PRIVACY POLICY – WHISTLEBLOWING Italian Legislative Decree 24/2023
Notice pursuant to Article 13 GDPR for the reported person and any data subject potentially referred to in a report

DATA CONTROLLER

The Data Controller, pursuant to Articles 4 and 24 of Reg. EU 2016/679, is Nuova Idropress SpA, in the person of its pro-tempore Legal Representative, with registered office in Via Consolini 10 – 42026 in Ciano d’Enza di Canossa (RE) Italy, Mobile phone +039-0522-242750, Fax +39-0522-878027, email: privacy@nuova-idropress.com

A Data Protection Officer (DPO) has not been appointed, as the mandatory conditions envisaged in Article 37, para. 1 of Reg. EU 2016/679 are not met.

TYPE OF DATA PROCESSED

“Personal Data” means any information relating to an identified, or identifiable, natural person (the “Data Subject”). An identifiable natural person is a person who can be identified, directly or indirectly, by reference to an identifier such as: a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

With regard to the processing that is the subject of this privacy policy, the personal data processed will be those relating to the reports submitted by the whistleblowers, including the contents of the reports themselves, which may include personal data relating to third parties.

The following information is provided for transparency purposes vis-à-vis the reported person and any data subject potentially referred to in a report (hereinafter jointly referred to as “reported person”), first and foremost to make them aware of the limits to the exercise of certain rights under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR):

Right to information – the right to be informed about the processing of one’s personal data pursuant to Articles 12 and 14 of the GDPR is restricted in light of the obligations of secrecy and confidentiality imposed by Italian Legislative Decree 231/2001, as amended by Italian Law no. 179/2017, as well as the risk of rendering impossible or seriously prejudicing the achievement of the purposes of the processing related to the reports under the whistleblowing system (see Art. 14, para. 5, letters b) and d) of the GDPR).

Other rights of the data subject – the rights set out in Articles 15 to 22 of the GDPR are not precluded in absolute terms to the data subject but may not be exercised (with a request to the Data Controller or with a complaint pursuant to Article 77 of the GDPR), including with regard to the knowledge of the source of the data, if the confidentiality of the identity of the data subject may be actually and concretely prejudiced as a result (see Article 2-undecies of the Privacy Code and Article 23 of the GDPR). In fact, with regard to the specific limitations to the rights of the data subject provided for in paragraph 1 with respect to whistleblowing, paragraph 3 of Article 2-undecies of the Code establishes that in such cases the rights in question may be exercised through the Privacy Authority in the manner set out in Article 160 of the Code.

SPECIFICALLY, WE INFORM THE REPORTED PERSON THAT THE EXERCISE OF THESE RIGHTS:

– May be carried out in accordance with the provisions of the law or regulations governing the sector (including Italian Legislative Decree no. 231/2001 as amended by Italian Law no. 179/2017).
– May be delayed, limited or excluded by reasoned notice given without delay to the data subject, unless such notice would undermine the purpose of the limitation, for such time and to the extent to which this constitutes a necessary and proportionate measure, having regard to the fundamental rights and legitimate interests of the data subject, in order to safeguard the confidentiality of the identity of the reporting person and in order to safeguard certain interests such as the conduct of the defence’s investigations or the exercise of the right of defence.
– In such cases, the rights of the data subject may also be exercised through the Privacy Authority in the manner set out in Article 160 of the Privacy Code, in which case the Privacy Authority shall inform the data subject that it has carried out all necessary verifications or has conducted a review, as well as of the data subject’s right to lodge a judicial appeal.

The reported person’s rights (including the right of access) may therefore be exercised to the extent permitted by the applicable law, and in particular it should be noted that the request will be analysed by the designated bodies in order to reconcile the need to protect the rights of individuals with the need to combat and prevent violations of the rules of good corporate governance or of the applicable regulations on the subject.

CATEGORIES OF PERSONAL DATA AND SOURCE OF COLLECTION

Personal data on the reported person are collected through the report and related documentation provided by the whistleblower. Personal data relating to the reported person will be included in the following categories:
✓ Name, title, qualification, gender.
✓ Business contact details: e.g. telephone number (mobile), email address, work address, fax number.
✓ Employment relationship (e.g. type of contract and place of work).
✓ Method and time of reporting (including site of origin).
✓ Any other information relating to the reported person that the whistleblower decides to share with the Data Controller in order to better substantiate their report, regarding: unlawful conduct relevant under Italian Legislative Decree 231/2001 or violations of the entity’s organisation and management model.
✓ Irregularities and/or unlawful conduct, whether by commission or omission, which constitute or may constitute a violation of the principles enshrined in the Code of Ethics of Dietopack srl, of company rules and/or which may result in potential or actual fraud or damage to co-workers, shareholders and stakeholders in general, or which constitute acts of an illegal nature or damage the interests and reputation of the company itself.
✓ Improper or suspicious activities and payments, other than the expenses or contributions expressly envisaged in the contracts entered into by Dietopack srl with suppliers, or donations made to public officials or requests for donations that such public officials or private entities might make.

The processing in connection with whistleblowing is carried out exclusively by staff entrusted/authorised and instructed in the proper handling of personal data, which under no circumstances will be disseminated.

PURPOSE OF THE DATA PROCESSING

Processing is carried out for the following purposes:
1) To initiate the necessary investigations aimed at verifying the validity of the reported matter learned during the performance of the employment relationship concerning unlawful or fraudulent activities, relevant pursuant to Italian Decree no. 231/2001 as amended and based on precise and concordant factual elements, or violations of the organisation and management model they have become aware of by reason of the functions performed.
2) To enforce the prohibition against direct or indirect retaliatory or discriminatory actions against the whistleblower for reasons directly or indirectly linked to the report, including by means of communication to INPS.
3) To adopt disciplinary sanctions drawn up by the Employer in accordance with the organisational model set out in Italian Law 231/2001, both against those who breach the measures for the protection of the reporting party and against those who submit reports with malice or gross negligence that turn out to be unfounded.

The legal basis for the processing is to be found in the legitimate interest of the controller (pursuant to Art. 6, letter f), GDPR).

With regard to the “special” data referred to in Article 9 of the GDPR (e.g. data on health, race, ethnicity, sexual life, religious, political and trade union beliefs, genetic data, biometric data, etc.), the legal basis is as envisaged in Article 9, para. 2, letter f), i.e. the establishment, exercise or defence of a right in a court of law, it being understood that for certain aspects relating to the employment relationship the legal basis may be found in letter b) of said provision.

With regard instead to judicial data, such data may be collected if it is done to prevent the criminal liability of the company in accordance with the rationale of Italian Law 231/2001 in compliance with the provision of Article 10 of the GDPR.

The personal data of reported persons may also be used to fulfil legal obligations in the case of reports made in connection with the provision of services to public bodies.

METHOD OF DATA PROCESSING AND STORAGE

The personal data are processed by automated means (e.g. using electronic procedures and media) and/or manually (e.g. on paper) for the time strictly necessary to achieve the purposes they are collected for, and in any case in accordance with the relevant regulations. Specific security measures are implemented to prevent the data from being lost, used unlawfully or inappropriately, and accessed without authorisation.

No automated decision-making and no form of profiling will be applied to the data collected.

After this period, the data will be deleted or made anonymous, unless their further storage is necessary to fulfil legal obligations or to comply with orders issued by public authorities.

DISCLOSURE OF THE DATA

Where appropriate, the recipients of the data collected as a result of the report are the Supervisory Body, the Judicial Authority, the Court of Auditors (for reports made with respect to the activities of the entities the Group companies provide public services to) and ANAC.
Specifically, the data may be disclosed to:
– External consultants (e.g. law firms) that may be involved in the investigation of the report.
– Corporate functions involved in receiving, examining and evaluating reports.
– Person(s) tasked with the function(s) concerned by the report (e.g. Internal Audit Function, Legal Function, Supervisory Body or other function relevant to the reported person).
– Organisational positions tasked with investigating the report in cases where their knowledge is indispensable for understanding the facts reported and/or for conducting the relevant investigation and/or processing.
– Institutions and/or public authorities, judicial authorities, police agencies, investigation agencies.
– The supervisory body appointed pursuant to Italian Legislative Decree 231/2001.
– The head of corruption prevention and transparency (RPCT), where appointed.
– INPS, where retaliatory actions against the whistleblower have been established.

The personal data collected are also processed by the data controller’s staff, who act on the basis of specific instructions given regarding the purposes and methods of the processing. The personal data collected will not be disseminated and will not be transferred to third countries (outside the EU).

Date of last update: 03/11/2023