Information on the processing of personal data in the context of the whistleblowing procedure
This information is provided to all data subjects who benefit from the protections afforded by Decree 24/2023 (reporter, facilitator, persons active in the same working environment, and colleagues of the reporter), as well as to the reported party. Consistent with the Anac Guidelines, combined information is provided in order to avoid multiple information flows that might make it possible to deduce the involvement of a person in a report, thus compromising the confidentiality protections afforded by Decree 24/2023 on whistleblowing matters.
Pursuant to art. 13 of Regulation (EU) 2016/679 and Decree 24/2023, Savino Del Bene Spa (the “Controller”) with registered office at Via del Botteghino 24/26 – 50018 Scandicci (Florence), provides this information about the personal data processing carried out when managing the whistleblowing reports, governed by the Whistleblowing Procedure of Savino Del Bene Spa (which applies to Savino Del Bene Spa and those Savino Del Bene Group companies within the scope of application of the Regulation) , obtained using IT tools and/or in the other ways indicated in specific related documentation. All personal data will be processed in accordance with the current regulations governing the protection of personal data, being Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”), Decree 196/2003 as amended by Decree 101/2018 (the “Privacy Code”), and any other personal data protection regulations applicable in Italy, including the measures adopted by the Italian Data Protection Authority (Garante), (hereinafter, together with the GDPR, the “Privacy Regulations”), with full respect for fundamental human rights and freedoms including, in particular, the confidential nature of the identities of the persons involved and the security of processing.
Controller and persons authorized to process personal data
The Controller is Savino Del Bene Spa with registered office at Via del Botteghino 24/26, Scandicci (FI). The Controller may be contacted at the following e-mail address: privacy@savinodelbene.com.
The Controller has established the Supervisory Body pursuant to Decree 231/2001, which inter alia, in the case of a Body with a single member, owns the process of managing reports governed by the Whistleblowing Procedure mentioned above. Such Body is based at the registered office of the Company and its member has been appointed as a person authorized to process personal data. Conversely, in the case of a Body that operates as a board, its President is deemed to be the Whistleblowing Manager.
In order to follow-up reports, the Whistleblowing Manager draws on support from the committees and/or business functions referred to in the Whistleblowing Procedure, whose personnel have also been appointed as persons authorized to process personal data and given adequate operational instructions.
Categories of personal data
Personal data is subdivided into two categories:
- Ordinary personal data pursuant to art. 4(1) GDPR of the reporter (if the report is not anonymous), the persons involved or mentioned in the report, and the facilitators, as indicated in the Whistleblowing Procedure and defined as “data subjects”, such as their personal identification details (name, surname, date and place of birth) and contact details (land-line and/or mobile phone number), postal/e-mail address;
- Special personal data pursuant to art. 9 GDPR, if included in the report (for example data that reveals the racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, genetic and biometric data that can identify a natural person unambiguously, as well as data concerning the health, sex life or sexual orientation of the person)
- Personal data relating to criminal convictions or offenses pursuant to art. 10 GDPR, if included in the report.
Purposes and lawfulness of processing - Provision of data
Personal data is collected and processed for purposes strictly connected with the management of reports filed pursuant to Decree 24/2023 about improper conduct, being activities and/or conduct inconsistent with the procedures implemented by the Company, including in particular infringements of domestic and EU laws detrimental to the public interest or that of the Controller, that become known to the reporter in a public or private working environment, as well as, more generally, infringements of the rules of professional conduct and/or the ethical principles referred to in the current regulations, and/or improper or fraudulent conduct by employees, members of corporate bodies or third parties (vendors, consultants, collaborators, etc.).
[For the reported party] Personal data may be collected via direct input to the dedicated Whistleblowing platform or, if the report is submitted using the verbal channel (recorded voice message) or at a meeting, input by a person authorized by the Controller.
[For data subjects other than the reported party] Personal data is collected from third parties and, in particular, from the report received by the Controller via a dedicated internal channel. In addition to the purposes indicated above, personal data is also processed by the Controller for purposes linked to the defense or establishment of its rights in criminal, administrative and civil disputes.
The lawfulness of processing is established:
- For purposes related to managing reports made pursuant to Decree 24/2023 and complying with EU laws and regulations, by compliance with a legal obligation to which the Controller is subject (art. 6, para. 1.c, of the GDPR);
- For purposes related to managing recorded reports made pursuant to Decree 24/2023 and collected by telephone or via voice messaging systems or, in any case, in verbal form, by compliance with a legal obligation to which the Controller is subject (art. 6, para. 1.c, of the GDPR);
- For purposes related to the defense or establishment of a right in criminal, administrative and civil disputes, by the legitimate interest of the Controller (art. 6, para. 1.f, of the GDPR).
The provision of personal data by the data subject is optional, but failure to provide it, or its partial or inexact provision, might make it impossible to manage the report.
Furthermore, if the contents of the report do not fall within the scope of application of the regulation, the related data will only be processed by the Controller if there is a mandatory requirement to do so and/or a legitimate interest to protect and/or exercise its rights in the competent jurisdictions.
The above consent and any other consent requested in order to manage reports may be revoked within the limits allowed by the applicable legislation; in particular, the revocation request will be analyzed by the responsible bodies in order to balance the need to protect the privacy rights of individuals with the need to tackle and prevent infringements of the rules of good corporate conduct or, in any case, the relevant applicable regulations. In all cases, the revocation of consent does not affect the lawfulness of the processing carried out until then.
Methods of processing and recipients
The Controller strives to process necessary data in a lawful, proper and transparent manner, in order to achieve purposes essential to the performance of report-related activities.
Processing is carried out by the Controller using inter alia electronic equipment and automated tools.
Processing will be excluded and/or restricted if the purposes pursued can be achieved via anonymization or in ways that allow data subjects to be identified solely if necessary.
If, during the management of reports, personal data is accidentally obtained that is obviously not needed to process a specific report, such data is not collected or, if collected accidentally, is erased immediately pursuant to the requirements of art. 13, para. 2, of Decree 24/2023, where applicable.
Pursuant to art. 2-(14) of the Privacy Code, personal data will only be processed by authorized persons who have been expressly and adequately instructed by the Controller about the absolute need to protect the personal data of all persons involved in the reports.
In addition, personal data may be processed to activate judicial and/or disciplinary protections related to the report, or communicated to the competent Authorities following infringements of the applicable regulations, or transmitted following a mandatory order from such Authorities.
Confidentiality and protection of the reporter
The Controller guarantees to keep confidential the identities of the reporter and the persons involved in or, in any case, mentioned in the report, together with the contents of the report and related documentation, except as envisaged in art. 12 of Decree 24/2023.
Accordingly, the identity of the reporter will be protected from receipt of the report and in all subsequent phases in accordance with the current provisions of the Privacy Regulations, except if a first-level or higher court determines that the reporter has committed the criminal offenses of slander or defamation or, in any case, that such offenses were committed by filing complaints with the judicial or accounting authority, or that the reporter has civil liability for offenses of the same type committed with malice or gross negligence, all without prejudice to any other exceptions envisaged by law (for example, obligation to inform the judicial authority).
Accordingly, without prejudice to the above exceptions, the Controller has determined pursuant to art. 12, para. 2, of Decree 24/2023 that your identity and any other information from which it could be determined, directly or indirectly, cannot be revealed to persons other than those authorized to receive or follow-up reports. Your express consent will also be obtained should it be necessary to reveal your identity pursuant to art. 12, paras. 5 and 6, of Decree 24/2023, or to decrypt your data for the purpose of defending the accused in a disciplinary procedure based solely on the report, and in which knowledge of the reporter is essential to the defense or for the defense of the person concerned.
All those who receive reports and/or are involved in their management are required to maintain the confidentiality of that information.
Infringement of this confidentiality requirement is a disciplinary offense, without prejudice to the other forms of responsibility envisaged by law.
Retention period
Internal and external reports and the related documentation are retained for the time necessary to process the report and, in all cases, for not more than five years from the date of communicating the final outcome of the investigation, consistent with the confidentiality requirements specified in art. 12 of Decree 24 dated March 10, 2023, and the principle codified in art. 5, para. 1.e), of Regulation (EU) 2016/679 and art. 3, para. 1.e), of Decree 51/2018.
If the report is submitted using a recorded telephone line or another voice messaging system, the report is documented by the authorized person – following consent from the reporter – by registration on a suitable storage/play-back device or by transcription in full. In the case of transcription, the reporter may check, correct and confirm the contents of the transcript by signing it.
If, at the request of the reporter, the report is submitted verbally during a meeting with the authorized person, the report is documented by the latter – following consent from the reporter – by registration on a suitable storage/play-back device or in written meeting minutes. In the case of meeting minutes, the reporter may check, correct and confirm their contents by signing them.
On the other hand, the data contained in reports about circumstances not envisaged in Decree 24/2023 will be retained for the time strictly necessary to pursue the purposes for which it was collected, in conformity with the regulations that safeguard the rights of data subjects and in compliance with the time-expiry deadlines envisaged by law.
Rights of data subjects
The reported party cannot exercise the rights indicated below, since their exercise might have a detrimental impact on efforts to keep confidential the identities of the reporter and the other data subjects, pursuant to art. 2-11 of Decree 196 dated June 30, 2003.
Data subjects may contact the Controller to exercise certain rights, including:
1) the right to obtain confirmation as to whether or not their personal data is being processed;
2) the right to access their personal data and certain other information (purposes for which personal data is processed, data categories, data recipients, retention period, etc.);
3) the right to request the rectification or restriction of data processing;
4) the right to obtain the erasure of their personal data on justified grounds;
5) the right to lodge a complaint with a supervisory authority.
The Controller has made the following e-mail address available for exercise of the rights granted pursuant to the Privacy Regulations: privacy@savinodelbene.com.
