English Courtesy Translation
Uber Italy S.r.l.
Organisational management and control model under Legislative Decree No. 231/2001
GENERAL PART
September 2020
To all Corporate Bodies, Employees, management, and Associated Parties (as defined below) of Uber Italy S.r.l.
All the companies of the Uber Group, their executives, the management and all the employees are committed to carry out any action falling their remit with loyalty, fairness, transparency and honesty and in compliance with the law.
We are all unconditionally committed to ethical integrity, compliance with the law and the behavioural guidelines.
For this reason, in addition to Uber Business Conduct Guide and Uber Policies- which must be followed, at all times, by the employees of any Group company- in Italy we have also implemented the present Organisational, Management and Control Model (hereinafter also referred to as “Model” or “Model 231”), in compliance with the provisions of Legislative Decree No. 231/2001.
The role of the Model 231 is extremely important because it aims to guide your actions and to ensure that the conduct of all those who act on behalf or in the interest of Uber Italy S.r.l. complies with local laws and regulations at all times and is consistent with the principles of fairness and transparency when carrying out business transactions and performing corporate actions.
The Company condemns and sanctions any conduct that violates the ethical principles, laws and provisions of the Model, even when carried out on the assumption that it pursues, even in part, the Company’s interest or with the aim of bringing an advantage to the Company. In line with our “Stand Up, Speak Up” compliance motto, each of us must promptly report any conduct engaged in by anyone that does not comply with the Model, including colleagues and independent third parties, as well as the Company’s management. We remind you that this can be done anonymously by contacting Uber’s Integrity Helpline (which can be reached 24/7/365) or by reporting the suspected misconduct directly to the Supervisory Body appointed in compliance with this Model 231 or in any such other manner which the company may indicate. As mentioned in this Model, Uber protects the confidentiality of those who file these reports in good faith and prohibits any retaliation against them.
We rely on everybody’s utmost collaboration to continue to “do the right thing”, ensure compliance with the law and transparency and protect our teams, our business and the communities we serve, to set a positive example in our business sector in Italy which can be taken as a model.
Thank you for your efforts.
SECTION 1: THE RULES GOVERNING CORPORATE LIABILITY OF LEGAL ENTITIES, COMPANIES AND ASSOCIATIONS
1.1 Legislative Decree No. 231/2001 and the relevant framework
SECTION 2: THE COMPANY, THE GROUP, THE GOVERNANCE AND THE ORGANISATIONAL STRUCTURE
2.1 The Company and the Uber Group
2.2 The Group Governance and Compliance
2.3 The Group decision-making structure
2.4 The Company’s organisational structure
SECTION 3: THE IMPLEMENTATION OF THE MODEL BY UBER
3.1 Objectives pursued by Uber with the implementation of the Model
3.3 The Model’s key aspects and fundamental principles
3.5 The “acceptable risk” approach
3.6 Model preparation criteria
3.8 Concerned Parties under the Model
SECTION 4: THE SUPERVISORY BODY
4.1 Appointment of the Supervisory Body
4.4 Function of the Supervisory Body
4.5 Powers of the Supervisory Body
4.6 Rules for Convening and conducting meetings
4.7 Reports of the Supervisory Body
4.8 Information flows to the Supervisory Body
4.9 Reporting and communications to the Supervisory Body
4.10 Confidentiality obligations
4.11 Collection and storage of information
SECTION 5: SELECTION AND TRAINING OF HUMAN RESOURCES AND DISTRIBUTION OF THE MODEL
5.2 Training and informing Employees
5.3 Engaging and information of Associated Parties
SECTION 6: THE DISCIPLINARY SYSTEM
6.1 Function of the disciplinary system
6.2 Violations of the Model and related sanctions
6.3 Disciplinary action against Employees
6.4 Disciplinary action against managers
6.5 Disciplinary action against the governing body
6.6 Disciplinary action against Statutory Auditors
6.7 Disciplinary action against members of the Supervisory Body
6.8 Disciplinary action against Associated Parties
SECTION 7: CHECKS ON THE EFFECTIVENESS OF THE MODEL
SECTION 8: THE MODEL AND UBER BUSINESS CONDUCT GUIDE
SECTION 9: COMPONENTS OF THE MODEL
9.1 The components of the Model
9.2 Organisational components of the Model
DEFINITIONS
- “At-Risk Activities”: the activities carried out by Uber involving the risk of commission of Offences.
- “CCNL”: the National Collective Bargaining Agreement currently in force and complied with by Uber.
- “Employees”: all employees hired by Uber (including managers).
- “Concerned Parties”: those indicated in paragraph 3.8 of this document.
- “Legislative Decree No. 231/2001” or “Decree”: Legislative Decree No. 231 of 8 June 2001, as subsequently amended and supplemented.
- “Suppliers”: suppliers of goods and services to the Company, including professional, such as financial services.
- “Confindustria Guidelines”: the guidelines for preparing the organisational, management and control models under Legislative Decree No. 231/2001 approved by Confindustria, as last updated in March 2014 and published in July 2014.
- “Model”: the organisational, management and control model provided for by Legislative Decree No. 231/2001.
- “Corporate Bodies”: the Sole Director and the Statutory Auditor of Uber.
- “Supervisory Body” or “SB”: internal body responsible for supervising the implementation and compliance with the Model and its updating.
- “P.A.” or “Public Administration”: the Public Administration, including its officials and public service representatives, including, by way of example, the Judicial Authority, Italian and foreign Institutions and Public Administrations, whether national or local, Consob [Italian Financial Market Authority], the Italian Competition Authority, the Italian Data Protection Authority, Borsa Italiana S.r.l., the Italian Regulatory Authority for Electricity, Gas and Water and other Italian and foreign supervisory authorities or corporations carrying out similar duties, as well as their officials and internal bodies.
- “Associated Parties”: the independent third parties that carry out their activity providing goods and/or performing services also in the interest of the Company and in relation to the At-Risk Activities regulated by this Model. The Associated Parties include first of all the Couriers and the Restaurants, as specifically indicated in paragraph 3.8 of this document. Furthermore, the Associated Parties include also the consultants, the contractors, the Suppliers, any intermediaries and/or agents and the Partners that carry out their activity in the interest of the Company and in relation to one or more At-Risk Activities.
- “Partners”: any party contracting with Uber, including both natural and legal persons, with whom the Company enters into any form of arrangement governing collaboration with the same (temporary business association – ATI, joint ventures, consortia, etc.), when these parties interact with the Company for the purpose of carrying out At-Risk Activities.
- “Public Officials.” (i) any person performing a public function within the legislative, or judicial branch or within an administration; (ii) any person acting in an official capacity in the name or on behalf of (i) a National Public Administration, whether local, national or federal, (ii) an agency, office or body of the European Union or of a National Public Administration, (iii) where provided for by any governing laws, a company owned, controlled or held by a National Public Administration, unless such company operates at arm’s length in the relevant market, i.e., under terms substantially equivalent to those applied by a private company, (iv) an international public organisation, such as the European Bank for Reconstruction and Development, the International Bank for Reconstruction and Development, the International Monetary Fund, the World Bank, the United Nations or the World Trade Organisation or (v) a political party, a member of a political party or a political candidate running for office, whether Italian or foreign; (iii) public service representatives, to be understood as any party who performs, on any grounds, a public service (i.e., an activity which is subject to the same rules governing a public function but without the powers typically vested in a public authority). The performance of simple tidy tasks and the performance of purely material work are excluded.
- “Offences”: the offences subject to the provisions set out in Legislative Decree No. 231/2001.
- “System for Delegating Authority”: all the proxies and powers of attorney conferred within the Company, as well as any powers of representation conferred on Associated Parties.
- “Subsidiaries”: any subsidiaries of the Company for purposes of Article 2359 of the Italian Civil Code.
- “Uber” or the “Company”: Uber Italy S.r.l., with registered office in Milan, at Via Vincenzo Forcella no. 13, Milan.
SECTION 1: THE RULES GOVERNING CORPORATE LIABILITY OF LEGAL ENTITIES, COMPANIES AND ASSOCIATIONS
1.1 Legislative Decree No. 231/2001 and the relevant framework
1.1.1 The liability under Legislative Decree No. 231/2001
On 4 July 2001, Legislative Decree No. 231 of 8 June 2001, laying down the “Provisions on the corporate liability of legal entities, companies and associations, including without legal personality”, came into force.
The Decree aimed at adapting the domestic regulations on the liability of legal entities to ensure compliance with certain international conventions which Italy had signed quite some time before, such as the Brussels Convention of 26 July 1995 on the protection of the financial interests of the European Communities, the Convention on 26 May 1997 on the fight against corruption involving officials of the European Community or member states,
which was also signed in Brussels, and the OECD Convention of 17 December 1997 on combating bribery of foreign public officials in economic business transaction.
Article 5 of Legislative Decree No. 231/2001 establishes the company’s liability in those cases in which certain Offences (known as ‘predicate offences’) have been committed in its interest or to its advantage by:
(a) “top management”, i.e., individuals who hold representation, direction or management roles within the company or a financially and functionally autonomous organisational unit thereof, or individuals who are entrusted with management or audit powers over the same, including on a de facto basis (e.g., directors and general managers);
(b) individuals subject to the management or supervision of one of the above-mentioned persons (including employees other than the management and Associated Parties).
Therefore, in the event that one of the predicate offences is committed, the corporate liability is in addition to that of the natural person who actually committed the criminal offence – if and to the extent that all the other legal requirements are satisfied.
The aim of these provisions, therefore, is to impose penalties on entities when Offences are committed in their interest (in line with the business policy adopted) or to their advantage (in order to gain profit from the commission of the Offence). Regarding the nature of the sanctions that may be imposed, the company is subject to a pecuniary sanction for any Offence committed; for most serious Offences, disqualification sanctions are also imposed, such as a ban on engaging in business activities, the suspension or revocation of licenses and concessions, the prohibition to contract with the Public Administration, the exclusion from entitlements to or revocation of funds and contributions, a ban on advertising goods and services.
The liability provided for in the Decree also applies when Offences are committed abroad when the authorities of the place where the Offence was committed are not prosecuting it.
Furthermore, the company is liable under the Decree for all the Offences listed under the same, including when their commission is only attempted. More specifically, Article 26, paragraph 1 of the Decree establishes that, when commission of those offences is attempted, monetary sanctions (in terms of the amount) and disqualification sanctions (in terms of time) are reduced from one third to half, while they are not imposed in those cases in which the company “voluntarily prevents the performance of the Offence or the occurrence of the [harmful] event” under Article 26, paragraph 1, of the Decree.
1.1.2 The Offences
Various types of predicate offences are listed, including the following:
(i) Offences committed against the Public Administration (Articles 24 and 25 of Legislative Decree No. 231/2001);
(ii) cyber offences and unlawful processing of data (Article 24 bis of Legislative Decree no 231/2001);
(iii) criminal association under Article 24-ter of Legislative Decree No. 231/2001);
(iv) counterfeiting money, legal tender and revenue stamps and other identifying signs (Article 25 bis of Legislative Decree No. 231/2001);
(v) offences against industry and trade (Article 25 bis1 of Legislative Decree No. 231/2001);
(vi) corporate offences (Article 25 ter of Legislative Decree No. 231/2001). 231/2001);
(vii) corruption in transactions between private parties and solicitation to commit corruption in transactions between private parties (Article 25 ter, paragraph 2, par. s) bis of Legislative Decree No. 231/2001);
(viii) terrorist acts and offences aimed at subverting the democratic order (Article 25 quater of Legislative Decree No. 231/2001);
(ix) offences involving female genital mutilation (Article 25 quater 1 of Legislative Decree No. 231/2001);
(x) offences against individuals (Article 25 quinquies of Legislative Decree No. 231/2001));
(xi) market abuse offences and administrative offences (Article 25 sexies of Legislative Decree No. 231/2001);
(xii) transnational offences (Article 10 of Law No. 146 of 16 March 2006);
(xiii) manslaughter and serious or very serious bodily harm committed in violation of the rules on workplace health and safety regulations (Article 25 septies of Legislative Decree No. 231/2001));
(xiv) receiving stolen goods, money laundering and use of money, property, or benefits of illegal origin, as well as self-laundering (Article 25 octies of Legislative Decree No. 231/2001));
(xv) offences involving copyright infringements (Article 25 novies of Legislative Decree No . 231/2001));
(xvi) solicitation not to issue statements or to issue false statements to the judicial authority (Article 25 decies of Legislative Decree No. 231/2001);
(xvii) environmental offences (Article 25 undecies of Legislative Decree No. 231/2001);
(xviii) employment of illegally staying third-country nationals (Article 25 duodecies of Legislative Decree No. 231/2001);
(xix) offences of racism and xenophobia (Article 25 terdecies of Legislative Decree No. 231/2001); and
(xx) fraud in sports competitions, illegal gaming or gambling and gambling using illegal devices (Article 25 quaterdecies of Legislative Decree No. 231/2001).
With respect to the “predicate offences” listed in this Model, we have taken into consideration the new provisions introduced under Legislative Decree 231/2001 on or before 31 July 2020, including:
- The new predicate offence of “Breach of National Cybernetic Security Perimeter rules” added to the list of Offences listed under Article 24 bis of Legislative Decree No. 231/2001 by Law Decree No. 105 of 21 September 2019;
- The tax offences punished by Legislative Decree No. 74 of 10 March 2000, which have been added to the predicate offences by Law No. 157 of 19 December 2019 (Article 25 quinquiesdecies of Legislative Decree No. 231/2001);
- New offences against the Public Administration and tax Offences, as well as the offences of smuggling provided for by Presidential Decree No. 43 of 23 January 1973, introduced by Legislative Decree No. 75 of 14 July 2020, which implemented Directive (EU) 2017/1371 (known as PIF Directive) (Article 25 sexiesdecies of Legislative Decree 231/2001.
Annex A to this Model 231 provides a brief overview of the Offences covered by the Model which have been taken into account for purposes of conducting the risk assessment described in more detail in paragraph 3.5 below and implementing the Model, having been considered potentially relevant to the operations carried out by the Company and therefore taken into account when implementing the Model.
The list under Annex A does not include the following groups of offences covered by Legislative Decree No. 231.2001 because it appears that no concrete risk may arise for the Company in relation to the same.
a) female genital mutilation (Article 25-quater.1 of Legislative Decree No. 231/2001);
b) fraud in sports competitions, illegal gaming or gambling and gambling using illegal devices (Article 25 quaterdecies under Legislative Decree No. 231/2001). 231/2001.
1.2 The adoption of the “organisational, management and control model” as possible grounds for exemption from corporate liability
Article 6 of the Decree specifically provides for grounds for exemption from the liability in question if the company provides evidence that:
(a) it has adopted and successfully implemented through its governing body, before commission of the offence, an organisational and control model capable of preventing the type of offences committed;
(b) it has tasked an internal body vested with autonomous decision-making and monitoring powers with supervising the implementation of and compliance with the model, as well as with updating the same;
(c) the individuals who committed the offence acted by fraudulently circumventing the [application of] the above-mentioned model; and
(d) the body referred to in (b) above did not fail to take action or did not carry out inadequate monitoring.
The Decree also provides that the organisational and control model – in case of further delegation of powers and the risk of commission of the Offences – must meet the following requirements:
1. identify the activities in relation to which a risk of commission of the Offences is identified (referred to as “At-Risk Activities”);
2. provide for or incorporate specific protocols that regulate the formation and implementation of corporate decisions concerning Offence prevention;
3. allocate adequate financial resources to implement an organisational structure capable of preventing the commission of the Offences;
4. impose the duty to provide information to the body responsible for supervising the implementation of and compliance with the Model;
5. set up an internal disciplinary system capable of sanctioning any non-compliance with the measures indicated in the Model;
6. provide for one or more reporting channels through which the Company’s Employees can file detailed reports of any significant unlawful conduct relevant for purposes of Legislative Decree No. 231/2001 or any violations of this Model that they have become aware of while carrying out their duties; these reporting channels must keep the identity of the whistle-blower confidential in all stages of the reporting process;
7. provide at least one alternative reporting channel capable of keeping, through electronic means, the identity of the whistle-blower confidential;
8. prohibit retaliatory or discriminatory actions against the whistle-blower for reasons directly or indirectly related to the report;
9. within the disciplinary system referred to in point 5 above, punish those who violate the measures implemented to protect the whistle-blower, as well as those who file, in an intentional or grossly negligent manner, reports that prove to be unfounded*.
*The requirements referred to in numbers 6 to 9 were introduced by Law No. 179 of 30 November 2017 containing “Provisions for the protection of whistle-blowers reporting Offences or irregularities of which they have become aware in connection with a public or private employment relationship” (referred to as “Whistleblowing”).
SECTION 2: THE COMPANY, THE GROUP, THE GOVERNANCE AND THE ORGANISATIONAL STRUCTURE
2.1 The Company and the Uber Group
Uber Italy S.r.l. and Uber Eats Italy S.r.l. are the Italian companies of the Uber Group. The corporate structure of these companies is shown below.
All the companies belong to a group which, either directly or indirectly, is controlled by Uber Technologies Inc (the “Group”).
The Group provides its services worldwide through its technology platform and Uber’s network, including the delivery of products or people transportation, developing and managing technological applications supporting a range of offerings through Uber platform. The aim is to connect consumers with independent drivers who provide ride-sharing services, as well as with restaurants and food delivery service providers for meal preparation and delivery services. The Group also connects consumers with public transportation networks, electric bikes and scooters and other micro-mobility devices; it also connects couriers with freight carriers. The Group’s technology is available in 69 countries worldwide, mainly in the United States and Canada, Latin America, Europe, the Middle East, Africa and Asia (excluding China and Southeast Asia*, within five operating segments: Mobility, Delivery, Freight, Other Bets, and Advanced Technologies Group (“ATG”), focused on the development and marketing of autonomous vehicles and ridesharing technologies (such as Uber Elevate) and other technology programs.
In Italy, too, the Group provides its services through the global platform ‘Uber’. Therefore, in Italy, the Company’s structure is smaller and has a streamlined organisation. It only provides assistance and support in connection with the services operated by other Group’s entities through the Group’s platform within two business lines: (a) “Mobility” for the NCC application; (b) “Delivery” for the meal delivery application. In particular, the Company does not operate those mentioned business lines and its activity is limited to provide assistance and support in relation to specific areas to the other Group’s companies which operates the business in Italy.
The Company’s corporate functions which are not carried out by its personnel are outsourced to Group companies.
*The Group does not operate directly in Southeast Asia; however it has a stake in the company Grab, which does operate in Southeast Asia (Singapore and Malaysia).
2.2 The Group Governance and Compliance
At the Group level, the Board of Directors of Uber Technologies Inc. oversees risk management, including compliance with the applicable laws and regulations. The management reports regularly to the Board and its committees on such topics as risk sustainability, risk assessment and risk reduction.
The Audit Committee is a Board committee which supervises risk management procedures and processes.
The role of the Audit Committee is to assist the Board in fulfilling its supervisory duties in relation to the Company’s accounting, reporting and auditing and certain key corporate governance functions. The main functions of the Committee are to (i) assess suitability and truthfulness of the Company’s financial statements and accounting and financial reporting processes, the internal control systems and auditing of the Company’s financial statements by the Company’s independent auditors, (ii) oversee the independence and assess the performance of the Independent Auditors and the Company’s internal audit function, (iii) ensure risk management and governance oversight, and (iv) ensure the Company’s compliance with legal and regulatory requirements.
Within the Group organisation, the Global Compliance function is responsible for assisting other business functions to ensure compliance with applicable laws and regulations. A Global Compliance function is present in all geographical areas of operation of the Group companies. In Europe, such presence is ensured through the EMEA Compliance structure.
In Europe, EMEA Internal Audit function is responsible for internal audit activities in the EMEA area.
As part of this Group organisation, the Company has vested the EMEA Compliance and EMEA Internal Audit functions with the duties in relation to the Legislative Decree No. 231/2001 described in paragraph 2.5.
2.3 The Group decision-making structure
Strategies and decisions are generally adopted , at Group level, by the HQ in San Francisco in a centralised manner and then communicated in downward in the Netherlands (Amsterdam) – EMEA level, subsequently at the Sub-Regions level, and finally in individual countries, including Italy.
Uber Italy’s employees report to the Regional General Manager for South Western Europe, located in Madrid. The Regional General Manager for South Western Europe reports to the Regional General Manager for Western Europe, who is based in Paris. The latter reports to the EMEA Head of Operations of Uber BV in the Netherlands.
With specific reference to the Delivery business line, Uber Italy employees report to the European General Manager of Uber Delivery for Spain and Italy, based in Madrid, Spain. The latter reports to the Regional General Manager for Uber Delivery in the EMEA region, based in Amsterdam, who in turn reports to the Vice President of Uber Delivery, who is also based in Amsterdam, the Netherlands.
2.4 The Company’s organisational structure
The entire share capital of Uber Italy S.r.l. is held by Uber International Holding B.V.
It is a limited liability company under Italian law [società a responsabilità limitata] and its governance system comprises a Shareholders’ Meeting, a Sole Director, a Statutory Auditor and an independent auditing firm which is entrusted with reviewing and auditing the accounts.
2.4.1 The Shareholders’ Meeting
The Shareholders’ Meeting is competent to pass ordinary and extraordinary resolutions on matters reserved for the same by the law and by the Articles of Association. The Shareholders’ Meeting is chaired by the Sole Director.
2.4.2 The Sole Director
The Sole Director is vested with the broadest powers for the ordinary and extraordinary administration of the Company and for the implementation and achievement of the corporate purpose, within the limits established by the law and the Articles of Association.
Under the Articles of Association, the Sole Director is appointed by the Shareholders’ Meeting and represents the Company.
2.4.3 The Sole Statutory Auditor
The Shareholders’ Meeting appointed a single Statutory Auditor who will remain in office for three years.
The Sole Statutory Auditor is vested with the rights and duties provided for by the law and is entrusted with the auditing responsibilities as per Article 2403 of the Italian Civil Code.
2.4.4 The independent auditing firm
Under Articles 2409-bis and ff. of the Italian Civil Code, the Shareholders’ Meeting appointed an independent auditing firm which will hold office for three years. The firm is registered in the register kept by the Ministry of Justice and is tasked with auditing the accounts.
2.5 The responsibilities entrusted to the EMEA Compliance and EMEA Internal Audit functions at Group level. Role of the Global Compliance function
As mentioned, the Company has instructed the EMEA Compliance and EMEA Internal Audit functions to perform the following tasks for the purposes of ensuring compliance with Legislative Decree No. 231/2001.
2.5.1 EMEA Compliance function – Uber BV
The EMEA Compliance function, which operates within the company Uber BV, has been instructed to carry out, on behalf and in the interest of Uber Italy S.r.l., the following tasks:
(i) update the list of At-Risk activities in relation to which non-compliance with the Legislative Decree No. 231/2001 may occur (“Risk Assessment”);
(ii) support the competent corporate functions for the purpose of continuously updating the Risk Assessment;
(iii) monitor changes in the applicable laws, in the corporate organisation and other relevant internal and external factors affecting the Model;
(iv) update the Model based on the results of the Risk Assessment;
(v) structure, analyse, check, and monitor the information flows to the SB;
(vi) support the SB in providing assurance on the adequacy of the Model and regarding the assessment of its effective implementation;
(vii) provide support in the drafting and analysis of company procedures;
(viii) provide support to employees in relation to specific facts and circumstances requiring clarifications with respect to the provisions of the Model;
(ix) manage employee communication/information and supervise their training (providing support to the relevant company’s departments) to improve awareness and accountability on issues concerning corporate liability under Decree No. 231;
(x) propose actions to strengthen corporate governance by introducing processes and tools for monitoring and managing compliance risks on an ongoing basis, both at an organisational and operational level;
(xi) take charge of the reports received through the Uber Integrity Helpline, identify any reports relevant for the purposes of the Model, and inform the Supervisory Body and the Compliance Champion of these reports;
(xii) support the Supervisory Body in examining and assessing reports of violations, helping to identify possible violations of the Model;
(xiii) report regularly to the Supervisory Body providing a summary of the actions carried out and highlighting any specific aspects and concerns;
(xiv) inform the top management of any serious concerns and irregularities that have emerged while carrying out its duties or that the function has become aware of;
(xv) in carrying out its duties, share with the other functions that are part of the internal control and risk management system information on and outcomes of the actions taken, taking into account any complementarity thereof; and
(xvi) prepare further reports and memorandums on especially relevant issues and events concerning any non-compliance with the law and management of the same.
The EMEA Compliance function prepares a periodic report, which is submitted to the Governing Body and the SB for its evaluation, in which it:
(a) reports on the actions carried out and the relevant main outcomes, the implementation of action plans, the update (if any) of the Model and its adequacy and effective implementation; and
(b) presents the action plan for the following year.
2.5.2 EMEA Internal Audit Function - Uber BV
The EMEA Internal Audit Function, which operates within the company Uber BV, will carry out the following tasks on behalf and in the interest of Uber Italy S.r.l:
(i) carry out and/or instruct eligible third-parties to carry out compliance audits concerning the suitability, effectiveness, implementation and/or application of the Model;
(ii) support the company’s SB and the EMEA Compliance function in the periodic planning of these compliance audits;
(iii) ensure that the findings of these compliance audits are notified to the EMEA Compliance function and the SB;
(iv) provide suggestions and recommendations for the periodic review of the Model based on the findings of the compliance audits;
(v) report any serious concern and irregularities that have emerged while carrying out the compliance audits concerning the Model and support the SB and the EMEA Compliance Function in auditing the reports received through the Uber Integrity Helpline that are relevant for the purposes of the Model, and perform any follow-up
actions.
The EMEA Internal Audit Function prepares a periodic report, which is submitted to the Governing body and the SB for its evaluation, in which it:
(a) reports on the actions carried out and the relevant main outcomes, and particularly the findings of any audits conducted; and
(b) presents the auditing plan for the following year.
The Managers of the EMEA Compliance function and of the EMEA Internal Audit function, or any such other parties which they may designate, can contact directly and without delay the top management and the corporate bodies of Uber Italy S.r.l., sending specific notifications, whenever they consider so appropriate and in the event that concerns must be raised in relation to the Model or any non-compliance with the same.
2.5.3 Global Compliance function - Uber Technologies Inc
In addition to the above, the Global Compliance function, which operates within the company Uber Technologies Inc, will provide:
(i) support to the EMEA Compliance function; and
(ii) executive leadership with regard to global compliance, sharing key compliance topics with the Leadership Team and the Audit Committee.
2.6 The Compliance Champion
To ensure full operational coordination with Group functions for compliance purposes, the Company has identified, in Italy, a coordinator inside the organisation vested with adequate powers to represent the Company. The Compliance Champion is the manager which may be contacted by the Company’s employees and auditing bodies and by the Group’s EMEA Compliance, EMEA Internal Audit and Global Compliance functions, as well as by any Italian third parties and authorities.
The Compliance Champion is independent from the Company’s management and is entitled to liaise directly with the Sole Director, the Statutory Auditor, and the SB.
SECTION 3: THE IMPLEMENTATION OF THE MODEL BY UBER
3.1 Objectives pursued by Uber with the implementation of the Model
Uber is aware of the importance which an internal control system capable to prevent the commission of Offences by its Employees, Corporate Bodies, Associated Parties, can take on. Furthermore, the Company is aware of the fact that the approval and effective implementation of the Model improves the Corporate Governance system as it limits the risk of commission of the Offences, thus benefiting from the grounds for exemption from liability provided for by Legislative Decree No. 231/2001.
The preparation and implementation of the Model have been carried out on the assumption that the same – irrespective of the provisions of the Decree, under which the Model is implemented on a voluntary basis and is not mandatory – may constitute a fundamental tool to raise the awareness of all the parties acting in the name and on behalf of Uber, so that they behave, when performing their duties, in a lawful and straightforward manner, so as to prevent the risk of commission of the Offences. This is in addition to the fact that implementing a Model may constitute grounds for exemption under the Italian regulations on corporate liability arising from the commission of the Offences referred to in Legislative Decree No. 231/2001.
Therefore, the purpose of this Model is to set up a well-defined and organic system for prevention, deterrence and control to reduce the risk of commission of the Offences through the identification of At-Risk Activities carried out by Uber, of the principles of conduct that must be followed by the Concerned Parties under the Model, as well as of specific auditing activities, which are all aimed at preventing the commission of the Offences.
More specifically, through the identification of the At-Risk Activities and the laying down of procedures applicable to the same, the Model pursues the following purposes:
− raise the awareness of all the parties carrying out At-Risk Activities on behalf of Uber concerning their ability to commit – by engaging in conduct that does not comply with the provisions of the Model and other company policies and procedures (as well as the law) – offences from which criminally relevant consequences arise not only on the their part, but also vis-à-vis the Company;
− reiterate that Uber strongly condemns these types of unlawful conduct because (even if Uber was seemingly in a position to gain some advantage from them) they violate not only the law provisions, but also the ethical and social principles which it intends to follow in pursuing its corporate purpose;
− enable Uber to take prompt action to prevent or contrast the commission of Offences by monitoring At-Risk Activities.
3.2 Model’s scope of work
This Model 231 covers all the activities carried out by the Company which have been identified as subject to the potential risk of commission of criminal offences contplated by Decre 231 (i.e. the At Risk Activities).
It’s very important to outline that the Model covers also At Risks Activities which are managed by the Company on behalf of other Group’s entity and therefore are not part of a business operated by the Company. These activities are mainly assistance and support services that the Company provides to the other Group’s entities which operate the business in Italy.
To this purpose, specifically, the At Risks Activities of the Company include the management of the relationships with Couriers and Restaurants even if those relationships refer to Uber Eats Italy S.r.l. which operates the “Delivery” business line in Italy, while the Company only provides assistance and support services to Uber Eats Italy S.r.l. regarding the management of the Couriers and Restaurants.
In this way the Model address to need to regulate and control the At Risk Activities also to the benefit of Uber Eats Italy S.r.l.
3.3 The Model’s key aspects and fundamental principles
The following must be considered the keystones of the Model:
• awareness-raising and dissemination of the rules of conduct and established procedures at all company’s levels;
• the map of Uber’s At-Risk Activities;
• risk prevention through the implementation of specific procedural principles aimed at regulating the formation and correct implementation of corporate decisions in relation to the offences to be prevented;
• the safeguards aimed at preventing the risk of commission of Offences (including the auditing and recording of the transactions carried out in relation to At-Risk Activities, compliance with the principle of separation of roles involved in the corporate processes established and in the management of financial resources, the delegation of authority in a manner consistent with the responsibilities assigned and the auditing of corporate actions, as well as the implementation of the Model and regular updating of the same (ex-post control);
• the assignment to the Supervisory Body of specific tasks to supervise the effective and correct implementation of the Model.
More specifically, in the preparation of this Model, account was taken of the existing procedures and safeguards already in place within the Group, which were identified during the review of the At-Risk Activities, to the extent that they were considered suitable measures to prevent Offences and oversee the processes involved in the At-Risk Activities.
Model 231 is: (i) effective, i.e., the overall control system established to prevent the commission of predicate offences is appropriate; (ii) specific, i.e., it takes into account the Company’s features, size, type of business engaged in and history ; (iii) up to date, i.e., it is constantly reviewed.
The preparation of the Model 231 was also based on the proportionality principle, under which rules and safeguards were established that are in line with the size and the Company’s organisational structure.
3.4 Approval of the Model
This General Part of the Model was firstly approved by the Company’s sole shareholder’s decision through written procedure of 2 September 2020. By the same decision, the
Supervisory Body was appointed to supervise the implementation and effectiveness of the Model, as well as compliance with the same, encouraging its updating.
Substantive changes and supplements to the Model are subject to approval by the Shareholders’ Meeting.
3.5 The “acceptable risk” approach
The concept of “acceptable risk” is essential in the preparation of a preventive control system. Specifically, for the purposes of Legislative Decree No. 231/2001, it is essential that an effective threshold risk is defined so as to place a limit on the number and types of prevention measures to be adopted and implemented to prevent the commission of the predicate offences. Absent a pre-existing definition of acceptable risk, a virtually indefinite number/types of preventive control measures could be implemented, thus impacting, for obvious reasons, on the business operations. The general principle of a ‘reasonable standard of conduct’, which comes into consideration also under criminal law, is key in this regard.
As highlighted in the “Guidelines for preparing organisational, management and control models under Legislative Decree No. 231 of 8 June 2001” issued by Confindustria with reference to the preventive control system to be set up to avoid the risk of commission of the predicate offences, with respect to wilful misconduct, the concept of acceptable risk translates into a preventive system which can only be circumvented fraudulently, in line with the logic of “fraudulent circumvention” of Model 231 as grounds for exemption from corporate liability (see Article 6, paragraph 1, letter c, of Legislative Decree No. 231/2001:
“individuals committed the Offence by fraudulently circumventing the application of the models...”).
As highlighted by the courts, the “fraud” referred to in Legislative Decree No. 231/2001 does not actually require tricks and deceptions; at the same time, however, fraud may not consist in the mere violation of the provisions contained in the Model 231. Rather, it must entail a violation of the Model 231 that is the result of circumventing the security measures in a manner suitable to undermine its effectiveness.
With regard to offences involving negligence (such as involuntary manslaughter and involuntary bodily harm committed in violation of workplace health and safety regulations and negligence-based environmental offences), the “acceptable risk” threshold must be identified differently, since the fraudulent circumvention of the 231 Model appears incompatible with the subjective element required for negligence-based offences, in relation to which the intent to cause the harmful event is lacking. In these cases, the “acceptable risk” threshold is represented by engaging in conduct that violates the organisational model for the prevention of offences (while in case of offences committed in violation of workplace health and safety regulations, conduct that violates the underlying mandatory obligations established in the accident prevention regulations), irrespective of whether the Supervisory Body fulfilled its supervisory duties under Legislative Decree No. 231/2001.
In accordance with these principles, for all At-Risk Activities in relation to which a risk of commission of predicate offences was established, the Model 231 was implemented by the Company with the aim of defining protocols which: 1) are reasonably capable of preventing wilful conduct, except in case of fraudulent circumvention, and 2) provide for an adequate
set of safeguards to detect any potential non-fulfilment of obligations which could result in the commission of negligent offences.
3.6 Model preparation criteria
3.6.1 Phases
In preparing this Model, the Company followed the Guidelines drawn up by Confindustria. In line with these Guidelines, the preparation of the Model involved:
• identification of At-Risk Activities to assess in which company’s area/department the Offences may be committed; and
• preparation of a control system capable of preventing the risks identified through the adoption of specific protocols.
The preparation of this Model (as well as any subsequent updates, when substantive changes are made concerning the identification of new At-Risk Activities or the drafting of new Special Parts) involves carrying out a number of preparatory activities, which are organised in different phases, as described below.
3.6.1.1 Mapping of At-Risk Activities
During this phase, a context analysis is carried out in order to map all the activities carried out by the Company and, among these, identify those in relation to which the Offences may be committed (referred to as ‘At-Risk Activities’).
The identification of At-Risk Activities is carried out through a preliminary review of relevant corporate documentation – including, by way of example: organisation chart, proxies and company procedures – and the collection of information from the top management, the employees and the Group functions.
Together with the identification of potential risks, an analysis of the control system adopted by the Company and capable of preventing the risks of commission of specific Offences is carried out.
3.6.1.2 “Gap analysis”
Based on the findings of the analysis described above, the Company has identified, with respect to the current corporate context, the At-Risk Activities and the actions to be implemented in relation to the same (gap analysis), which include existing internal procedures and controls, as well as organisational requirements that are relevant for purposes of preparing the Model.
3.6.1.3 Model Preparation
Upon completing the phases described above, the Model was then prepared. 3.6.1.4 Modifications, updating and continuous improvement of the Model
All substantive amendments and additions to the Model are the responsibility of Uber Shareholders’ Meeting.
The Sole Director of Uber is also vested with the power to make non-substantive changes or additions to the document.
In both cases, the above amendments must be submitted in advance to the Supervisory Body.
More specifically, action will be taken promptly to: (a) modify the Model where material violations or circumventions of the same are established which prove that the same is not capable, even if only in part, of ensuring effective prevention of the predicate offences; (b) update the Model 231, including upon a proposal by the Supervisory Body, in case of material changes or modifications in the applicable laws or regulations, including domestic ones, regulating the Company’s operation and/or its structure, organisation or business.
For the above purposes, the Supervisory Body must notify the governing body in writing of the circumstances showing the need or mere opportunity to amend or update the Model 231.
3.6.2 Procedure followed to prepare the Model
To prepare the Model, the following procedure was followed:
• upon a careful review of the relevant corporate documentation and after opening a dialogue within the Company, the Company’s main business Activities were identified and mapped, which were subsequently matched with the main at-risk areas, thus identifying At-Risk Activities 231;
• for each At-Risk Activity 231, the groups of offences referred to under Legislative Decree No. 231/2001 were identified which could be committed while performing those activities. For each group of offences identified in relation to a At-Risk Activity 231, an example was provided of the possible manners in which the predicate offences, included in the groups of offences identified, could be committed;
• in order to assess the risk arising from each At-Risk Activity 231, a risk assessment matrix was prepared containing the formulas for assessing the “inherent risk” (produced by the combination of probability and impact) and the “residual risk”, which is the remaining risk after the Company has implemented horizontal and vertical control measures in relation to each At-Risk Activity 231;
• workshop sessions were organised with the Company, in which the risk assessment and the relevant criteria applied were illustrated, and participants were asked to fill in a questionnaire concerning the activities that they carry out, so as to define the risk inherent in the At-Risk Activities 231 under consideration and to formulate specific questions aimed at assessing any possible “gaps”;
• the findings of risk assessment were processed, finalising the mapping of risks, the safeguards and any “gaps”.
3.7 Structure of the Model
The Model 231, the contents of which are organised by groups of offences, comprises:
(a) this General Part, which illustrates the overall structure of the Model 231 and the set of rules and general principles laid down therein;
(b) the Special Part, which illustrates the different Groups of Offences identified in relation to the At-Risk Activities which characterise the various business processes and the relevant Compliance Protocols.
3.8 Concerned Parties under the Model
The rules contained in this Model apply to all the people who are part of the Company’s organization and specifically to:
(a) individuals who hold representation, direction or management roles within the Company;
(b) individuals who are entrusted with management or control powers over the Company;
(c) all Company’s Employees subject to the direction or supervision by the individuals referred to above, including contract workers hired through licensed employment agencies, who are considered Employees for purposes of this Model.
In addition, the principles of conduct contained in the Model and certain specific rules apply also to independent third parties that carry out their activity providing goods and/or performing services also in the interest of the Company and in relation to the At Risk Activities regulated by this Model. All those independent third parties are collectively referred to as the “Associated Parties”.
The Associated Parties include first of all:
• the couriers that deliver orders placed by users with the restaurants through the Uber platform (the “Couriers”); and
• the restaurants that use the Uber platform (the “Restaurants”).
It must be pointed out that Couriers and Restaurants, even if they have entered into an agreement with Uber Eats Italy S.r.l. and operate their services in the interest of such company, are in any case Associated Parties for purposes of the Model, as the Company carries out its compliance oversight with respect to these parties in the context of the assistance and support services that it provides to Uber Eats Italy S.r.l.. For this reason, the Compliance Protocols applicable to Couriers and Restaurants are included in the Special Part of this Model, and any breach of these controls by Couriers and Restaurants will result in the sanctions provided for in SECTION 6 below being imposed.
Furthermore, the Associated Parties include also the consultants, the contractors, the Suppliers, any intermediaries and/or agents and the Partners that carry out their activity in the interest of the Company and in relation to one or more At-Risk Activities.
The Company’s Model 231 represents a collection of principles and a reference point for all Subsidiaries in preparing a Model 231, although they all have autonomous powers in the preparation, implementation and revision of their own Model 231, based on each specific corporate context. Without prejudice to the foregoing, in the preparation and review of its Model 231, each Subsidiary will also consider the indications and implementation procedures established by the Company according to the Group’s organisational and operational structure. Each Subsidiary must establish an autonomous and independent Supervisory Body.
The Company has instructed its representatives within the corporate bodies of the subsidiaries, consortia and joint ventures to promote the principles and contents of Model 231 in their respective areas of competence. The Company’s Supervisory Body monitors proper fulfilment of their duties.
SECTION 4: THE SUPERVISORY BODY
4.1 Appointment of the Supervisory Body
In implementing the provisions of the Decree – which, in Article 6, first paragraph, letter b) sets out, as grounds for exemption from corporate liability, that a corporate body entrusted with autonomous decision-making and oversight powers, is tasked with supervising the implementation of and compliance with the models as well as updating the Model – Uber has appointed a body (the “Supervisory Body” or “SB”) to oversee the implementation of and compliance of the Model, as well as its updating.
Regarding the composition of Uber Supervisory Body, both external and internal members may be appointed, for a total number of not less than three and not more than five, the majority of which must be external.
The Shareholders’ Meeting approves the resolutions concerning the actual number of members of Uber Supervisory Body, the selection and appointment of the members and the compensation payable to external members.
The Supervisory Body is appointed by a Shareholders’ Meeting’s resolution: at the time of appointment, adequate clarifications must be provided during the related meeting regarding the professionalism of its members, whose curriculum vitae must be attached to the relevant minutes.
The appointment of the SB is notified to all the Company’s Representatives on the company’s Intranet site.
4.2 Eligibility Requirements
The members of Uber SB must satisfy adequate requirements, such as autonomy, independence, professionalism, continuity of action, as well as integrity and absence of conflicts of interest.
We will analyse the specific requirements of the Supervisory Body here below, pointing out the following.
4.2.1 High degree of autonomy and independence.
The autonomy and independence requirement entails that the Supervisory Body, in carrying out its duties, reports only to the top management (corporate governance body).
Autonomy and independence must be substantive, that is, the SB must be vested with the power to carry out inspections and audits and be able to access relevant corporate information on its own initiative, must have adequate resources and be able to rely on tools, support and expert [advice] in carrying out its monitoring activities.
More specifically, this requirement is ensured by the obligation of the governing body to approve an adequate annual budget, including on a proposal by the Supervisory Body, to be allocated to the same to serve any need arising from the proper performance of its duties (e.g., specialist advice, travel, etc.).
Independence also means that the members of the Supervisory Body must not have any conflict of interest with the Company, not even potential, nor hold executive level positions within the Company that would undermine their fair judgement in assessing compliance with the Model.
Finally, to satisfy the independence and autonomy requirements, from the time of appointment and for the entire term of office, the members of the Body:
(a) must not serve as directors;
(b) must not hold, directly or indirectly, any shareholdings in the Company’s capital nor hold, directly or indirectly, any shareholdings in other companies that allow them to exercise control or significant influence over the Company;
(c) external members must not have any financial relationship with the Company, its subsidiaries or related companies capable of affecting their independent judgement, having regard – among other things – to their personal financial situation, nor must they engage in material business relations with the directors entrusted with managing powers (executive directors) and with the Company’s majority shareholders;
(d) internal members must hold a non-executive position and not be directly engaged in business activities, such as parties carrying out compliance and/or internal audit functions;
(e) may serve as Statutory Auditor;
(f) must not have relations with or be a family member of the executive directors, provided that family member means non-legally separated spouses or persons related within the fourth degree of consanguinity or affinity;
(g) must not have any relationship of consanguinity or affinity within the fourth degree with, nor be married to, the Sole Director, individuals who hold representation, direction or management roles within the Company, individuals who are entrusted with management or audit powers over the same, including on a de facto basis, the Statutory Auditors of the Company and representatives of the Independent Auditing Firm, as well as any other parties indicated by the law;
(h) must satisfy and continue to satisfy the integrity requirements specified in paragraph 4.2.2.
4.2.2 Integrity and cases of ineligibility.
A person is ineligible to be a member of the Supervisory Body, and if appointed, is removed from office, in the following cases:
(i) the cases referred to under Article 2382 of the Italian Civil Code, i.e., a person has been disqualified, incapacitated, declared bankrupt or convicted of an offence as a result of which he/she may not hold, including temporarily, public offices or may not be appointed as an executive;
(ii) a preventive measure has been issued by the courts under Law No. 1423 of 27 December 1956 (Law on preventive measures against individuals that may harm public safety and morality) or Law No. 575 of 31 May 1965 (Anti-mafia Law);
(iii) a conviction has been entered, including with a decision that is not final or that has been suspended, or a penalty has been requested under Article 444 of the Italian Code of Criminal Procedure, unless criminal rehabilitation has been granted:
1) for one of the offences provided for in Section XI of Chapter V of the Italian Civil Code (Criminal Provisions on Companies and Consortia) and in Royal Decree No. 267 of 16 March 1942, as subsequently amended and supplemented (Provisions on bankruptcy, pre-bankruptcy arrangements with creditors, receivership and compulsory administrative liquidation);
2) for an offence against the public administration, or imprisonment for a period of not less than one year for an offence concerning falsification of documents or forgery, against property, against public order, against the public economy or for an offence in tax matters;
3) as a result of which he was sentenced to at least two years in prison for any offence committed with intent;
4) when convicted of one or more of the offences listed under Legislative Decree No. 231/01, regardless of the sanction imposed;
(iv) has been disqualified, incapacitated, subject to bankruptcy proceedings or has been convicted with a decision involving disqualification from public offices, the prohibition to hold executive roles within companies and other legal entities, a ban from engaging in a certain profession or business, and/or the prohibition to contract with the Public Administration;
(v) have served on the SB in companies against which the sanctions provided for in Article 9 of Legislative Decree No. 231/01 have been imposed, unless 5 years have elapsed since a final decision imposed the sanctions and a conviction has not been entered, including with a final decision, against the member;
Likewise, a person is ineligible to be a member of the Supervisory Body, and if appointed, is removed from office, if the accessory administrative sanctions provided for by Article 187- quater of the Italian Consolidated Law on Finance (Legislative Decree No. 58/1998) have been imposed against him or if he has been convicted of offences involving disqualification, including temporary, from public offices or temporary disqualification from the holding executive roles within any legal entity.
4.2.3 Proven professionalism and specific skills including in the auditing and consulting field.
The Supervisory Body must possess technical and professional skills appropriate to the duties which it is required to perform. These requirements, together with its independence, ensure impartial judgement; it is, therefore, necessary, that individuals with adequate professional skills in the legal field and in monitoring and managing business risks are among the Supervisory Body’s members; moreover, the Supervisory Body’s external members must be chosen from among professional that have expertise in the legal field, business organisation, auditing, accounting, finance, and workplace safety.
In addition, the Supervisory Body may rely on resources that have expertise in the legal field, business organisation, auditing, accounting and finance, including through the assistance of external consultants.
4.2.4 Continuity of action.
The Supervisory Body carries out the actions required to monitor compliance with the Model on an ongoing basis, with adequate commitment and the necessary investigative powers; it is a corporate body so as to ensure ongoing monitoring; it takes care of the implementation
of the Model, ensuring continuous updating of the same; it does not perform operational tasks that may affect and influence its organic vision of the corporate business, as is required.
In compliance with the provisions of the Decree, and considering all the above, the Company’s Shareholders’ Meeting found that the composition of the Supervisory Body that best meets the requirements of the Decree is as follows: an external professional expert in criminal law, corporate governance, control and management of corporate risks, the Sole Statutory Auditor or a member of the Company’s Board of Statutory Auditors and the Compliance Champion.
This choice was based on the fact that the above professionals were recognised as the most suitable to make up the Supervisory Body because, in addition to the requirements of independence, professionalism, integrity and ongoing service that are required to be a member, and the specific skills in terms of review and consulting activities, they also possess those subjective requirements that further ensure the autonomy and independence required to carry out the function entrusted to them, such as integrity, absence of conflicts of interest and a family relationship with corporate bodies and top management.
Adequate information on the possession of the above requirements will be provided at the Shareholders’ Meeting at the time of appointment of the members of the Supervisory Body, together with the curriculum vitae of the individuals concerned.
4.3 Term of Office
The members of the Supervisory Body are appointed for a term of 3 (three) years, unless otherwise determined at the Shareholders’ Meeting appointing them.
When the term of office expires, the Supervisory Body may continue to carry out its functions and exercise its powers, as further specified below, until the appointment of new members at the Shareholders’ Meeting.
The members of the Supervisory Body are required to sign, at the time of appointment and subsequently on an annual basis, a declaration certifying the existence and subsequent persistence of the independence requirements referred to above and, in any case, to immediately inform the Sole Director and the other members of the Supervisory Body of the occurrence of any impeding conditions.
The members of the Supervisory Body may only be removed at the Shareholders’ Meeting for just cause, and supported by a resolution stating the reasons for removal, or, only in the case of the internal members of the Supervisory Body, based on documented business needs.
In such cases, the Shareholders’ Meeting shall replace the appoint substitutes of the removed members of the Supervisory Body.
Lastly, the internal members of the Supervisory Body are disqualified from office if they are assigned to a department in the company other than the one held by them at the time of their appointment. In such cases, a replacement for the outgoing members of the Supervisory Body is to be appointed at the Shareholders’ Meeting.
The following are just cause for removal:
(a) violations of this Model;
(b) the occurrence of one of the incompatibility grounds referred to in paragraph 4.2;
(c) an adverse judgement affecting the Company under to the Decree or a plea-bargained sentence, which has become final, where it appears from the documents concerned that the Supervisory Body has “failed to act or acted negligently”, in accordance with the provisions of Art. 6, paragraph 1, subparagraph d) of the Decree;
(d) failure to attend more than three consecutive meetings without justification; (e) negligence in the performance of one’s duties;
(f) in the case of individuals with an internal position in the company structure, any resignation or dismissal or termination of employment of any kind;
(g) a change in the equity structure involving a change in the person who has the majority of the votes that may be cast at the Ordinary Shareholders’ Meeting.
In the event of resignation or automatic disqualification of a member of the Supervisory Body, the latter shall promptly notify the Sole Director, who shall make the appropriate decisions without delay.
The Supervisory Body is considered dissolved if the majority of its members resign or they cease from office for other reasons. In such case, new members are to be appointed at the Shareholders’ Meeting.
The members may resign at any time, by giving written notice, and stating the reasons for the resignation, to the other members of the Supervisory Body, to the Shareholders’ Meeting, to the Sole Director and to the Statutory Auditor. In the event of the resignation of one or more members, the resignation is not effective until it is accepted or the replacement member(s) is/are appointed at the Shareholders’ Meeting.
4.4 Function of the Supervisory Body
The Supervisory Body is in charge of oversight regarding:
(a) the effectiveness and adequacy of the Model in relation to the company structure and the actual ability to prevent the commission of the Offences;
(b) compliance with the Model on the part of Employees, Corporate Bodies, Associated Parties;
(c) whether the Model should be updated, where there is a need to adapt it in relation to changed company and/or regulatory conditions.
On a more operational level, the Supervisory Body is entrusted with:
(i) Updates, regulatory authority, reporting:
a. propose the preparation of the internal organisational documents necessary for the implementation of the Model, containing directives, clarifications or updates, suggest and promote the issuing of procedural directives implementing the principles and rules contained in the Model;
b. interpret relevant regulations and verify the adequacy of the Model to the regulatory requirements, reporting to the Sole Director on possible action areas;
c. verify that the measures provided for in the individual Special Parts of the Model for the prevention of the various types of offences (adoption of standard clauses, performance of procedures, etc.) are adequate and meet the requirements of compliance as provided in the Decree, and if not, propose an update of the measures;
d. analyse the company’s activities with a view to updating the mapping of activities at risk under Legislative Decree No. 231/2001;
e. promote the review and any updating of Model 231 in relation to (a) finding violations of the provisions of Model 231, (b) significant changes to the Company’s internal structure, business activities or related procedures and/or (c) regulatory changes (e.g. the additions of new predicate offences under Legislative Decree 231/2001), reporting to the Sole Director on any action areas;
f. promote, if it appears that implementation of the provisions of Model 231 is deficient in some way, all the necessary actions to bring conduct in line with the provisions of the Model;
g. indicate in the annual report referred to in paragraph 4.7 the appropriate additions to the system for managing financial resources (both inbound and outbound) to introduce measures to detect the existence of any unusual cash flows having greater margins of discretion than normally envisaged;
h. indicate in the annual report referred to in paragraph the 4.7 the advisability of instituting particular procedural directives implementing the principles contained in the Model, which may not be consistent with those currently in force in the Company, and also ensuring their coordination with the existing ones;
i. coordinate with the heads of the other company departments on the various aspects concerning the Model’s implementation (adopting standard clauses, personnel training, disciplinary measures, etc.);
j. periodically verify - with the support of the other responsible company departments - the authorisation system in effect, recommending changes if the management authority and/or qualification is not included in the management authority granted;
k. promptly report to the Sole Director and the Statutory Auditor in relation to any serious violations of Model 231, requesting the support of the company departments able to assist in verifying the activity and identifying the appropriate actions to prevent the situation in question from being repeated;
(ii) Verifications and checks:
a. conduct checks of the company’s activities to update the mapping of At-Risk Activities;
b. in compliance with the provisions of the Supervisory Body’s annual calendar of activities, carry out periodic targeted tests on certain transactions or specific actions carried out by Uber, especially in the context of At-Risk Activities, the results of which must be summarised in a special report to be reported to the appointed Corporate Bodies;
c. collect, process and store relevant information regarding compliance with the Model, as well as update the list of information that must be transmitted to or kept by it;
d. coordinate with the company departments (including through special meetings) for the best monitoring of activities related to At-Risk Activities and the related procedures established in the Model. To this end, the Supervisory Body has free access to all company documentation (both hard copy and electronic) that it considers relevant and must be constantly informed by the management: a) on the aspects of the company business that may expose Uber to the risk of committing one of the Offences; b) on business relationships with Associated Parties;
e. activate and carry out internal investigations, liaising from time to time with the business departments concerned to acquire further investigation information;
f. request the implementation of the control procedures provided for by the Model including by issuing or proposing internal (regulatory and/or informative) directives;
g. collect, process and store the relevant information (including the reports referred to in paragraph 4.9 below regarding compliance with the Model, and update the list of information that must be sent to or kept by them (see paragraph 4.9 below);
h. check whether the required documents exist, are regularly maintained and are in effect in accordance with the provisions of the individual Special Parts of the Model. More specifically, the Supervisory Body must be notified of the most significant activities or transactions covered by the Special Parts, and the data updating documents must be provided to it to allow the relevant checks to be carried out;
i. promptly verify any issue found by the responsible Company Representatives with regard to the company’s financial cash flow, proposing the appropriate operational solutions;
j. verify that the corrective actions necessary to make Model 231 adequate and effective are promptly implemented.
(iii) Training
a. promote suitable measures for spreading knowledge and understanding of the Model;
b. participate in establishing training programs for personnel and the content of periodic notifications to be given to Employees and Corporate Bodies, aimed at providing them with the necessary awareness and basic knowledge of the regulations under Legislative Decree no. 231/2001;
c. monitor measures for spreading knowledge and understanding of the Model and prepare internal documents required for its effective implementation, containing instructions for use, clarifications or updates of the same;
d. have the space on the Company’s Intranet and website, containing all the information relating to Legislative Decree No. 231/2001 and the Model, prepared and continuously updated;
(iv) Violations of the Model and Sanctions:
a. conduct internal investigations to ascertain alleged violations of the provisions of this Model, enlisting the assistance, where considered necessary, of any Company Representative;
b. coordinate with company management to assess or propose the adoption of any sanctions or measures, subject to the responsibility area of the latter - and more specifically of those in charge of human resources management - with regard to the decision to be made and imposition of the same (please refer to Section 6 of this General Section on this point);
c. periodically verify, with the support of the other responsible departments, the validity of the standard clauses aimed at implementing sanctioning means (such as contract withdrawal in the case of Associated Parties) if violations of requirements are ascertained and the effective application of such sanctioning means.
4.5 Powers of the Supervisory Body
The Supervisory Body has independent powers of initiative and monitoring to supervise the implementation of and compliance with the Model, but does not have enforcement powers or powers to take part in the company structure or to impose sanctions; these powers are delegated to the responsible Corporate Bodies or to the responsible company departments.
For purposes of working with the departments of the Company and the Group, the Supervisory Body may enlist the support of the Compliance Champion.
The Supervisory Body must be constantly supported in any way by the Company’s management in carrying out its supervisory and monitoring tasks, considering the specific powers and the specific professional content required.
The management, within the scope of the respective functions and within the limits of the powers delegated to it, is primarily responsible for: 1) monitoring the activities and areas of responsibility; 2) compliance with the Model by the Employees it manages; 3) timely and proper reporting to the Supervisory Body on any unusual events, problems encountered and/or serious issues identified.
The Supervisory Body may request the Compliance Champion and, through it, the departments of the Company or Group to conduct specific monitoring activities on the correct and complete implementation of the Model.
In addition, the EMEA Compliance and EMEA Internal Audit functions provide the Supervisory Body with all the assistance and support required by the instructions referred to in paragraph 2.5.
All individuals with an internal role in the company structure are required to monitor and report to the Supervisory Body on the correct application of this Model, each within the scope of his or her own area of operational responsibility.
The Supervisory Body may enlist, whenever it considers it necessary for the performance of its supervisory activities and all the provisions of this Model, the support of additional company resources when considered necessary from time to time, chosen from within the various company departments, without time and number limitations. These resources may also constitute a dedicated full-time or part-time staff, should the need arise.
Moreover, in cases where activities involving specialised assistance not available within Uber are required, the SB may engage external consultants.
The autonomy and independence that must necessarily characterise the activities of the SB have made it necessary to take certain measures for its protection, to guarantee the Model’s effectiveness and to prevent its monitoring activities from generating forms of retaliation to its detriment. Therefore, decisions concerning relocations or sanctions relating to the SB and its members, when they are employees of the Company, are to be made only by the Sole Director, after seeking an opinion as to same at the Shareholders’ Meeting.
Therefore, the Supervisory Body is vested with the following powers:
• power to access all documents and information relating to the Company;
• power to enlist the support of all the Company’s departments, which must provide the requested support, of auditors and external consultants;
• power to collect information from all the Concerned Parties under this Model, including the auditing firm and the Associated Parties, in relation to all the Company’s activities;
• power to request, through the appropriate channels and individuals, a meeting with the Sole Director and the Statutory Auditor to deal with urgent matters;
• power to request that company officers participate, without decision-making power, in the meetings of the Supervisory Body;
• power to use external consultants engaged for specific areas of inquiry. In this regard, the Sole Director must approve an annual budget for the Supervisory Body, which it may use without restriction in relation to its activities, subject to making requests for additional funds for any needs that may arise.
4.6 Rules for Convening and conducting meetings
The Supervisory Body may establish specific rules for the way in which it operates, based on the principles set out below:
• the Supervisory Body is to meet quarterly and the relevant documents are to be distributed at least 3 days before the meeting;
• the meetings are to be held in person, by video or tele-conferencing (or a combination thereof);
• the governing body or the control body may request that the Supervisory Body meet at any time;
• a majority of members is required for meetings to be validly held;.
• ad hoc meetings may be held and all decisions made during these meetings must be reported to the next quarterly meeting;
• decisions made are to be unanimous; in case of lack of unanimity, the majority decision prevails and is immediately reported to the Sole Director;
• the minutes of the meetings are to report all the decisions made by the Supervisory Body and reflect the main items taken into consideration to reach the decision; the minutes are kept by the Supervisory Body in its files.
4.7 Reports of the Supervisory Body
The Supervisory Body reports on the Model’s implementation and on any serious issues that arise.
The following two lines of reporting are assigned to Uber’s Supervisory Body: • first, directly to the Sole Director on an ongoing basis,;
• second, to the Shareholders’ Meeting and to the Statutory Auditor on a periodic basis at least every six months.
Included in these information flows are:
1) the activity carried out by the Supervisory Body office;
2) any serious issues (and ideas for improvement) that have arisen in terms of conduct or internal events at Uber, as well as in terms of the Model’s effectiveness. If the Supervisory Body learns of serious issues relating to one of the reporting parties, the corresponding report should be promptly sent to one of the other parties identified above.
Additionally, each year the Uber Supervisory Body is to send a written report to the Sole Director on the Model’s implementation at the Company containing:
(a) a summary analysis of all the activities carried out during the year (indicating more specifically the specific verifications and checks carried out and their outcome, any updating on the mapping of At-Risk Activities, etc.);
(b) the draft business plan for the coming year.
Meetings with the bodies to which the Supervisory Body reports must be recorded in minutes and copies of the minutes must be kept by the Supervisory Body.
The Shareholders’ Meeting and the Sole Director have the right to convene a meeting of the Supervisory Body at any time, which, in turn, may convene, through the responsible departments or parties, a meeting of the aforementioned bodies for urgent reasons.
The Supervisory Body must also coordinate with the Company’s relevant departments, or with any other companies to which departments have been outsourced, for various specific matters, such as, for example:
• with the legal department for company obligations that may be relevant to the commission of corporate offences; and
• with the head of the administration and finance department regarding the management of financial cash flows.
4.8 Information flows to the Supervisory Body
The Supervisory Body is to exercise its verification and supervisory responsibilities through the analysis of systematic information flows.
The above information and the documents to be sent and/or provided to the Supervisory Body, within the respective time frame and through the information channels to be used, is identified in the individual Special Parts and/or in the operational procedures/directives adopted by the Company.
In addition, the Supervisory Body is to define and identify:
• on a periodic basis, the information flows to be provided by the Company’s operating departments, including on matters outsourced to other Group companies, and the parties responsible for providing such information; the information must be provided within the timeline and in the manner instructed in this regard;
• if necessary, any other information of any kind, including from third parties and relating to the Model’s implementation in relation to At-Risk Activities and/or compliance with the provisions of Legislative Decree 231/2001, which may be considered useful for the performance of the Supervisory Body’s tasks.
More specifically, any information considered useful for the activity of the Supervisory Body must be provided in writing to the Supervisory Body by the parties concerned, including, by way of example:
(i) results of the checks performed in implementing Model 231, which reveal serious issues/anomalies;
(ii) the results of internal audits showing liability;
(iii) significant or unusual transactions that may constitute an offence; (iv) deviations from the application of the internal rules adopted by the Company and in force;
(v) news about organisational changes;
(vi) upgrades to the System for Delegating Authority;
(vii) requests for legal assistance made by the Personnel on the basis of which a judicial inquiry is made for possible offences;
(viii) significant violations of workplace health and safety regulations, as well as workplace accidents and illnesses that have occurred;
(ix) any communication from the auditing firm concerning aspects that may indicate weaknesses in the internal control system, comments on the financial statements and/or wrongdoings.
In addition to the information flows indicated above, the Corporate Bodies and Employees must immediately provide to the Supervisory Body information concerning:
• measures and/or information coming from police authorities, or from any other authority, showing that investigations or proceedings, even against unknown parties, are being carried out for the Offences when such investigations involve Uber or its Employees, Corporate Bodies, Associated Parties;
• any sort of inspection by public authorities (judiciary, Italian Tax Police, other authorities, etc.);
• the reports prepared by the heads of the various Company Departments as part of their supervisory activities and which show serious facts, acts, events or omissions arisen with regard to compliance with the provisions of the Decree;
• information relating to the effective implementation of the Model, at all levels of the Company, with evidence of the sanctioning procedures carried out and any sanctions imposed (including measures against Employees) or the dismissal of such procedures with the related reasons, if they are connected to the commission of Offences or violation of the Model’s rules of conduct or procedures.
In addition, the Supervisory Body receives from the EMEA Compliance and EMEA Internal Audit functions the information flows provided for in the instructions provided to these departments referred to in paragraph 2.5.
The Supervisory Body may, in any case, request, with full autonomy, further information issued periodically or information concerning specific situations from any company department or office. It must be the responsibility of the company units to ensure that all documentation is kept related to the information sent to the Supervisory Body, as required by current operating practices.
The EMEA Compliance department and the Compliance Champion must provide the Supervisory Body with the support required for defining, collecting, managing and analysing information flows, including supervising and coordinating the sending of these flows by the company departments.
4.9 Reporting and communications to the Supervisory Body
In addition to the information flows referred to in § 4.8 above, the Supervisory Body must be informed, by means of specific reporting by Employees, Corporate Bodies, Associated Parties about (i) possible offences and/or violation of the rules and the safeguards provided for in the Model, (ii) events that could expose Uber to liability under Legislative Decree 231/2001 or (iii) areas for improvement in the definition and/or application of Compliance Protocols.
Employees and Corporate Bodies must report to the Supervisory Body detailed reports of conduct that does not comply with the principles and provisions of Model 231. More specifically, any illegal conduct relevant under Legislative Decree 231/2001 must be reported, and based on specific and relevant facts, as well as any violation of this Model 231, which the whistle-blower has become aware of by reason of the employment tasks performed by him/her.
Reports must be made in writing, and submitted through the channels provided by the
Group Integrity Helpline, or alternatively by sending the reports to the email address odv@uber.com.
The confidentiality of the whistle-blower’s identity is to be protected, both during the notification phase and in all subsequent activities involved in managing the report, subject to the legal obligations and the protection of the rights of the Company and of individuals accused wrongly and/or in bad faith.
The Sole Director, supported by the Compliance Champion, verifies and ensures that anyone making a report is not subject to any form of retaliation, discrimination or penalisation, directly or indirectly, for reasons related to the report. More specifically, no one may be dismissed, demoted, suspended, threatened, harassed or discriminated against in any way in the workplace for reports made, subject to the provisions of paragraph 6.2 below concerning reports made with wrongful intent or gross negligence.
The EMEA Compliance department and the Supervisory Body both perform supervisory and oversight functions in relation to: (i) the absence of retaliatory or discriminatory measures against the whistle-blower and (ii) protecting the confidentiality of the whistle blower’s identity.
If the report is not provided directly to the Supervisory Body, the recipients of the report shall promptly forward the original report to the Supervisory Body, using appropriate confidentiality criteria to ensure the effectiveness of the investigations and the integrity of the individuals concerned.
More specifically, the EMEA Compliance function, following the instructions set out in paragraph 2.5, is tasked with taking charge of the reports received through the Uber Integrity Helpline, identifying any reports relevant for the purposes of the Model, and informing the Supervisory Body and the Compliance Champion of these reports. The EMEA Internal Audit function, following the instructions set out in paragraph 2.5, is tasked with supporting the Supervisory Body and the EMEA Compliance Function in auditing these reports, and performing any follow-up actions.
Reports lacking any substantive evidence to support them, that are excessively vague or unsubstantiated or are obviously defamatory or slanderous will not be taken into consideration.
The Associated Parties, regarding their business conducted with Uber, also report directly to the Supervisory Body sending the reports to the email address odv@uber.com.
These parties do not have access to the Uber Integrity Helpline, which is reserved for Employees.
For Couriers, an additional reporting channel is activated via the App used by them. This channel allows EMEA Compliance to be notified directly via “chat”. In turn, EMEA Compliance will promptly inform the Supervisory Body of any reports falling within the scope of the Supervisory Body’s area of responsibility as specified in the first paragraph of this section.
The Supervisory Body evaluates the reports received and adopts any measures taken as a result at its reasonable discretion and under its responsibility, and may take a statement from the whistle-blower and/or the individual responsible for the alleged violation, and carries out investigation activities, giving reasons in writing for any refusal to proceed with an internal investigation.
It is understood that the disciplinary system adopted under Article 6, paragraph 2, subparagraph e) of Legislative Decree 231/2001 provides for specific sanctions against anyone who violates the measures for protecting the whistle-blower, as well as anyone who makes reports with wrongful intent or gross negligence that prove to be unfounded.
4.10 Confidentiality obligations
The members of the Supervisory Body ensure the confidentiality of the information in their possession, more specifically if it concerns reports they received of alleged violations of the Model.
The members of the Supervisory Body are also to refrain from using confidential information for purposes other than those referred to in paragraph 4.3 above and in any case for purposes that do not comply with the tasks required of a supervisory body, except in the case of express and informed consent.
Failure to comply with these obligations shall constitute grounds for removal.
4.11 Collection and storage of information
All information gathered and all reports received or prepared by the Supervisory Body are to be kept for 10 years in a special file held by the Supervisory Body in hard copy or electronic form.
SECTION 5: SELECTION AND TRAINING OF HUMAN RESOURCES AND DISTRIBUTION OF THE MODEL
5.1 Employee Hiring
Uber’s Supervisory Body assists the Company in evaluating personnel during the hiring phase, verifying that the hiring processes are conducted according to principles of merit, which have always been ensured at the company level.
5.2 Training and informing Employees
The training of personnel, managed by Uber working closely with the Supervisory Body, aims to make the Model adopted by the Company known and to adequately support anyone involved in carrying out At-risk Activities.
For purposes of this Model’s effectiveness, it is therefore Uber’s objective to ensure that human resources already employed in the Company as well as future employees are duly aware of the rules of conduct contained therein.
The level of awareness is achieved with differing degrees of depth in relation to the differing level of involvement of the human resources in At-Risk Activities.
In this regard, a training plan will be periodically prepared, with the collaboration of the Supervisory Body, that considers the many variables present in this context; more specifically:
• the targets (e.g. the recipients of the training, their level and organisational role, etc.); • the content (e.g. relevant topics in relation to the recipients, etc.);
• delivery tools (e.g. classroom courses, e-learning, etc.);
• delivery and completion times (e.g. training preparation and duration, etc.); • the commitment required of the recipients (e.g. time to complete, etc.); • specific needs arising in relation to the specific business operations concerned. The plan must include:
5.2.1 The initial notification
All Employees in the company are notified of the adoption of this Model at the time of its adoption.
New hires, on the other hand, are given an information set (e.g. CCNL, Organisational Model, Legislative Decree 231/2001, etc.), to ensure that they are made aware of matters considered of primary importance.
5.2.2 Training
The training activity aimed at spreading awareness of the regulations under Legislative Decree 231/2001 is tailored, in terms of content and delivery methods, according to the qualifications of the Concerned Parties, the level of risk in the area in which they operate, whether or not the representation of the Company is entrusted to the Concerned Parties. More specifically, specific classroom training must be provided for individuals working in the departments where there is a greater risk of illegal conduct, as well as meetings set up with management and members of the Supervisory Body.
It must have broad coverage, be effective, authoritative and clear, and must provide proper details and be repeated at regular intervals.
More specifically, Uber ensures the adoption and implementation of an adequate level of training through appropriate distribution tools, and specifically through:
− business meetings; and
− institutional courses (classroom or web-based) on specific At-Risk Activities under the Decree, with personnel assessments made based on testing.
The training content is updated as changes in the regulations and the Model dictate: therefore, if significant changes occur (e.g. extension of the Company’s corporate liability to new types of offences), the content is updated accordingly, and its completion ensured.
The training courses prepared for Employees must have a mandatory frequency, and Uber’s Supervisory Body must be informed about the results - in terms of participation and satisfaction - of such courses.
The information and training system is supervised and made up of the activity carried out regarding same by the Supervisory Body in collaboration with the Compliance Champion, human resources management staff and/or external consultants.
Failure by the Employees to participate in training activities without justification constitutes a violation of the principles contained in this Model and, therefore, it warrants disciplinary action in accordance as provided in chapter 6 below.
The Supervisory Body periodically verifies the status of the training plan’s implementation and may request periodic checks on the level of awareness that Employees have of the Decree, the Model and its operational implications. These checks will be commensurate with the type of training provided for each target.
5.3 Engaging and information of Associated Parties
Specific criteria – whose adequacy is periodically assessed – are adopted for the engaging of Associated Parties.
The adoption of the Model and Uber Business Conduct Guide by Uber must be made known to these subjects at the time of signing the respective contract, also through the provision of specific contractual clauses.
The same may also be provided with specific information on the policies and procedures adopted by the Uber Group based on this Model.
SECTION 6: THE DISCIPLINARY SYSTEM
6.1 Function of the disciplinary system
Establishing a system of sanctions (commensurate with the violation and with adequate deterrent effect) applicable in the event that rules set out in this Model are violated, makes the Supervisory Body’s supervisory action effective and aims to ensure its effective implementation.
Establishing this system of sanctions constitutes, in fact, under Article 6, paragraph 1, subparagraph e), of Legislative Decree 231/2001, an essential requirement of the Model itself for purposes of limiting the Company’s liability exposure.
The application of the disciplinary system and related measures is independent of the prosecution and outcome of any criminal proceedings that may be started in the courts in the event that the conduct to be punished also constitutes an offence established under Legislative Decree 231/2001, as the rules of conduct imposed by the Model are adopted by the Company with full autonomy, regardless of whether the conduct may constitute an offence.
Furthermore, awareness of this disciplinary system must be adequately spread as an integral part of the Model’s implementation, through adequate information and training activities provided to the Company’s Employees.
This section contains the description of the disciplinary measures adopted by the Company in case the Model is violated by the Concerned Parties, in coordination with the disciplinary system of the National Collective Bargaining that Uber is subject to, in compliance with the procedures provided for by Article 7 of Law No. 300 of 30 May 1970 (Workers Statute).
More specifically, in fact, Uber adopts:
(i) for Employees, the disciplinary measures listed in paragraph 6.3 below;
(ii) for Corporate Bodies, the members of the Supervisory Body and the Associated Parties the disciplinary system established by applicable contractual provisions and laws, as further described in paragraphs 6.4, 6.5 and 6.6 below, respectively.
6.2 Violations of the Model and related sanctions
The following conduct constitutes violations that are relevant for purposes of disciplinary evaluation and may warrant disciplinary action:
− violation/partial application/avoidance of the rules of conduct set out in Model 231 and/or Uber Business Conduct Guide;
− violations of internal procedures provided for in this Model or engaging in, while performing activities related to At-Risk Activities, conduct that does not comply with the provisions of the Model whether or not it exposes the company to objective risk of commission of one of the Offences;
− repeated failure to participate, without proper excuse, in training on Model 231 and Uber Business Conduct Guide;
− failure to cooperate, when requested, with the Supervisory Body;
− failure to send information flows/reports in accordance with Model 231, when repeated and aimed at hindering the functions of the Supervisory Body;
− violation of the measures for whistle-blower protections provided for by Model 231, or reports that prove to be unfounded which are made with wrongful intent or gross negligence.
The disciplinary system is subject to constant verification and evaluation by the Supervisory Body and the head of the human resources management department, with the latter being responsible for the specific application of the disciplinary measures outlined herein on any report of the Supervisory Body and after consulting with the supervisor of the individual committing the conduct warranting disciplinary action.
If the conduct in question may constitute a criminal offence established under Legislative Decree 231/2001, action is taken under the disciplinary system independently of the prosecution and outcome of any related criminal proceedings.
6.3 Disciplinary action against Employees
The conduct of Employees in violation of the individual rules of conduct set out in this Model is defined as misconduct warranting disciplinary action.
Workers are subject to the measures - in compliance with the procedures established by the special regulations applicable under Article 7 of Law no. 300 of 30 May 1970 (Workers’ Statute) and any special applicable regulations - provided for by the sanctioning provisions of the CCNL, and more specifically:
− a verbal warning;
− a written warning;
− a fine;
− suspension from work without pay for a maximum of three days; − dismissal for misconduct under Article 25.
All the provisions of the National Collective Bargaining Agreement are unaffected, and are incorporated herein, including, among others:
− the obligation - in relation to the application of any disciplinary measure - to give the employee concerned advance notice of the alleged misconduct and provide the employee an opportunity to be heard and to offer a defence against it;
− the obligation - except for a verbal warning - that notice of the alleged misconduct be made in writing and that the measure not be handed down until 5 days after the notice of misconduct has been given to the employee concerned (during which time the employee may present his or her position);
− the obligation to provide reasons to the employee and to provide a written explanation of the measure;
− the relevance, for the purposes of increased sanctions, of previous disciplinary precedents against the employee and the intentional nature of the conduct.
The type and extent of each of the sanctions referred to above shall be applied, in relation to:
• the intentional nature of the conduct or degree of negligence, imprudence or inexperience with regard also to the foreseeability of the event;
• the overall conduct of the worker with particular regard to the existence or not of previous disciplinary action taken concerning the worker, to the extent permitted by law;
• the worker’s duties;
• the company position of the individuals involved in the events constituting misconduct;
• the other special circumstances involved in the misconduct warranting disciplinary action.
As regards the determination of the misconduct, disciplinary proceedings and the imposition of sanctions, the powers granted to company management are not affected, subject only to the limits of their respective areas of responsibility.
More specifically, the task of determining the misconduct and imposing sanctions on the Employees is assigned to the Sole Director, which may enlist the support of the Supervisory Body, which will be called upon to express a non-binding opinion.
6.4 Disciplinary action against managers
In the event of a violation, by Employees holding management positions, of the procedures provided for in this Model or of engaging, while performing activities connected to At-Risk Activities, in a conduct that does not comply with the provisions of the Model, the Company imposes the most appropriate measures against the responsible parties in accordance with the provisions of the law and the applicable Collective Bargaining Agreement.
The minimum sanction will be a verbal or written notification of misconduct to the Manager.
In more serious cases, such as the commission of an Offence, the possibility of dismissal will be assessed.
The Company may take the violation committed into account in setting the remuneration provided to the managers.
Sanctions are always commensurate with the level of responsibility and independence of the manager, the intentional nature of the conduct and the seriousness of the same, in terms of the importance of the obligations violated as well as the consequences to which the Company may be reasonably exposed (including under Legislative Decree no. 231/2001) as a result of the misconduct.
If several violations are committed with one act and that are subject to different sanctions, the most serious sanction shall apply.
As regards the determination of misconduct, disciplinary proceedings and the imposition of sanctions, the powers granted to company management are not affected, subject only to the limits of their respective areas of responsibility.
More specifically, the task of determining misconduct and imposing sanctions on Employees is assigned to the Sole Director, which may enlist the support of the Supervisory Body, which will be called upon to express a non-binding opinion.
6.5 Disciplinary action against the governing body
In the event of a violation of the Model by the Sole Director, the Supervisory Body informs the Statutory Auditor so that the appropriate measures are taken, including, for example, calling a Shareholders’ Meeting to take the most appropriate measures provided for by law.
In addition, upon the appointment of the new Sole Director, he or she must sign a unilateral commitment to comply with the obligations set out in the Model, as well as a commitment to resign, waiving his or her compensation for the fiscal year concerned, in the event of a conviction, including at in the court of first instance, for the commission of one of the Offences.
6.6 Disciplinary action against Statutory Auditors
In the event of a violation of this Model by the Statutory Auditor, the Supervisory Body informs the Sole Director so that the appropriate measures are taken, including, for example, calling a Shareholders’ Meeting to take the most appropriate measures provided for by law.
6.7 Disciplinary action against members of the Supervisory Body
In the event of a violation of this Model by one or more members of the Supervisory Body, the other members of the Supervisory Body will inform the Statutory Auditor and the Sole Director, who will take the appropriate measures including, for example, the removal of the members of the Supervisory Body who have violated the Model and the subsequent appointment of new members to replace them, or the dismissal of the entire body and the subsequent appointment of a new Supervisory Body.
6.8 Disciplinary action against Associated Parties
Contracts with Associated Parties must contain a specific clause governing the consequences of their violation of the rules established under the Decree (for example, termination of the contractual relationship or any other contractual sanction specifically stipulated, in addition to any claim for compensation, if such conduct causes specific damages to the Company, as in the case of the court’s imposition of the measures provided for in the Decree).
Any violation by Associated Parties of the rules set out in this Model applicable to them or the commission of the Offences is sanctioned in accordance with the provisions of the specific contractual clauses included in the relevant contracts.
This is without prejudice to any claim for compensation if such conduct results in specific damages to the Company, as in the case of the court imposing the measures provided for by Legislative Decree no. 231/2001 against the Company .
The imposition of sanctions against Associated Parties is entrusted to the department that manages the contract concerned.
It must be pointed out that the Couriers and the Restaurants (which, as mentioned above, are Associated Parties for the purposes of this Model) using the Uber platform and that are subject to the Compliance Protocols of the Special Part are also subject to the treatment described in this paragraph, as the Company manages compliance concerning these parties as part of the support services that it provides to Uber Eats Italy S.r.l.
Accordingly, in the event of violations attributable to such parties, the Company will promptly inform Uber Eats Italy S.r.l., which, being the contracting party in the contractual relationship with couriers and restaurants, will sanction the violations in accordance with the specific contractual clauses included in the relevant contracts.
SECTION 7: CHECKS ON THE EFFECTIVENESS OF THE MODEL
The effective application of the Model and its effective implementation must be subject to adequate monitoring and review activities.
These activities are primarily carried out by the EMEA Compliance function, in accordance with the instructions set out in paragraph 2.5.
In addition, the Supervisory Body - in addition to the supervisory activities carried out on an ongoing basis on the Model’s effectiveness (and which consist specifically of verifying that the actual conduct of the Concerned Parties is consistent with the Model) - periodically carries out specific checks on the Model’s suitability to prevent the commission of the Offences and on its alignment with the regulations on the corporate liability of entities, as part of the periodic updating of the Model. For these reviews, the Supervisory Body is supported by EMEA Compliance and the Compliance Champion, and also any third parties able to ensure an external evaluation of the activity carried out.
Finally, the Supervisory Body, with the support of EMEA Compliance and the Compliance Champion, conducts a review of all reports received during the year and of the events considered to produce exposure, of the actions taken by the Supervisory Body and of the awareness of Employees and Company Bodies with regard to the issue of the company’ criminal liability through random checks.
The Supervisory Body normally enlists the support of the Compliance Champion and the EMEA Compliance department, as well as any internal departments that may be necessary for this purpose.
The reviews and their outcomes are reported annually to the Sole Director. More specifically, in the event of a negative outcome, the Supervisory Body will specify the improvements to be implemented in the plan for the year.
Uber’s Supervisory Body will evaluate the advisability of periodically engaging an external consultant for “quality assurance” activity.
SECTION 8: THE MODEL AND UBER BUSINESS CONDUCT GUIDE
The rules of conduct contained in this Model are supplemented by those in Uber Business Conduct Guide. However, the Model’s scope, with its intended purposes in implementing the provisions set out in the Decree, is different from Uber Business Conduct Guide’s scope.
In that respect, in fact:
• The Uber Business Conduct Guide is an instrument adopted independently and generally applicable to the Companies to express ethical principles that Uber recognises as its own and which it calls on all the Concerned Parties to follow;
• the Model, on the other hand, implements specific requirements contained in the Decree, aimed at preventing the commission of the Offences (for acts which, if committed in the interest or to the benefit of the Company, may give rise to the Company’s corporate liability in accordance with the provisions of the Decree).
SECTION 9: COMPONENTS OF THE MODEL
9.1 The components of the Model
This Model 231 is divided into three parts: (1) Organisation, (2) General Compliance Safeguards and (3) Specific Compliance Protocols.
9.2 Organisational components of the Model
The organisational components of the Company’s Model 231 consist of the following:
- Internal rules: the Uber Business Conduct Guide, Group Policies, rules contained in this Model, including the Compliance Protocols in the Special Part of the Model;
- Organisational Structure: a company organisation consistent with the company’s activities, suitable for ensuring appropriate conduct, as well as to ensure a clear and organic allocation of tasks and appropriate separation of functions, ensuring that the organisational structure envisioned is actually implemented and subject to internal control, through (i) an organisation chart formally defined and including individual job descriptions or descriptions for similar groups; (ii) organisational communications clearly indicating the responsibilities assigned, the areas of activity, the connection between the various organisational units, the lines of organisational and operational reporting; (iii) service contracts with Group companies, for outsourcing entire or individual portions of company processes; (iv) a formalised system of granting powers (delegations of authority and powers of attorney), which is an integral and essential component of the Model;
- Supervisory Body: this is the body created under the Model, endowed with autonomy, independence, continuity of action and professionalism, which has the task of supervising the implementation of and compliance with the Model and proposing updates to it; it has spending authority, is supported by company and Group departments and has the power to access company information.
9.3 General safeguards
The following are the general safeguards which are envisaged as an essential part of the Model, and must always be applied and followed regarding all At-Risk Activities taken into consideration by the Special Part of Model 231:
9.3.1 System for granting powers and delegating authority
The Company adopts and keeps updated over time a system for delegating authority based on formalised delegations of authority and granting of powers.
More specifically, a delegation of authority is an internal act of granting functions, tasks and responsibilities. An authorised power is closely connected to the delegation of authority and is understood as the power of approval for internal purposes and related to the exercise of a delegation of authority.
A power of attorney (also intended as a power of “signature/representation”) consists, on the other hand, of a unilateral legal act by which the Company grants specific powers of representation; this act permits the appointed party to act vis-à-vis third parties.
Powers are closely connected and consistent with assigned organisational and management responsibilities and, where appropriate, are limited to specific amounts.
The granting of delegations of authority and powers must comply with the following mandatory principles:
- definition of roles, responsibilities and protections in the process of granting, updating and revoking delegations of authority and powers of attorney;
- granting, updating and revocation of delegations of authority and powers consistent with the roles performed in the organisation, and adjusted in the event of changes in the organisation or changes in individual roles and responsibilities or the exit/entry of individuals;
- timely and ongoing distribution of information on possessing the powers granted and related changes;
- tracking and filing of all documents relating to delegations of authority and powers of attorney granted and the related changes;
- periodic verification that powers of representation are exercised in a manner consistent with the powers of attorney granted;
- periodic monitoring of the adequacy of the system for granting powers and its updating, considering any changes in the Company’s activities.
The Supervisory Body periodically conducts, with the support of the Compliance Champion and the departments concerned, checks on the compliance with the system for delegating authority and granting powers of attorney carried out by the Company and their consistency with the principles and general rules indicated above. At the same time, as a result of the checks, the Supervisory Body recommends any changes or additions.
9.3.2 Separation
At-Risk Activities must be carried out based on the principle of separation of roles: the individual making the decision, the individual authorising it, the individual implementing it and the individual in charge of monitoring the process must be different to the extent possible. The separation of tasks must be ensured by the participation of several individuals in the same process and may be implemented using IT systems that allow only specific identified and authorised individuals to perform certain operations. Where the separation of tasks cannot be fully ensured, secondary checks are to be performed.
The objective of this monitoring system is to prevent an Employee from being able to hide errors or irregularities relating to an operation completed in the performance of his or her duties, without other colleagues involved in the same operation finding the error or irregularity. The fundamental result of this is that an irregularity could only occur in the event of collusion between two or more responsible individuals.
9.3.3 Tracking and filing
All At-Risk Activities must be organised in such a way as to ensure document tracking and after the fact verification of each relevant step in the process, as well as the appropriate and documented filing and hard copy and/or electronic storage of relevant documentation concerning each process..
This protection measure is intended to ensure that all company operations are authorised in advance and that they are supported by adequate documentation, to ensure the transparency of the operations and facilitate their verification at all times.
9.3.4 Outsourced process management system
The Company, as a member of a global group, extensively outsources activities to Group companies that carry out centralised process management.
The outsourced processes were mapped during the Risk Assessment and are identified in detail in the Special Part of the Model.
The use of outsourcing of functions brings significant benefits to the Company which, given its small business size and lower revenues, could not otherwise have an internal structure capable of adequately managing all processes. At the same time, however, the Model requires outsourced activities to be adequately supervised and monitored. To this end, activities are governed by contractual provisions which must provide:
- that the outsourced activities, the manner in which they are to be carried out and the consideration paid for them are adequately defined;
- that the supplier is committed to the proper performance of the outsourced activities in compliance with regulations in force and the Company’s rules;
- that the supplier shall promptly inform the Company of any event that may materially affect its ability to perform the outsourced activities in accordance with the contract;
- that the supplier assures continuity of service, security and confidentiality of data relating to the Company;
- that the Company’s bodies have access to and the right to monitor the supplier’s activity and review its documentation;
- that the Company may withdraw from the contract without disproportionate charges or that could prejudice, specifically, exercising the right of withdrawal;
- that the contract provides adequate remedies to protect the Company in case of breach of contract;
- that the activities may only be sub-contracted to third parties if there are adequate assurances of compliance with the above principles;
- that the supplier undertakes to ensure compliance with Model 231 and other Group policies and that to carry out all activities in compliance with applicable laws;
9.3.5 Financial cash flow management and auditing system
Consistent with the Group’s organisation, the Company adopts a management control system and a cash flow auditing system.
The management of financial cash flow is carried out in compliance with the principles of tracking and documentation of transactions carried out, as well as consistency with assigned powers and responsibilities.
The management control system is divided into various phases of preparing budget forecasts, monitoring budget compliance and periodic review and auditing of the corresponding budgets.
The system ensures:
- the participation of several parties, with appropriate separation of roles for the processing and transmission of information, so as to ensure that all disbursements are requested, authorised, carried out and monitored by independent departments or by parties as distinct as possible, or however managed through IT systems that ensure such separation;
- that there are specific levels of authorisation for using cash in amounts in excess of pre-set levels;
- the ability to timely report when critical situations arise through a system providing adequate and timely information flows and reporting.
9.3.6 Remuneration system
The system of remuneration and incentives for all the Employees of the Company and for those who, although not employees, act on behalf the Company must be:
- designed and managed with the objective of remunerating the position held, taking into account assigned responsibilities and demonstrated skills and abilities, as well as a detailed risk assessment, both in the short and medium-long term;
- aimed at rewarding results obtained by taking into account actions taken to achieve them, which are informed as to full compliance with the regulations in force, Uber Business Conduct Guide, the Model and the Group Policies.
9.3.7 Checks and monitoring
The Model provides for the performance of verification activities (periodic or ad hoc) in relation to each At-Risk Activity and the monitoring of the performance of activities in compliance with the provisions of the Model (in coordination with various Company Offices).
9.3.8 Information flows and reports
Under sections 4.8 and 4.9, the Company’s Supervisory Body receives a flow of information and reports which, due to its breadth and analytical nature, is suitable for promptly alerting the Supervisory Body to facts and circumstances for purposes of monitoring the Model 231.
9.3.9 Contractual clauses
Each contract of the Company that establishes rules concerning the performance of a At Risk Activity must contain specific clauses that provide for: i) a statement by the party signing the contract that he/she is aware of and agrees to comply with the principles contained in the Uber Business Conduct Guide and Model 231; ii) the right of the Company to terminate the contracts in question in the event of violation of these obligations.
9.3.10 Workplace health and safety compliance system
Together with the Model, the Company has adopted, manages and updates an adequate workplace health and safety management system in compliance with the provisions of Legislative Decree no. 81/2008 and other applicable rules.
9.4 Compliance Protocols
The Compliance Protocols include special provisions aimed at establishing rules and internal compliance measures for each of the At-Risk Activities and are contained in the Special Part of Model 231, to which reference is made.
About