ESG / Sustainability Report / 2022

Ethics and governance

In the Supplier Register (PAGE) enrollment phase, 100% of suppliers are required to view them and be familiar with their terms.

Engineering takes all necessary measures to combat and prevent corruption, prohibiting any action that may promote or favor interests and advantages by third parties, or harm impartiality and autonomy of judgment.

In 2019, the Parent Company earned, and subsequently renewed in 2022, the certification of its Anti-Bribery Management System according to the ISO 37001 international standard, issued by the certification body DNV – Italia. This standard is applicable to any type of public or private organization and describes the requirements for implementing a management system aimed at preventing corruption, oriented towards continuous improvement and the adoption of measures to discourage the risk of offenses in a reasonable manner proportional to the business segment, size and complexity of the organization. The system is not meant to overlap with the tools established by law (corruption prevention plans pursuant to Law 190 or Organization Models pursuant to Italian Legislative Decree 231), but only to best coordinate the overall system in order to effectively prevent corruption in a manner integrated with other company management systems.

In 2021, the subsidiary Municipia obtained the certification, while the subsidiary D.HUB earned the certification in October 2022. In the anti-corruption compliance improvement program, the prevention policy was extended to all Italian and foreign companies.

In compliance with the standard, in 2019 the “Anti-Corruption Compliance Function” was established, which reports directly to the Chief Executive Officer and in the course of 2020 was also extended to Municipia.

To spread the tools adopted for preventing and fighting against corruption, the company dedicates specific training sessions to its employees which address topics such as the Organization and Management Model adopted by Engineering in compliance with Italian Legislative Decree 231/2001 and in general the company’s anti-corruption approach: in 2022, the “Anti-corruption course” was taken in Web Based Training (WBT) mode by 3,169 employees belonging to the Group’s Italian companies.

Data privacy and cybersecurity

Privacy: a continuously evolving regulation

The European General Data Protection Regulation (GDPR) became effective in May 2018 and contains a complex set of rules on the protection of the data of natural persons. Subsequent to the adoption of the GDPR, the regulator, the European Data Protection Board (European Board that brings together representatives of the Privacy Authorities of the Member States) and the Supervisory Authorities took action multiple times, expressing opinions and issuing guidelines to clarify its content and ensure its operational effectiveness, introducing additional regulations and preparing projects for further regulations on the matter.

In other words, it is evident that the (personal and other) data protection regulation is extremely dynamic and in continuous development due to both the evolution of the interpretation of regulations in force and the constant issue of new rules, in an attempt to “keep up with” the evolution of technology and, as a result, of services. Consider for example:
    • the NIS II for cyber security;
    • the proposal on the Cyber Resilience Act on the security of processed data;
    • the proposed European Regulation on Artificial Intelligence;
    • the proposed European Regulation on the European health data space.

The new Privacy Organizational Model (POM)

Engineering Ingegneria Informatica S.p.A. and with it the subsidiaries of the Engineering Group, in light of the changed management structure and substantial changes in governance, laid the basis in 2022 for a project, which was fully launched in the first half of 2023, for further analysis and investigation of the personal data processing activities carried out in the Group and the existing organizational, management and control tools, in order to perfect that structure with a view to better responding to the evolution of privacy regulations.

In particular, EII recently adopted a new Privacy Organizational Model (“POM”) whereby the company pursues the goal of renewing and refining its governance system on the processing of personal data, in order to allow for the widespread application, constant assessment and necessary updating of the organizational and security measures required by the privacy regulation.

In particular, the POM identifies a new organizational model for privacy & data protection activities, with a view to: (i) assigning roles and responsibilities to those with knowledge and/or proximity to the processes from which data processing originates or where the data reside; (ii) optimizing the fulfillment of obligations, also facilitating discussions between the business, the legal function and the DPO; (iii) guaranteeing a uniform approach transversal to all of Engineering in the analysis and identification of processes that require personal data processing.

To this end, the POM:
    • addresses privacy roles, allocating the relative responsibilities to: i) Executive Data Managers (i.e. directly reporting to the CEO); ii) Data Managers (second line of reporting to the CEO); iii) Privacy Contact Points (who organizationally report to the Data Managers and act as a point of functional connection with the DPO Office);
    • defines an organizational, governance and rules system aimed at guaranteeing the widespread application, constant assessment and necessary updating of the measures required by the Privacy Regulation;
    • guarantees the progressive implementation of a structured and organic system of procedures and control activities (ex ante and ex post) aimed at preventing as well as overseeing any data protection risks;
    • governs, through the positions introduced by the POM, every aspect of processes linked to personal data processing in compliance with applicable regulations, also by implementing a system for the constant monitoring of the company’s activities, which is capable of preventing the commission of privacy offenses and/or discouraging any reiteration of conduct in breach of sector regulations.

The new POM was accompanied by the formation of internal thematic working groups aimed at:
    • redefining the mapping of the personal data processing carried out at EII and the subsidiaries. To this end, the adoption of a new tool is under way which will enable all Group companies to (i) manage the Processing Register in a uniform manner through the adoption of naming conventions and (ii) integrate privacy impact assessments on processing (Data Protection Impact Assessment – DPIA) starting from the initial entry of processing operations in the Register;
    • centralizing HR processes of all of the subsidiaries at global level, with a view to uniformity, while guaranteeing the security of international transfers of personal data;
    • structuring flows aimed at ensuring the compliance of international data transfers, also with regard to the services rendered to customers through subsidiaries falling within the scope of near shoring, but in any event outside the European Economic Area;
    • reviewing and updating procedures on data breaches and on the rights of data subjects with a view to paying the utmost attention to their protection;
    • adopting a methodology for balancing interests (Legitimate Interest Assessment – LIA).

In the course of 2022, training on privacy and data protection was provided through a compulsory online course for the entire company population and thematic courses for specific professional positions (for example, on procurement).
