Privacy policy on the protection of personal data in accordance with Article 13 of Regulation (EU) No. 679 of 2016

This is an English translation of the original document titled “Whistleblowing | Informativa privacy sulla protezione dei dati personali in conformità all’articolo 13 del Regolamento (UE) n. 679 del 2016”. For any interpretation and legal purpose, the original version in Italian of this document is the only one with legal effect.

Pursuant to Art. 13 of Regulation (EU) 2016/679 (hereinafter, also “GDPR”), we inform you that the personal data (hereinafter, the “Data”) you provide in the whistleblowing procedure will be processed by the Company (hereinafter, the “Company” or “Data Controller”) as the Data Controller.

1. Purpose and legal basis of the Processing

The purpose of the processing is the receipt, analysis, investigation and management of reports and any consequent actions, and in particular the ascertainment of the reported facts and the adoption of any measures.

Pursuant to Article 6, paragraph 1, letter f) of the European Regulation No. 679/2016 (hereinafter also “Regulation”), all personal data collected under this processing are strictly functional and necessary for the pursuit of the provisions of Legislative Decree No. 24/2023, as well as for any internal control needs, monitoring of business risks, defense of a right in court or for further legitimate interests of the Data Controller.

The processing in question involves the provision, through the completion of a form on the dedicated IT platform Whistlelink.com, of: personal data, tax code, contact data and additional data and information related to the reported misconduct.

The aforementioned IT platform, based on secure software and capable of ensuring absolute anonymity, is equipped with a protected multi-factor authentication system and an encryption protocol that guarantees the segregation of the identity of the reporter from the content of the report. Only where strictly necessary for the purposes of verification activities or at the request of the external investigating bodies may the Head of the Company, giving adequate reasons, associate the report with the identity of the reporter.

The provision of Personal Data is mandatory, since without it the Company would be unable to fulfill the specific legal obligations related to the management of Reports and, consequently, could not guarantee the protection measures provided by the Decree in favor of the Data Subjects.

Anonymous Reports will in fact be taken into consideration only where they are adequately substantiated and sufficiently detailed to bring out facts and situations related to specific contexts.

Modalities of processing

The processing is carried out in a lawful, fair and transparent manner, by means of paper, computer and/or telematic tools, with organizational methods and logics strictly related to the indicated purposes and only by appointed and adequately trained personnel.

The Company has taken appropriate and adequate security measures to prevent unauthorized access, disclosure, modification or destruction of data.

Organizational measures (allocation of roles and responsibilities in carrying out the activity and its controls), procedural measures and technical measures (firewalls, antivirus and other advanced technologies), appropriate and adequate to protect the data, have been adopted.

2. Recipients of the Data

For the pursuit of the above purposes, the personal data provided are made accessible only to those within the Company who are competent to receive or follow up on the activities of analysis, investigation and management of reports and any consequent actions.

These individuals are appropriately instructed in order to prevent loss of the data, access to the data by unauthorized parties or unauthorized processing of the data and, more generally, in relation to personal data protection obligations. The data may also be processed by External Consultants and Third Parties with technical functions (e.g., the IT platform provider), who act as Data Processors/Sub-Processors and have signed a specific contract that regulates in detail the processing entrusted to them and the obligations regarding data protection and security of processing pursuant to Article 28, paragraph 3 of the Regulation.

Personal Data will be processed within the European Economic Area (EEA) and stored in servers located within it.

Finally, Personal Data may also be transmitted to other autonomous data controllers, based on legal or regulatory requirements (e.g. Public Authorities, Judicial Authorities, etc.).

The identity of the reporting person and any other information from which such identity may be inferred, directly or indirectly, may be disclosed to persons other than those competent to receive or follow up on reports only with the express consent of the reporting person in accordance with the provisions of Legislative Decree No. 24/2023.

3. Term of Data Retention

Personal Data contained in the Report will be retained no longer than 5 years from the date of communication of the final outcome of the reporting procedure. Personal Data that are manifestly not useful for the processing of a specific Report shall not be collected or, if accidentally collected, shall be deleted immediately.

Rights of the data subject

The data subject may exercise at any time the rights recognized by Article 15 et seq. of EU Regulation 679/2016, listed below, by sending an email to privacy@lattanziokibs.com specifying the subject of his/her request, the right he/she intends to exercise and attaching a photocopy of an identity document:

  • right to access the personal data being processed and to request a copy of the same (ex Art. 15 of European Regulation No. 679 of 2016)
  • right to rectification and integration of inaccurate and incomplete personal data (ex Art. 16 of European Regulation No. 679 of 2016)
  • right to the deletion of personal data, when, by way of example, among other reasons, personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (ex Art. 17 of European Regulation No. 679 of 2016)
  • right to restriction of the processing of personal data, when, by way of example, among other reasons, the processing is unlawful and the data subject objects to the deletion of the personal data and instead requests that their use be restricted (ex Art. 18 of European Regulation No. 679 of 2016)
  • right to data portability, i.e., to receive in a structured, commonly used, machine-readable format the personal data provided (ex Art. 20 of European Regulation No. 679 of 2016)
  • right to object at any time to the processing of personal data, when, by way of example, the data are processed for direct marketing purposes (ex Art. 21 of European Regulation No. 679 of 2016)
  • right to object to automated decision-making, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her (ex Art. 22 of European Regulation No. 679 of 2016)

4. Making a Complaint

The data subject is free to lodge a complaint with the Supervisory Authority (Art. 77): without prejudice to any other administrative or judicial remedy, a data subject who considers that the processing concerning him or her violates the EU Regulation has the right to lodge a complaint with a supervisory authority (Privacy Guarantor).