Information on the Processing of Personal Data for Whistleblowing

Pursuant to Art. 12 et seq. of EU Regulation 2016/679 (“GDPR” or the “Regulation”), and in general in compliance with the principle of transparency laid down in said Regulation, the following information is provided regarding the processing of personal data (i.e. any information concerning an identified or identifiable natural person: “Data Subject”) related to the use of the so-called Whistleblowing channel.

1. DATA CONTROLLER

The data controller (i.e. the entity that determines the purposes and means of the processing of personal data) is Daldoss Elevetronic S.p.A. (“Data Controller”), with registered office in via al Dos de la Roda, 18 Pergine Valsugana (TN), Tax ID 01654330222, tel. 0461 518611, e-mail privacy@daldoss.com.

2. PURPOSE OF PROCESSING

Personal data are processed for the management of the Whistleblowing procedure in accordance with the legislation, including verification of the report, contacts with the whistleblower, adopting measures resulting from the investigation of the report, and the protection, including judicial protection, of rights.

3. TYPE OF DATA PROCESSED AND MODE OF COLLECTION, AND DATA SUBJECTS

The data to be processed are those derived from the content of the report and may therefore concern any category of personal data.
The data are obtained from the Whistleblower Data Subject (content of the report and any subsequent exchanges) or through the investigations of the ensuing inquiry.
The Data Subjects are the Whistleblower and any persons who may be the subject, even indirectly, of the report.

4. COMPULSORY OR NON-COMPULSORY PROVISION AND LEGAL BASIS FOR PROCESSING

There is no legal obligation to provide the personal data, but failure to do so will affect the possibility of processing the report fully or, in any case, adequately.
The legal basis for the processing is compliance with legal obligations (legislation on Whistleblowing, including (It.) Law 179/2017 and (It.) Legislative Decree 24/2023) and the Controller’s legitimate interest in protecting lawfulness at the company. That is without prejudice to the need for consent to the disclosure of the data of the Whistleblower in the cases provided for in Art. 12(2) and (5) of (It.) Legislative Decree 24/2003 and for documentation in the cases provided for in Art. 14(2) and (4) of said Decree.

5. PROCESSING AND STORAGE METHODS

The processing shall be carried out:
- through the use of manual and automated systems;
- by persons or categories of persons authorised to perform the relevant tasks;
- with the use of appropriate measures to ensure the confidentiality of the data and prevent access thereto by unauthorised third parties.
The data shall only be stored for the period necessary to achieve the stated purposes; ordinarily (i.e. in the absence of litigation), therefore, the data shall not be retained for more than five years following the conclusion of the investigation concerning the report.
There are no automated decision-making processes.

6. DISCLOSURE OF DATA

The data collected and processed may be disclosed, solely for the purposes specified above, to:
- all subjects whose right of access to said data is recognised by virtue of regulatory measures (e.g. Judicial Authorities);
- employees, associates, suppliers of the Data Controller, within the scope of their duties and/or contractual obligations relating to the management of the Whistleblowing procedure; the persons of the Data Controller’s organisational structure include, for example, the persons in charge of receiving, examining and assessing the reports; the Data Controller’s suppliers include, by way of example, the legal advisors and IT service companies, specifying in particular that the Whistleblowing procedure is carried out through the software platform of the company NTS Project S.p.A., based in Bastia Umbria (PG), designated as Data Processor;
- Public authorities with whom a report on the facts may be filed.
It is then pointed out that, pursuant to Art. 12 (It.) Legislative Decree 24/2023, the identity of the Whistleblower and any other information from which said identity may be inferred, directly or indirectly, may not be disclosed, without the express consent of the Whistleblower themselves, to persons other than those responsible for receiving or following up the reports, expressly authorised to process said data pursuant to Articles 29 and 32(4) of Regulation (EU) 2016/679 and Article 2-quaterdecies of the Personal Data Protection Code set out in (It.) Legislative Decree of 30 June 2003, No. 196, and that within the framework of disciplinary proceedings, the identity of the Whistleblower cannot be disclosed, where the alleged disciplinary charge is based on investigations that are separate from and additional to the report, even if consequent thereto. If the charge is based, wholly or in part, on the report, and knowledge of the Whistleblower’s identity is indispensable for the accused person’s defence, the report may be used for the purposes of disciplinary proceedings only if the Whistleblower expressly consents to the disclosure of his/her identity.
The data are not subject to dissemination.

7. PLACE OF DATA PROCESSING

The personal data are processed on the territory of the European Union. There is no intention to transfer data outside the territory of the European Union.

8. RIGHTS OF THE DATA SUBJECT

The GDPR grants the Data Subject the exercise of the following rights with regard to personal data concerning him/her (the summary description is indicative; for the full statement of the rights, including their limitations, please refer to the Regulation, and in particular to Articles 15-22):
- access to personal data (the data subject has the right to obtain, free of charge, information about the personal data concerning him/her held by the Controller and the processing thereof, as well as to obtain a copy of said data in accessible format);
- rectification of personal data (upon indication by the Data Subject, correction or integration of personal data – not expressing evaluations – that are incorrect or inaccurate, even if they have become such because they are not up-to-date);
- erasure of personal data (right to be forgotten) (e.g. the data are no longer necessary in relation to the purposes for which they were collected or processed; they have been processed unlawfully; they must be erased in order to comply with a legal obligation; the Data Subject has withdrawn consent and there is no other legal basis for the processing; the Data Subject objects to the processing, if the conditions are met);
- restriction of processing (in certain cases – the accuracy of the personal data is contested, for a period enabling the controller to verify the accuracy; processing is unlawful and the data subject opposes erasure; the personal data are no longer needed for the purposes of the processing, but they are required by the Data Subject for the defence of legal claims; the data subject has objected to processing pending the verification – the data shall be retained in such a way as to be possibly restored, but, in the meantime, they are unavailable to the Data Controller except in connection with verification of the validity of the request for restriction made by the Data Subject, or with the Data Subject’s consent, or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State);
- opposition wholly or in part to processing carried out on the basis of legitimate interest, on grounds relating to the specific situation of the Data Subject.
It should be noted, however, that the exercise of these rights is restricted in this case by Art. 2-undecies of (It.) Legislative Decree 196/2003 (Privacy Code) when it may result in actual and concrete prejudice to the confidentiality of the identity of the person reporting violations of which he/she has become aware by reason of his/her employment relationship or duties. The exercise of said rights may, in any event, be delayed, restricted or excluded by reasoned notice given without delay to the Data Subject, unless such notice may undermine the purpose of the restriction, for such time and to the extent that this constitutes a necessary and proportionate measure, having regard to the fundamental rights and legitimate interests of the Data Subject. Please note that, in such cases, the rights of the Data Subject may also be exercised through the (It.) Data Protection Authority in the manner set out in Article 160 of the (It.) Privacy Code.
The data subject also has the right to lodge a complaint with the (It.) Data Protection Authority if he/she considers that the processing of his/her personal data violates the provisions of the data protection legislation; the (It.) Data Protection Authority can be contacted via the details indicated on the Authority’s website “www.garanteprivacy.it”. In any event, we would like to have the opportunity to address any concerns of the Data Subjects beforehand. The Data Subjects may contact the e-mail address privacy@daldoss.com or the other contact details of the Data Controller indicated above for any clarification regarding the processing of their personal data and to exercise their rights.