Compliance models

The Acea Group has developed and implemented over time specific compliance models and controls designed to prevent risks pertaining to behaviours, during the performance of business activities, that are unlawful and not in keeping with the company’s ethical values. 

As part of a common framework, the Parent Company delivers guidelines for the implementation of its Models to the subsidiaries which, within the scope of their respective autonomy and independence, maintain responsibility for the correct adoption and execution of the same.

 

The Acea Group operates in essential services and infrastructures, guaranteeing high standards in terms of service quality and continuity. In this context, compliance assumes a fundamental relevance not only to ensure compliance and observance of the rules, but also as a useful means of assuring the achievement of business objectives. 

 

This approach is applied, in particular, in the 231 Organisation Model, the Anti-corruption Framework, the Antitrust and Consumer Protection Compliance Programme and the Privacy Governance Framework. These compliance models, alongside Enterprise Risk Management, constitute essential elements of the Internal Control and Risk Management System. 

 

 

 

Training and communication initiatives

 

Internal and external stakeholders play a leading role in the creation of a shared culture of compliance and risk management. Acea organises training and communication initiatives on a regular basis for its employees, and third parties where appropriate, to maximise dissemination of the Group’s values and rules. These initiatives are aimed at promoting diffusion of the risk culture and guaranteeing knowledge and observance of compliance principles and rules, as well as the recipients’ in-depth understanding of the risks associated with their activities. 

 

 

 

Reporting of violations

 

 

Whenever internal or external recipients believe that a breach of the 231 Organisation Model, the Code of Ethics, the regulations concerning Anti-corruption, Antitrust or Privacy, as well as the compliance programmes and internal guidelines, may have occurred, they can report it using the “Comunicate Whistleblowing” IT Platform, dedicated to the receipt, management, analysis and handling of reports.

 

The Platform ensures the privacy of the reporting party’s identity, the safe archiving of documents transmitted and uploaded and the confidential handling of the analysis and management processes; it guarantees the protections set forth by Legislative Decree no. 24/2023 and is therefore considered preferable to any other channel that might be used.

 

Click here for more information on Whistleblowing and the handling of reports

231/01 Model and the Supervisory Body

 

Since 2004 Acea has adopted an Organisation, Management and Control Model, pursuant to Legislative Decree dated 8 June 2001, designed to prevent the committing of conceptually feasible administrative crimes and offences within the scope of company business. 

 

The Code of Ethics is an integral part of the 231 Organisation Model, which is one of the fundamental elements of Acea’s wider control system.

 

The Model is subject to constant revision and enhancement in keeping with jurisprudential and theoretical developments, regulatory changes in the Decree and company organisational changes. The last revision was carried out in 2024. 

 

Acea SpA’s Model constitutes the reference framework for the Models of Group companies.

 

 

231 Model Addressees

 

Addressees of the Model, include:

 

  • those who – even factually – perform the Company’s operational, administrative, management and control functions

     

  • employed persons – under any form of contractual relationship – even if seconded abroad to carry out the activity;

     

  • those people who, although not part of the Company, operate for whatsoever reason on behalf of the same;

     

  • associates and contractual counterparts in general.

     

The Model, the Code of Ethics and the Anti-Corruption Guideline are essential references for all those who contribute to the development of the various activities — such as suppliers of materials, services and works, consultants, partners in temporary associations, or companies with which Acea operates.

 

All recipients of Model 231/01 must collaborate in the full implementation of the principles and provisions of the Model, in such a way as to direct everyone's behaviour and mitigate the risks associated with company activities and processes. The company sanctions any behaviour in violation (in addition to current legislation) of the provisions of Model 231/01, of the Code of Ethics, the Anti-Corruption Guideline, and in general of the principles of conduct defined by the company, even when the conduct is based on the belief that it pursues the company's interest or advantage.

 

 

Supervisory Body and reporting

 

In accordance with the provisions set forth in the Decree and the 231 Organisation Model, Acea has established a Supervisory Body, that guarantees the requisites of autonomy, independence and professionalism. The Supervisory Body has full, independent powers of initiative, intervention and control over the effective functioning and observance of the Model.

More specifically, the Supervisory Body:

 

  • verifies the effective suitability of the Model for preventing the crimes envisaged in the Decree;

     

  • monitors the validity of the Model over time and prepares proposals for updating the Model to be submitted to the Board of Directors, wherever the need arises based on changes in company and legislative conditions;

     

  • reports to the competent authorities any breaches of the Model, whether ascertained or undergoing verification, that could give rise to a liability for the Company.

     

The Supervisory Body, through dedicated channels, must be promptly informed regarding behaviours, acts or events which could lead to a violation or circumvention of the Model (or reference regulatory system), as well as of potentially relevant news relating to Acea's activities, in case these may expose the company to the risk of crimes and offences such as to give rise to Acea's liability pursuant to the Decree.

 

  • the IT platform Comunica Whistleblowing (which allows to submit reports, also anonymously, both in written or verbal form);

     

  • Direct meeting (after a written or verbal request submitted through the Comunica Whistleblowing platform by the reporting person).

     

For further details on the reports and the related guarantees and safety measures implemented for the reporting person, the person involved or subject of the report, as well as for the additional "subjects" to whom the protection is extended (as provided for by Legislative Decree no. 24/2023), please refer to the page dedicated to Whistleblowing.

 

Please note: for issues which are not related to “231 Organisational Model reports”, it is also possible to contact the Supervisory Body writing at organismodivigilanza231@pec.aceaspa.it.

 

 

231 compliance and the supervisory bodies of Group companies

 

Acea supports the adoption and effective implementation by the Group Companies of their own 231 Organisation Model, consistent with the principles set out in the Parent Company's Model, as well as the appointment of their own Supervisory Body. 

 

Anti-corruption framework

 

The Acea Group has set up a structured system of rules, controls and organisational monitoring designed to prevent the risk of unlawful conduct in carrying out business activities, particularly insofar as concerns those more exposed to the risk of corruption, promoting a corporate culture based on the observance of values and behavioural correctness.

 

The Acea Group: 

 

  • undertakes to prevent and combat unlawful practices on the part of all persons acting, for whatsoever reason, in the name and on behalf and for the benefit of the Group;

     

  • rejects all forms of corruption and forbids any behaviour that is liable to facilitate or encourage corruptive phenomena;

     

  • is committed to the constant implementation of a “sustainable” business that combines results and performance with the observance of rules and values, with a view to rendering the Group ethically upright on the assumption that any “unlawful” gain does not constitute acceptable profit.

     

     

Anti-Corruption Guidelines

 

In March 2023, Acea’s Board of Directors adopted the Anti-Corruption Guidelines, which standardise and integrate all the compliance controls contained in the internal regulatory system (Code of Ethics, 231 Model, related procedures etc…), with a view to defining an organic system of rules and principles intended to prevent and combat risks associated with unlawful practices.

 

The guidelines are designed to regulate the roles and responsibilities of the parties involved and the monitoring activities pertaining to anti-corruption.

 

More specifically, the guidelines make it possible:

 

  • to define and revise the Acea Group anti-corruption framework (namely the main pillars used by the Group to prevent and combat corruption)

     

  • to identify sensitive areas potentially more exposed to the risk of corruption, the behavioural principals to be observed and some applicable controls

     

  • to define information and reporting flows with regard to the framework’s implementation and monitoring. 

     

The guidelines apply: 

 

  • to Acea and to Acea’s direct and Indirect subsidiaries (as regards investee companies the document should be considered a support instrument for the definition of their respective regulatory tools)

     

  • to suppliers, partners, business associates and, more generally, all those acting in the name and on behalf of Acea or the Group companies, or with whom the same come into contact in the course of their business.  

     

     

The corruption prevention Management System and Acea’s Anti-Corruption Policy

 

The voluntary implementation of a Corruption Prevention Management System (CPMS), according to the requirements set forth by standard UNI ISO 37001:2016, forms part of a virtuous circle for combating and preventing corruption phenomena.

 

The system’s “manifesto” is the Anti-Corruption Policy, approved by the Board of Directors in March 2023, which sets out the general principles and engagements pertaining to Acea S.p.A.

 

This document is intended not only for Acea personnel, but also suppliers, partners and everyone acting in the name and on behalf of Acea or with whom Acea comes into contact in the course of its business. It specifically represents the commitment vis-à-vis the principles and requirements laid down by standard ISO 37001:2016.

 

In September 2023, Acea S.p.A. was awarded ISO 37001:2016 certification for their CPMS.

 

 

Anti-Corruption Manager

 

Acea’s Anti-Corruption Manager (ACM) oversees compliance for corruption prevention purposes and has the responsibilities defined in the Anti-Corruption Guidelines.

 

In particular, the ACM:

 

  • monitors and coordinates activities connected with the adopted anti-corruption framework;  

     

  • coordinates, develops, monitors and maintains the Corruption Prevention Management System in accordance with standard UNI ISO 37001:2016.

     

A similar function has been created at the Group companies.

 

 

Antitrust & Consumer Protection Compliance Programme

 

Acea believes that competition and consumer protection is a core value for business activities. Consistent with the principles set out in the Code of Ethics, the Group specifically abstains from collusive, anticompetitive, exploitive and abusive practices and, more generally, from any conduct that might impede the correct functioning of market mechanisms and imply detriment to consumers.

 

 

The Antitrust Compliance Programme

 

The Acea Group has adopted an extensive Antitrust & Consumer Protection Compliance Programme, aligned with domestic and international best practices, defining organisational policies, rules, measures and control units designed to ensure the conformity of its actions with legislation and promote the development of a business culture oriented towards respect for principles of fair competition and correct behaviour vis-à-vis consumers. 

 

During the last few years, the Programme, which is also implemented by the subsidiaries, has been revised and updated. More specifically, in 2022 the Board of Directors approved the “Antitrust and Consumer Protection Compliance Guidelines”, valorising the experience gained during the first years of application and implementation of the Programme at Group level.

 

The Guidelines describe the main components of the Antitrust Programme, namely:

 

  • commitment and involvement on the part of senior management as regards the implementation and monitoring of the Programme; 

     

  • appointment of the Antitrust Contact Person; 

     

  • identification and assessment of the company’s specific Antitrust Risk (Risk Assessment); 

     

  • definition of rules and development of management procedures capable of reducing Antitrust Risks (Risk Management); 

     

  • promotion of specific, periodic and mandatory training sessions (Training) and updating of staff, alongside initiatives aimed at communicating and disseminating the Programme (Communication); 

     

  • definition of a suitable system of disciplinary measures and incentives aimed at supporting compliance with the Programme; 

     

  • periodic updating and monitoring of the Programme by way of systematic actions to evaluate the efficacy of its various components (Monitoring).

     

     

The Antitrust and consumer protection regulatory compliance handbook

 

Moreover, in December 2023, Acea SpA’s Board of Directors approved an update of the “Antitrust and Consumer Protection regulatory compliance Handbook”, the Antitrust Compliance Programme’s main regulatory tool. 

 

More specifically, the Handbook:

 

  • sets out the main points of the legislation laid down for the protection of Competition and Consumers

     

  • explains the relevant circumstances and actions and the most important behavioural rules to be observed by all addressees of the Antitrust Compliance Programme, failure to comply with which gives rise to appropriate disciplinary sanctions and/or contractual remedies. The rules set forth in the Manual are complemented by the provisions contained in the internal regulations, which form an integral part thereof.

 

The Manual is addressed to:

 

  • Acea and its Subsidiaries,

     

  • all managers, employees and other parties (natural persons and legal entities) operating on behalf and/or under the management and/or subject to the determining influence of Acea or the Subsidiaries, for whatsoever reason, directly or indirectly, on a permanent or provisional basis, in Italy or abroad.

     

     

The Antitrust contact person

 

Acea’s Antitrust Contact person is responsible for the design, implementation and monitoring of the Acea SpA Antitrust Compliance Programme. His/her duties are set out in the Antitrust and Consumer Protection Compliance Guidelines and Regulations.

 

In particular, the Contact person takes care of the following:

 

  • the adoption of the Compliance Programme;

     

  • the implementation of all Programme components;

     

  • the Programme’s periodic monitoring and update;

     

  • activities for preventing and combating prohibited behaviours.

     

He/she also defines the guidelines with regard to Antitrust Compliance at Group level.

 

A similar figure has been set up in the Group companies. 

 

 

Privacy Governance Framework

 

The Acea Group pays the utmost attention to the protection of personal data, guaranteeing the observance of regulations for all processing of personal information carried out and the adequacy of technical and organisational measures as regards the risks associated with processing. 

 

The Group is constantly engaged in developing and implementing effective protection policies for the personal data of all parties concerned: employees, customers, suppliers, shareholders, stakeholders, partners, as well as any persons whose personal data, for whatsoever reason, are processed. With this in mind, the Group has adopted a Privacy Governance Guideline which, from a risk-based approach perspective, describes the principles indicated in Regulation (EU) 2016/679 (General data protection regulation - GDPR) and the modalities regarding their execution.

 

The Group also takes into consideration the sector standards and applicable best practices, together with the guidelines of the Personal Data Protection Authority and the European Data Protection Board.

 

Data protection checks on third parties are periodically carried out with a view to fulfilling obligations arising from the Data Processing Agreements entered into with suppliers handling personal data controlled by Acea Group companies. A second-level governance and monitoring system has also been developed, comprising a series of information flows.

 

 

Privacy Governance guidelines

 

On 14 March 2022 Acea SpA’s Board of Directors adopted the Privacy Governance Guideline, setting out the essential elements of the Acea Privacy Governance Model, together with the related interpretation, within the Group, of the compliance framework.

 

The Guideline forms part of the integrated framework adopted by the Acea Group for the application of Regulation (EU) 2016/679 (“General Data Protection Regulation”, hereinafter “GDPR”) regarding the protection of natural persons and the processing of personal data.

 

The objectives of the Guideline are as follows:

 

  • to regulate Acea SpA’s direction and control initiatives and explain objectives, principles and activities pertaining to Privacy issues;

     

  • to define the general rules for transverse actions involving the Privacy Governance Model.

     

 

More specifically, the Group’s Privacy Governance framework pursues the following purposes:

 

  • to ensure observance of current legislation with regard to data processing;

     

  • to define roles and responsibilities of the persons involved in the application of Acea’s “Privacy Organisational Model” as shown below, and to explain the latter’s role of direction and control within the Group;

     

  • to define the data protection principles that must be implemented and effectively enforced;

     

  • to define the framework of security controls that must be analysed and explained in the dealings with parties (legal entities or natural persons) who process data on behalf of Acea;

     

  • to define the activities to be carried out in order to analyse areas that may potentially impact data protection;

     

  • to assess the risk and impact on the rights and freedoms of natural persons in connection with the processing of personal data;

     

  • to explain disclosure requirements;

     

  • to implement the actions necessary for protecting the rights of the parties concerned, ensuring the correctness of the handling process and response to their requests;

     

  • to define the requirements of privacy reports and personal data processing registers;

     

  • to describe the functional architecture of the automatic privacy system management tools in the companies.

     

 

Furthermore, the Acea Group always pays attention to the various issues emerging that have an impact on personal data protection, such as the safe handling of data with respect to new technologies and the new work tools.