PRIVACY POLICY – WHISTLEBLOWING Italian Legislative Decree 24/2023
Notice pursuant to Article 13 GDPR for the whistleblower


DATA CONTROLLER

The Data Controller, pursuant to Articles 4 and 24 of Reg. EU 2016/679, is Nuova Idropress SpA, in the person of its pro-tempore Legal Representative, with registered office at Via Consolini 10 – 42026 Ciano d’Enza di Canossa (RE), Italy. Mobile phone +039-0522-242750, Fax +39-0522-878027, email: privacy@nuova-idropress.com

A Data Protection Officer (DPO) has not been appointed, as the mandatory conditions set out in Article 37, para. 1 of EU Reg. 2016/679 have not been met.

TYPE OF DATA PROCESSED

“Personal Data” means any information relating to an identified, or identifiable, natural person (the “Data Subject”).
An identifiable natural person is a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

With regard to the processing that is the subject of this privacy policy, the personal data processed will be those relating to the reports submitted by the whistleblowers, including the contents of the reports themselves, which may include personal data relating to third parties.

The personal data processed of the author of the report (the “whistleblower”), if the report is not made anonymously (the data are to be defined according to the type of information to be requested in the report form):
✓ Name, title, qualification, gender.
✓ Business contact details: e.g. telephone number (mobile), email address, work address, fax number.
✓ Employment relationship (e.g. type of contract and place of work).
✓ Method and time of reporting (including site of origin).
✓ Other information provided by the data subject (personal opinions, consequences suffered as a result of the alleged violations, etc.).

The data subjects are: a) employees (persons who have established an employment contract with the employer, including temporary workers); b) senior persons who hold administrative, management and representative functions of the company and persons delegated by the company to perform tasks involving the use of the company’s name and who may influence its management and control; c) workers such as contractors/subcontractors, consultants, employees of employment agencies or similar; d) third parties such as public and private sector employees who interact with the Controller by virtue of a contract, including workers, civil servants, self-employed workers, employees of contractors/subcontractors, shareholders, persons who are part of the administrative, management or supervisory bodies of the company, including any non-executive members, volunteers, trainees, former employees and job applicants; e) relatives, persons in the same employment context as the whistleblower who are related to them by a stable emotional or kinship relationship down to the fourth degree.

PURPOSE, LEGAL BASIS OF THE PROCESSING, DATA RETENTION PERIOD AND NATURE OF PROVISION OF THE DATA

The personal data provided will be processed in compliance with the lawful conditions described in Article 6 of Regulation EU 2016/679 (GDPR) for the following purposes:
A) RECEPTION AND HANDLING OF REPORTS and/or communications we become aware of in the course of a legal relationship, pursuant to Art. 3 of Italian Legislative Decree no. 24/2023.
LEGAL BASIS:
Processing is necessary for compliance with a legal obligation the Controller is subject to (Italian Legislative Decree 24/2023).
RETENTION PERIOD:
For the time strictly necessary to process the report, and in any case no longer than five years from the date of the communication of the final outcome of the reporting procedure (Article 14 of Italian Legislative Decree no. 24/2023).
NATURE OF THE PROVISION:
The provision of personal data is compulsory, as it is indispensable in order to be able to fulfil the related legal obligations (Italian Legislative Decree 24/2023, and, if an organisation and management model has been adopted, Italian Legislative Decree 231/2001).

Please note that if the report is made anonymously, no personal data of the whistleblower will be processed.

B) DISCLOSURE OF THE IDENTITY OF THE WHISTLEBLOWER and/or any other information from which such identity may be directly or indirectly inferred to persons other than those authorised to receive and act upon the report, pursuant to Article 12, paragraph 2 of Italian Legislative Decree no. 24/2023.
LEGAL BASIS:
The processing is based on consent to the processing of personal data.
RETENTION PERIOD:
For as long as is strictly necessary to process the report or until the consent is withdrawn, unless the identity of the whistleblower has already been disclosed.
NATURE OF THE PROVISION:
The provision of personal data by the whistleblower is optional, and failure to provide them will not invalidate the report.

RECIPIENTS OR CATEGORIES OF RECIPIENTS OF THE DATA

The data will not be disseminated. They may instead be disclosed to recipients, who will process the data as data processors and/or as natural persons acting under the authority of the Data Controller and the Data Processor, for the purposes listed above.
The possible recipients are as follows:
– The person, internal office or external entity entrusted with the management of the internal reporting channel.
– Third parties to manage the platforms for sending and/or handling reports.
– Judicial authorities and public authorities, including ANAC.

TRANSFER OF DATA TO A THIRD COUNTRY AND/OR AN INTERNATIONAL ORGANISATION AND GUARANTEES

The personal data collected will not be transferred to countries outside the EEA.

IS THERE AN AUTOMATED PROCESS

Processing will be carried out in automated and manual form, using methods and tools designed to ensure maximum security and confidentiality, by persons specifically appointed and trained to manage the reporting channel.

RIGHTS OF THE DATA SUBJECTS

You may assert your rights as expressed in Art. 15 and following of the GDPR by contacting the Data Controller at privacy@vismaravetro.it or at the above contacts. You have the right to ask the Data Controller for access to your personal data (Article 15) or to rectify (Article 16) or erase (Article 17) the same at any time. You may also request the restriction of the processing of your personal data (Article 18). The Data Controller shall notify (Art. 19) each recipient to whom personal data has been disclosed of any amendment or deletion of personal data or restriction of processing carried out. The Controller shall notify the Data Subject about these recipients if the Data Subject requests it. You also have the right to the portability of your data (Art. 20), and in such case they will be provided to you in a structured, commonly used and machine-readable format. Data Subjects who consider that the processing of personal data by the Controller is in breach of the provisions of Regulation (EU) 2016/679 have the right to lodge a complaint with the Supervisory Authority, specifically in the Member State where they normally reside or work or in the place where the alleged breach of the Regulation occurred (Privacy Authority https://www.garanteprivacy.it), or to take appropriate legal action.

Date of last update: 03/11/2023