Whistleblowing
Last updated: 26 August 2025
1. Legal Framework
In compliance with EU Directive 2019/1937 on the protection of persons who report breaches of Union law, Italian Legislative Decree No. 24 of 10 March 2023 (D.Lgs. 24/2023), Regulation (EU) 2016/679 (GDPR), UK GDPR and the United Kingdom's Public Interest Disclosure Act 1998 (PIDA), Villa Traiano Holding Ltd, together with the Italian group companies VT Hospitality S.r.l. (VAT: 01892000629) and Villa Traiano Management S.r.l., has established an internal reporting channel to enable the disclosure of unlawful conduct in the workplace, guaranteeing the confidentiality of the reporter's identity and protection against any form of retaliation.
2. Who Can Report
The following categories of persons may submit a report:
- Employees and collaborators, including those on fixed-term contracts
- Job candidates, for matters learned during the selection process
- Self-employed workers, consultants and collaborators who carry out their activities at Villa Traiano
- Suppliers and subcontractors
- Volunteers and trainees, whether paid or unpaid
- Persons holding administration, management, control, supervisory or representative functions
- Former employees, for matters learned during the period of employment
3. Reportable Conduct
Reports may concern breaches of European Union, Italian or United Kingdom law that harm the public interest or the integrity of the organisation, of which the reporter became aware in the course of their work. By way of example:
- Breaches of European Union law, Italian legislation and United Kingdom legislation
- Fraud, corruption and conflicts of interest
- Bribery and extortion
- Breaches of occupational health and safety regulations
- Environmental violations
- Breaches of personal data protection regulations
- Conduct aimed at concealing any of the above violations
Disputes relating to individual employment relationships, reports concerning breaches already governed by specific legislative acts, and reports relating to personal matters fall outside the scope of this policy.
4. Reporting Channels
Internal channel
Dedicated email: whistleblowing@villatraiano.com
Anonymous reports are accepted. Reports may also be submitted orally by requesting a direct meeting with the designated officer.
External channels
Where the internal channel is not active, has not followed up on the report, or where there are reasonable grounds to believe that an internal report could result in retaliation, the reporter may use the following external channels:
- Italy: Autorità Nazionale Anticorruzione (ANAC) — www.anticorruzione.it/whistleblowing
- Italy: Garante per la Protezione dei Dati Personali (for data protection breaches) — www.garanteprivacy.it
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
5. Whistleblower Protections
Prohibition of retaliation
Any form of retaliation against the reporter is prohibited, including dismissal, demotion, transfer, discrimination and any other unfavourable treatment directly or indirectly linked to the report. These protections also extend to facilitators, the reporter's colleagues and family members.
Confidentiality
The reporter's identity shall not be disclosed to persons other than those authorised to receive or follow up on reports, except with the reporter's explicit consent. Confidentiality is guaranteed even in the case of an anonymous report where the reporter is subsequently identified.
6. Handling Timelines
The designated officer responsible for managing reports undertakes to comply with the following timelines:
- Acknowledgement of receipt: within 7 days of receiving the report
- Response to the reporter: within 3 months from the date of acknowledgement, extendable up to 6 months in particularly complex cases
Throughout the entire handling period, the designated officer maintains communication with the reporter and, where necessary, requests supplementary documentation.
7. Data Processing
Personal data collected in the course of managing reports is processed in accordance with Regulation (EU) 2016/679 (GDPR), Italian Legislative Decree 196/2003 (as amended by D.Lgs. 101/2018), UK GDPR and the Data Protection Act 2018.
- Retention period: data is retained for a maximum period of 5 years from the date of communication of the final outcome of the reporting procedure
- Encryption: all reports and related data are protected by encryption
- Role-based access: access to report data is restricted exclusively to authorised persons, based on the need-to-know principle and a role-based access control (RBAC) system
For detailed information on personal data processing, please refer to our Privacy Policy.