Whistleblowing

DATA PROCESSING POLICY

FOR THE MANAGEMENT OF OFFENCE REPORTS

REGULATED BY THE PROCEDURE FOR REPORTING BREACHES

Reg. EU 2016/679 (GDPR)

  1. Data Controller

The following are Joint Data Controllers:

  • Piovan S.p.A., with registered office in Santa Maria di Sala (Venice), Via delle Industrie 16, e-mail: piovanspa@legalmail.it
  • Aquatech S.r.l., with registered office in Santa Maria di Sala (Venice), Via delle Industrie 16, e-mail: aquatech@legalmail.it
  • Energys S.r.l., with registered office in Santa Maria di Sala (Venice), Via delle Industrie 16, e-mail: energys@pec.net
  • Penta S.r.l., with registered office in Poggio Renatico (Ferrara), Via Uccellino 75/77, e-mail: penta@penta.piovan.com
  • Doteco S.p.A., with registered office in Mirandola (Modena), San Martino Spino, Via E. Mattei 30, e-mail: doteco-spa@pec.it
  • FEA process & technological plants S.r.l., with registered office in Scarnafigi (Cuneo), Strada Saluzzo 49, e-mail: amministrazione@feaptpcert.it

(hereinafter, also referred to as “the Data Controllers” or “the Companies”).

This policy is provided in relation to the processing of personal data of whistleblowers, those reported, whistleblower facilitators and any other third parties involved or mentioned in the report (hereinafter, “Data Subjects”) used in the management of the reports of offences addressed to the Companies falling within the scope of the “Procedure for Reporting Breaches” – drawn up in compliance with the provisions of Italian Legislative Decree no. 24 of March 10, 2023, implementing Directive (EU) 2019/1937 on the protection of whistleblowers against breaches of EU and national law – published on the group’s corporate website www.piovan.com.

  2. Type of data processed

The following personal data are collected and processed: personal data of a common nature (e.g. personal data, contact data, etc.) of the whistleblower, the reported party, the facilitators of the report and any other third parties involved or mentioned that may be included in the report.

If mentioned in the report or, subsequently, acquired in the context of the management of the report and in the conduct of the related investigation, data may also be processed that reveal the racial or ethnic origin, political opinions, religious and/or philosophical convictions, union membership, as well as genetic data, biometric data, data related to health or sex life or sexual orientation of the Data Subjects and judicial data, related to crimes and criminal convictions.

The Data Subjects are (or may be): the author of the report (the whistleblower), the person (or persons) concerned by the report (the reported person/persons), the natural person who assists the whistleblower in the reporting process, operating within the same work context as the whistleblower and whose assistance is to be kept confidential (the whistleblower facilitator), and any other third parties involved or mentioned in the report or who may come to light in the course of the investigation following the report.

  3. Source of personal data

The data are collected through the reports addressed to the Companies and, subsequently, during the investigation following the report. The data of the Data Subjects contained in the report are provided directly by the whistleblower.

As reported in the Procedure for Reporting Breaches, whistleblowers can be:

  • employees, including holders of a part-time, full-time or intermittent, fixed term or open-ended employment relationship, sub-contracted, apprenticeship, accessory, or who perform occasional services;
  • self-employed workers, including holders of work contracts, agency relationships, commercial representation and other collaborative relationships;
  • workers or collaborators who provide goods or services or carry out works for the Companies;
  • freelancers and consultants;
  • volunteers and trainees, paid and unpaid;
  • shareholders and persons with functions of administration, direction, control, supervision or representation, even if these functions have been exercised merely de facto (i.e. without formal investiture).

Reports can be nominative or anonymous.

To preserve the investigative purposes, in the cases envisaged by law, the person reported, pursuant to art. 14, sub. 5, lett. d), of the GDPR, may not be immediately made aware of the processing of their data by the Data Controllers, as long as there is a risk of compromising the possibility of effectively verifying the validity of the complaint or collecting the necessary evidence.

  4. Purposes and legal basis for the Processing

The personal data of the Data Subjects are processed for the purposes related to the application of the Procedure for Reporting Breaches, prior to the management of reports of any breaches of national or European Union regulations that harm the public interest or the integrity of the Companies, as well as of relevant unlawful conduct pursuant to Italian Legislative Decree 231 of 8 June 2001, by anyone who has become aware of the aforementioned in the context of the employment or collaboration relationship with the Companies or, in any case, in the work context.

The adoption of the Procedure for Reporting Breaches and the processing of personal data consequent to the receipt of the reports take place, therefore, on the basis of a legal obligation to which the Data Controllers are subject and/or their legitimate interest. In the event of the use of voice recording with related transcription, as well as in the event of disclosure of the identity of the whistleblower, the legal basis may exclusively be the consent of the Data Subject.

With regard to any processing of personal data subsequent to the closure of the investigation on the report, the legal basis is represented by the legitimate interest of the Data Controllers in the exercise of their rights and possibly for defense in court in all cases where it is necessary (e.g. reopening of legal proceedings, claims for compensation for damages related to the report), pursuant to art. 6, sub. 1, lett. f), and art. 9, sub. 2, lett. f), of the GDPR.

In the context of any disciplinary proceedings against the alleged perpetrator of the reported conduct, in the event that the allegation is well-founded and the identity of the whistleblower is indispensable for the defense of the person charged with the disciplinary offence or of the person in any event involved in the report, the identity of the whistleblower shall only be used in compliance with the legal basis of the whistleblower’s express consent, as requested from time to time.

  5. Communication of data to third parties – Data recipients

The related data are processed by the Ethics Committee and/or by any company functions and/or external consultants, as better specified in the Procedure for Reporting Breaches.

The internal members of the Ethics Committee are authorized to process personal data, on the basis of a specific letter of appointment, indicating the confidentiality obligations that must be respected in the performance of the assigned function.

The external member of the Ethics Committee is appointed Data Processor pursuant to art. 28 of the GDPR.

The reports and the personal data of the Data Subjects, moreover, may be communicated to the subjects involved in the management of the report, as well as the consultants and external professionals of which the Companies make use, in compliance with the provisions of the law on the protection of personal data.

The identity of the whistleblower and any other information from which such identity may be inferred, directly or indirectly, may not be disclosed, without the express consent of the same, to persons other than those indicated above.

This is without prejudice to the communication of the personal data of the Data Subjects to public bodies and public authorities (including administrative, judicial and public security authorities), if the conditions are met or the communication is necessary to comply with an order of the authority itself or with a legal obligation.

The identity of the whistleblower cannot be revealed even in the context of the disciplinary procedures that may arise from the report, if the dispute of the disciplinary charge is based on separate and additional findings with respect to the report itself, even if consequent to the same. Where, instead, the disciplinary dispute is based, in whole or in part, on the report and knowledge of the identity of the whistleblower is indispensable for the accused’s defense, the report shall be usable for the purposes of disciplinary proceedings only if the whistleblower has expressly consented to the disclosure of their identity. In the latter case, the whistleblower will be notified in writing of the reasons for the disclosure of the confidential data; a similar communication will be provided to the whistleblower if the disclosure of their identity and the information from which it can be obtained, directly or indirectly, is also essential for the defense of any person involved.

The data are processed, as a Data Processor, pursuant to art. 28 of the GDPR, by the company that manages the Whistleblowing platform and guarantees the storage of the personal data processed in the cloud.

The Data Controllers, pursuant to articles 28 and 29 of the GDPR, provide the Data Processor with operational instructions to ensure the confidentiality and security of the processing of personal data, ensure compliance with applicable legislation and the protection of Data Subjects.

  6. Processing methods, period and data retention criteria

The data will be processed mainly through computerized and/or automated tools within the Whistleblowing platform, with logic related to the purposes indicated above and, in any case, in such a way as to guarantee the security and confidentiality of the data.

The data will be processed for the time necessary to manage the specific whistleblowing and in any case no later than five years from the date of communication of the final outcome of the whistleblowing procedure (art. 14 of Italian Legislative Decree 24/2023).

  7. Provision of data

The provision of the whistleblower’s data is mandatory in the “nominative report” (with confidential identity management). Any refusal to provide data in the “nominative report” makes it impossible to follow the procedure described in the Procedure for Reporting Breaches.

The provision of the whistleblower’s data is optional in the “anonymous report” (which does not require prior registration and identification). However, anonymous reporting will only be taken into consideration if adequately substantiated and referring to specific facts and situations.

  8. Transfer of data to third countries

The data processed are not transferred by the Data Controllers to Third Countries. However, in the event of any transfer of data to Third Countries, the transfer itself will take place in compliance with the regulations in force from time to time regarding the transfer of data to Third Countries.

  9. Profiling and automated decision-making processes

The processing is not carried out by automated decision-making processes (e.g. profiling).

  10. Rights of the Data Subject, Withdrawal of Consent and Complaint to the Supervisory Authority

Except as set out in the following paragraph, Data Subjects may request from the Data Controllers access to the data concerning them, their rectification, integration or erasure, as well as the restriction of processing or any other right referred to in articles 15 to 22 of the GDPR, meeting the conditions, which must be highlighted in the request. The exercise of these rights may, however, be limited if there are legitimate interests prevailing over the interests, rights and freedoms of the Data Subject, also related to the establishment, exercise or defense of a right in court or to other legal obligations that the Data Controllers must fulfil or to any provisions of the Public Authorities or the Judicial Authority or the Police Bodies.

The person involved or the person mentioned in the report cannot exercise the rights that the GDPR grants to the Data Subjects with reference to their personal data processed in the context of the report (the right of access to personal data, the right to rectify them, the right to obtain their erasure or so-called right to be forgotten, the right to restriction of processing, the right to the portability of personal data and the right to object to processing). This is because the exercise of these rights could result in an effective and concrete prejudice to the protection of the confidentiality of the identity of the whistleblower. In such cases, therefore, the person reported or the person mentioned in the report is also excluded from the possibility, where they believe that the processing that concerns them breaches these rights, to contact the Data Controllers and, in the absence of a response from the latter, to lodge a complaint with the Supervisory Authority for the protection of personal data.

In cases other than that set out above, Data Subjects have the right to lodge a complaint with the Supervisory Authority for the protection of personal data in the event of illegitimate or unlawful processing of their data by the Data Controllers.

Where the processing is based on consent, the Data Subject has the right to revoke the consent given for the processing of the data at any time, without prejudicing the lawfulness of the processing based on the consent given prior to the revocation.

  11. Contacts and requests

To find out about the internal privacy organization of each Data Controller and the activities of the Data Processors, to obtain further information on the transfer of data to non-EU countries, the mechanisms and protections for transferring data pursuant to art. 44 et seq. GDPR, to exercise the revocation of any consent given and/or to exercise your rights (access, rectification, cancellation, restriction, opposition, portability) you can send a request to the e-mail contact privacy.ethicscommittee@piovan.com or forward a request through the Whistleblowing platform.
