Information pursuant to Articles 13 and 14 of the European Regulation 2016/679 on the Processing of Personal Data within the framework of the Whistleblowing System
According to the current legislation on the reporting of alleged wrongdoing in the workplace (Legislative Decree 24/2023 - "Implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and on the protection of persons who report breaches of national laws"), Giovia S.r.l. has implemented its own "internal reporting channel" for the receipt and management of reports of alleged offences and/or violations of national and/or European Union and/or internal regulations (such as: the Code of Ethics, the Anticorruption Guidelines, the 231 Model) committed by workers and/or external subjects within the work context to which they belong (the so-called "Whistleblowing system").
In particular, Giovia S.r.l. has set up its own 'internal reporting channel', dedicated and segregated, which guarantees exclusive access to reports pertaining to it, made in written or oral form, or anonymously.
Pursuant to Articles 13 and 14 of the European Regulation 679/2016 (hereinafter "GDPR"), Giovia S.r.l. as Data Controller, hereby provides information on the processing of personal data/information ("Data") acquired directly or indirectly through the report made by its own employee and/or third party (hereinafter "whistleblower").
This Information Notice is made available to data subjects and potential data subjects by means of publication on the institutional website of Autostrade per l’Italia S.p.A.
The Data Controller reserves the right, at its discretion, to change, modify, add or remove any part of this Policy at any time. In order to facilitate the verification of any changes, this Policy will contain at the bottom an indication of the date it was updated.
- DATA CONTROLLER
The Company:
- Giovia S.r.l., subject to management and coordination by Autostrade per l'Italia S.p.A., with registered office in Via A. Bergamini 50 – 00159, Roma, Tax Code, VAT No. 09521941006, which will process the personal data of the reporting person and/or of the other persons concerned by the report, as Data Controller pursuant to Article 13(4) of Legislative Decree 24/23 - 'Decree'.
- The Data Controller has appointed, pursuant to Article 37 et seq. of the GDPR, its own Data Protection Officer ('DPO'), domiciled for the purpose at the respective head office indicated above, whom data subjects may contact for matters relating to the processing of their personal data at the e-mail address dpo.giovia@pec.autostrade.it
- TYPES OF DATA PROCESSED
The personal data and/or information (hereinafter 'Data'), subject to processing, include the Data of the Whistleblower, of the reported person and of the natural persons - identified or identifiable in various ways - involved in and/or connected to the facts that are the subject of the report, such as, for instance, the Data of any witnesses (hereinafter 'Data Subjects').
Such Data, collected and processed by the Data Controller, may include 'common' personal data (personal details, job position held, contact details such as: email address, postal address, telephone number), and/or data belonging to special categories pursuant to Art. 9 GDPR, and/or data relating to criminal convictions and offences pursuant to Art. 10 GDPR, contained in the report and/or in the acts and documents attached thereto, in compliance with the provisions of the relevant legislation and the Opinion of the Italian Data Protection Authority, prov. 6 Jul. 2023, no. 304 ("Favourable opinion on the Draft Guidelines on the protection of persons who report breaches of Union law and protection of persons who report breaches of national laws - procedures for the submission and management of external reports prepared by ANAC").
Data may be collected, either directly from the Data Subject or through other persons involved in the reporting, through the 'internal reporting channel' indicated above, in the manner set out in Section 4 below.
The data are provided voluntarily by the Reporting Party, also in anonymous form, to the Data Controller, which shall not process Data that are not strictly necessary for the purposes set out in point 3 below. By way of example but not limited to, the "report" may be made by: employees of the Data Controller, freelancers/consultants/self-employed workers, including those with a collaborative relationship, who have a working and/or collaborative relationship with the Data Controller.
- PURPOSE AND LEGAL BASIS OF PROCESSING
The Data are processed exclusively for the purposes of receiving, managing and resolving on the report and, in particular, to carry out the investigation and ascertainment of the facts that are the subject of the report, as well as the adoption of any consequent measures, in accordance with the provisions of Legislative Decree 24/2023.
Personal Data collected are only those necessary and relevant for the achievement of the above-mentioned purposes, on the basis of the 'principle of minimisation', pursuant to Art. 5.1 lett. c) GDPR.
With respect to this Data, its provision is voluntary and the Data subject is requested to provide only the data necessary to describe the facts that are the subject of the report without communicating redundant and additional personal data to those necessary for the purposes indicated above. If such Data are provided, the Data Controller shall refrain from using them and shall delete them.
The Personal Data are processed on the legal basis of the legal obligation, ex art. 6, co.1 lett. c) and co. 2 and 3 (Legislative Decree 24/2023 - Legislative Decree 231/01), ex art. 9, co. 2 lett. b) and ex art. 10 and 88 (see above mentioned Opinion of the Italian Data Protection Authority, prov. 6 Jul. 2023, no. 304).
- MODE OF TREATMENT
Data are collected and processed, in compliance with the regulations in force, by means of computerised, electronic/telematic tools, with logics strictly related to the above-mentioned purposes, so as to guarantee the security and confidentiality of the data.
- In particular, Data received with reports made in written form are collected and processed in computerised mode through an online platform, on which a dedicated and segregated channel is provided. This platform is provided to Giovia by Autostrade per l'Italia S.p.A. based on a specific service contract.
Data included in reports made orally are collected and processed electronically through the same platform, in accordance with the provisions of Article 14(2) of Legislative Decree 24/2023, subject to the consent of the reporter to the recording; the recording takes place within the platform itself, suitable for storage and listening.
Data collected by means of this IT tool will not be subject to fully automated processing as specified in Article 22 GDPR.
Specific security measures are observed to prevent loss of data, unlawful or incorrect use and unauthorised access.
Moreover, specific technical-organisational measures, such as encryption, are taken, pursuant to Article 32 GDPR, to ensure the protection of the identity of the persons concerned, as well as the possible anonymity of the reporter and complete anonymity in accessing the platform (no log).
- DATA RETENTION PERIODS
Personal data will be kept only for the time necessary for the purposes for which they are collected in compliance with the principle of minimisation pursuant to Article 5.1.c) GDPR and, in particular, for the purposes of managing the preliminary investigation, the conclusion of the activity of defining the report and the adoption of the relative measures, in the event of an assessment, and in any case no longer than 5 years from the date of communication of the final outcome of the reporting procedure, in accordance with the provisions of Article 14, paragraph 1 of Legislative Decree 24/2023 and Article 5, paragraph 1 of the GDPR.
- RECIPIENTS OF DATA
Within the Data Controller, only those persons entrusted with the processing by the Data Controller, who have been instructed on the "whistleblowing" legislation and on the correct use of the "internal reporting channel", and who are authorised to carry out the processing operations within the scope of the aforesaid activities in accordance with Article 4(2) of Legislative Decree 24/2023, may become aware of the Personal Data provided.
The aforesaid Data may be disclosed to third parties (such as IT service providers) who enable the operation and maintenance of the IT tool on which the report can be entered, as indicated in point 4, obliged to process the data for the same purposes as indicated in point 3 above, who are, for this purpose, appointed "Data Processors", pursuant to Article 28 GDPR.
Under a specific assignment, in particular:
- the support and IT management activities of the internal channel provided on the online platform referred to in point 4 above will be carried out on behalf of Giovia by the data processor under Article 28 GDPR.
- the handling of reports will be carried out by Giovia’s reporting management bodies, whose employees have been specifically authorised to process them, pursuant to Article 29 of the GDPR.
Such Data may also be disclosed to the Supervisory Body, the Anti-Corruption Manager, the Antitrust Manager and Autostrade per l'Italia's Internal Audit Department, for the performance of their Whistleblowing activities, as well as to the ANAC, the Judicial Authority and other competent Bodies/Bodies in relation to the reported case, pursuant to art. 13 of Legislative Decree 24/2023.
In order to carry out some of the operations relating to the management of the report, and again for the purposes set out in point 3, the Data Controller may communicate such data to other companies belonging to the Autostrade Group. In this case, the companies, to which the Data of third parties and/or their employees and/or collaborators and/or suppliers may be communicated, shall act as autonomous Data Controllers, for the purposes of managing the activity of defining the report falling within the competence of the aforementioned Data Controller or of initiating the management of a report falling within its competence for the adoption of the relative measures, in the event of an investigation.
Reports addressed by mistake to a Data Controller other than the competent Data Controller will be addressed to the competent Data Controller without any further processing other than for the above-mentioned dispatch.
The full list of persons appointed as Data Controllers by the Data Controller is available from them. Under no circumstances will personal data be disseminated.
- RIGHTS OF THE DATA SUBJECTS
Articles 15-22 GDPR give Data Subjects the possibility of exercising specific rights, such as, for example, the right of access, rectification, cancellation, limitation of processing, within the limits of the provisions of Article 2-undecies of Legislative Decree no. 196 of 30 June 2003, as set out in Article 13, co.3 of Legislative Decree 24/23.
In the event that the exercise of the above rights by the reported person may entail an actual and concrete prejudice to the protection and confidentiality of the reported person's personal data, the Data Controller may limit, delay or exclude such exercise, pursuant to Article 2-undecies(1)(f) of the Privacy Code (Legislative Decree 196/2003), and not grant the request.
In such cases, the rights of the Data Subject, pursuant to Art. 2-undecies, para. 3 of the Privacy Code, may be exercised through the Italian Data Protection Authority in the manner set out in Art. 160 of the Privacy Code.
The aforementioned rights may be exercised by making a request addressed without formalities to the Data Protection Officer (DPO) of the Data Controller concerned at the PEC address indicated in point 1 above.
The Data Subject may lodge a complaint pursuant to Art. 57 letter f) GDPR with the Italian Data Protection Authority, Piazza Venezia, 11, 00187 Rome (RM), to enforce his/her rights in relation to the processing of his/her Data.
- POSSIBLE TRANSFER ABROAD OF PERSONAL DATA
The Data shall be stored on the servers of a third party company on behalf of the Data Controller, appointed by the same Data Processor, and located in Italy and/or in the European Union and shall not be disseminated or transferred outside the European Union.
Personal data are not transferred outside the European Union.
Version 3 of 01/10/2024