Send a report with the utmost confidentiality.

Privacy

INFORMATION REGARDING THE PERSONAL DATA PROCESSING

pursuant to articles 13 and 14 of EU Regulation 2016/679 – Whistleblowing

 

Joint Data Controllers: INNOVA SRL, via I Maggio nr. 8 - 38089 Storo (TN) - INNOVA ENGINEERING SRL,  via I Maggio nr. 8 - 38089 Storo (TN) - KATANA SRL, via I Maggio nr. 8 - 38089 Storo (TN) - SINERGIA SRL, via del Commercio nr. 1/A - 23017 Morbegno (SO).

Data Protection Officer (DPO): SAPI SRL, via Brennero nr. 182 - 38121 Trento email: privacy@sapi.artigiani.tn.it – Referent: Avv. Michele Pizzini – email: michelepizzini@neonomos.it  

Subject of the information - With this information, the Joint Data Controllers illustrate how they process the personal data and what rights are recognized to the data subject pursuant to EU Regulation 2016/679 (hereinafter "GDPR"), relating to the protection of natural persons with regard to the processing of personal data for the Whistleblowing management.

Purposes of the data processing - The data directly provided by you to report alleged illicit conduct of which you have become aware due to your employment, service or supply relationship with the Joint Data Controllers are processed to manage such situations. The personal data are therefore acquired as they are contained in the report and/or in deeds and documents attached to it; they refer to the reporting subject and may also refer to people indicated as possibly responsible for the illicit conduct, as well as to those involved in the events reported. In particular, the data are processed to carry out the necessary investigative activities aimed at verifying the validity of what has been reported, as well as, if necessary, adopting adequate corrective measures and undertaking appropriate disciplinary and/or judicial actions against those responsible for the illicit conduct.

Legal basis - Personal data are processed by the Joint Data Controllers for the execution of a specific legal obligation (art. 6, §1 lett. c) of the GDPR). The specific legal basis is identified in the reference legislation that regulates Whistleblowing reports, in particular in Legislative Decree 24/2023 (hereinafter the "Decree").

Types of data processed - The reception and management of reports gives rise to the processing of common personal data (name, surname, contact details, job role, etc.), and may also give rise, depending on the content of the reports and the deeds and documents attached to them, to the processing of particular personal data (i.e. data relating to health conditions, sexual orientation or trade union membership, referred to in Article 9 GDPR) and personal data relating to criminal convictions and crimes (referred to in Article 10 GDPR).

Provision of data - The provision of data is optional. Failure to provide data will result in the report being managed anonymously. However, it is necessary to provide detailed information relating to the report to allow the dispute to be managed. The personal data and information you provide must be relevant to the purposes of the report, so that only reports regarding whistleblowing conduct required by law can be followed up.

Data retention - Personal data are retained for a period of 5 years starting from the date of communication of the final outcome of the reporting procedure, and, in any case, until the definition of the procedures initiated by the offices or bodies receiving the report.

Data recipients - Personal data are processed by the Joint Data Controllers and by subjects designated by them as Data Processors or as persons authorized to process, who operate under the direct authority of the Joint Data Controllers or the Data Processor.

The data being processed will not be disclosed or communicated to third parties, except where necessary: (i) to subjects to whom the communication of the data must be carried out in fulfillment of an obligation established by law, by a regulation or by EU law, by a general administrative act or to comply with an order from the judicial authority; (ii) to any other third parties if communication becomes necessary for the protection of the Joint Controllers in judicial proceedings, in compliance with current provisions on the protection of personal data. The report and the identity of the whistleblower cannot be accessed either through documentary access or through generalized civic access.

Data processing - Personal data are also processed with automated tools for the time strictly necessary to achieve the purposes for which they were collected.

The Joint Data Controllers use suitable security, organisational, technical and physical measures to protect the information from alteration, destruction, loss, theft or improper or illegitimate use. As regards the protection of the reporting party's confidentiality, the provisions of Legislative Decree 24/2023 apply.

Profiling and automated decision-making processes - The data processing is not subjected to profiling or automated decision-making processes.

Transfers of personal data to non-EU countries or international organizations - The data are not transferred to non-EU countries or international organizations. However, should a transfer occur, it will take place in compliance with the legislation in force from time to time regarding the transfer of data and with art. 44 et seq. of the GDPR.

Limitations on the rights of the data subject - Pursuant to art. 13 co. 3 of Legislative Decree 24/2023, in conjunction with art. 2-undecies of Legislative Decree 196/2003 (hereinafter "Privacy Code"), the legislator has provided for the imposition of a series of limitations on the exercise of the rights provided for by articles 15 et seq. of the GDPR. In compliance with these provisions, the Joint Data Controllers may carry out an assessment in relation to the processing in question, deciding, where deemed necessary, to limit, delay or exclude the exercise of rights which may cause actual and concrete prejudice to a series of areas judged by the legislator as deserving of particular forms of protection, making in any case, without unjustified reason, a specific reasoned communication to the data subject.

How to exercise the data subject rights - The rights provided for by articles 15 et seq. of the GDPR can be exercised, without prejudice to the limitations provided for by the Decree and where permitted by current legislation, by email to the address of the DPO: privacy@sapi.artigiani.tn.it

In the cases indicated in art. 2-undecies co. 3 of the Privacy Code, the rights of the data subject can also be exercised through the Supervisory Authority at the link https://www.garanteprivacy.it/i-miei-diritti