|
PRIVACY POLICY - WHISTLEBLOWING Legislative Decree 24/2023
Updated to: 23.10.2023 |
PO RU 01 Annex XX rev. 0 page < 1 > of 2 |
Information pursuant to Article 13 GDPR for the reporting party
1. THE DATA CONTROLLER
The data controller, pursuant to Articles 4 and 24 of EU Reg. 2016/679 is Porro Spa, with registered office in Montesolaro, Via per Cantù 35, as represented by the company’s legal representative, who can be contacted by e-mail at porro.amministrazione@pec.net.
The Company has also appointed a Data Protection Officer (DPO pursuant to the provisions of Articles 37 - 39 of EU Reg. 2016/679, who can be contacted at - contatti: dpo-gdpr@porro.com
2. TYPE OF DATA THAT CAN BE PROCESSED
With reference to the processing that is the subject of this notice, the personal data processed will be those relating to reports made by whistleblowers, including the contents of the reports themselves, which may include personal data relating to third parties.
Personal data of the author of the report (the 'reporter'), if the report is not anonymous
- First and last name
- Addresses
- Manner and time of reporting
- Other information provided by the data subject
The persons concerned are: (a) employees (persons who have established an employment contract with the employer, including temporary workers), (b) senior persons who hold administrative, management and representative functions of the company and persons delegated by the company to perform tasks involving the use of the company's name and who may influence its management and control, (c) workers such as contractors/subcontractors, consultants employees of employment agencies or similar, d) third parties such as public and private sector employees who interact with the Controller by virtue of a contract, including workers, civil servants, self-employed workers, employees of contractors/subcontractors, shareholders, persons who are part of the administrative, management or supervisory bodies of the company, including any non-executive members, volunteers, trainees, former employees and job applicants, e) relatives persons in the same employment context as the reporting person who are related to him/her by a stable emotional or kinship relationship up to the fourth degree.
3. PURPOSE, LEGAL BASIS OF PROCESSING, DATA RETENTION PERIOD AND NATURE OF PROVISION OF DATA
The data of a personal nature provided, will be processed in compliance with the conditions of lawfulness under the provisions of article 6 EU Reg. 2016/679 (GDPR) for the following purposes:
- receipt and management of reports and/or communications of which it has become aware in the course of a legal relationship, pursuant to Article 3 of Legislative Decree No. 24/2023.
- disclosure of the identity of the reporter and/or of any other information from which that identity may be inferred, directly or indirectly, to persons other than those competent to receive and act upon the report, pursuant to Article 12(2) of Legislative Decree No. 24/2023.
The processing is necessary for fulfilling a legal obligation to which the data controller is subject (Legislative Decree 24/2023) and the processing is based on consent to the processing of personal data.
4. NATURE OF CONFERMENT
The communication of personal data is compulsory, as it is indispensable for the fulfilling of the relevant legal obligations (Legislative Decree 24/2023 and, if MOGC is adopted, Legislative Decree 231/2001).
The provision of personal data by the reporting person is optional and failure to provide them will not invalidate the report.
5. RETENTION PERIOD
As regards purpose (a), the retention period will be for the time strictly necessary to process the report and, in any case, no longer than 5 years from the date of communication of the final outcome of the reporting procedure (Article 14 of Legislative Decree No. 24/2023).
With regard to purpose (b) for as long as is strictly necessary to process the report or until consent is revoked, unless the identity of the reporter has already been disclosed.
6. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF DATA
The data will not be disseminated but may be communicated to certain recipients, who will process the data in their capacity as data controllers and/or as natural persons acting under the authority of the Data Controller and Data Processor, for the purposes listed above.
The recipients identified are as follows:
- the person or internal office, or external entity, entrusted with the management of the internal reporting channel;
- third parties to manage the platforms for sending and/or handling reports;
- Judicial authorities and public authorities, including the ANAC.
7. MANNER OF PROCESSING
Processing will be carried out in automated and manual form, using methods and tools designed to ensure maximum security and confidentiality, by persons specifically appointed and trained to manage the reporting channel.
8. DATA TRANSFER TO A THIRD COUNTRY AND/OR INTERNATIONAL ORGANISATION AND GUARANTEES
Personal data collected will not be transferred to countries outside the European Union
9. RIGHTS OF THE PERSONS CONCERNED
The persons concerned may exercise their rights under Articles 15 et seq. of the GDPR with regard to such personal data.
In the event of signing any form of consent to the processing required by the company, please note that the data subject may revoke it at any time, subject to the limitations described above.
The persons concerned may also exercise these rights by sending communications to the following e-mail address: dpo-gdpr@porro.com.