pursuant to Art. 13 of Regulation (EU) 679/2016 on the processing of personal data within the framework of whistleblowing practices, as referred to in Legislative Decree no. 24/23
Recipients: whistleblower and alleged wrongdoer
Pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”) and to the applicable legislation on personal data protection, we inform You that Your personal data processed by our Company within the framework of the management of whistleblowing reports regarding alleged breaches of national or European Union legal provisions that harm the public interest or the integrity of the private entity, which have been received through the appropriate internal reporting channels made available by the Company pursuant to Legislative Decree 24/2023, will be processed in compliance with the above-mentioned legislation and in accordance with the principles of fairness, lawfulness and transparency by personnel authorized by the Company pursuant to Article 29 of the GDPR and Article 2-quaterdecies of the “Code on the protection of personal data” (Legislative Decree 196/2003).
1. Data Controller
The Data Controller is GLASS SERVICE S.R.L, based in Via Cascina Lari snc – San Miniato (province of Pisa [PI], Italy) (hereinafter also referred to as the “Company” or the “Data Controller”), which can be contacted by email: email@example.com
2. Purpose and legal basis of data processing
Personal data are processed for the management of internal whistleblowing reports of alleged violations or misconduct (actions or omissions) against public interest or the integrity of a private entity, as defined by Art. 2(1)(a) of Legislative Decree 24/23, of which the whistleblower has become aware within the context of their employment relation with the Data Controller.
The personal data processed are those contained in the internal whistleblowing report and/or in the deeds and documents attached thereto, and may refer to both the whistleblower and the persons involved who have been indicated as alleged wrongdoers, as well as to those who are involved in the whistleblowing reports in various ways.
Personal data may also be processed for the necessary preliminary investigations aimed at verifying the truth of the whistleblowing, as well as, where applicable, for the adoption of appropriate corrective measures and disciplinary measures or judicial actions against the alleged wrongdoers.
The legal basis for the processing of personal data is the fulfilment of a specific legal obligation for the Data Controller (Art. 6(1)(c) of the GDPR), as provided for by Legislative Decree 231/2001, Law 179/2017 and Legislative Decree 24/2023. The processing may also concern special data and data relating to criminal convictions and offences included in the reports in accordance with Articles 9 and 10 of the GDPR.
3. Categories of data
The categories of personal data collected and processed are: common personal and contact details, tax code, residence address, telephone number, e-mail, relationship with Glass Service useful for non-anonymous whistleblowing reports, the whistleblower’s voice (if the whistleblower uses the option to send a voice message), the personal details of the persons involved in the whistleblowing (e.g., name, surname, job title), as well as information which may appear in identity documents or other documentation produced for the report or otherwise necessary to verify the validity of the report.
Special categories of personal data and judicial data should not be included in the whistleblowing report if they are not relevant to the whistleblowing case. However, should such data be present, the Company will not make any use thereof, except in cases where the processing is necessary for the assessment, exercise or defence of a right in court and is authorized by law or by a measure of the Authority for the protection of personal data or, in any case, by order of a public authority.
4. Categories of data recipients
Personal data may be transferred to independent data controllers, such as:
a) competent public authorities, law enforcement agencies, judicial authorities;
b) lawyers and freelancers who are independent data controllers by virtue of their profession;
and persons or entities acting as data processors pursuant to Art. 28 of the GDPR, such as:
c) the Company that provides the IT platform for the management of whistleblowing reports;
d) the Whistleblowing Manager.
5. Transfers outside the EU
For the pursuance of the processing purposes described above, Your personal data may be transferred to the above-mentioned recipients in Italy and abroad.
Under no circumstances may Your personal data be transferred outside the European Union.
6. Retention times
In compliance with the confidentiality obligations set out in Art. 12 of Legislative Decree 24/2023 and with the principle set out in Article 5(1)(e) of the GDPR and 3(1)(e) of Legislative Decree no. 51 of 2018, internal whistleblowing reports and the related documentation will be retained for as long as necessary for the processing of the whistleblowing report and in no case later than five years after the date of notification of the final outcome of the whistleblowing process. When the maximum period of five years has elapsed, the information relating to the whistleblowing may be retained by the Company in order to ensure and preserve its right of defence and to demonstrate, where requested, the correct management of the whistleblowing reports received. In this case, the personal data of both the whistleblower and the persons involved in the whistleblowing, identified as alleged wrongdoers, as well as those who are in various ways involved in the reports, will be
7. Data processing methods
Personal data will only be processed by expressly authorized personnel, in such a way as to ensure the confidentiality of the identity of the whistleblower and of the content of the internal reports and related documentation, by taking appropriate technical and organizational measures to protect them from unauthorized or unlawful access, destruction, loss of integrity and confidentiality, including accidental loss. In order to ensure the confidentiality of the whistleblower throughout the processing of the internal report, the identity of the whistleblower will be known to the persons expressly authorized to manage the reports. Except in cases where liability for libel and defamation can be considered under the provisions of the Criminal Code or Art. 2043 of the Civil Code or, where applicable, within the context of criminal proceedings and in the manner and limits provided for in Article 329 of the Civil Procedure Code, the identity of the whistleblower shall be protected in any post-whistleblowing or reporting context. Therefore, subject to the above exceptions, the identity of the Whistleblower cannot be disclosed without the express consent of the same whistleblower, and all those who receive or are involved in the management of the whistleblowing report are required to protect the confidentiality of said information.
8. Provision of data
The provision of personal data is mandatory for the registration of a non-anonymous whistleblowing report and to verify the truthfulness of the report. If data are not provided by the whistleblower, the whistleblowing may still be managed but will not be considered as a whistleblowing report according to Legislative Decree no. 24 of 10 March 2023.
9. Rights of the Data Subject
Pursuant to and for the purposes of the GDPR, You, as Data Subject, may exercise the following rights against the Data Controller:
a) Right to obtain confirmation from the Data Controller of whether or not Your personal data are being processed and, if so, to obtain access to Your personal data and information provided for in Art. 15, and particularly those relating to the purposes of the processing, the categories of personal data in question, the recipients or categories of recipients to whom personal data have been or will be disclosed, the retention period, etc.;
b) Right to obtain, where inaccurate, the rectification of Your personal data, as well as the integration of such data where they are deemed incomplete, always in connection with the purposes of the processing (Art. 16);
c) Right to erasure of data (“right to be forgotten”), where one of the circumstances referred to in Article 17 applies;
d) Right to restrict the processing, in the cases provided for by Art. 18;
e) Right to data portability pursuant to Art. 20;
f) Right to object to the processing pursuant to Art. 21.
Pursuant to and for the purposes of Art. 2-undecies, first paragraph, letter (f), of Legislative Decree 196/2003, as subsequently amended and implementing Article 23 of the GDPR, the above-mentioned rights (Articles 15 to 22 of the GDPR) cannot be exercised, or their exercise may be delayed or limited, if the exercise of said rights may result in actual and material prejudice to the confidentiality of the identity of the person who reports breaches they have become aware of within the context of their employment relation or tasks. In this case, the data subjects may also exercise their rights through the Authority for the protection of personal data, as provided for in Article 160 of the Privacy Code. The data subject will receive from the Data Controller a specific and timely notification of the restriction, delay or exclusion of the exercise of their right, unless the notification may undermine the very purpose of the restriction.
These rights may be exercised by contacting the Data Controller at: firstname.lastname@example.org
Finally, You have the right to lodge a complaint with the Authority for the Protection of Personal Data [“Garante”] or with another supervisory authority pursuant to Art. 13(2)(d) of the GDPR.