree that the processing of personal data, as defined in Article 4.2 of the Regulation, shall be carried out through the shared use of the application as provided for by Legislative Decree 24/23, known as the Whistleblowing Decree.

3) The activities underlying this agreement involve the processing of the following categories of personal data: Personal data of a common nature (e.g. name, surname, type of relationship with the Company, position, role, qualification, telephone number, email address, etc.), of a particular nature (formerly “sensitive data” Art. 9 of the GDPR) and judicial data (such as criminal convictions and offences Art. 10 GDPR), which may be contained in the report and in the documents attached to it, relating to all natural persons - identified or identifiable - involved in various capacities in the reported events (whistleblower, reported person, facilitator, any other third parties), known as data subjects.

Article 3 – Duration and effects following termination of the Agreement

1. This agreement, adopted by resolution of the respective Boards of Directors ...omissis... shall be valid for an indefinite period, with the parties having the right to terminate it with six (6) months' notice to be sent by registered letter with return receipt or certified email to the other Joint Controllers.

2. Omissis.

3. Omissis.

Article 4 – Obligations between the parties

1. The protection of personal data is based on compliance with the principles set out in this document, which the Joint Controllers undertake to disseminate, respect and enforce among their directors, employees and collaborators and third parties with whom they collaborate in the performance of their activities. In particular, the Joint Controllers are committed to ensuring that the legislation on personal data protection, and all that it entails, is understood, implemented and supported by all internal and external parties involved in the activities of the Joint Controllers, taking into account their specific circumstances, their capabilities, including economic capabilities, and their values.

2. The Joint Controllers undertake to maintain and guarantee the confidentiality and protection of personal data collected, processed and used by virtue of the joint controllership. In particular, they undertake, even separately from each other, to: a) process personal data in a lawful, fair and transparent manner in line with constitutional principles and current legislation, in particular the GDPR, and only for the time strictly necessary for the purposes envisaged, including those for complying with legal obligations; b) collect personal data limited to that which is essential for carrying out the activities constituting the joint project (relevant and limited personal data); c) process personal data only for the specific purposes expressed in their privacy policies; d) adopt processes for updating and rectifying the personal data processed to ensure that personal data is, as far as possible, accurate and up to date; e) store and protect the personal data in their possession using the best preservation techniques available; f) ensure the continuous updating of personal data protection measures. This commitment will be constantly monitored in accordance with the principle of accountability by consistently implementing appropriate technical and organisational measures and suitable policies to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR, taking into account the state of the art, the nature of the personal data stored and the risks to which they are exposed. Each Joint Controller shall periodically monitor the level of security achieved in order to ensure that it is always adequate for the risk; g) ensure the timely recovery of personal data availability in the event of a physical or technical incident h) make the methods of processing personal data and their storage clear, transparent and relevant in order to ensure adequate security; i) promote the development of a sense of responsibility and awareness of the entire organisation towards personal data; l) prevent and minimise, compatibly with the available resources, the impact of potential violations or unlawful and/or harmful processing of personal data; m) ensure that its employees receive adequate training on whistleblowing regulations and the concept of “reporting”, on the correct use of the channel and on penalties in the event of a breach; n) promote the inclusion of personal data protection in the continuous improvement plan that the Joint Controller pursues with its management systems.

3. Omissis.

Article 5 – Data retention period

Internal reports and related documentation are retained for the time necessary to process the report for the purposes for which they were collected, in accordance with legal obligations or in any case to allow the Company to protect its own rights and interests or those of third parties (e.g. legal defence). The data is deleted from the platform 5 years after the report is closed. Personal data that is clearly not useful for the processing of a specific report is not collected or, if accidentally collected, is deleted immediately. It remains understood that, should the Data Controller decide to initiate disciplinary proceedings or bring legal or administrative proceedings or arbitration or conciliation proceedings, the personal data of the data subjects will be retained for a period equal to the duration of the proceedings or the limitation period for the rights for which the processing is necessary for the establishment, exercise or defence of such rights, even if this exceeds the retention periods indicated above.

Article 6 - Persons authorised to process data (and Designated Persons)

1. The Parent Company, Gruppo Concorde S.p.A., has been entrusted with the task of managing reports concerning the other Joint Controllers. These companies have appointed the Parent Company as Data Processor pursuant to Article 28 of the GDPR. The Parent Company has designated the members of the Whistleblowing Committee, composed of the Head of Human Resources, the Head of Information Systems and the Head of Finance of Gruppo Concorde, as authorised to process data. The Managing Director of the Parent Company has also been designated as the manager of reports made to the members of the Whistleblowing Committee, who are specifically authorised to perform this role and have been specially trained.

2. Omissis.

3. Omissis.

Article 7 - Data processors - Omissis

Article 8 - Impact assessment and personal data breaches

1. In the cases provided for in Article 35 of the GDPR, the impact assessment on the protection of personal data and its possible review, as well as the prior consultation referred to in Article 36 of the GDPR, are the responsibility of the Parent Company, which informs the other Joint Controllers, by signing this agreement, that it has carried out this assessment, which has highlighted a “low” residual risk.

2. Omissis.

3. Omissis.

4. Omissis.

Article 9 - Decisions regarding international transfers of personal data

1. This agreement stipulates that personal data will be processed within the territory of the European Union.

2. Omissis.

Article 10 - Procedure for exercising the rights of the data subject Requests to exercise rights and any complaints submitted by data subjects will be handled by the Parent Company, it being understood in any case that data subjects may exercise their rights vis-à-vis each Joint Controller.

Article 11 - Verification of compliance with personal data protection rules - Omissis

Article 12 - Liability for breach of provisions - Omissis

Article 13 - Null and void or ineffective clauses - Omissis

Article 14 - Communications - Omissis

Article 15 - Final provisions For anything not expressly indicated in this agreement, reference should be made to the GDPR, the provisions of current legislation, and the measures of the Supervisory Authority.

Fiorano Modenese (MO) on 23/12/2025