INFORMATION ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679 FOR REPORTING MADE UNDER LAW CONCERNING THE SO-CALLED “WHISTLEBLOWING”
We hereby inform you that, pursuant to Art. 13 of Regulation (EU) 2016/679 (hereinafter “GDPR”), your personal data may be collected and processed as part of activities reporting unlawful events and suspicious behaviour that may constitute a breach of the rules regulating the activities of Trevi Finanziaria Industriale S.p.A., as well as the rules of conduct established in the Code of Ethics and in the Organisation, Management and Control Model pursuant to Italian Legislative Decree 231/2001 (hereinafter “Whistleblowing Report”) by Trevi Finanziaria Industriale S.p.A., Tax Code and VAT No. 01547370401 (hereinafter “Trevi Finanziaria Industriale” or the “Company”) with registered office in Cesena (FC), via Larga di Sant’Andrea No 201 and will be processed by the same as Data Controller.
The Data Protection Officer of Trevi Finanziaria Industriale S.p.A. can be contacted at the following address: dpo@trevifin.com
- Categories and types of personal data subject to the processing
The management of the Whistleblowing Report entails the processing of personal data, specifically:
- common data (such as name, surname, identification document, contact details of the whistleblower)
- and, where necessary and functional to the Whistleblowing Report, special categories of personal data pursuant to Art. 9 of GDPR (i.e., data concerning health, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data to uniquely identify a natural person, data concerning a person’s sex life or sexual orientation).
With reference to special categories of personal data, it is not recommended to include this kind of data when reporting a Whistleblowing if they are not necessary or relevant. Such data, if disclosed, may not be taken into account, if their processing is not justified by their relevance with the Whistleblowing Report and would, therefore, be ignored in the consequent preliminary and investigation activity.
In order to ensure an effective process, the Whistleblowing Report shall, in addition, include the particulars of the reported person (among which - for example - first name, last name, company function, date, place and manner̀ in which the facts that are the subject of the report occurred, and any documentation suitable to prove the course of events).
The provision of your personal data is optional but any failure to provide such data would make it impossible for the Company to manage the Whistleblowing Report.
Lastly, it is specified that the platform Segnalazioni.net/en/ of Trevi Finanziaria Industriale S.p.A. only collects your registration data and those provided in the reports. In any case, your personal profile data are not directly viewable in the Whistleblowing Report.
- Purpose and legal basis of the processing of personal data
Your personal data will be processed exclusively for purposes of receipt, analysis and management of the Whistleblowing Report. Whistleblowing Reports can be sent by using the channels indicated in the Whistleblowing Policy and Procedure.
The legal basis for the processing is the need to comply with a law obligation to which the Data Controller is subject, with reference to the provisions set out in the Italian Law No. 179 of 30 November 2017 (“Provisions for the protection of whistleblowers who report offences or irregularities which have come to their attention in the context of a public or private employment relationship”) and in the Italian Legislative Decree No. 231 of 8 June 2001 (“Regulation on the administrative liability of legal persons, companies and associations with or without legal personality, pursuant to Art. 11 of Italian Law No. 300 of 29 September 2000”).
Additional facts that you decide to bring to the Company’s attention since deemed significant will be processed for the same purpose by virtue of the Data Controller’s legitimate interest in the uncovering of unlawful facts perpetrated in the Company. Any processing of personal data included in special categories of data will be carried out by the Data Controller to fulfil labour and social safety obligations while the processing of judicial data will be carried out in fulfilment of applicable regulatory provisions.
- Confidentiality and protection of the Whistleblower
It is hereby specified that the Data Controller applies Art. 6 of Italian Legislative Decree 231/2001, as amended by Art. 2 of Italian Law No. 179/2017, recorded as “Protection of the employee or collaborator who reports offences in the private sector”, which provides for the protection of the confidentiality of the whistleblower’s identity in the management of the Whistleblowing Report and prohibits direct or indirect retaliatory or discriminatory acts against the whistleblower for reasons related, directly or indirectly, to the Whistleblowing Report.
Therefore, with the exception of cases in which liability for libel and defamation can be established under the provisions of the Italian Criminal Code or Art. 2043 of Italian Civil Code and the cases in which anonymity is not enforceable by law, (e.g., criminal, tax or administrative investigations, inspections by supervisory bodies) the identity of the whistleblower will be protected from the moment the Whistleblowing Report is received and at every stage thereafter, in accordance with the provisions of the applicable regulation on personal data.
Therefore, the identity of the whistleblower may be disclosed to the disciplinary authority and the reported person only in cases where:
a) the notification of the disciplinary charge is based, in whole or in part, on the Whistleblowing Report and knowledge of the identity of the whistleblower is absolutely essential to the reported person’s defence;
b) there are mandatory provisions requiring the Company to disclose the identity of the Whistleblower.
All those who will receive and/or be involved in the management of Whistleblowing Reports are required to protect the confidentiality of such information. Any breach of obligation of confidentiality is a source of disciplinary liability, without prejudice to additional forms of liability provided for by law.
- Recipients and transfer of data
Your personal data and, more generally, all personal data communicated through the Whistleblowing Report, together with the documentation supporting it, may be shared, to the extent strictly necessary, with the following parties obliged to confidentiality:
- parties authorised by the Data Controller to manage the Whistleblowing Reports received (Whistleblowing Team established internally);
- any third parties with which the Company has entered into contracts for the processing of personal data in accordance with Art. 28 of the GDPR and which, therefore, act as data processors and may provide consultancy activities to the Company in relation to the Whistleblowing Report management activities;
- subjects, entities or authorities - autonomous data controllers - to which it is mandatory to communicate your personal data under provisions of the law or orders of the authorities.
- Data transfer to non-EU countries
Your personal data will not be transferred outside the European Economic Area.
- Storage of personal data
Your data will be stored only as long as necessary for the purposes for which they are collected, in compliance with the principles of minimisation and limitation of storage set forth in Art. 5, paragraph 1, letter c) and e) of the GDPR, except for further storage - until the judgement becomes final or out-of-court settlements are reached - in case of legal proceedings and/or initiation of dispute and/or requests by the authority.
- Method of data processing
The processing of your personal data will be carried out through IT, manual and/or telematic supports and/or tools, with logic strictly related to the purposes of the processing and in any case ensuring the confidentiality and security of the data and in compliance with the GDPR.
The personal data that you may provide in the registration form (name, e-mail address and identification document) are separate from your possible reports and the association of your identity with the Whistleblowing Report can only be carried out by the subjects in charge of managing the reports.
- Exercise of rights
Pursuant to Articles 15 and following of the GDPR, subject to any limitations arising from mandatory provisions, you are granted certain significant rights against the Data Controller, namely:
- Right of access to your personal data;
- Right of rectification of your personal data;
- Right of erasure of your personal data;
- Right of limitation of processing of your personal data;
- Right to lodge a complaint with a supervisory authority (Personal Data Protection Authority), if it is deemed that the processing of your personal data is contrary to the applicable legislation or that legal proceeding should be initiated.
It is emphasised that the exercise of the above rights may be done by sending the relevant requests to the e-mail address: dpo@trevifin.com.