POLICY STATEMENT FOR THE PROCESSING OF PERSONAL DATA PROVIDED FOR THE MANAGEMENT OF WHISTLEBLOWING REPORTS
pursuant to Articles 13 and 14 of the EU Regulation 679/2016 (GDPR) in relation to the protection of personal data.
Dear Data Subject,
Elettromil S.r.l., with registered office in Via dei Mestieri, 10, Castiglione del Lago (PG), VAT 02379880541, in its capacity as the Data Controller (hereinafter the "Company" or the "Data Controller"), in compliance with the current legislation on Whistleblowing, as prescribed by European Regulation 2016/679 (GDPR) and Legislative Decree 24/2023 (Whistleblowing Decree), provides you with the following information.
1. Data Controller
The Personal Data Controller, i.e., the person who is responsible for decisions regarding the purposes, methods and security of personal data processing, is the Company Elettromil S.r.l., in the person of the legal representative p.t.
If you have any questions or requests regarding the processing of your personal data, you can contact us by sending a request to the following addresses:
Elettromil S.r.l., Via dei Mestieri 10, 06061 Castiglione del Lago (PG)
E-mail: privacy@elettromil.com
PEC: elettromilpec@actaliscertymail.it
2. Type of personal data processed.
Receipt and handling of whistleblowing reports may give rise to the processing of so-called "common" personal data (first name, surname, occupational role, etc.) and may give rise, depending on the content of the reports and the records and documents attached to them, to the processing of so-called "special" personal data (data relating to health conditions, sexual orientation or trade union membership and personal data relating to criminal convictions and offences).
It should be noted that the report should not contain facts that are not relevant to the report, nor special categories of personal data, as referred to in Art. 9 of the GDPR (hereinafter also "Special Data Categories," i.e., those from which racial and ethnic origin, philosophical and religious beliefs, party or trade union membership, as well as health status, sex life or sexual orientation, among others, may potentially be inferred), nor data relating to criminal convictions and offenses referred to in Art. 10 of the GDPR, except in cases where this is unavoidable and necessary for the purposes of the report itself.
In any case, the Company will take care to process only the data strictly necessary for the management of the individual report, deleting any additional data that may be provided to it, due to the principle of minimization.
The data that is subject to processing refers to the whistleblower and may also refer to persons named as possible perpetrators of violations, as well as those in various capacities involved or mentioned in the report.
3. Purpose and legal basis of the processing.
| Purpose (Why we process your data) | Legal Basis (On the basis of which provision of the law we treat the data) | Consequences (What happens if you refuse to give personal data and/or authorize processing) |
| --- | --- | --- |
| To follow up on the reports received; to carry out the necessary investigative activities to verify the validity of the information reported | Art. 6(1)(c) GDPR (the processing is necessary for the fulfilment of the obligations imposed on the Company by Legislative Decree 24/2023, as amended) Art. 9(2)(b) GDPR (processing is necessary for the purposes of fulfilling the obligations and exercising the specific rights of the data controller or the data subject in the area of employment and social security law and social protection, insofar as it is authorized by EU or Member State law or by a collective agreement under the laws of the Member States, where appropriate safeguards are in place for the fundamental rights and interests of the data subject) - with regard to special data. Art. 10 GDPR and Art. 2-octies Legislative Decree 196/2003 for data relating to criminal convictions and offenses - in fulfilment of legal obligations under the Decree | The provision of data is necessary to have the protections set out in Legislative Decree 24/2023. However, reports can also be submitted anonymously. In this regard, we invite you to consult the Whistleblowing Procedure adopted by the Company. |
| To disclose your identity as a whistleblower to persons other than those in charge of handling the report, in the cases expressly provided for in Article 12 of Legislative Decree 24/2023, except as required by law (e.g., criminal proceedings instituted as a result of the report) | Art. 6, Par. 1, Lett. a) GDPR (the data subject has given consent to disclose his or her identity in the cases provided for in Art. 12 Legislative Decree 24/2023 in order to follow up the report; in this case, consent will be requested from you when the circumstances envisaged in the regulations occur) | In absence of your consent, your identity will not be disclosed, except as required by law |
4. Method of data processing.
The data provided at the time of reporting and the data contained in the reports will be processed in accordance with the principles of fairness, lawfulness, transparency and the protection of confidentiality and rights, both yours and those of all interested parties, in compliance with the confidentiality obligations imposed by privacy regulations and the law on whistleblowing.
The data processing will make use of IT and electronic tools designed for the organisation and processing of data strictly related to the purposes referred to above, and, in any event, in such a way as to ensure the security, integrity and confidentiality of the data in compliance with the organisational, physical and logical measures envisaged in the applicable provisions.
In particular, the Data Controller, in accordance with the provisions of the Whistleblowing Decree, is equipped with an IT platform as an internal reporting channel.
The IT platform protects personal data through an encryption system, thus ensuring the confidentiality of the information transmitted.
Printed documentation is limited to the bare minimum and archived and stored in cabinets and rooms equipped with security locks.
In any case, the personal data of data subjects will not be disseminated.
5. Persons in charge of Processing data
The personal data you provide and any subsequent data acquired in the course of the service will be processed exclusively by personnel authorized for this purpose or by data processors designated for this purpose.
These individuals are all formally designated/authorized for the data processing, and are also required to maintain the confidentiality of any information learned as a result of their duties, without prejudice to the reporting and denunciation obligations set forth in Article 331 of the Criminal Code.
Further information on the designated Persons, Data Processors, and System Administrators can be obtained from the Data Controller at the contact information above.
6. Communication of personal data to third parties.
Although personal data may not be disseminated, it may be transmitted to public administrations legitimated by law (e.g., Judicial Authority, Court of Auditors, ANAC-Italian National Anti-Corruption Authority, etc.), which are considered autonomous data controllers.
The Company uses DigitalPA, as its technology partner, which is entrusted with the management of the digital platform, designated for this purpose as the Data Processor pursuant to Article 28 GDPR.
7. Transfers of personal data to third countries or international organizations - Automated processes
Your personal data is not transferred outside the European Union, nor is it processed in automated decision-making processes.
8. Data retention period.
The Company shall retain personal data in accordance with Article 14 of Legislative Decree No. 24/2023, i.e., for the time strictly necessary to investigate the report received and, in any case, for no longer than 5 years from the date of communication of the final outcome of the reporting procedure, unless legal proceedings deriving from the report itself should arise during the 5-year period. In the latter case, the data retention period will follow the course of said judicial proceedings.
Personal data that is manifestly unnecessary to the handling of a specific report is not collected or, if accidentally collected, is promptly deleted.
After the above retention periods have elapsed, the data will be destroyed, deleted, or anonymized, as consistent with the technical procedures for deletion and backup.
9. Rights of data subjects
We inform you that you have the right to exercise the following rights in relation to the personal data covered by this policy:
- Right of access and rectification (Articles 15 and 16 of the EU Regulation)
- Right to erasure of data (Art. 17 of the EU Regulation)
- Right to restriction of processing (Art. 18 of the EU Regulation)
- Right to data portability (Art. 20 of the EU Regulation)
- Right to object (Art. 21 of the EU Regulation)
- Right to lodge a complaint (Art. 77 of the EU Regulation)
- Right to revoke consent (Art. 13 of the EU Regulation)
At any time, you may exercise your rights with reference to the specific processing of personal data carried out by Elettromil S.r.l. in its capacity as Data Controller, at the contact addresses indicated in point 1 of this policy.
The aforementioned rights may not be exercised by the person involved or by the person mentioned in the report, for the time and to the extent that this is a necessary and proportionate measure, pursuant to Article 2 undecies of the Privacy Code, inasmuch as the exercise of these rights could result in actual and concrete prejudice to the protection of the confidentiality of the identity of the whistleblower.
10. Organizational and technical security measures
Elettromil S.r.l. adopts adequate organizational and technical security measures to safeguard the confidentiality, integrity, completeness and availability of the personal data it processes. Technical, logistical and organizational measures have been developed with the aim of preventing damage, loss, even accidental, alterations, improper and unauthorized use of the data processed.