The following information shall be provided for the purpose of transparency with regard to the Whistleblower, in order to make him aware of the terms and conditions of the processing of the data, including the exercise of related rights and the limits to the exercise thereof.
The Data Controller is Servizi Industriali S.r.l., with registered office in Via Marie Curie 19, 40064, Ozzano Emilia (BO) Italy.
In compliance with the independence and autonomy in fulfilling the obligations provided, the Company has appointed Interpump Group S.p.A. as Personal Data Processor pursuant to Article 28 GDPR. In particular, the Data Processor is entrusted with the task of managing reports in accordance with the procedures set out in the "Procedure for the Management of Whistleblowing Reports" and processing personal data on behalf of the Data Controller.
DATA PROTECTION OFFICER
The Data Protection Officer for all matters concerning the processing of personal data and the exercise of the data subject's rights, can be contacted at the following email address: email@example.com.
CATEGORY OF PERSONAL DATA
The personal data of the Whistleblower, and those of other persons who may be involved and/or connected to the facts that are the subject of the Report (or also the "Reported" or the "Third Party"), acquired in connection with the management of the Reports, will be processed in full compliance with the provisions of article 13 of the GDPR and with the provisions of the "Procedure for the Management of Whistleblowing Reports”.
The personal data collected and processed by the Company include (i) identification data of the Whistleblower (personal details, contact details,..); (ii) identification data of the Reported and/or of the Third Party provided by the Whistleblower and/or further acquired in the course of the ensuing inquiry and investigation activities; (iii) other data that will be entered by the Whistleblower in filling in the reporting form/supplied orally or subsequently acquired by the Persons in Charge of the Management of Whistleblowing Reports in the course of the preliminary investigation activities, including any reference to data on the Whistleblower and/or Third Parties and reported by the Whistleblower itself or acquired in the course of the subsequent preliminary investigation activities.
With reference to point (iii) above, the Company cannot exclude that the content of the Report also includes special data pursuant to article 9 of the GDPR. In this case, the Data Controller will process the data, for the purposes set out in this Notice, in accordance with the provisions of article 9, para. 2, lett. b), of the GDPR.
PURPOSE OF PROCESSING
The personal data of the Whistleblower, the Reported and/or the Third Party, shall be collected and processed, within the Whistleblowing procedure, exclusively for the purposes of investigating and ascertaining the facts that are the subject of the Report and of adopting any consequent measures. In particular, the personal data collected will be only those necessary and pertinent for the achievement of the purposes indicated above, on the basis of the principle of minimisation.
Personal data that will not be useful for processing a specific Report will not be collected or, if accidentally collected, will be deleted immediately.
LEGAL BASIS FOR PROCESSING
The legal basis for the processing of the personal data of the Whistleblower, the Reported and/or the Third Party, provided in connection with reports concerning alleged irregularities, offences and/or omissive conduct detrimental to the public interest or the integrity of the Company and of which they have become aware by reason of the employment relationship, i.e. because of or on the occasion of the same, is to be found in the fulfilment of the legal obligation pursuant to article 6, para. 1, lett. c) and article 9, para. 2, lett. b) of the GDPR.
Such data may also be processed to comply with requests by the competent administrative or judicial authorities and, more generally, by requesting public bodies, in compliance with the formalities laid down by law.
The Data Controller may also process personal data for:
(i) internal control and business risk monitoring needs, as well as for the optimisation and streamlining of internal business and administrative processes that might imply a longer retention of the Report than the mere management and resolution of the Report in question;
(ii) ascertain, exercise or defend a right or legitimate interest of the Data Controller (including other companies of the Interpump Group) in any competent forum.
The legal basis of the processing referred to in points (i) and (ii) above is to be found, respectively, in the legitimate interest of the Data Controller in ensuring the efficiency of the company's organisation, also with a view to preventing and effectively combating fraudulent and unlawful or irregular conduct, and in the exercise by the same of the right to defend its own reasons in the appropriate fora.
The provision of data is not compulsory, as anonymous reports are possible, but a refusal to provide such data could make it more difficult to ascertain whether the Report is well-founded, if it is not substantiated, based on precise and concordant elements, does not concern verifiable facts and/or does not contain all the elements necessary to carry out the aforementioned ascertainment.
The data provided within the framework of the Reports are subject to processing by the "Persons in Charge of the Management of Whistleblowing Reports" in compliance with the methods established by the Data Controller and in compliance with the Privacy Regulations, with a guarantee of the principles of lawfulness, correctness, transparency and relevance.
In any case, the identity and personal data of the Reported, of the Whistleblower and/or of any Third Parties involved in the Report, will be processed in compliance with the principle of confidentiality, also through the use of encrypted systems, and with all the technical and organisational measures appropriate to guarantee the security of the processing.
RECIPIENTS/CATEGORIES OF RECIPIENTS OF PERSONAL DATA
The Recipients of the personal data of the Whistleblower, the Reported and/or Third Parties are the Persons in Charge of the Management of Whistleblowing Reports who, in compliance with the provisions of the Privacy Regulations and the "Procedure for the Management of Whistleblowing Reports" adopted by the Company, are required to guarantee the confidentiality of the identity of the Whistleblower.
The Persons in Charge of the Management of Whistleblowing Reports are authorised to process the data and have received specific training on the Whistleblowing legislation and on the protection of personal data, with specific reference to security measures and protection of the confidentiality of the persons involved and of the information contained in the Reports. Moreover, in cases where it is necessary for the purposes of ascertaining the grounds of the fact which is the subject of the Report, of the relevant investigative activities and of the adoption of the consequent measures, as well as for the initiation of any disciplinary measures, the recipients of the personal data of the persons concerned may be other functions of the Company and any consultants.
It is in any case understood that the identity of the Whistleblower may not be disclosed without his consent, which the Persons in Charge of the Management of Whistleblowing Reports shall request in the cases specifically provided for in the Whistleblowing Regulations.
The Company also ensures the confidentiality of information relating to (i) the identity of the Reported (the so-called involved person); (ii) the facilitator (both with reference to the identity and to the activity in which the assistance takes place); (iii) persons other than the Reported, but nevertheless implicated as mentioned in the report (e.g. witnesses, Third Parties), until the conclusion of the proceedings initiated on account of the report and in compliance with the same guarantees provided for in favour of the Whistleblower.
If necessary, the data of the persons concerned may also be communicated to the judicial Authorities and investigative bodies for the purposes of activating the procedures necessary to ensure appropriate protection as a consequence of the Report, as well as for any investigations that may be necessary.
In any case, all necessary measures to protect personal data against accidental or unlawful destruction, loss and unauthorised disclosure shall be taken in the course of the activities aimed at verifying the validity of the Report.
DATA TRANSFER TO NON-EU COUNTRIES
Personal data processed for the above-mentioned purposes are not transferred to third countries outside the European Union or the European Economic Area (EEA) or to international organisations.
If necessary, the Data Controller shall be entitled to move the location of the archives and servers to Italy and/or the European Union and/or countries outside the EU. In the latter case, it is assured, as of now, that the transfer of data outside the EU will take place in compliance with the applicable legal provisions, stipulating, where necessary, agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses provided for by the European Commission.
RETENTION PERIOD OF COLLECTED DATA
The personal data collected for the above-mentioned purposes will be kept by us for as long as necessary for the performance of the activities of ascertaining the merits and of the management of the Reports and, in any case, no longer than five years from the date of the communication of the final outcome of the Whistleblowing procedure.
RIGHTS OF THE DATA SUBJECT
Pursuant to articles 15 et seq. of the GDPR, data subjects are granted certain rights, which can be exercised within the limits of their compatibility with the legislation on Whistleblowing and the provisions of article 2-undecies of Legislative Decree no. 193/2003, namely:
- Right of access: the right to obtain, without undue delay, information concerning (i) the purposes of the processing; (ii) the categories of personal data processed; (iii) the recipients or categories thereof to whom the data may be disclosed, in particular if located in non-EU countries, and the means for exercising your rights to such persons; (iv) when possible the storage period or the criteria for determining it; (v) the updating, rectification or, where interested therein, the integration of personal data as well as the origin of data collected from third parties;
- Right of rectification: the right to obtain without undue delay the rectification of inaccurate personal data and, taking into account the purposes of the processing, to obtain the integration of incomplete personal data, including by providing a supplementary declaration;
- Right to erasure: the right to obtain, without undue delay, the erasure of personal data where one of the grounds listed in article 17, para. 1, of the GDPR applies - such as where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed - unless the processing is necessary on the basis of the provisions of paragraph 3 of that article 1 of the GDPR - such as where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed - unless the processing is necessary according to the provisions of paragraph 3 of the same article, including (a) compliance with a legal obligation requiring the processing as provided for by Union or Member State law to which the Controller is subject, or (b) the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or (c) the establishment, exercise or defence of legal claims;
- Right to restriction: the right to obtain the restriction of processing where one of the cases referred to in article 18, para. 1 of the GDPR applies: if processing is restricted, personal data will be processed - except for storage - only with the consent of the data subject or for the establishment, exercise or defence of legal claims or to protect the rights of another natural or legal person or for reasons of substantial public interest of the Union or a Member State.