- Percassi Management S.r.l., via Giorgio e Guido Paglia n. 1/D, 24122 Bergamo, P.Iva 03328470160 C.F. 03328470160 Tel 035280111, e-mail: privacy.pm@percassi.com (hereinafter also “Company”).
DATA PROTECTION RESPONSIBLE (“DPO”): the DPO can be contacted at the following e-mail address: dpo.pm@percassi.com
PERSONAL DATA PROCESSED
The Company allows detailed written or oral reports of:
- unlawful conduct of an administrative, accounting, civil or criminal nature, including pursuant to Italian Legislative Decree 231/2001 or other applicable national laws
- violations of the Company’s internal provisions, such as:
- Organization, Management and Control Model possibly adopted by the Company pursuant to Italian Legislative Decree 231/2001, or other applicable national laws, as well as related procedures;
- Code of Conduct and Anti-Corruption Regulations;
- Antitrust Compliance Program regulations;
- Anti-Discrimination Policies and pertaining to Diversity, Inclusion and Gender Equality;
- National Collective Agreements and, more generally, internal regulations (procedures, policies, operating instructions, etc.);
- Violations of European provisions consisting of:
- acts and omissions that harm the financial interests of the Union;
- acts and omissions affecting the internal market;
- acts and conduct that frustrate the object or purpose of the provisions of Union acts in the above-mentioned areas;
- violations of national and European provisions consisting of offenses concerning – but not limited to – the following areas:
- public procurement;
- services, products and financial markets and prevention of money laundering and terrorist financing;
- product safety and compliance;
- transportation safety;
- environmental protection;
digitally through its Whistleblowing Platform, as hereafter defined.
Reports can be nominal or anonymous:
- in the case of anonymous reports, the company’s IT systems will not be able to identify the reporter from the portal access point (IP address);
- in the case of written or oral and nominal reports, at the option of the reporter, the reporter’s personal data will be associated with the report. Within the form, made available in the Whistleblowing Platform, the whistleblower will be able to indicate his or her personal data, in the case of nominal reports (and, specifically, personal data and contact details), information pertaining to the relationship with the Data Controller, the circumstances and description of the fact that is the subject of the report as well as personal data of the reported and/or any third parties (hereinafter the “Data”).
In addition, the Whistleblowing Platform provides the whistleblower with the entirely optional option of making reports by voice recording, subject to express consent, in which case the Data collected will also include the voice of the whistleblower. The Whistleblowing Platform also makes it possible, at the request of the whistleblower, to schedule a direct meeting with the company functions deputized and expressly authorized for processing and which have received appropriate operational instructions. The meeting, subject to the consent of the whistleblower, will be specially documented. The Data of the whistleblower, if any, are provided directly by the whistleblower (and thus acquired by the Controller from the data subject pursuant to Article 13 of the GDPR); the data of the whistleblower and/or third parties are provided by the whistleblower (and thus acquired by the Controller from third parties pursuant to Article 14 of the GDPR). Any special categories of data (e.g., data pertaining to health status) are not required by the Controller. Should they be shared by the reporter, they will be processed only if one of the conditions set forth in Article 9 of the GDPR as indicated below is met; in the absence of such conditions, they will be immediately deleted. The same considerations apply to any judicial data (e.g., data relating to criminal offenses) that you may have provided and, therefore, the same will not be taken into account or will be processed only where required by law under Art. 10 GDPR.
PURPOSES OF THE PROCESSING
-
- Handling of circumstantiated reports of unlawful conduct or violations of the Management Model, made in written and oral form, including investigative activities aimed at verifying the justification of the reported facts and the adoption of the consequent measures in accordance with the provisions of the Management Model/offenses and/or irregularities of within the framework of pre-contractual, contractual, probationary period intercurrent relations with the Owner or after the dissolution of the legal relationship if the information on violations was acquired in the course of the same legal relationship as provided for by Legislative Decree 24/2023
LEGAL BASIS OF THE PROCESSING: The Data are processed to fulfill a legal obligation to which the Data Controller is subject pursuant to EU Directive No. 2019/1937 as transposed by the applicable national legislation, and art. 6 (1) letter c) of the GDPR. The processing, if any, of special categories of data is based on the fulfillment of obligations and the exercise of specific rights of the Data Controller and the data subject in the field of labor law pursuant to Article 9 (2) (b) of the GDPR. Any data relating to criminal convictions and offenses will be processed only in cases where it is required by law under Article 10 GDPR. With reference exclusively to the making of reports by voice recording, the recording will be processed with the express consent of the data subject.RETENTION PERIOD: The Data shall be retained for as long as necessary for the processing of the report and in any case the shorter of (i) 5 years from the date of the communication of the final outcome of the reporting procedure or (ii) the different term, if any, provided for by the applicable legislation, in compliance with the confidentiality obligations set forth in EU Directive No. 2019/1937 and the principle set forth in Article 5 (1) letter e) of the GDPR. If the report results in the initiation of litigation or disciplinary proceedings against the whistleblower or whistleblower, the Data will be retained for the duration of the litigation or extrajudicial proceedings until the expiration of the time limit for appeal actions. Exceptions to the aforementioned five-year retention period are those reports whose contents are completely unrelated to the purposes of use of the Whistleblowing Platform (by way of example but not limited to, complaints, insults, suggestions), which will be deleted within two months of the completion of the analysis, documenting the reasons why they were not considered relevant
- If necessary, to ascertain, exercise or defend the Holder’s rights in court.
LEGAL BASIS OF THE PROCESSING: Legitimate interest of the Data Controller pursuant to Article 6(1)(f) of the GDPR.
Any special data categories will be processed to establish, exercise or defend a right in court pursuant to Art. 9(2)(f) of the GDPR.
Processing of data related to criminal convictions and offenses, if sent, will be processed only in cases where it is required by law pursuant to Article 10 GDPR.RETENTION PERIOD: The Data will be retained for the duration of the judicial proceedings or until the expiration of the terms of appeal.
After the above retention periods have elapsed, the Data will be destroyed, erased or anonymized, consistent with the technical procedures for erasure, backup, as well as accountability of the Data Controller.
- Handling of circumstantiated reports of unlawful conduct or violations of the Management Model, made in written and oral form, including investigative activities aimed at verifying the justification of the reported facts and the adoption of the consequent measures in accordance with the provisions of the Management Model/offenses and/or irregularities of within the framework of pre-contractual, contractual, probationary period intercurrent relations with the Owner or after the dissolution of the legal relationship if the information on violations was acquired in the course of the same legal relationship as provided for by Legislative Decree 24/2023
PROCESSING MODALITIES
The processing of the Data, both with reference to written and oral reports, will take place by means of paper, electronic or automated tools (“Whistleblowing Platform”) with logics related to the purposes indicated above and, in any case, in such a way as to ensure the security and confidentiality of the Data. Specific security measures are observed to prevent the loss of Data, illicit or incorrect use and unauthorized access. In cases where a face-to-face meeting is requested, the meeting will be documented, subject to prior consent, by the relevant personnel by means of minutes.
OBLIGATORY NATURE OF DATA PROVISION
The provision of Data is optional. In particular, in case of failure to provide the Identifying Data of the reporter, the report will be made anonymously. The information reported in the report (e.g., the circumstances and description of the fact that is the subject of the report with reference to the reported person and/or third parties) is necessary to enable the Data Controller to acquire, manage and initiate any preliminary investigation phase pursuant to the applicable laws and regulations.
Particular Categories of Data and/or judicial data are not requested by the Data Controller and may be processed, where sent by the reporter, only in the presence of the conditions listed above. In the absence of such conditions they will be immediately deleted.
RECIPIENTS OF THE DATA
The Data may be communicated to subjects operating as Data Controllers such as, by way of example, judicial authorities and other public subjects legitimated to request them, as well as persons, companies (including those belonging to the Percassi Group and its licensor and the latter’s company group), associations or professional firms that provide assistance and consultancy on the matter in compliance with the confidentiality obligations set forth in the applicable laws and regulations.
The Data are also to be processed, on behalf of the Data Controller, by the supplier that manages the Whistleblowing Platform (as well as the storage of the information and Data contained therein), to whom appropriate operational instructions are given and specifically appointed as Data Processor pursuant to Article 28 of the GDPR.
In exceptional cases, if from the report the Companies initiate a disciplinary procedure against the reported person that is based solely on the report, the Data of the reporter may be disclosed to the reported person, only after the prior express consent of the reporter and exclusively in order for the reported person to exercise his or her right of defense, in compliance with the confidentiality obligations set forth in the applicable laws and regulations.
SUBJECTS AUTHORIZED TO PROCESS
The Data may be processed by the staff of the supplier that manages the Whistleblowing Platform, members of the Supervisory Board and internal staff of the Percassi companies involved in the management of the reports, who act on the basis of specific instructions regarding the purposes and methods of processing and who will in any case be involved only in cases that are strictly necessary, taking care to preserve the absolute confidentiality of the data subjects.
TRANSFER OF PERSONAL DATA TO COUNTRIES OUTSIDE THE EUROPEAN UNION
No transfers of data outside the European Economic Area (EEA) are envisaged with regard to the processing in question. Should the Data be transferred outside the EEA to the entities indicated in the paragraph “Recipients of the Data” for the purposes set forth in this policy, the Company guarantees that your personal data will be processed by such Recipients in accordance with applicable data protection legislation.
RIGHTS OF THE DATA SUBJECT – COMPLAINT TO THE SUPERVISORY AUTHORITY
The data subject will be able through the Whistleblowing Platform to check the status of his or her report. In the case of anonymous reports, it is not possible to exercise the rights referred to in this paragraph since the exercise of the rights implies the identification of the data subject in order to follow up on them.
In the case of nominal reports, by contacting the Companies by e-mail at privacy.pm@percassi.com, data subjects may request from the Data Controller access to the data concerning them, their deletion in the cases provided for by Article 17 of the GDPR, the rectification of inaccurate data, the integration of incomplete data, the restriction of processing in the cases provided for by Article 18 GDPR, as well as the opposition to processing, for reasons related to their particular situation, in the cases of legitimate interest of the Data Controller.
In the case of a face-to-face meeting, at the request of the reporter, the report (prepared with the consent of the reporter) may be verified, corrected and confirmed by the reporter by his or her signature. In the case of an oral report, express consent of the reporter will be required, and in the case of a transcript of the oral report, the content of the transcript may be verified, rectified or confirmed by the reporter by his or her own signature.
Data subjects have the right to lodge a complaint with the supervisory authority concerned as defined in the GDPR.
The rights set forth in Articles 15 to 22 of the GDPR may not be exercised if the exercise of such rights may result in actual and concrete prejudice to the confidentiality of the identity of the employee who reports unlawful conduct of which he or she has become aware by reason of his or her office.
In such a case, the rights in question may be exercised through the competent supervisory authority, who shall inform the person concerned that he or she has carried out all the necessary verifications or has carried out a review, as well as the right of the person concerned to seek judicial redress.