Privacy notice – Whistleblowing
(Art. 13 General Data Protection Regulation n. 679/2016)
Limacorporate S.p.A. (hereinafter also referred to as the "Company" or the "Controller") has established several channels to allow the reporting of violations pursuant to Legislative Decree 24/2023 (hereinafter also referred to as the "Reports") by various individuals, as identified from time to time by the applicable legislation ("Whistleblowers").
These channels also enable the transmission of Reports in an anonymous form. However, should the Whistleblower choose to submit the Report in a non-anonymous format, and if the Report contains personal data relating to the Whistleblower and/or third parties, the Company will process the personal data contained therein. Therefore, this information outlines the methods by which Limacorporate S.p.A. collects, stores, and uses your personal data for the management of the Reports, in accordance with the provisions of Regulation (EU) 2016/679 (the "GDPR") and in compliance with any other applicable European Union or Member State regulations on privacy (together, the "Privacy Legislation").
In this regard, the Controller invites you to carefully read this notice (hereinafter, the "Notice"), as it contains important information about the protection of personal data and the security measures taken to ensure its protection in full compliance with the GDPR.
1. Data Controller
Limacorporate S.p.A., P.I. 01427710304 - 33038 Villanova di San Daniele (UD) - Via Nazionale, 52, tel. 0432.945511 – fax 0432.945512, email@example.com. You can contact these addresses for everything concerning the processing of your personal data.
2. Data Protection Officer (DPO)
LimaCorporate has appointed the Data Protection Officer pursuant to Art. 37 of Regulation (EU) 2016/679, based in Villanova di San Daniele (UD) - Via Nazionale, 52, who may be contacted at: firstname.lastname@example.org
3. Type of personal data processed
The Controller processes the personal data that may be contained in the Reports received or in documentation attached to them and/or collected during the activities of managing and verifying such Reports. This may include, for example, personal identification data, contact information, data related to work activities, and, in some cases, data concerning criminal convictions or offenses, data belonging to special categories (e.g., health data, political opinions, union membership, etc.).
Furthermore, it should be noted that, in the case of an oral Report, with the prior consent of the Whistleblower, the Report may be documented by the relevant personnel through recording on a suitable device for preservation and listening or by means of minutes that will be submitted to the Whistleblower for any corrections. In any case, the Company guarantees the confidentiality of the Whistleblower's identity and all the protections provided by law for the benefit of the Whistleblower.
The personal data may pertain to the Whistleblower, the reported individual, and/or third parties.
4. Purpose of processing
The collection and processing of personal data are carried out solely for the following purposes:
a) The proper and complete management of the Reports in compliance with the current legislation on whistleblowing, including conducting necessary investigative activities to verify the validity of the reported matter and taking appropriate measures accordingly, and responding to any requests from Authorities.
b) To ascertain, exercise, or defend in judicial and/or extrajudicial proceedings the rights or interests of the Controller or third parties.
5. Legal basis of the processing and nature of data provision
The legal basis for the processing concerning the purpose outlined in point 3.1 is Article 6(1)(c) of the GDPR - "compliance with a legal obligation to which the Controller is subject."
Regarding the purpose mentioned in point 3.2, the legal basis for the processing is Article 6(1)(f) of the GDPR - "pursuit of the legitimate interests of the Controller or third parties."
Regarding the purpose based on the legitimate interest of the Controller or third parties, according to Article 6(1)(f) of the GDPR, it is specified that the Controller's legitimate interest in processing the data is fairly balanced with your fundamental interests, rights, and freedoms. The processing based on the legitimate interest of the Controller is not mandatory, and you have the right to object to such processing as described in this Notice. In such a case, the Controller will not process personal data for this purpose unless it demonstrates compelling legitimate grounds.
Concerning personal data falling under special categories processed for the above-mentioned purposes, the legal basis for the processing is Article 9(2)(b) of the GDPR, which states that "processing is necessary for carrying out the obligations and exercising specific rights of the Controller or the data subject in the field of employment and social security and social protection law, insofar as it is authorized by Union or Member State law or a collective agreement pursuant to Member State law, and providing for appropriate safeguards for the fundamental rights and the interests of the data subject." Additionally, the legal basis is also Article 9(2)(f) of the GDPR, which states that "processing is necessary for the establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity."
Furthermore, in cases as provided for in Article 12 of Legislative Decree 24/2023, the identity of the Whistleblower and any other information from which their identity can be directly or indirectly inferred may only be disclosed with the explicit consent of the Whistleblower to persons other than those competent to receive or follow up on the Reports, expressly authorized to process such data pursuant to Articles 29 and 32(4) of the GDPR and Article 2-quaterdecies of the data protection code referred to in Legislative Decree 30 June 2003, no. 196.
Please note, in any case, that the Report can be submitted anonymously; however, submitting a non-anonymous Report facilitates the management of the Report itself.
Personal data is processed by LimaCorporate and by duly authorized employees responsible for the correct fulfilment of the purposes indicated in point 3), through electronic tools and paper files, using appropriate security measures to ensure the confidentiality of personal data and to prevent undue access by unauthorized parties.
6. Automated Decisions
LimaCorporate does not use automated processes, including profiling, to achieve the purposes set out in this notice.
7. Communication and Transfer of Data
Your personal data may be shared with:
• Functions involved in the activity of managing the Reports, conducting investigations/verification of the reported matters;
• System administrators responsible for maintaining the platform for receiving Reports;
• External consultants, such as legal firms, who may be involved in the investigative and management phase of the Reports;
• Entities, bodies, institutions, or Authorities to whom communication is mandatory under the provisions of laws or regulations.
The entities belonging to the above-mentioned categories will, where necessary, be duly appointed, depending on the case, as data processors according to Article 28 of the GDPR or authorized to process data under Article 29 of the GDPR and Article 2-quaterdecies of Legislative Decree 196/2003. A list of appointed data processors is available at the Data Controller's office.
8. Data retention
LimaCorporate will process and retain your personal data for the time necessary to fulfil the purposes mentioned above, and in any case, not exceeding five years from the date of communication of the final outcome of the reporting procedure. After this period, your data will be deleted, subject to any further legal obligations.
As a person, you have several rights. In short, you can access and obtain a copy of your data on request, require that incorrect or incomplete data be corrected, have your data deleted or its processing stopped, object to the processing of your data, and ask us to transfer your data to another organization, in accordance with Articles 15 to 22 of Regulation (EU) 2016/679 (GDPR).
If you would like to exercise any of these rights, or if you have any questions about this notice or our processing of your data more generally, please contact the Controller, Limacorporate S.p.A. - 33030 Villanova di San Daniele (UD) - Via Nazionale, 52 - Tel. +39.0432.945511 - Fax +39.0432.945512,
by sending an email to: email@example.com
or consult our website at https://limacorporate.com/en/about-us/privacy-policy.html.
If you believe that LimaCorporate has not complied with your data protection rights, you can complain to the supervisory authority for data protection, the Garante privacy, Piazza Venezia 11, 00187 – Roma, e-mail: firstname.lastname@example.org or the competent Authority of your Country.
Finally, we remind you that the rights provided for in Articles 15 to 22 of the GDPR cannot be exercised by contacting the Data Controller or by filing a complaint with the supervisory authority under Article 77 of the GDPR if exercising those rights could result in an actual and concrete prejudice to the confidentiality of the Whistleblower's identity.
FRM 38-30, rev. 0 dated 25/09/2023